At Microsoft's Security Summit East, held December 14-15, 2005 in Washington D.C., the company announced that several of its products received Common Criteria (CC) Evaluation Assurance Level 4+ certification. The EAL 4 certifications are augmented by Assurance Level Compliance - Flaw Remediation, section 3 (ALC_FLR.3). The certifications were awarded to Windows Server 2003 Standard, Enterprise, and Datacenter editions, as well as Certificate Server and Windows XP with Service Pack 2.
Common Criteria is an evaluation and validation scheme governed by the National Information Assurance Partnership (NIAP), which is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). EAL 4 requires that a product be methodically designed, tested, and reviewed. ALC_FLR.3 requires that a vendor have systematic and documented flaw remediation processes.
"CC certification of these Windows platform products, which includes evaluation of the broadest set of real-world scenarios of any operating system platform today, underscores our deep and ongoing commitment to the Common Criteria process," said Steve Lipner, senior director of security engineering strategy. "This milestone complements our ongoing advances in software quality through the Security Development Lifecycle process, ultimately benefiting any IT organization that is serious about security."
The certification process evaluates the operating systems in specific scenarios. Microsoft did not say what those scenarios were and what modifications, if any, were made to default installation settings in order to achieve the certifications.