Microsoft Exchange Server 2007 EE SP2 Common Criteria Certification (BSI-DSZ-CC-0436-2009)
Microsoft Exchange Server 2007 Enterprise Edition SP2 has passed Common Criteria
Evaluation Assurance Level 4+ (EAL 4+).
The certification was performed by the Federal Office for Information Security (BSI),
the Common Criteria certification body of the German government, and TÜViT, an evaluation body for IT
security that evaluates products worldwide according to ITSEC and the Common Criteria (CC).
The Microsoft Exchange Server 2007 EE SP2 certification report is
available from the BSI website
and from this page.
This site contains information and downloads for the certified version.
It provides links to the Security Target which lists the security and assurance claims certified by
the evaluation, to additional guidance documentation and other required files.
Steps in order to ensure the integrity of Exchange Server 2007 EE SP2
Please perform the following steps in order to ensure the integrity of your downloads from this website:
- Download the FCIV tool from Microsoft. The SHA1 value of this download is
and shall be verified before executing the download. This can be done using any tool capable of
calculating SHA-1 values. When you run the file, you must enter a destination folder into which
the FCIV executable will be extracted.
- Download the following to the directory where the FCIV tool has been extracted:
  - Integrity Check Validation Data,
  - CC Guidance Addendum,
  - Exchange Server 2007 Guidance, and
  - Exchange Server 2007 SP2
- Extract the Integrity Check Validation Data archive to the directory where FCIV Tool has been extracted.
- Verify that the folder contains the following files:
- Insert the Exchange Server DVD that requires validation into the DVD Drive X: (where X: is your DVD-ROM drive)
- Open a command window and change to the folder where the validation files are located.
Then, type the following to validate Exchange Server 2007:
- After the Exchange Server 2007 DVD has been successfully validated, type the following to verify the integrity of Exchange Server 2007 SP2:
- If the DVD/file cannot be validated as an authentic DVD/file, a message will be displayed, indicating that the
DVD/file is not authentic. The integritycheck.log file, listing the failure details, will be created
in the folder with the original files.
If the DVD/file is correctly validated, the following message will be displayed:
The ... is an authentic <product name>
- After the final verification steps have been finished, follow the Exchange 2007 CC
Guidance Addendum for the installation and configuration of the
TOE (Target of Evaluation; for details see Security Target).
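The validation steps above compare the files on the DVD against hash values stored in XML. As an added illustration (not Microsoft's command files and not the FCIV tool itself), the following Python code performs the same kind of comparison. The `<FCIV>`/`<FILE_ENTRY>`/`<name>`/`<SHA1>` layout with base64-encoded digests, the function names and the sample files are assumptions constructed for this example.

```python
import base64, hashlib, hmac, os, tempfile
import xml.etree.ElementTree as ET

def sha1_file(path, chunk=1 << 20):
    """Stream the file so DVD-sized content never has to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.digest()

def verify_tree(xml_text, base_dir):
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every FILE_ENTRY."""
    results = {}
    for entry in ET.fromstring(xml_text).iter("FILE_ENTRY"):
        name = entry.findtext("name")
        expected = base64.b64decode(entry.findtext("SHA1"))
        # Assumption: names are relative to base_dir and use backslashes.
        path = os.path.join(base_dir, *name.split("\\"))
        if not os.path.isfile(path):
            results[name] = "missing"
        elif hmac.compare_digest(sha1_file(path), expected):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results

def demo():
    """Constructed sample: two files on disk, three entries in the hash list."""
    def b64sha1(data):
        return base64.b64encode(hashlib.sha1(data).digest()).decode()
    xml_text = (
        "<FCIV>"
        f"<FILE_ENTRY><name>setup\\a.bin</name><SHA1>{b64sha1(b'sample A')}</SHA1></FILE_ENTRY>"
        f"<FILE_ENTRY><name>b.bin</name><SHA1>{b64sha1(b'sample B')}</SHA1></FILE_ENTRY>"
        f"<FILE_ENTRY><name>c.bin</name><SHA1>{b64sha1(b'sample C')}</SHA1></FILE_ENTRY>"
        "</FCIV>"
    )
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "setup"))
        with open(os.path.join(root, "setup", "a.bin"), "wb") as fh:
            fh.write(b"sample A")            # matches its entry
        with open(os.path.join(root, "b.bin"), "wb") as fh:
            fh.write(b"sample B, modified")  # differs from its entry
        return verify_tree(xml_text, root)   # c.bin is never created

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Any entry reported as `mismatch` or `missing` corresponds to the failure case in the steps above, where the DVD/file is reported as not authentic.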
- FCIV Tool
- The File Checksum Integrity Verifier (FCIV) is a command-prompt utility that computes and verifies
cryptographic hash values of files. FCIV can compute MD5 or SHA-1 cryptographic hash values.
- Integrity Check Validation Data
- This file contains hash values in the form of XML files that can be used to verify the integrity of the product, and command files for easier usage.
- CC Guidance Addendum
- This document provides guidance information to be used with, and modifies, the guidance documentation specifically
for the operation and use of the Common Criteria version.
- Exchange Server 2007 Guidance
- This is the Exchange Server 2007 help file, which contains the main documentation.
- Exchange Server 2007 SP2
- Exchange Server 2007 Service Pack 2 is required to update Exchange 2007 to the evaluated version.