Microsoft Windows Platform Products Awarded Common Criteria EAL 4 Certification
Dec. 14, 2005
Certification builds on Security Development Lifecycle advances to deliver unprecedented levels of assurance and quality for IT.

WASHINGTON, D.C. — Dec. 14, 2005 — Microsoft Corp. today announced that a wide range of Microsoft® Windows® platform products have been awarded Common Criteria (CC) Evaluation Assurance Level (EAL) 4 Augmented with ALC_FLR.3 certification. Issued by the National Information Assurance Partnership (NIAP), CC certification is an international standard for ensuring that IT products conform to stringent security requirements. Microsoft representatives Steve Lipner, senior director of security engineering strategy, and David Cross, director of program management of Windows security, accepted CC certification awards for six Windows products during Microsoft’s Security Summit East in Washington, D.C.

“CC certification of these Windows platform products, which includes evaluation of the broadest set of real-world scenarios of any operating system platform today, underscores our deep and ongoing commitment to the Common Criteria process,” Lipner said. “This milestone complements our ongoing advances in software quality through the Security Development Lifecycle process, ultimately benefiting any IT organization that is serious about security.”

The following products have earned EAL 4 Augmented with ALC_FLR.3 certification from NIAP:

  • Microsoft Windows Server™ 2003, Standard Edition (32-bit version) with Service Pack 1

  • Microsoft Windows Server 2003, Enterprise Edition (32-bit and 64-bit versions) with Service Pack 1

  • Microsoft Windows Server 2003, Datacenter Edition (32-bit and 64-bit versions) with Service Pack 1

  • Microsoft Windows Server 2003 Certificate Server, Certificate Issuing and Management Components (CIMC) (Security Level 3 Protection Profile, Version 1.0)

  • Microsoft Windows XP Professional with Service Pack 2

  • Microsoft Windows XP Embedded with Service Pack 2

The independent certification of Microsoft’s end-to-end platform products included the evaluation of more than 20 real-world scenarios or “workloads” by Science Applications International Corp.’s (SAIC’s) accredited Common Criteria testing lab. SAIC adheres to strict standards, and conducts rigorous and exhaustive testing at the source-code level to determine certifications.

“The assurance reflected in this level of Common Criteria certification, combined with Microsoft’s ongoing work to effectively address security through efforts such as the Security Development Lifecycle, provide encouraging evidence of Microsoft’s progress on security and the viability of the Windows platform in security-critical computing scenarios,” said Franchina Luisa, general manager of the High Institute for Communications and Information Technology in Italy.

The certification of a growing portfolio of Microsoft products parallels significant advances in software quality that Microsoft has achieved through the Security Development Lifecycle (SDL) process, a unique approach to software development that reflects the knowledge and best practices learned through focused security efforts during the past three years.

In November 2005, Microsoft launched new versions of three key products — Microsoft Visual Studio® 2005, Microsoft SQL Server™ 2005, and Microsoft BizTalk® Server 2006 Beta 2 — that became the first Microsoft products to have undergone the complete SDL process from inception to release. Microsoft’s work on SDL also produced new security-focused code analysis and debugging tools — PREfast and FxCop, among others — as part of Visual Studio 2005. Microsoft is committed to ensuring that all new major Internet-facing or enterprise-class products will be developed through the SDL process.

“Microsoft continues to build on its Trustworthy Computing progress by attaining Common Criteria certification for Windows platform products,” said Charles Kolodgy, research director of Security Products at IDC. “The high level of assurance regarding security capabilities reflected in these certifications, coupled with advances in software quality produced by the Security Development Lifecycle, reflect a deep commitment to security on the part of Microsoft that governments in particular will value and that any organization would be well-advised to consider.”

The Windows platform product certifications join previous EAL 4 certifications for Exchange Server 2003, Internet Security and Acceleration Server (ISA Server) 2004, Microsoft Windows 2000 Professional, and Microsoft Windows 2000 Server and Advanced Server.

Additional information about the certification of Microsoft Windows platform products is available at http://www.microsoft.com/technet/security/prodtech/windowsserver2003/ccc/cccwp.mspx. Information about the Trustworthy Computing SDL can be found at http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp.

Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.

Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at http://www.microsoft.com/presspass on Microsoft’s corporate information pages. Web links, telephone numbers and titles were correct at time of publication, but may since have changed. For additional assistance, journalists and analysts may contact Microsoft’s Rapid Response Team or other appropriate contacts listed at http://www.microsoft.com/presspass/contactpr.mspx.

Read More: