Common Criteria Evaluation of Exchange 2007 SP2


Topic Last Modified: 2009-09-30

This document and the downloads that are associated with it contain important information about the evaluation and certification of Microsoft Exchange Server 2007 with Service Pack 2 (SP2), Enterprise Edition according to the Common Criteria (CC) for Information Technology Security Evaluation, the standard published as ISO/IEC 15408.

The CC evaluation of Exchange 2007 SP2 is currently in progress. This page will be updated with additional information when the certification process is complete.

It is important for governments and commercial users to understand the security features of the software products that they use. Most governments and organizations prefer to have those security features reviewed by means of a third-party evaluation of the software. Until recently, different countries/regions had different standards against which software security was evaluated. To save time and costs for both evaluation vendors and software product customers, a single set of Common Criteria standards was developed. The Common Criteria provides a concise definition of security functional and assurance requirements and defines a precise security evaluation process, described in the Common Evaluation Methodology (CEM) document. The standard is recognized by 24 countries/regions through the Common Criteria Recognition Arrangement (CCRA) and is adopted by many other government and commercial users.

Each adopting country/region recognizes the Common Criteria as a formal, approved evaluation methodology. The CC also establishes a government-issued certification that validates claims about the security of both the product and the process used to develop it. The certification is based on an evaluation that is performed by a private evaluation laboratory accredited in a particular country/region.

The CC documents define Evaluation Assurance Levels (EALs), numbered EAL1 through EAL7, which rank the rigor of the assurance requirements applied during an evaluation. Evaluations at EAL1 through EAL4+ are mutually recognized by the 24 countries/regions that signed the CCRA. The “+” in EAL4+ indicates that the evaluation includes assurance components beyond those required for EAL4; in this evaluation, that augmentation is the flaw remediation assurance family (ALC_FLR), which is not part of EAL4 itself.

The certifying body of the German government, the Bundesamt für Sicherheit in der Informationstechnik (BSI), is certifying Exchange 2007 SP2 at EAL4+; the evaluation itself is performed by an independent evaluation lab. This is the first CC evaluation to be performed on Exchange 2007.

For information about BSI, see the BSI Web site. For information about the evaluation lab, TUViT, see the TUViT Web site.

The third-party Web site information in this topic is provided to help you find the technical information you need. The URLs are subject to change without notice.

Microsoft is committed to developing products that offer rich security features. Part of that commitment is the independent third-party evaluation of our products according to the Common Criteria evaluation standards. We will continue to work to improve the Common Criteria standards and to find ways to enhance the security of our products.

As of July 2008, the following Microsoft products have been certified according to the Common Criteria evaluation standards:

  • Certificate Services 2003

  • Microsoft Exchange Server 2003 Enterprise Edition

  • Groove Workspace

  • Microsoft Internet Security and Acceleration Server (ISA) 2004

  • Microsoft Internet Security and Acceleration Server (ISA) 2004 Enterprise Edition Service Pack 2

  • Microsoft ISA Server 2000 with Service Pack 1 and Feature Pack 1

  • SQL Server 2005 Database Engine Enterprise Edition (English) Service Pack 1

  • Windows 2000 Professional/Server/Advanced Server

  • Windows 2003 and Windows XP

  • Windows XP/Server 2003/x64 Hardware Support

  • Windows Mobile 5.0 MSFP

  • Windows Mobile 6

  • Windows Rights Management Services (RMS) 1.0 Service Pack 2

  • Windows Server 2003 and Windows XP

  • Windows Server 2003 Certificate Server

  • Windows Server 2003 SP2 including R2 Standard, Enterprise, and Itanium Editions, Windows XP Professional Service Pack 2 and x64 Service Pack 2, Windows XP Embedded Service Pack 2

As of July 2008, the following Microsoft products are in the process of being certified according to the Common Criteria evaluation standards:

  • Internet Security and Acceleration Server 2006

  • Windows Mobile 6.1

  • SQL Server 2005 Service Pack 2 Database Engine

  • OpenXML Format SDK

  • Exchange Server 2007 SP2, Enterprise Edition

  • SQL Server 2008 Database Engine

  • Windows Vista Service Pack 1/Windows Server 2008