Your favorite messaging server – Exchange Server 2003 (don’t tell me it’s NOT Exchange Server 2003 as of now… though that may change some time in the near future with E12 betas around the corner.. ) – is now Common Criteria certified.
“Common Criteria for Information Technology Security Evaluation” (CCITSE) – commonly known as “Common Criteria” or CC – is an international standard (ISO 15408) for computer security. Exchange Server 2003 got certified at EAL4, the highest level you’ll see for most general products. Specifically, it wasn’t RTM but SP1 with hotfix 894549 (MS05-021) applied, build 6.5.7226.0.
How does the CC work? CC has 2 parts – first is a set of common requirements of what a product should do, called a Protection Profile. The second – the evaluation rating – says how well the product satisfied those requirements in a given configuration. So unless you know what the Protection Profile for a given product’s certification process is, the different evaluation ratings really mean nothing except the fact that some amount of reasonable testing was conducted under certain conditions and the product did well to get a higher rating.
The Exchange web site has more details and “Exchange Server 2003 Common Criteria Security Target” doc that describes the security requirements and components that were tested.
{ 0 comments… add one now }