Windows 2000 gains government-based security certification

After a nearly three-year process, Microsoft said Tuesday that its Windows 2000 operating system has been certified as secure through an evaluation process that was developed through the cooperative efforts of 15 national governments worldwide.

The certification means Windows 2000 with Service Pack 3 can be used as part of sensitive government security systems without buyers having to get special waivers from the National Security Agency or pass additional testing. Those security systems would be handling sensitive or classified data at government agencies including the Department of Defense and civilian contractors.

The certification does not mean the software is now bulletproof, but means the testing has confirmed the code is working as advertised.

Microsoft admitted that the certification has no direct implications for non-government users beyond the awareness that the software has passed the test. But the company says that fact is confirmation that the vendor has been working hard on security even before it announced its Trustworthy Computing initiative in January.

“This is a demonstration that many aspects of the things that lead to trust, security being a notable one, are things that we have paying attention to for some period of time,” said Microsoft CTO Craig Mundie, during a news conference to announce the certification. “For people who have concerns on an ongoing basis about our level of investment or focus on these questions about all the things that ultimately lead to security in computer systems, this is pretty strong testimony to the level of effort we have been applying.”

The security certification is defined by the Common Criteria for Information Technology Security Evaluation (CCITSE), which is known in government circles as Common Criteria certification. The CC certification is a globally recognized ISO standard for evaluating security features in computer software.

Nearly 75 products have passed the CC evaluation. SGI in June of this year had its Trusted IRIX 6.5 and its standard IRIX 6.5 operating system certified. Sun has had two versions of its operating system CC certified. Solaris 8 was certified, as was a "trusted" version with strong access control, security labels and software compartmentalization. Oracle has had versions 7, 8, and 8i of its database evaluated and certified.

Those products along with Windows 2000 received an Evaluation Assurance Level 4 (EAL4), which is described as "the highest level at which it is likely to be economically feasible to retrofit to an existing application.” As part of the evaluation, source code is examined and the vendor has to be prepared to “incur additional security-specific engineering.”

EAL4 is the highest CC certification level doled out for the 75 products tested to date, and is the highest level that's recognized by all CC country signatories. Above that, vendors are likely to see specific demands from individual countries.

Although complex to decipher, the EAL scheme basically says EAL1 is appropriate when requirements for security are “not serious.” EAL2 ups the ante in asking the product developer for design information and testing “consistent with good commercial practice.” At EAL3, the product is going to be “methodically tested and checked” in a CC-accredited lab in a search “for obvious vulnerabilities.”