Microsoft wins government security certifications

Microsoft wins government security certifications

Therrien cautioned that while certification for Windows NT 4.0 is reassuring, "no operating system is 100 percent secure. What you have now is a way to calculate risks. We now have a way to quantify where our risks are. Without certification, there would be much more guesswork involved."
jdean@govexec.com

Microsoft Corp.'s Windows NT Server and desktop operating systems-products that are heavily used at many federal agencies-last week received two important security certifications from the federal government.

The Windows NT 4.0 network operating system was certified as compliant with Federal Information Processing Standard 140-1 (FIPS 140-1) and the C2 level of the Trusted Computer System Evaluation Criteria (TCSEC). The desktop operating systems Windows 95 and Windows 98 and the forthcoming Windows 2000 also won FIPS 140-1 certification.

"FIPS 140-1 is the certification which is more important," said Rick Therrien, leading edge services deputy in the Office of the Navy's Chief Information Officer. "FIPS 140-1 deals with information interchange on computers that are networked, as well as secure e-mail, authenticating onto a network and accessing secure Web sites."

Therrien estimates that the Navy uses Windows NT on more than 400,000 computers globally. In addition, the Marine Corps just converted from Banyan Systems Inc.'s Vines network software to Windows NT 4.0.

FIPS 140-1 was created by the National Institute of Standards and Technology. It lays out security requirements for the cryptography module within an operating system.

Windows NT 4.0 was also tested by a private laboratory and certified by the National Computer Security Center, a unit of the National Security Agency, as achieving the C2 level of security. C2 products have demonstrated they can:

  • Identify and authenticate system users
  • Limit data access to only approved users
  • Audit system and user actions
  • Prevent access to files that have been deleted by others

Microsoft's new operating system, Windows 2000, is scheduled to be released in February.

The network configuration used in evaluating the security of the NT 4.0 network operating system, as updated with Service Pack 6a consisted of single- and multi-processor Proliant servers from Compaq Computer Corp., along with Compaq PCs and printers and storage subsystems from Hewlett-Packard Co.