Microsoft Nails CC Security Certification For Windows 2000


Windows XP, Windows.Net next up


Microsoft said Tuesday that its Windows 2000 platform had received a significant certification for security known as Common Criteria (CC) certification for Evaluation Assurance Level (EAL) 4.

The CC certification, also known as ISO international standard 15408, is recognized by 15 countries as the standard for evaluating the security features of IT products.

It is the first Microsoft product to receive this certification. Microsoft also plans to apply for CC certification for the successor Windows client and server platform, Windows XP and Windows.Net server.

As it tries to polish its image in the security arena, Microsoft claims it invested millions of dollars during the three-year evaluation process to get the endorsement, deemed important for getting government contracts.

The evaluation conducted by Science Applications International Corp. involved testing key aspects of Windows 2000 desktop and server components, including Active Directory, in several real-world scenarios.

"For us, it's a significant achievement," said Craig Mundie, Microsoft's senior vice president and chief technical officer, advanced strategies and policy. "By taking this further than any other company, it sets a new bar for the industry."

The certification is a big win for Microsoft, which launched its Trustworthy Computing initiative earlier this year to enhance the security aspects of its leading platform and dispel a shaky reputation in the security arena.

According to Mundie, the Carnegie Mellon Software Engineering Institute recorded more security holes in Unix and Linux operating systems in the past year than in Windows 2000. He claims Microsoft gets a bad rap in the security space because more hackers attempt to find holes in Windows than in its Linux or Unix competitors.

"It's an impression, and the reality is that in absolute terms, Windows 2000 posts fewer critical vulnerabilities now and in past years than any other system," Mundie said. "Perception is quite different than reality."

One solution provider said Microsoft's efforts to enhance its reputation will pay off in more corporate migrations to Windows from Unix.

"The Windows 2000 ISO certification is important," said Ken Winell, CEO and president of Econium, Totowa, N.J. "This is going to give Microsoft credibility with manufacturing companies looking to switch their SAP or JD Edwards systems to the lower total cost of ownership of Windows from Sun Unix or HP-UX or IBM Unix. At least, that's what I suspect."

One analyst said CC certification is an important check-list item for Microsoft, since several other operating systems such as Silicon Graphics' IRIX Unix, Sun Microsystems' Solaris 8 and most of Oracle's database products have CC certification. However, it does not offer foolproof security, the analyst noted.

"It is significant for a software product to get Common Criteria certification because it means an independent outside testing firm has looked at the security controls and features within the software product and verified that they work and can't be compromised," said John Pescatore, vice president for Internet security at Gartner. "So, certification at this level is a good thing, but it doesn't mean there aren't security flaws in the certified products. Common Criteria testing does not exhaustively test each line of code and look for flaws. There really aren't any defined standards for that level of assurance; experience after products get fielded is what happens."

Sun took the opportunity to take potshots at its key rival, saying that its own Trusted Solaris Unix operating system has achieved security certifications and qualifications beyond CC certification.

"Microsoft has just joined the Little League of certifications. It will be a long time before we see them in the Major League of certifications," according to a statement released by Sun. "Microsoft is a 'Johnny come lately' to this subject. Sun has been serving the defense and financial sectors with strong security evaluated and certified by independent bodies for over a decade."