While software vulnerabilities may still occasionally bug the operating system, the Common Criteria certification attests that the key software components of Windows 2000 meet a specific level of security. The effort to obtain the certification, which took almost three years and cost millions of dollars, shows that Microsoft is serious about security, said Craig Mundie, vice president and chief technical officer for the Redmond, Washington-based software giant.
"For people that have questions about our level of investment and our level of effort, this is testament to...our commitment to security," he said.
The certification, which is maintained by an association of international standards bodies, could make Windows 2000 an easier sell to government agencies within the 15 countries that recognize the award--the United States, Canada and the United Kingdom among them.
Based on a set of US Department of Defense specifications for trusted systems known as the Orange Book, the Common Criteria doesn't guarantee that an operating system or software application is bug-free, but that the development and support processes that created and maintain the product meet a certain level of standards.
Windows 2000 was certified at Evaluation Assurance Level (EAL) 4, which the Common Criteria Web site defines as "methodically designed, tested and reviewed." The certification is the highest level that can be attested to by a commercial laboratory. The top levels of certification--EAL 5, 6 and 7--must be attested to by government agencies.
While the certifications aren't a guarantee, they are useful, said John Pescatore, research director of Internet security for market researcher Gartner.
"It is the most meaningful test that we have," he said. "This was not a line-by-line review. This was a proof that the security features work and can't be broken."
Microsoft paid Science Applications International Corp's. (SAIC) Common Criteria testing lab to perform the evaluation of Windows 2000.
This is the first time that Microsoft had a variety of features of the operating system certified. In addition to the basic OS, several other components were certified by SAIC, including the Active directory service, Windows 2000's virtual private network (VPN) capability, the single sign-on function, its implementation of network security standard Kerberos, and the Windows 2000 encrypted file system.
In 1999, Microsoft received an earlier version of the Common Criteria certification, known as C2, for its Windows NT operating system. However, the networking functions weren't certified, making the award of questionable value, said Gartner's Pescatore.
While the latest rating is a feather in Windows 2000's cap, many operating systems on the market today could meet the Common Criteria, he said.
"Most of the Solarises and not all, but some of versions of Linux could meet this level as well," he said.
In May, Sun Microsystems announced that its security-enhanced version of the Solaris operating system, Trusted Solaris 8, had gained Common Criteria certification. Apple has also announced that it's attempting to have its MacOS certified, and an open-source policy group hopes to act as a central authority to have Linux certified as well.
Microsoft made the announcement at the Federal Information Assurance Conference (FIAC) 2002.
