REDMOND, Wash. - Dec. 6, 1999 - Microsoft Corp. today announced two major U.S. government evaluations: "Orange Book" evaluation of the Microsoft^® Windows NT^® 4.0 operating system at the C2 level and FIPS 140-1 validation of the cryptographic services provided in the Windows^® 95, Windows 98, Windows NT 4.0 and Windows 2000 operating systems. With these evaluations, customers now have formal, third-party verification of the security of Windows 95, Windows 98, Windows NT 4.0 and Windows 2000.

Both the "Orange Book" and FIPS 140-1 are U.S. government security evaluation processes. The "Orange Book" reviews computer products and evaluates their overall security. C2 is generally acknowledged to be the highest rating a general-purpose operating system can achieve. The C2 evaluation team had unprecedented access to the product, including full access to all source code. The entire development process was scrutinized, including how Microsoft designs, develops and tests software, as well as how any reported security vulnerabilities are handled. FIPS 140-1 evaluation is a joint certification process of the U.S. government and the Canadian Communications Security Establishment that serves as a verification of the correct implementation of cryptoalgorithms.

"Customers look to Microsoft to deliver products that are built from the ground up with security in mind. C2 and FIPS 140-1 evaluations serve as an incredible proof point to Microsoft's commitment to keeping customers' information secure," said Jim Allchin, group vice president, Platforms Division, Microsoft. "We are proud to deliver this significant security milestone to customers today."

"This announcement means Microsoft's products are moving forward in a favorable direction that uses our existing Enterprise Agreement now that federal security standards are native in Windows 2000," said Rick Therrien, director, Leading Edge Services, U.S. Navy CIO office. "The certification helps address barriers to integrating Windows-based networks and applications with smart cards and the DOD Public Key Infrastructure. This means we could develop a migration plan from many Windows NT 4.0-based networks to a Windows 2000-based enterprise, taking full advantage of Microsoft's built-in cryptographic modules."

Customers' security is a primary consideration in product design, development and support. Windows NT 4.0 was built with security as a primary design element. It provides robust security architecture that is easy to use and manage. It is used by millions of customers worldwide in security-sensitive and Web-based applications such as banking, health care and government. In addition, Windows 2000 promises to be the most secure operating system Microsoft has ever shipped. C2 and FIPS 140-1 evaluations point to the security built into these systems.

Past evaluations include C2 for Windows NT 3.5, and E3/FC2 for Windows NT 3.51 and Windows NT 4.0.

Additional Information

C2

http://www.microsoft.com/security/issues/c2evaluation.asp

FIPS 140-1

http://www.microsoft.com/security/issues/fips140-1evaluation.asp

Microsoft TechWeb Security Site

http://www.microsoft.com/technet/

Microsoft Security Advisor Site

http://www.microsoft.com/security/