Microsoft Products Get Security Certified
Microsoft recently took another small step in its Trustworthy Computing initiative by obtaining security certification for a number of updated products.
The offerings that gained Common Criteria certification:
Windows Server 2003, Standard Edition (32-bit version) with SP1
Windows Server 2003, Enterprise Edition (32-bit and 64-bit versions) with SP1
Windows Server 2003, Datacenter Edition (32-bit and 64-bit versions) with SP1
Windows Server 2003 Certificate Server, Certificate Issuing and Management Components (CIMC) (Security Level 3 Protection Profile, Version 1.0)
Windows XP Professional with SP2
Windows XP Embedded with SP2
Some earlier versions of those products had already attained CC certification, but without the service pack additions. The announcement hasn’t garnered much media attention, but it should boost Microsoft’s security reputation, which continues to suffer hits over vulnerabilities in Internet Explorer.
That’s because CC certification is independent of Microsoft. CC is an international consortium of organizations that has established a set of common security standards, which it applies to products that companies submit for testing. If a product meets those standards, it’s awarded CC certification. The higher the certification level, the better the product meets the agreed-upon security guidelines. And all products, whether they be from Microsoft, Oracle, CA and so on, get tested the same way for the same level. The Microsoft products attained Evaluation Assurance Level (EAL) 4, the top level for operating systems.
Microsoft compares favorably with other competing OS vendors. For example, Sun Solaris 9 achieved EAL 4; Mac OS X achieved EAL 3; Red Hat Enterprise Linux 3 achieved EAL 2; and SuSE Linux Enterprise Server Version 9, SP2 achieved EAL 3.
Keith Ward is the editor in chief of Virtualization & Cloud Review.