The New Common Criteria Security Evaluation Scheme and the Windows 2000 Evaluation
| Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. |
The following Windows 2000 Target of Evaluation (TOE) has been certified under the Common Criteria (ISO/IEC 15408).
.gif "Cc723510.scurev02(en-us,TechNet.10).gif")
TOE Software Identification – The following Windows 2000 Operating Systems:*
Windows 2000 Professional with Service Pack 3 (SP3) with 326886 Hotfix
Windows 2000 Server with SP3 with 326886 Hotfix, or
Windows 2000 Advanced Server with SP3 with 326886 Hotfix
*The Windows operating system binary files listed in the Appendix B of the Windows 2000 Common Criteria security target https://niap.nist.gov/cc-scheme/st/ST_VID4002-ST.pdf are the exact same binary files found on Windows 2000 Datacenter Server with SP3 with 326886 Hotfix running on x86 machines except for a small number of machine specific device drivers.
Evaluation Assurance Level (EAL) – EAL 4, augmented with ALC_FLR.3 (Systematic Flaw Remediation).
This web page currently is being updated to provide customers with technical background materials associated with the Windows 2000 CC evaluation. The final update of this page will occur after NIAP CCEVS creates a Validated Product Entry (VPL) for Windows 2000 under the applicable Information Assurance Product Type areas, and posts the official validation report and the validated Windows 2000 security target on https://niap.nist.gov/cc-scheme/ValidatedProducts.html.
On This Page
Windows 2000 CC Resources
Common Criteria – An Executive Summary
Windows 2000 CC Resources
The following resources provide specific Windows 2000 CC evaluation information.
Windows 2000 CC Overview White Paper –
https://www.microsoft.com/technet/security/prodtech/Windows2000/w2kccwp.mspx.
Windows 2000 CC User Guide –
https://www.microsoft.com/technet/security/prodtech/Windows2000/w2kccug/default.mspx
Windows 2000 CC Administrator's Guide –
https://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/default.mspx
Windows 2000 CC Security Configuration Guide –
https://www.microsoft.com/technet/security/prodtech/windows2000/w2kccscg/default.mspx
The above guides and security configuration templates (in inf format) would be available for download as pdf and inf files after NIAP posts the validated Windows 2000 security target.
Windows 2000 CC Validation Report
Common Criteria – An Executive Summary
The award of Windows 2000 Common Criteria (CC) impacts everyone who uses, deploys, and manages Windows 2000 based infrastructures. Common Criteria provides a certain level of quality assurance by allowing customers to apply a consistent, stringent, and independently verified set of evaluation requirements. It also provides customers with detailed information on enabling higher security in their actual implementation and deployment of Windows 2000. Windows 2000 CC empowers customers to make informed security decisions in several ways:
Comparison of customer's specific requirements against Common Criteria's consistent and universal standards.
Comparison of competing IT products security feature sets based upon detailed reports of the certified products
Customers can depend on Common Criteria evaluations because they are not completed by the vendor, but by independent testing labs
Common Criteria is an international standard that global organisations can use to help choose products that satisfy the local security requirements.
In support of the windows 2000 CC evaluation process three documents have been produced that address specific aspects of the overall evaluation process and provide customers with detailed guidance on how to deploy and operate Windows 2000 in a secure network environment. The documents created are listed below:
Windows 2000 Evaluated Configuration Administrator's Guide
Windows 2000 Common Criteria Security Configuration Guide
Windows 2000 Evaluated Configuration User's Guide
Windows 2000 Evaluated Configuration Administrator's Guide
https://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/default.mspx
This document provides reference information to allow an administrator to securely operate Windows 2000 in accordance to the stated requirements in the Windows 2000 Common Criteria Security Target (ST). Two main areas are covered in this document:
Security Administration - this section provides an overview of administrating Windows 2000 securely by summarizing the following areas:
Windows 2000 Security Functionality
Roles and Privileges
Windows 2000 Evaluated Configuration
Administering Windows 2000 Security - This section describes how to operate Windows 2000 according to the Target of Evaluation (TOE) security policy in an IT environment that is consistent with the one described in the Security Target. It describes effective security practices for administering the Windows 2000 in a secure manner. Topics covered in this section include:
Operating environment
Security management interfaces
Security functions
Security-relevant events
Windows 2000 Evaluated Configuration User's Guide
https://www.microsoft.com/technet/security/prodtech/Windows2000/w2kccug/default.mspx
This document provides sufficient guidance for Windows 2000 users to securely use the product in accordance with the requirements stated in the Windows 2000 Common Criteria Security Target (ST). This document is specifically targeted at the non-administrative (e.g. non-privileged) user of Windows 2000 and covers the operating environment, security overview, and specific security functions. Security functions covered in this document include:
Passwords
Computer access
Disk quotas
Data protection
Windows 2000 Security Configuration Guide
https://www.microsoft.com/technet/security/prodtech/windows2000/w2kccscg/default.mspx
This document provides guidance to allow for the secure installation and configuration of Windows 2000 in accordance with the Windows 2000 ST. This document is targeted at those responsible for ensuring the installation and configuration process results in a secure configuration of Windows 2000. Topics covered in this document include:
Hardware and Software environment
Operating system installation
Secure Configuration - specifically
Security policies
Additional security configuration interfaces
Account policies
Local policies
Audit log management
User and Group Accounts
System services
File system
Registry
IPSec Policy
Encrypted file system
Security configuration templates – including evaluated configuration security templates that customers can use to implement Common Criteria security settings.
Summary
The information included in the Common Criteria guide documents provide an excellent security reference source for all Windows 2000 based infrastructures. However, the Windows 2000 components included in the Common Criteria evaluation and the recommended security configuration settings are specifically targeted at achieving Common Criteria certification. Prior to implementing the recommended settings to achieve Windows 2000 CC compliance the settings should be thoroughly tested against the target Windows 2000 infrastructure.
IT Professionals should use these guides and other security resources available on https://www.microsoft.com/technet/security/default.mspx to produce a security framework that satisfies their company's security requirements.