Overview: Windows 2000 Common Criteria Certification


Microsoft Corporation

Abstract

Security begins with good software code and high-quality testing of that code, and it continues with the process used to identify, correct and patch security vulnerabilities, and with third-party auditing based on recognized standards. Because of this, Microsoft submitted the Windows 2000 family of operating systems for a thorough, independent evaluation based on the new Common Criteria for Information Technology Security Evaluation.

Ratified as an international standard in 1999, the Common Criteria replaces the old evaluation schemes, the US TCSEC, which provided the well-known "C2" rating, and the European ITSEC. The nations that embrace the Common Criteria believe that it will improve the availability of security-enhanced IT products, help customers evaluate IT products when making software purchase decisions, and contribute to higher levels of consumer confidence in IT product security.

This paper provides an overview of the Common Criteria, the benefits of certification, the Microsoft Windows 2000 scenarios that have been certified, and resources available to help customers configure and administer a secure Windows 2000 environment based on the Common Criteria evaluation.

Introduction

What is the Common Criteria Security Evaluation Process?

The United States federal government maintains a set of evaluation criteria for judging the security of computer systems. Many of its agencies, and many private-sector companies, will only buy systems that meet specified sets of these evaluation criteria. The well-known "C2" rating of the US Trusted Computer System Evaluation Criteria (TCSEC) was one such level. The European counterpart to the TCSEC, the Information Technology Security Evaluation Criteria (ITSEC), specified a comparable rating. Both the US TCSEC and the European ITSEC have been updated. To reflect the increased sophistication of technologies and the growing need for more international standards for evaluation, a group of nations joined forces through the International Organization for Standardization (ISO) to design a new security evaluation process, known as the "Common Criteria for Information Technology Security Evaluation" (CCITSE). In this paper we'll abbreviate it to the "Common Criteria".

Under the Common Criteria, classes of products (such as operating systems) are evaluated against the security functional and assurance requirements of "Protection Profiles." Protection Profiles may be developed to apply to operating systems, firewalls, smart cards, or other products that can be expected to meet security requirements. For example, the Controlled Access Protection Profile applies to operating systems and replaces the old C2 evaluation requirements. The Common Criteria also specify a series of Evaluation Assurance Levels (EALs) for evaluated products. A higher EAL certification specifies a higher level of confidence that a product's security functions will be performed correctly and effectively.

While the Common Criteria was ratified as a standard in 1999, the stringent and lengthy testing requirements mean that test results for operating systems submitted for evaluation then are only now available. Testing for Microsoft Windows 2000 was recently completed, and as a result of these tests Windows 2000 achieved EAL 4 + Flaw Remediation. The certification of Windows 2000 covers the broadest set of real-world scenarios and the highest level of evaluation yet achieved.

What the Common Criteria Means for You

The existence of the Common Criteria impacts everyone that uses, deploys, and manages IT systems.

First, the Common Criteria provides a certain level of quality assurance by, among other things, allowing customers to apply a consistent, stringent, and independently verified set of evaluation requirements to their IT purchases. This raises the quality bar for products customers deploy, and it ensures a higher level of "truth in advertising". This is not to imply that all products that are certified through the Common Criteria are free of all security vulnerabilities; however, it does provide a higher level of assurance that the product is secure.

Second, the Common Criteria program provides customers with a wealth of information enabling higher security in their actual implementation and deployment of evaluated products. Vendors that embrace the opportunities afforded by the Common Criteria can help customers build more secure IT systems.

The remainder of this paper will discuss the benefits of the Common Criteria, and then go into more detail on the specific evaluations performed on the Windows 2000 family and conclude with information on how customers can make real improvements to their configuration and implementation plans using the information provided by evaluators.

Benefits of the Common Criteria

The fourteen nations[1] that have embraced the Common Criteria did so because they recognized that their common endorsement of a uniform set of IT security standards would "improve the availability of evaluated, security-enhanced IT products". These nations also recognized that the Common Criteria would contribute to higher levels of consumer confidence in IT product security and would "improve the efficiency and cost-effectiveness" of the evaluation and certification process.[2]

Enables Customers to Make Informed Decisions

The Common Criteria help customers make informed security decisions in several ways:

  • Customers can compare their specific requirements against the Common Criteria's consistent and universal standards to determine the level of security they require.

  • Customers can more easily determine whether particular products meet their security requirements. Because the Common Criteria require certification bodies to prepare detailed reports about the security features of successfully evaluated products, consumers can use those reports to judge the relative security of competing IT products.

  • Customers can depend on Common Criteria evaluations because they're not performed by the vendors, but by independent testing labs. The Common Criteria is also increasingly used as a purchasing benchmark; for example, the U.S. Department of Defense recently announced plans to use only Common Criteria-evaluated systems.

  • Because the Common Criteria is an international standard, it provides a common set of standards that customers with worldwide operations can use to help choose products that meet their local operation's security needs.

Helps Vendors Build Secure IT Products

By providing a detailed set of security standards, the Common Criteria effectively create an IT product security "language" that both vendors and consumers can understand. Vendors can draw upon this language to describe the security features included in their products by describing which Common Criteria evaluations their products have passed. Similarly, consumers can use this language to identify and communicate their security needs, which enables vendors to design products that meet those needs.

Furthermore, the Common Criteria language enables vendors to build their IT products in such a way that they can more easily demonstrate that their products meet specified security requirements, and the evaluation process allows them to have their product security evaluations performed by an impartial third party.

Windows 2000 Common Criteria Certifications

Microsoft has supported and embraced the Common Criteria from the beginning. Microsoft submitted Windows 2000 for evaluation by the Science Applications International Corporation (SAIC), an independent, accredited evaluator for evaluation under the Common Criteria. Microsoft and SAIC have worked together before: SAIC performed the C2 evaluations of both Windows NT 4.0 and SQL Server™ 2000.

Using the Controlled Access Protection Profile (which, you'll recall, replaces the C2 set of evaluation requirements), SAIC determined through exhaustive testing that the Windows 2000 family achieved a rating of EAL 4 + Flaw Remediation under the Common Criteria.

To better understand where EAL 4 fits within the seven levels, it is helpful to know that, according to the Common Criteria drafters, EAL levels 5-7 are targeted toward the evaluation of products built with specialized security engineering techniques. As such, these levels are generally less applicable to products built with commercial distribution in mind. EAL 4, then, represents the highest level at which products not built specifically to meet the requirements of EAL 5-7 ought to be evaluated. To meet the Flaw Remediation requirement over and above EAL 4, as Windows 2000 did, the developer/vendor must establish flaw remediation procedures that describe the tracking of security flaws, the identification of corrective actions, and the distribution of corrective action information to customers. The Microsoft Security Response Center fulfills these roles for Windows 2000.

According to SAIC, the "Windows 2000 Common Criteria EAL 4 evaluation was, as yet, the most challenging evaluation project conducted by SAIC's Common Criteria Testing Lab from both technical and project management perspectives".

Other Windows 2000 Evaluations

The Windows 2000 family includes Windows 2000 Professional for desktop systems and the Windows 2000 Server family. Because Windows 2000 has such a broad range of features and abilities, it was submitted for evaluation against CC requirements that are beyond the Controlled Access Protection Profile. The result is that Windows 2000 is now evaluated with the following Information Assurance (IA) enabled information technology (IT) product features:

Sensitive Data Protection Device. Encrypting File System (EFS) protects sensitive data against tampering or theft by encrypting it on the local system. EFS protection meets the Common Criteria standards for certification as a Sensitive Data Protection Device.

Directory Service. Active Directory provides a robust, distributed enterprise directory service. The Common Criteria evaluation covers LDAP-based access and management of Active Directory objects; Windows 2000 meets the evaluation requirements by providing secure directory access and administration.

Virtual Private Network (VPN). VPNs make it possible for organizations to provide secure connectivity to remote servers and users without opening their networks to the world. Support for VPNs in Windows 2000 includes integrated client and server services for two industry-standard protocols, L2TP and IPsec (used together as L2TP+IPsec); the Windows VPN components have been evaluated for compliance with the Common Criteria standards.

Software Signature Creation Device. Digital signatures provide valuable integrity protection and authentication services, but only if the signature creation systems are secure against tampering or interference. Federal Information Processing Standard (FIPS) 140-1 sets out the requirements for secure signature creation; Windows 2000 provides security services that meet the FIPS 140-1 requirements, including a protection service that uses strong cryptography to protect users' private signature keys and FIPS 186-2-compliant implementations of the RSA and DSA signature algorithms.

Single Sign On. Many enterprises want to allow users to sign on to multiple network systems with a single set of security credentials. Windows 2000 supports this by providing application programming interfaces (APIs) so that third-party developers can use authentication services in Windows 2000 directly. While not described by a Protection Profile in itself, Single Sign On, as a capability, is composed of evaluated components.

Network Management. Windows 2000 provides several powerful network management tools, including the Windows Management Instrumentation (WMI) Services for monitoring and controlling system performance and operations and Active Directory's Group Policy engine for applying security and application policies to computers on a network. Network management tools in Windows 2000 have been evaluated against the Common Criteria requirements for network management systems and software.

Desktop Management. Desktop management services allow efficient and secure policy application for desktop computers in an enterprise network. Group Policy provides these critical services for Windows desktops; accordingly, Windows 2000 has been evaluated as a Common Criteria Desktop Management product.

In the context of the Common Criteria, Windows 2000 provides the clear advantage of a multi-purpose platform whose evaluated components satisfy many of an organization's needs. From the operating system's security technologies, to network management security, to VPN security, Windows 2000 provides the key (and evaluated) pieces in one package.

Putting Windows 2000 Common Criteria Certifications into Action

To reiterate, one of the key tangible benefits of the Common Criteria Certification is that it provides customers with guidance that simplifies the deployment and operations of Windows 2000 in a secure networked environment. Toward that end, Microsoft has worked to make sure that the evaluation data gathered in accordance with the Common Criteria are presented in a useful, actionable manner. As a result of this effort, customers have specific resources available to them - resources that meaningfully present architectural and configuration recommendations and best practices. These resources are:

Summary

Microsoft is deeply committed to ensuring the security of its products and services. As part of that commitment, Microsoft strongly supports the Common Criteria certification program — a commitment that is directly reflected in its successful effort to design Windows 2000 to meet and exceed the security requirements specified for commercially available systems. The efforts by Microsoft are rooted in the conviction that the Common Criteria evaluation and certification system creates a reliable, internationally recognized way for consumers to evaluate and gain confidence in the security of IT products. By defining clear, robust security standards and establishing an independent security evaluation process, the Common Criteria promote the benefits and efficiencies that secure computing environments can provide to individuals, businesses, and governments.

Additional Resources

See the following resources for further information:

[1] The Common Criteria's drafters—Canada, France, Germany, the United Kingdom, and the United States—have been joined as signatories by Australia, Finland, Greece, Israel, Italy, New Zealand, Norway, Spain, and the Netherlands. Common Criteria, CCRA Participants (last visited Nov. 16, 2001).

[2] Arrangement on the Recognition of Common Criteria Certificates in the Field of Information Technology Security, Preamble (May 2000) [hereinafter Arrangement] (last visited Nov. 21, 2001).