Nothing Common in “Common Criteria”: How Microsoft Customers Can Utilize the Unprecedented Security Recognition Awarded to Windows 2000



Mike Nash, corporate vice president, Security Business Unit

Bill Veghte, corporate vice president, Windows Server Group

REDMOND, Wash., Oct. 29, 2002 — The Microsoft Windows 2000 operating system has been awarded the highest level Common Criteria Certification for the broadest set of real world scenarios yet achieved by any operating system, as defined by the Common Criteria for Information Technology Security Evaluation (CCITSE). (See press release.)

The certification represents an important milestone in Microsoft’s ongoing commitment to Trustworthy Computing. To get a better understanding of what the Common Criteria recognition means to Microsoft customers, PressPass spoke with two senior Microsoft executives: Mike Nash, corporate vice president for the Security Business Unit, and Bill Veghte, corporate vice president for the Windows Server Group.

PressPass: What exactly is Common Criteria?

Veghte: Common Criteria (CC) Certification is a globally accepted standard for evaluating the security features and capabilities of information technology products. It is designed to help customers select IT products that meet their security requirements.

PressPass: What does this mean to Microsoft customers?

Nash: For current and potential Windows 2000 customers, this Common Criteria certification provides a high level of quality security assurance. The Common Criteria helps consumers make informed decisions about secure IT products by establishing a consistent, stringent and independently verified set of evaluation requirements for products. This doesn’t mean that products certified through the Common Criteria evaluation are free of all security vulnerabilities; however, it does provide a higher level of assurance that the product is secure.

The Systematic Flaw Remediation certification for Windows 2000 means the Microsoft Security Response Center (MSRC) process for managing the tracking of security vulnerabilities and developing and distributing software technical solutions meets NIAP Common Criteria requirements. Certification at this high level is unique to Microsoft: no other company, worldwide, has certified such a detailed procedure for assuring the ongoing security of their operating system products.

PressPass: How can customers use this certification to make better-informed decisions around the security of their IT systems?

Nash: Customers have different needs from Windows 2000 and use it in different ways. So, in addition to earning certification for the operating system, we submitted key components and technologies of Windows 2000 for evaluation. Those additional certifications are for sensitive data protection device, directory service, virtual private network, software signature creation device, single sign on, network management and desktop management.

These certifications enable customers who are interested in any one or combination of these aspects to be confident that the relevant technologies have been rigorously tested and certified and to review the Common Criteria certifications for themselves to understand exactly what they can expect from the security features of these technologies.

PressPass: Purchase decisions are just the first step for customers. Does this milestone also help customers plan their deployments?

Veghte: Yes, it does. First, the Common Criteria program provides customers with very detailed information to enable higher security in their actual implementation and deployment of evaluated products. Customers can obtain this information by going to the Common Criteria Web site at http://www.commoncriteria.org.

Second, we are helping customers to achieve, in their own deployments, the level of security seen in the Common Criteria testing. Microsoft has put together a series of guides for security configuration, administration, and users that present the Common Criteria evaluation data in the most useful, actionable way, including deployment recommendations and best practices. We have made these guides available online at http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/cccert.asp.

PressPass: What types of real-world deployments were tested during the certification process?

Veghte: The evaluation of Windows 2000 went far beyond that of any other operating system to incorporate a number of real-world deployment scenarios including multi-master directory services, L2TP/IPSEC-based virtual private networking, single sign-on and several other scenarios.

PressPass: Beyond direct significance for Microsoft’s customers, what does the Common Criteria certification mean for Microsoft’s vendors?

Veghte: Vendors who embrace the opportunities afforded by the Common Criteria can, in effect, help customers build more secure IT systems. From the server to the desktop, they can deliver solutions that ensure a higher level of trust, whether they’re developing horizontal solutions or solutions for specific companies or industry segments. Vendors can also utilize the resources I just mentioned to help their customers build and maintain a more secure networked environment based on Windows 2000.

PressPass: How does the Windows 2000 Common Criteria certification compare to certifications for other operating systems such as Solaris and Linux?

Nash: Common Criteria certified Windows 2000 with the highest level of security evaluation with the broadest set of real-world scenarios yet achieved by any operating system. Sun Solaris has been certified according to the Controlled Access Protection profile. But it hasn’t evaluated and certified the number of real-world scenarios that Windows 2000 technologies have achieved, such as those for directory service, Kerberos, single sign on, file system encryption, VPN functionality, policy-based network management, desktop management, and more. To our knowledge, Linux has not been evaluated for any protection profiles under Common Criteria.

PressPass: What does this certification mean for the security standing of other Microsoft products?

Veghte: Common Criteria certification is a very extended process; the certification for Windows 2000 took more than two years. We are committed to achieving certification for Windows XP, Windows .NET Server 2003, and future Microsoft operating system products. And everything we learned about security in Windows 2000 was designed into Windows XP and Windows .NET Server 2003 Common Criteria certification and is just one part of our much-broader commitment to delivering the most secure products available.