Windows 2000 Gets Common Criteria Certification
Qnal writes "e-Week is reporting that Microsoft Windows 2000 has been awarded Common Criteria Certification. Read more of the propaganda here. Basically, according to the article, Any user running Windows 2000 with Service Pack 3 is running exactly the same system that was evaluated. The Common Criteria certification is an internationally recognized ISO standard established for evaluating the security of infrastructure technology products. Too bad it takes 3 Service Packs..."
Read the description on the CC web site, and you'll see that the evaluation was for the development process, and that only part of the implementation was tested at all. (I wonder which part?)
All of which, while interesting to some, is in the 'so what' category. Security is not a cert, or a product. Security is what you do.
For example, Windows NT 3.5 was certified to the NIST 'C2' level (basically, C2 means you have separated the users and require a login). But there was no problem building a 'B2' level (mandatory access control) system with NT3.5; you just had to add some software and hardware to plug the holes.
So these certs are of no use except to PR flaks. And trolls.