Exchange Server 2003 Common Criteria Certification
Topic Last Modified: 2009-04-27
Published: November 15, 2005
Security begins with good software code and high-quality testing of that code, and it continues with the process used to identify, correct and update security vulnerabilities, and with third-party auditing based on recognized standards. Because of this, Microsoft submitted Microsoft Exchange Server 2003 for a through, independent evaluation based on the new Common Criteria for Information Technology Security Evaluation.
Ratified as an international standard in 1999, the Common Criteria replaces the old evaluation schemes, the US TCSEC, which provided the well-known "C2" rating, and the European ITSEC. The nations that embrace the Common Criteria believe that it will improve the availability of security-enhanced IT products, help customers evaluate IT products when making software purchase decisions, and contribute to higher levels of consumer confidence in IT product security.
This paper provides an overview of the Common Criteria, the benefits of certification, the Exchange Server 2003 scenarios that have been certified, and resources available to help customers configure and administer an Exchange Server 2003 environment that is secured in accordance with the Common Criteria for Information Technology Security Evaluation.
The United States federal government maintains a set of evaluation criteria for judging the security of computer systems. Many of its agencies, and many private-sector companies, will only buy systems that meet specified sets of these evaluation criteria. The well-known "C2" rating of the US Trusted Computer Systems Evaluation Criteria (TCSEC) was one such level. The European counterpart to the TCSEC, the Information Technology Security Evaluation Criteria, specified a comparable rating. Both the US TCSEC and the European ITSEC have been updated. To reflect the increased sophistication of technologies and the growing need for more international standards for evaluation, a group of nations joined forces through the International Organization for Standardization (ISO) to design a new security evaluation process, known as the "Common Criteria for Information Technology Security Evaluation" (CCITSE). In this paper we'll abbreviate it to the "Common Criteria".
Under the Common Criteria, classes of products (such as operating systems) are evaluated against the security functional and assurance requirements of "Protection Profiles." Protection Profiles may be developed to apply to operating systems, firewalls, smart cards, or other products that can be expected to meet security requirements. For example, the Controlled Access Protection Profile applies to operating systems and replaces the old C2 evaluation requirements. The Common Criteria also specify a series of Evaluation Assurance Levels (EALs) for evaluated products. A higher EAL certification specifies a higher level of confidence that a product's security functions will be performed correctly and effectively.
While the Common Criteria was ratified as a standard in 1999, the stringent and lengthy testing requirements mean that test results for operating systems submitted for evaluation then are only now available. Testing for Microsoft Exchange Server 2003 was recently completed, and as a result of these tests, Exchange Server 2003 achieved (EAL 4 + Systematic Flaw Remediation). The certification of Exchange Server 2003 covers the broadest set of real world scenarios and the highest level of evaluation yet achieved.
The existence of the Common Criteria impacts everyone that uses, deploys, and manages IT systems.
First, the Common Criteria provides a certain level of quality assurance by, among other things, allowing customers to apply a consistent, stringent, and independently verified set of evaluation requirements to their IT purchases. This raises the quality bar for products customers deploy, and it ensures a higher level of "truth in advertising". This is not to imply that all products that are certified through the Common Criteria are free of all security vulnerabilities; however, it does provide a higher level of assurance that the product is secure.
Second, the Common Criteria program provides customers with a wealth of information enabling higher security in their actual implementation and deployment of evaluated products. Vendors that embrace the opportunities afforded by the Common Criteria can help customers build more secure IT systems.
The remainder of this paper will discuss the benefits of the Common Criteria, and then go into more detail on the specific evaluations performed on Exchange Server 2003 and conclude with information about how customers can make real improvements to their configuration and implementation plans using the information provided by evaluators.
The nations that have embraced the Common Criteria did so because they recognized that their common endorsement of a uniform set of IT security standards would "improve the availability of evaluated, security-enhanced IT products."* These nations also recognized that the Common Criteria would contribute to higher levels of consumer confidence in IT product security and would "improve the efficiency and cost-effectiveness" of the evaluation and certification process.**
The Common Criteria help customers make informed security decisions in several ways:
Customers can compare their specific requirements against the Common Criteria's consistent and universal standards to determine the level of security they require.
Customers can more easily determine whether particular products meet their security requirements. Because the Common Criteria require certification bodies to prepare detailed reports about the security features of successfully evaluated products, consumers can use those reports to judge the relative security of competing IT products.
Customers can depend on Common Criteria evaluations because they are not performed by the vendors, but by independent testing labs. The Common Criteria is, however, increasingly used as a purchasing benchmark; for example, the U.S. Department of Defense announced plans to use only Common Criteria-evaluated systems for information assurance products.
Because the Common Criteria is an international standard, it provides a common set of standards that customers with worldwide operations can use to help choose products that meet their local operation's security needs.
By providing a detailed set of security standards, the Common Criteria effectively create an IT product security "language" that both vendors and consumers can understand. Vendors can draw upon this language to describe the security features included in their products by describing which Common Criteria evaluations their products have passed. Similarly, consumers can use this language to identify and communicate their security needs, which enables vendors to design products that meet those needs.
Furthermore, the Common Criteria language enables vendors to build their IT products in such a way that they can more easily demonstrate that their products meet specified security requirements, and the evaluation process allows them to have their product security evaluations performed by an impartial third party.
Microsoft has supported and embraced the Common Criteria from the beginning. Microsoft submitted Exchange Server 2003 for evaluation by the TÜV Informationstechnik GmbH (TUViT), an independent, accredited evaluator for evaluation under the Common Criteria. Microsoft and TUViT have worked together before: TUViT performed the respective EAL 2 and EAL 4+ evaluations of Microsoft Internet Security and Acceleration (ISA) Server 2000, and ISA Server 2004.
To better understand where EAL 4 fits within the seven levels, it is helpful to know that, according to the Common Criteria drafters, EAL levels 5-7 are targeted toward the evaluation of products built with specialized security engineering techniques. As such, these levels are generally less applicable to products built with commercial distribution in mind. EAL 4, then, represents the highest level at which products not built specifically to meet the requirements of EAL 5-7 ought to be evaluated. To meet the Flaw Remediation requirement over and above EAL 4, as Exchange Server 2003 did, the developer/vendor must establish flaw remediation procedures that describe the tracking of security vulnerabilities, the identification of corrective actions, and the distribution of corrective action information to customers. The Microsoft Security Response Center fulfills these roles for Exchange Server 2003.
According to TUViT, "The evaluation of Exchange Server 2003 according to Common Criteria EAL 4 opens a new dimension, since Exchange Server 2003 is the first product of this kind awarded this assurance level. TUViT is proud to have met this exciting challenge."
Microsoft also has certified the following products:
Microsoft Windows Server 2000
Microsoft Windows Server 2003 (in progress)
Microsoft Windows XP (in progress)
Microsoft Windows Certificate Server (in progress)
ISA Server 2000
ISA Server 2004
To reiterate, one of the key tangible benefits of the Common Criteria Certification is that it provides customers with guidance that simplifies the deployment and operations of Exchange Server 2003 in a more secure networked environment. Toward that end, Microsoft has worked to make sure that the evaluation data gathered in accordance with the Common Criteria are presented in a useful, actionable manner. As a result of this effort, customers have specific resources available to them - resources that meaningfully present architectural and configuration recommendations and best practices. These resources are:
The Exchange Server 2003 Common Criteria File Checksum Integrity Verifier utility described in the Evaluated Configuration Administrator’s Guide is a utility you can use to ensure that the English-language binaries in your system match the ones used for the Exchange 2003 Common Criteria certification.
Microsoft is deeply committed to optimizing the security of its products and services. As part of that commitment, Microsoft strongly supports the Common Criteria certification program¡a commitment that is directly reflected in its successful effort to design Exchange Server 2003 to meet and exceed the security requirements specified for commercially available systems. The efforts by Microsoft are rooted in the conviction that the Common Criteria evaluation and certification system creates a reliable, internationally recognized way for consumers to evaluate and gain confidence in the security of IT products. By defining clear, robust security standards and establishing an independent security evaluation process, the Common Criteria promote the benefits and efficiencies that secure computing environments can provide to individuals, businesses, and governments.
See the following resources for more information:
* The following nations are participants in the Common Criteria: Australia, Austria, Canada, Czech Republic, Finland, France, Germany, Greece, Hungary, Israel, Italy, Japan, Netherlands, New Zealand, Norway, Republic of Korea, Singapore, Spain, Sweden, Turkey, United Kingdom, and the United States. For more information about the Common Criteria and the nations that participate in it, see Welcome to the Common Criteria portal.
** Arrangement on the Recognition of Common Criteria Certificates in the Field of Information Technology Security, Preamble (May 2000) (http://www.niap-ccevs.org/cc-scheme/cc_docs/ccra.pdf).