Common Criteria: A Global Security Standard

Many software products claim to make your networks secure, but how do you know for sure? Common Criteria (CC) is a framework for evaluating and certifying the security of IT products and systems that is recognized by governments and IT professionals around the world as a critical measure of the quality of an information technology security product. CC certification is increasingly used as one of the key decision-making criteria by local, federal, and international government agencies and is also becoming a key differentiator for many private-sector industries, such as finance and healthcare. You can read more about CC on the Common Criteria site.

ISA Server 2006

Microsoft Internet Security and Acceleration (ISA) Server 2006 has passed Common Criteria Evaluation Assurance Level 4+ (EAL 4+).

The certification work has been performed by the Federal Office for Information Security (BSI), the Common Criteria certification body of the German government.

The Microsoft Internet Security and Acceleration (ISA) Server 2006 certification report is available for reading on the BSI website.

The CC Guidance Documentation Addendum for ISA Server 2006 is available for download from this page.

To ensure the integrity of your ISA 2006 downloads from this page, please perform the following steps.

  1. Download the FCIV tool from http://support.microsoft.com/default.aspx?scid=kb;en-us;841290. The SHA-1 value of this download is 99fb35d97a5ee0df703f0cdd02f2d787d6741f65 (hex) and shall be verified before executing the download. This can be done using any tool capable of calculating SHA-1 values.

  2. Download the "Integrity Check ISA 2006" and "CC Guidance Documentation Addendum" to the directory where FCIV has been extracted.

  3. Open a command prompt and change to the directory where FCIV has been extracted.

  4. Check the integrity of "Integrity Check ISA 2006" by executing the command
    fciv "Integrity Check ISA 2006.zip" -sha1

  5. Verify that the result is
    06b67016f7f986a45011dd84f7ba5f98fb2cfcef integrity check isa 2006.zip

  6. Check the integrity of the CC Guidance Addendum by executing the command
    fciv "CC_Guidance_Documentation_Addendum_for_ISA_2006.pdf" -sha1

  7. Verify that the result is
    e9e5cd5369d1fbb0a2b57c27351b69ff5ea5978f cc_guidance_documentation_addendum_for_isa_2006.pdf

  8. Follow the CC Guidance Addendum for further Installation and Configuration of the TOE (Target Of Evaluation).
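
Steps 4 to 7 can also be checked by script. The following is an added example, not part of the original page or of any Microsoft tooling: it computes the SHA-1 values directly and can also compare pasted FCIV output against the values published above. The function names are illustrative, and the files are assumed to sit in the current directory.

```python
import hashlib
import os

# Expected SHA-1 values copied from steps 5 and 7 of the page, keyed by
# lowercase file name (FCIV prints names in lowercase).
EXPECTED = {
    "integrity check isa 2006.zip": "06b67016f7f986a45011dd84f7ba5f98fb2cfcef",
    "cc_guidance_documentation_addendum_for_isa_2006.pdf":
        "e9e5cd5369d1fbb0a2b57c27351b69ff5ea5978f",
}

def sha1_file(path, chunk=1 << 20):
    """Stream the file so a large download is not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_dir(directory, expected=EXPECTED):
    """Return {name: 'OK' | 'MISMATCH' | 'MISSING'} for each expected file."""
    on_disk = {n.lower(): n for n in os.listdir(directory)}
    results = {}
    for name, want in expected.items():
        if name not in on_disk:
            results[name] = "MISSING"  # a missing file must never count as verified
            continue
        got = sha1_file(os.path.join(directory, on_disk[name]))
        results[name] = "OK" if got == want.lower() else "MISMATCH"
    return results

def check_fciv_output(text, expected=EXPECTED):
    """Compare pasted FCIV output with the expected values."""
    results = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):  # skip FCIV banner lines
            continue
        digest, _, name = line.partition(" ")
        # Drop any directory prefix so only the file name is matched.
        name = os.path.basename(name.strip().replace("\\", "/")).lower()
        if name in expected:
            same = digest.lower() == expected[name].lower()
            results[name] = "OK" if same else "MISMATCH"
    return results

if __name__ == "__main__":
    for name, status in verify_dir(".").items():
        print(f"{status:8} {name}")
```

Treat any result other than `OK` for both files as a failed check and download the files again before continuing with step 8.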

ISA Server 2004

Microsoft Internet Security & Acceleration (ISA) Server 2004 has achieved CC Evaluation Assurance Level 4+ (EAL 4+). Level 4 is the highest level possible that is mutually recognized by all countries participating in CC certification. This level provides the deepest evaluation and testing possible from an independent testing laboratory. In addition, ISA Server passed an even more thorough review, earning Level 4+. This CC certificate assures you that the evaluated security features of ISA Server Standard Edition are effective and implemented correctly.

ISA Server 2000 Standard Edition

In September 2003, ISA Server 2000 achieved certification for CC Evaluation Assurance Level 2 (EAL 2). ISA Server CC certification, coupled with the Windows 2000 Server EAL 4 + Flaw Remediation certification, is an important consideration for organizations requiring CC certification.

The Microsoft Commitment to CC Certification

Robust and objective non-Microsoft auditing, as with the certification process involved in CC, is critical for establishing trust in security products. Auditing represents a significant investment and is something that all customers should evaluate when making technology purchases. It is a Microsoft corporate goal to provide rigorous non-Microsoft auditing for all Microsoft security products, at a level comparable to or better than that of other vendors.