Microsoft announced Tuesday that Windows 2000 has received the highest security certification level available to an OS. As noted in Paul Thurrott's news story, "The International Organization for Standardization (ISO) awarded Windows 2000 with the Common Criteria (CC) certification for the broadest set of real-world scenarios yet achieved by any operating system as defined by the Common Criteria for Information Technology Security Evaluation." The criteria are outlined in ISO publication ISO/IEC 15408.
Craig Mundie, chief technology officer and senior vice president for advanced strategies and policy at Microsoft, accepted the award Tuesday during the Federal Information Assurance Conference at the University of Maryland, College Park. A spokesperson for Microsoft said, "The CC certification is a globally recognized ISO standard (ISO-IEC 15408) established for evaluating the security of infrastructure technology products. Through a multiyear, multimillion-dollar commitment, the Windows 2000 Platform has earned CC certification for Evaluation Assurance Level 4 (EAL4) augmented with ALC FLR 3 (Systematic Flaw Remediation) from the National Information Assurance Partnership (NIAP). In addition, the evaluation of Windows 2000 goes far beyond that of any other operating system to incorporate a number of real-world deployment scenarios including multi-master directory services, L2TP/IPSec-based virtual private networking, single sign-on and several other scenarios."
Microsoft also said that it "submitted the Windows 2000 platform to the CC certification evaluation process to ensure that customers would have an independent, standard validation of the security features of the Windows 2000 platform. Achieving CC certification demonstrates a milestone toward Microsoft's commitment to provide customers with a secure platform for Trustworthy Computing."
In conjunction with the announcement, Microsoft released two new guides, the "Common Criteria Evaluated Configuration User's Guide" and the "Common Criteria Evaluated Configuration Administrator's Guide," which help people configure the OS securely. Microsoft said the User's Guide "provides sufficient guidance for Windows 2000 users to securely use the product in accordance with the requirements stated in the Windows 2000 Common Criteria Security Target (ST)." The document is specifically targeted at nonadministrative Win2K users. The Administrator's Guide is "targeted at the administrator and provides a description of how to perform the administrative security functions needed to securely operate Windows 2000 in accordance with the ST requirements." Both documents are available on Microsoft's Web site and contain detailed configuration information, including screenshots.