Microsoft wins high-level security rating

After more than a year, Microsoft obtains the NSA's key C2 rating for NT 4.0

As Microsoft closes in on completing development of its next-generation Windows 2000 operating system, it finally has managed to receive the elusive C2 security rating for its NT 4.0 operating system.

On 2 December, Microsoft announced it had received the C2 rating for NT 4.0 Server and Workstation. Prior to last Friday, Microsoft had received the C2 rating only for NT 3.5.

C2 is a basic security rating that is one of several evaluations awarded by the National Security Agency, based on its Trusted Computer System Evaluation Criteria, or "Orange Book" criteria. Information systems purchased by the Department of Defence are supposed to carry at least a C2 rating.

Microsoft has been in pursuit of the C2 rating for NT 4 for more than a year. Originally, Microsoft had hired an independent contractor named Edward Curry to help the company obtain a C2 rating for NT 3.5 in the mid-1980s. But in 1995, Microsoft ended Curry's contract for reasons the company declined to divulge publicly.

Curry brought to the Department of Defence's attention late last year the fact that Microsoft had not obtained C2 certification for any release of NT beyond 3.5. In March of this year, while continuing to make known his concerns regarding Microsoft's alleged lack of operating-system security, Curry died suddenly of a stroke. Prior to Curry's death, Microsoft hired Science Applications International (SAIC) to continue its C2 certification efforts. A year ago, SAIC was predicting Microsoft would pass its first C2 milestone within weeks.

Microsoft officials have said they expect to be able to submit Windows 2000 immediately for evaluation under a newly merged US/UK security evaluation process, called Common Criteria Consolidation.
