National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme

Validation Report

Microsoft Windows Server 2003 and Microsoft Windows XP with x64 Hardware Support

Report Number: CCEVS-VR-06-0042
Dated: September 18, 2006
Version: 0.2

National Institute of Standards and Technology, Information Technology Laboratory, 100 Bureau Drive, Gaithersburg, Maryland 20899
National Security Agency, Information Assurance Directorate, 9600 Savage Road, Suite 6740, Fort George G. Meade, MD 20755-6740

Acknowledgements:

The TOE evaluation was sponsored by:
Microsoft Corporation, Corporate Headquarters, One Microsoft Way, Redmond, WA 98052-6399 USA

Evaluation Personnel:
Science Applications International Corporation (SAIC), Common Criteria Testing Laboratory, 7125 Columbia Gateway Drive, Suite 300, Columbia, MD 21046-2554
Shukrat Abbas, Tony Apted, Dawn Campbell, Quang Trinh

Validation Personnel:
Santosh Chokhani, Orion Security Solutions
Geoff Beier, Orion Security Solutions

Table of Contents

1 Executive Summary
2 Identification
3 TOE Security Services
4 Assumptions
  4.1 Physical Security Assumptions
  4.2 Personnel Security Assumptions
  4.3 Connectivity Assumptions
5 Architectural Information
6 Documentation
7 IT Product Testing
  7.1 Developer Testing
  7.2 Evaluation Team Independent Testing
8 Evaluated Configuration
9 Validator Comments
10 Security Target
11 List of Acronyms
12 Bibliography
13 Interpretations
  13.1 International Interpretations
  13.2 NIAP Interpretations
  13.3 Interpretations Validation

1 Executive Summary

This report documents the National Information Assurance Partnership (NIAP) assessment of the evaluation of Microsoft Windows Server 2003 and Microsoft Windows XP with x64 hardware support. It presents the evaluation results, their justifications, and the conformance results. This Validation Report is not an endorsement of the Target of Evaluation (TOE) by any agency of the U.S. Government, and no warranty of the TOE is either expressed or implied.

The evaluation of Microsoft Windows Server 2003 and Microsoft Windows XP with x64 hardware support was performed by the SAIC Common Criteria Testing Laboratory in the United States and was completed during September 2006. The information in this report is largely derived from the Security Target (ST), the Evaluation Technical Report (ETR) and the associated test report. The ST was written by SAIC. The ETR and test report used in developing this validation report were also written by SAIC. The evaluation team determined the product to be CC Part 2 extended and CC Part 3 augmented, and concluded that the Common Criteria requirements for Evaluation Assurance Level (EAL) 4 augmented with ALC_FLR.3 (Systematic Flaw Remediation) have been met.

Windows 2003/XP is an operating system that supports both workstation and server installations. The TOE includes eight product variants of Windows 2003/XP:

• Microsoft Windows Server 2003, Standard Edition (32-bit version); Service Pack (SP) 1
• Windows Server 2003, Standard x64 Edition
• Microsoft Windows Server 2003, Enterprise Edition (32-bit and IA-64 versions); SP 1
• Windows Server 2003, Enterprise x64 Edition
• Microsoft Windows Server 2003, Datacenter Edition (32-bit and 64-bit versions); SP 1
• Windows Server 2003, Datacenter x64 Edition
• Microsoft Windows XP Professional; SP 2
• Windows XP Professional x64 Edition
The server products contain domain controller features, including Active Directory, the Kerberos Key Distribution Center, and Internet Information Services (IIS 6), for use within the distributed Windows configuration. Active Directory is also used by TOE users to store and retrieve information. The discretionary access control and data replication capabilities of the Active Directory service were evaluated as part of this evaluation. Although the following components do not implement any of the Security Functional Requirements specified in the Security Target, they were included in the TOE and hence evaluated (i.e., all assurance requirements were applied) to ensure that they do not permit violations of the TOE's access control, information flow, or authentication policies: Certificate Server, File Replication, Directory Replication, DNS, DHCP, Distributed File System service, Removable Storage Manager, and Virtual Disk Service.

The reason for this evaluation, following the previous Windows XP and Server 2003 evaluation of October 2005, is the added protection offered by x64-based hardware support. The x64 support adds a set of Data Execution Prevention (DEP) security checks to Windows. These checks, known as hardware-enforced DEP, are designed to block malicious code that takes advantage of exception-handling mechanisms by intercepting attempts to execute code from memory that is marked for data only. The same hardware protection feature is present on IA-64 hardware, and that IA-64 feature was also included in this evaluation. In addition to the 64-bit hardware support, the TOE grew in terms of other capabilities.
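The following is an added illustration, not part of this Validation Report and not code from the TOE, of the behaviour described above and again under Protection of TOE Security Functions in Section 3: a page is mapped for data only, a one-instruction return stub is written into it, and the stub is called; with hardware DEP the processor refuses to execute from the data page, while the same bytes run once the page has been explicitly marked executable. It uses the POSIX mmap/mprotect calls as the portable analog of the Windows VirtualAlloc/VirtualProtect page-protection API, and assumes an x86-64 or AArch64 processor with the no-execute page bit enabled (the processor feature hardware-enforced DEP relies on). The function name dep_probe and its return codes are choices of this example.

```c
#define _GNU_SOURCE
/*
 * Added example (not from the validation report): a minimal probe of
 * hardware-enforced DEP, i.e. the processor's no-execute page bit.
 * A page is mapped read/write only, a one-instruction "return" stub is
 * copied into it, and the stub is called.  With NX enforced the CPU
 * faults (SIGSEGV); after the page is re-marked executable the same
 * bytes run normally.  POSIX mmap/mprotect stand in for the Windows
 * VirtualAlloc/VirtualProtect calls (PAGE_READWRITE vs PAGE_EXECUTE_READ).
 */
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if defined(__x86_64__) || defined(__i386__)
static const unsigned char ret_stub[] = { 0xC3 };                   /* ret */
#elif defined(__aarch64__)
static const unsigned char ret_stub[] = { 0xC0, 0x03, 0x5F, 0xD6 }; /* ret */
#else
#error "add a 'return' instruction encoding for this architecture"
#endif

static sigjmp_buf fault_jmp;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_jmp, 1);   /* unwind out of the faulting call */
}

/* Call the stub at p; return 1 if it executed, 0 if the CPU faulted. */
static int try_execute(void *p)
{
    struct sigaction sa, old_segv, old_bus;
    void (*fn)(void);
    int executed;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    memcpy(&fn, &p, sizeof fn);        /* data pointer -> function pointer */
    if (sigsetjmp(fault_jmp, 1) == 0) {
        fn();                          /* faults here when the page is non-executable */
        executed = 1;
    } else {
        executed = 0;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return executed;
}

/*
 * Returns 0 when DEP behaved as the report describes (data-only page
 * blocked, explicitly executable page allowed); 1 if code ran from the
 * data-only page; 2 if the executable page still faulted; -1 on a
 * setup failure (mmap/mprotect refused).
 */
int dep_probe(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int result;

    if (p == MAP_FAILED)
        return -1;
    memcpy(p, ret_stub, sizeof ret_stub);   /* code bytes in a data-only page */

    if (try_execute(p)) {
        result = 1;                          /* executed: DEP not enforced */
    } else if (mprotect(p, page, PROT_READ | PROT_EXEC) != 0) {
        result = -1;                         /* could not declare the page executable */
    } else {
        __builtin___clear_cache((char *)p, (char *)p + page);
        result = try_execute(p) ? 0 : 2;     /* same bytes now run */
    }

    munmap(p, page);
    return result;
}

int main(void)
{
    static const char *msg[] = {
        "DEP enforced: data page blocked, executable page ran",
        "DEP NOT enforced: code ran from a data-only page",
        "executable page faulted; check the W^X / execmem policy"
    };
    int r = dep_probe();
    if (r < 0) { perror("dep_probe"); return 1; }
    puts(msg[r]);
    return r == 0 ? 0 : 1;
}
```

Build with cc -Wall dep_probe.c -o dep_probe and run it; exit status 0 means the data-only page was blocked and the explicitly executable page ran, which is the enforcement the report attributes to the 64-bit platforms. On Windows the same fault is delivered as an access-violation exception (STATUS_ACCESS_VIOLATION) rather than SIGSEGV, and the two protections would be PAGE_READWRITE and PAGE_EXECUTE_READ.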
The validation team monitored the activities of the evaluation team, participated in Technical Oversight Panel (TOP) meetings, provided guidance on technical issues and evaluation processes, reviewed successive versions of the Security Target, reviewed selected evaluation evidence, reviewed test plans, reviewed intermediate evaluation results (i.e., the CEM work units), and reviewed successive versions of the ETR and test report. The validation team determined that the evaluation team showed that the product satisfies all of the functional and assurance requirements defined in the Security Target for an EAL 4 augmented with ALC_FLR.3 evaluation. Therefore the validation team concludes that the SAIC Common Criteria Testing Laboratory (CCTL) findings are accurate and the conclusions justified.

2 Identification

The CCEVS is a joint National Security Agency (NSA) and National Institute of Standards and Technology (NIST) effort to establish commercial facilities to perform trusted product evaluations. Under this program, security evaluations are conducted by commercial testing laboratories called CCTLs or candidate CCTLs using the Common Evaluation Methodology (CEM) for EAL 1 through EAL 4 in accordance with National Voluntary Laboratory Accreditation Program (NVLAP) accreditation. The NIAP Validation Body assigns Validators to monitor the CCTLs and candidate CCTLs to ensure quality and consistency across evaluations. Developers of information technology products desiring a security evaluation contract with a CCTL and pay a fee for their product's evaluation; upon successful completion of the evaluation, the product is added to NIAP's Validated Products List.

Table 1 provides the information needed to completely identify the product, including:

• The Target of Evaluation (TOE): the fully qualified identifier of the product as evaluated;
• The Security Target (ST), describing the security features, claims, and assurances of the product;
• The conformance result of the evaluation;
• The organizations and individuals participating in the evaluation.
Table 1: Evaluation Identifiers

Evaluation Scheme: United States NIAP Common Criteria Evaluation and Validation Scheme

Target of Evaluation (each with security updates and patches as specified in the ST):
• Microsoft Windows Server 2003, Standard Edition (32-bit version); Service Pack (SP) 1
• Windows Server 2003, Standard x64 Edition
• Microsoft Windows Server 2003, Enterprise Edition (32-bit and IA-64 versions); SP 1
• Windows Server 2003, Enterprise x64 Edition
• Microsoft Windows Server 2003, Datacenter Edition (32-bit and 64-bit versions); SP 1
• Windows Server 2003, Datacenter x64 Edition
• Microsoft Windows XP Professional; SP 2
• Windows XP Professional x64 Edition

Security Target: Microsoft Windows 2003/XP Security Target, Version 2.0, 11 September 2006

Evaluation Technical Report: Evaluation Technical Report for Microsoft Windows 2003/XP, Version 2.0, 15 September 2006

Conformance Result: CC Part 2 extended, CC Part 3 augmented, EAL 4 augmented with ALC_FLR.3; compliant with the Controlled Access Protection Profile (CAPP), Version 1.d, National Security Agency, 8 October 1999

Sponsor: Microsoft Corporation, Corporate Headquarters, One Microsoft Way, Redmond, WA 98052-6399

Common Criteria Testing Lab (CCTL): Science Applications International Corporation, 7125 Columbia Gateway Drive, Suite 300, Columbia, MD 21046-2554

CCEVS Validator(s): Santosh Chokhani and Geoff Beier, Orion Security Solutions, 1489 Chain Bridge Road, Suite 300, McLean, Virginia 22101

3 TOE Security Services

The security services provided by the TOE are summarized below:

• Security Audit – Windows 2003/XP can collect audit data, review audit logs, protect audit logs from overflow, and restrict access to audit logs. Audit information generated by the system includes the date and time of the event, the user who caused the event to be generated, the computer where the event occurred, and other event-specific data. Authorized administrators can review audit logs.

• Identification and Authentication – Windows 2003/XP requires each user to be identified and authenticated (using a password or smart card) before performing any functions. An interactive user invokes a trusted path in order to protect his identification and authentication information. Windows 2003/XP maintains a database of accounts including their identities, authentication information, group associations, and privilege and logon rights associations. Windows 2003/XP includes a set of account policy functions that include the ability to define minimum password length, number of failed logon attempts, duration of lockout, and password age.

• Security Management – Windows 2003/XP includes a number of functions to manage policy implementation. Policy management is controlled through a combination of access control, membership in administrator groups, and privileges.
• User Data Protection – Windows 2003/XP protects user data by enforcing several access control policies (discretionary access control, and WEBUSER and web content provider access control), several information flow policies (IPSec filter information flow control and Connection Firewall), and object and subject residual information protection. Windows 2003/XP uses discretionary access control to allow or deny access to objects such as files, directory entries, printers, and web content, and uses information flow control to control the flow of IP traffic and packets. It authorizes access to these resource objects through security descriptors (sets of information identifying users and their specific access to resource objects), web permissions, IP filters, and port mapping rules. Windows 2003/XP also protects user data by ensuring that resources exported to user-mode processes do not carry any residual information.

• Cryptographic Protection – Windows 2003/XP provides additional protection of data through the use of data encryption mechanisms. These mechanisms allow only authorized users access to encrypted data.

• Protection of TOE Security Functions – Windows 2003/XP provides a number of features to ensure the protection of TOE security functions. It protects against unauthorized data disclosure and modification by using a suite of Internet standard protocols including Internet Protocol Security (IPsec) and the Internet Security Association and Key Management Protocol (ISAKMP). Windows 2003/XP ensures process isolation for all processes through private virtual address spaces, execution context, and security context. The data structures defining process address space, execution context, and security context are stored in protected kernel-mode memory. Additionally, on 64-bit hardware platforms the TOE Security Function (TSF) has the added ability to protect memory pages using hardware DEP. Hardware-enforced DEP marks all memory pages in a process as non-executable unless the page is explicitly declared as executable. It relies on the processor to let software mark memory pages as executable or non-executable; the hardware then enforces the non-executable constraint.

• Resource Utilization – Windows 2003/XP can limit the amount of disk space that can be used by an identified user or group on a specific disk volume. Each disk volume has a set of properties that can be changed only by a member of the administrator group. These properties allow an authorized administrator to enable quota management, specify quota thresholds, and select the actions taken when quotas are exceeded.

• Session Locking – Windows 2003/XP allows a user to lock their session immediately or after a defined interval. It constantly monitors the mouse and keyboard for activity and locks the workstation after a set period of inactivity. Windows 2003/XP also allows an authorized administrator to configure the system to display a logon banner before the logon dialogue.

4 Assumptions

4.1 Physical Security Assumptions

• The processing resources of the TOE will be located within controlled access facilities that will prevent unauthorized physical access.
• The TOE hardware and software critical to security policy enforcement will be protected from unauthorized physical modification.

4.2 Personnel Security Assumptions

• Authorized users possess the necessary authorization to access at least some of the information managed by the TOE and are expected to act in a cooperating manner in a benign environment.
• There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains.
• The system administrative personnel are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the administrator documentation.

4.3 Connectivity Assumptions

• All connections to peripheral devices reside within the controlled access facilities. The TOE only addresses security concerns related to the manipulation of the TOE through its authorized access points. Internal communication paths to access points such as terminals are assumed to be adequately protected.
• Any other systems with which the TOE communicates are assumed to be under the same management control and to operate under the same security policy constraints. The TOE is applicable to networked or distributed environments only if the entire network operates under the same constraints and resides within a single management domain. There are no security requirements that address the need to trust external systems or the communications links to such systems.

5 Architectural Information

The diagram below depicts the components and subcomponents of Windows 2003/XP that comprise the TOE. The components and subcomponents are large portions of the Windows 2003/XP OS, and generally fall along process boundaries and a few major subdivisions of the kernel-mode OS.

Figure 1: TOE Components

The system components are:

• Administrator Tools Module
  o Administrator Tools Component (aka GUI Component): This component represents the range of tools available to manage the security properties of the TSF.
• Certificate Services Module
  o Certificate Server Component: This component provides services related to issuing and managing public key certificates (e.g. X.509 certificates). However, no certificate server related security functions have been specified or evaluated in the TOE.
• Firewall Module
  o Windows Firewall Component: This component provides services related to information flow control.
• Hardware Module
  o Hardware Component: This component includes all hardware used by the TSF, including the processor(s), motherboard and associated chip sets, controllers, and I/O devices.
• Kernel Software Module
  o Executive Component: This is the kernel-mode software that provides core OS services, including memory management, process management, and inter-process communication. This component implements all the non-I/O TSF interfaces for kernel mode.
  o I/O System: This is the kernel-mode software that implements all I/O related services, as well as all driver-related services. The I/O System is further divided into:
    - I/O Core Component
    - I/O File Component
    - I/O Network Component
    - I/O Devices Component
• Miscellaneous OS Support Module
  o OS Support Component: This component is a set of processes that provide various other OS support functions and services.
• RPC and Network Support Module
  o Network Support Component: This component contains various support services for Remote Procedure Call (RPC), COM, and other network services.
• Security Module
  o Security Component: This component includes all security management services and functions.
• Services Module
  o Services Component: This component provides many system services as well as the service controller.
• Web Services Module
  o IIS Component: This component provides services related to web/HTTP requests.
• Win32 Module
  o Win32 Component: This component provides various support services for Win32 applications and the command console application.
• WinLogon Module
  o WinLogon Component: This component provides various interactive logon services, including interactive authentication, trusted path, session management and locking.
6 Documentation

The following is a list of the evaluation evidence, each item of which was issued by the developer (and sponsor):

ASE
• Microsoft Windows 2003/XP Security Target, Revision 2.0, 11 September 2006

ACM
• Windows 2003/XP with x64 Hardware Support Configuration Management (CM) Manual, Version 0.2, 12 July 2006

ADO
• Windows 2003/XP with x64 Hardware Support Delivery Procedures (ADO), Version 0.2, July 13, 2006
• Windows Server 2003 Security Configuration Guide, Version 2.0, 10 August 2006
• Windows XP Professional Security Configuration Guide, Version 2.0, 08/10/2006

ADV
• System Decomposition, Revision 7, 7 March 2006
• Informal TOE Security Policy Model Design Specification, Rev: 10, 03/02/2006
• Functional Specification Completeness Rationale, Rev: 5, 1/27/2005
• API Correspondence Rules, Rev 3, 2/18/2004
• Implementation Subset Representation:
  o Executive: Security Reference Monitor and Object Manager
  o Internet Information Server: Internet Information Services
  o IO Core: Mount Manager
  o IO Devices: IDE/ATAPI Port Driver and FIPS Crypto Driver
  o IO File: NPFS Driver and NT File System Driver
  o IO Network: TCP/IP Protocol Driver
  o Network Support: Domain Name Service
  o OS Support: Session Manager
  o Security: LSA Audit and Secondary Logon Service
  o Services: Service Controller
  o Win32: Client Server Runtime Process
  o Windows Firewall: Application Layer Gateway Service
  o WinLogon: WinLogon/GINA
• Component and Subcomponent Design Specification (see Appendix A of the ETR)

AGD
• Windows Server 2003 Evaluated Configuration Administrator's Guide, Version 2.0, 08/10/2006
• Windows XP Professional Evaluated Configuration Administrator's Guide, Version 2.0, 08/10/2006
• Windows XP Professional Evaluated Configuration User's Guide, Version 2.0, 06/02/2006

ALC
• Assurance Life Cycle (ALC) for Windows 2003/XP with x64 Hardware Support, Version 0.1, 11 January 2006

ATE
• Test Documents
  o ACL Test Suite, Rev 2.9, 08/04/2006
  o Admin Access Test Suite, Rev 1.5, 08/04/2006
  o Authentication Provider Test Suite, Rev 1.4, 08/02/2006
  o Certificate Server Test Suite, Rev 1.9, 08/3/2006
  o COM+ Test Suite, Rev 1.6, 08/04/2006
  o COM+ Event System Service Test Suite, Rev 1.3, 08/04/2006
  o Content Index Service Subcomponent Test Suite, Rev: 3, 6/03/2006
  o Data Execution Prevention Test Suite, Rev: 4, 4/25/2006
  o DCOM Test Suite, Rev 1.8, 06/08/2006
  o Devices Test Suite, Rev 1.4, 08/04/2006
  o Distributed Transaction Coordinator Subcomponent Test Suite, Rev: 2, 6/19/2006
  o DS Replication Test Suite, Rev 1.6, 09/30/2005
  o GDI Test Suite, Rev 1.8, 08/04/2006
  o Handle Enforcement Test Suite, Rev 2.10, 08/04/2006
  o Help and Support Subcomponent Test Suite, Rev: 3, 4/26/2006
  o HTTP Client Test Suite, Rev 1.6, 08/03/2006
  o IA32 Hardware Test Suite, Rev 1.5, 08/03/2006
  o IA64 Hardware Test Suite, Rev: 3, 5/02/2006
  o IMAPI Kernel Driver Subcomponent Test Suite, Rev: 3, 5/29/2006
  o Impersonation Test Suite, Rev 1.10, 08/04/2006
  o Indexing Service ISAPI Extension Subcomponent Test Suite, Rev: 5, 6/06/2006
  o Indexing Service Webhits Subcomponent Test Suite, Rev: 3, 6/07/2006
  o IPSEC Test Suite, Rev 2.4, 08/03/2006
  o KDC Test Suite, Rev 1.9, 08/04/2006
  o LDAP Test Suite, Rev 1.10, 08/04/2006
  o License Logging Service Subcomponent Test Suite, Rev: 6, 8/03/2006
  o MAPI Test Suite, Rev 1.4, 08/04/2006
  o Miscellaneous Test Suite, Rev 3.2, 08/04/2006
  o Net Support Test Suite, Rev: 3, 4/03/2006
  o Object Reuse Test Suite, Rev 1.4, 08/04/2006
  o Privilege Test Suite, Rev 2.7, 08/04/2006
  o RSoP Service Application Subcomponent Test Suite, Rev: 8, 6/22/2006
  o RPC Proxy Subcomponent Test Suite, Rev: 2, 5/30/2006
  o Server Driver Test Suite, Rev 0.8, 08/04/2006
  o Special Access Test Suite, Rev: 7, 6/01/2006
  o System Restore Service Subcomponent Test Suite, Rev: 7, 4/24/2006
  o Task Scheduler Engine Subcomponent Test Suite, Rev: 11, 5/26/2006
  o Test Plan, Rev: 8, 5/29/2006
  o Token Test Suite, Rev 1.8, 08/04/2006
  o UPnP Device Host Subcomponent Test Suite, Rev: 6, 5/30/2006
  o User Test Suite, Rev 1.13, 08/03/2006
  o Windows Error Reporting Service Subcomponent Test Suite, Rev: 3, 5/26/2006
  o Windows Firewall Test Suite, Rev 1.5, 08/01/2006
  o X64 Hardware Test Suite, Rev: 5, 5/01/2006
• GUI Tests
  o Active Directory Domains and Trusts GUI, Version 0.8, 09/26/05
  o Auditusr.exe GUI, Version 0.2, 09/09/2005
  o Backup and Restore GUI, Version 0.4, 03/22/2005
  o Certification Authority GUI, Version 1.2, 09/23/05
  o COM+ Apps Test Plan/Procedures, Rev. 1.0, 08/01/2005
  o Data Execution Prevention Test Suite, April 25, 2006, Revision 4
  o Date and Time GUI, Version 0.3, 09/26/2005
  o Device Manager GUI, Version 0.2, 09/09/2005
  o Disk Quota GUI, Version 0.2, 03/22/2005
  o Event Viewer GUI, Version 1.2, 09/03/05
  o Explorer GUI, Version 0.3, 09/21/2005
  o IIS Mgr Test Plan/Procedures, Rev. 1.0, 9/23/2005
  o Network ID GUI, Version 0.3, 09/12/2005
  o OU Delegation GUI, 06/06/2005
  o Printers GUI, Version 0.2, 09/22/2005
  o Registry Editor GUI, Version 0.2, 03/22/2005
  o Services GUI, Version 0.2, 03/22/2005
  o Session Locking GUI, Version 0.3, 09/26/2005
  o Share a Folder Wizard, Version 0.2, 09/08/2003
  o Users and Groups GUI, Version 0.8, 09/26/2005
  o WinLogon/GINA, Rev. 1.6, 09/22/2005
  o Security Policy GUI, v.1.7, 08/09/2005
• Test Code for each Test Suite
• Test Results as referenced by test cases

AVA
• Windows Server 2003/Windows XP for Misuse Analysis, Version 0.2, Junel 2, 2006
• Windows 2003/XP with x64 Hardware Support Strength of Function Analysis (AVA_SOF), Version 0.1, 11 January 2006
• Microsoft Windows Server 2003/XP Professional Vulnerability Analysis, Version 2.0, Draft Version 0.04, August 10, 2006

7 IT Product Testing

This section describes the testing efforts of the developer and the evaluation team.

7.1 Developer Testing

The developer tested the interfaces identified in the functional specification and mapped each test to the security function tested.
The scope of the developer tests included all TOE Security Functions and the entire TSF Interface (TSFI). Where testing was not possible, code analysis was used to verify the TSFI behavior. The evaluation team determined that the developer's actual test results matched the vendor's expected results. It should be noted that the TSFI testing was limited to testing the security checks at each interface; the TSFI input parameters were not exercised with erroneous or anomalous inputs.

7.2 Evaluation Team Independent Testing

The evaluation team ensured that the TOE performed as described in the design documentation and demonstrated that the TOE enforces the TOE security functional requirements. Specifically, the evaluation team ensured that the developer test documentation sufficiently addresses the security functions as described in the Security Target and the TSFI as described in the Functional Specification. The evaluation team ran a sample of the developer's test suite and devised an independent set of team tests. Because the evaluation team determined that the vendor's test suite was comprehensive, the independent set of team tests was limited. A total of twenty (20) team tests were devised, covering the following areas: Residual Information Protection, TSF Security Functions Management, TOE Security Banners, Session Locking, Identification and Authentication, TOE Access Restriction, and Access Control on Encrypted Files.

The evaluation team confirmed that the developer's vulnerability analysis was comprehensive in terms of examining the evaluation evidence and searching public-domain sources for vulnerabilities. The developer's vulnerability analysis also included examination of the Microsoft Knowledge Base, which is maintained on the basis of security flaws reported by Microsoft internal research, external consumers, and external security research and testing organizations. The evaluation team augmented the developer's vulnerability analysis by researching and analyzing the CVE list at http://www.cve.mitre.org for Windows 2003/XP vulnerabilities. The evaluation team also conducted twenty (20) penetration tests, in the following areas: cached logon, access to special accounts and resources, registry settings, erroneous IP packets, configuration settings, audit, obsolete TSFI, shatter attack, and invalid TSFI inputs.

8 Evaluated Configuration

The evaluated configuration identified in this section was also the test configuration. The evaluation results are valid for the realizable combinations of the hardware and software listed in this section. A homogeneous Windows system consisting of servers, domain controllers, and workstations built from the hardware and software listed here maintains its security rating when operated under the secure usage assumptions in Section 4 of this validation report, including the connectivity assumptions in Section 4.3.

TOE Hardware – The evaluation results are valid for the following hardware platforms, on which the TOE testing was also conducted.
Manufacturer | Model                          | Processor(s)                                                  | Memory
Dell         | Optiplex GX620                 | 3.0 GHz Intel Pentium D Processor 830 (1 CPU), 32-bit         | 2 GB
Dell         | PowerEdge SC1420               | 3.6 GHz Intel Xeon Processor (1 CPU), 32-bit                  | 2 GB
Dell         | PowerEdge 1800                 | 3.2 GHz Intel Xeon Processor (1 CPU), 32-bit                  | 2 GB
Dell         | PowerEdge 2850                 | 2.8 GHz Intel Xeon Processor (2 Dual-Core CPUs), 64-bit       | 4 GB
HP           | Proliant DL385                 | 2.6 GHz AMD Opteron Processor 252 (2 CPUs), 64-bit            | 2 GB
HP           | rx1620 Bundle Solution Server  | 1.3 GHz Intel Itanium Processor (1 CPU), 64-bit               | 2 GB
HP           | xw9300 Workstation             | 2.2 GHz AMD Opteron Processor 248 (1 CPU), 64-bit             | 2 GB
IBM          | eServer 326m                   | 2.0 GHz AMD Opteron Processor 270 (1 Dual-Core CPU), 64-bit   | 2 GB
IBM          | eServer 326m                   | 2.4 GHz AMD Opteron Processor 280 (2 Dual-Core CPUs), 64-bit  | 2 GB
Unisys       | RASCAL ES7000                  | 3.0 GHz Intel XeonMP EM64T Processor (32 CPUs), 64-bit        | 64 GB
GemPlus      | GemPC Twin USB smart card reader | used with smart cards                                       | n/a

TOE Software Identification – The evaluation results are valid for the following Windows operating systems when the security updates listed in this section are applied.
The TOE testing was conducted for these Operating Systems after applying the security updates listed in this section:
• Microsoft Windows Server 2003, Standard Edition (32-bit version); Service Pack (SP) 1
• Windows Server 2003, Standard x64 Edition
• Microsoft Windows Server 2003, Enterprise Edition (32-bit and IA 64-bit versions); SP 1
• Windows Server 2003, Enterprise x64 Edition
• Microsoft Windows Server 2003, Datacenter Edition (32-bit and 64-bit versions); SP 1
• Windows Server 2003, Datacenter x64 Edition
• Microsoft Windows XP, Professional; SP 2
• Windows XP Professional x64 Edition

The following security updates and patches must be applied to the above Server products except as noted:
• MS06-045: Vulnerability in Windows Explorer Could Allow Remote Code Execution (KB921398)
• MS06-042: Cumulative Security Update for Internet Explorer (KB918899)
• MS06-041: Vulnerability in DNS Resolution Could Allow Remote Code Execution (KB920683)
• MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (KB921883)
• MS06-036: Vulnerability in DHCP Client Service Could Allow Remote Code Execution (KB914388)
• MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (KB917159)
• MS06-030: Vulnerability in Server Message Block Could Allow Elevation of Privilege (KB914389)
• MS06-015: Vulnerability in Windows Explorer Could Allow Remote Code Execution (KB908531)
• An incorrect audit record may appear in the local security log when access is attempted to a named pipe: An associated Microsoft Security Bulletin for this issue is not available (KB922769) – 64-bit editions only
• Software Update for Base Smart Card Cryptographic Service Provider: An associated Microsoft Security Bulletin for this issue is not available (KB909520)
• MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (KB911927)
• MS06-001: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (KB912919)
• MS05-053: Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (KB896424)
• MS05-051: Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (KB902400)
• MS05-049: Vulnerabilities in Windows Shell Could Allow Remote Code Execution (KB900725)
• IPSec Policy Agent Update: An associated Microsoft Security Bulletin for this issue is not available (KB907865)
• MS05-042: Vulnerabilities in Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing (KB899587)
• MS05-027: Vulnerability in Server Message Block Could Allow Remote Code Execution (KB896422)

The following security updates must be applied to the above XP products:
• MS06-045: Vulnerability in Windows Explorer Could Allow Remote Code Execution (KB921398)
• MS06-042: Cumulative Security Update for Internet Explorer (KB918899)
• MS06-041: Vulnerability in DNS Resolution Could Allow Remote Code Execution (KB920683)
• MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (KB921883)
• MS06-036: Vulnerability in DHCP Client Service Could Allow Remote Code Execution (KB914388)
• MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (KB917159)
• MS06-030: Vulnerability in Server Message Block Could Allow Elevation of Privilege (KB914389)
• MS06-018: Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (KB913580)
• MS06-015: Vulnerability in Windows Explorer Could Allow Remote Code Execution (KB908531)
• An incorrect audit record may appear in the local security log when access is attempted to a named pipe: An associated Microsoft Security Bulletin for this issue is not available (KB922769) – x64 only
• Software Update for Base Smart Card Cryptographic Service Provider: An associated Microsoft Security Bulletin for this issue is not available (KB909520)
• MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (KB911927)
• MS06-001: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (KB912919)
• MS05-053: Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (KB896424)
• MS05-051: Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (KB902400)
• MS05-049: Vulnerabilities in Windows Shell Could Allow Remote Code Execution (KB900725)
• MS05-047: Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (KB905749)
• IPSec Policy Agent Update: An associated Microsoft Security Bulletin for this issue is not available (KB907865)
• MS05-043: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (KB896423)
• MS05-042: Vulnerabilities in Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing (KB899587)
• MS05-027: Vulnerability in Server Message Block Could Allow Remote Code Execution (KB896422)
• MS05-018: Vulnerability in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (KB890859) – x86 only
• MS05-011: Vulnerability in Server Message Block Could Allow Remote Code Execution (KB885250) – x86 only
• MS05-007: Vulnerability in Windows Could Allow Information Disclosure (KB888302) – x86 only
• MS04-044: Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (KB885835) – x86 only

9 Validator Comments

The TOE developer and sponsor, and the Evaluation Team are commended for their effort to develop tests for such a complex system. The Evaluation Team is commended for their painstaking efforts to validate the evaluated configuration during team testing.

The security functional testing activities were limited to verifying that the security checks at each TSFI are enforced. The TSFI input parameters were not exercised for erroneous and anomalous inputs during security functional testing or during penetration testing.
While no specific security functional requirements or TSFI are listed for the following components of the TOE, the TOE was not evaluated in these areas and is known not to comply with the applicable standards, which can cause security and interoperability problems:
• The Microsoft Cryptographic Applications Programming Interface (CAPI) does not perform X.509 certification path validation in accordance with applicable ISO and Internet standards.
• The Internet Information Server (IIS) Transport Layer Security (TLS) and Secure Socket Layer (SSL) implementations do not perform X.509 certification path validation for client authentication in accordance with applicable ISO and Internet standards.

10 Security Target

See Table 1 in this validation report.

11 List of Acronyms

ACM – Configuration Management (Assurance Class)
ADO – Delivery and Operations (Assurance Class)
ADV – TOE Development (Assurance Class)
AGD – Guidance Document (Assurance Class)
ALC – Life Cycle (Assurance Class)
API – Application Programming Interface
ASE – ST Evaluation (Assurance Class)
ATE – TOE Testing (Assurance Class)
AVA – Vulnerability Analysis (Assurance Class)
CAPI – Cryptographic API
CC – Common Criteria
CCEVS – Common Criteria Evaluation and Validation Scheme (US CC Validation Scheme)
CCIMB – Common Criteria Implementation Board
CCTL – Common Criteria Testing Laboratory
CEM – Common Evaluation Methodology
COM – Component Object Model
DEP – Data Execution Prevention
DHCP – Dynamic Host Control Protocol
DNS – Domain Name Service
EAL – Evaluation Assurance Level
ETR – Evaluation Technical Report
FIPS – Federal Information Processing Standard
FLR – Flaw Remediation
GUI – Graphic User Interface
HP – Hewlett Packard
I/O – Input/Output
IBM – International Business Machine
IIS – Internet Information Service
IPSEC – Internet Protocol Security
ISAKMP – Internet Security Association and Key Management Protocol
ISO – International Organization for Standards
IT – Information Technology
NIAP – National Information Assurance Partnership
NIST – National Institute of Standards and Technology
NSA – National Security Agency
NVLAP – National Voluntary Laboratory Assessment Program
OS – Operating System
RPC – Remote Procedure Call
SAIC – Science Application International Corporation
SSL – Secure Socket Layer
ST – Security Target
TLS – Transport Layer Security
TOE – Target Of Evaluation
TOP – Technical Oversight Panel
TSF – TOE Security Function
TSFI – TSF Interface
URL – Universal Resource Locator
VR – Validation Report

12 Bibliography

The validation team used the following documents to prepare the validation report.
[1] Common Criteria for Information Technology Security Evaluation – Part 1: Introduction and general model, dated January 2004, Version 2.2.
[2] Common Criteria for Information Technology Security Evaluation – Part 2: Security functional requirements, dated January 2004, Version 2.2.
[3] Common Criteria for Information Technology Security Evaluation – Part 2: Annexes, dated January 2004, Version 2.2.
[4] Common Criteria for Information Technology Security Evaluation – Part 3: Security assurance requirements, dated January 2004, Version 2.2.
[5] Common Evaluation Methodology for Information Technology Security – Part 1: Introduction and general model, dated January 2004, Version 2.2.
[6] Common Evaluation Methodology for Information Technology Security, dated January 2004, Version 2.2.
[7] Final Evaluation Technical Report for Windows 2003/XP Product, Version 2.0, 15 September, 2006.
[8] Microsoft Windows 2003/XP Security Target, V 2.0, 11 September, 2006.
[9] Common Criteria Evaluation and Validation Scheme for IT Security, Guidance to Validators of IT Security Evaluations. Scheme Publication # 3, Version 1.0, January 2002.
[10] Evaluation Team Test Plan for Microsoft Windows 2003/XP, Version 0.4, 15 September, 2006.

13 Interpretations

13.1 International Interpretations

The evaluation team performed an analysis of the international interpretations and identified those that are applicable and had an impact on the TOE evaluation.
The table summarizes the set of interpretations determined to have an impact on the evaluation and identifies the impact.

Impact on Security Target Requirement / Impact on ETR Work Unit | Interpretation Identification (ID)
New element added after ACM_CAP.3.3C | RI-3
ACM_SCP.1.1D and ACM_SCP.1.1C changed | RI-4
ASE_OBJ.1.2C and ASE_OBJ.1.3C changed (no work unit change indicated) | RI-43
ADO_IGS.1.1C and AVA_VLA.1.1 – 1.3C changed | RI-51
FMT_SMF.1 introduced | RI-65
ASE_REQ.1-20 work unit changed | RI-84
ASE_REQ.1.10C (ASE_REQ.1-16 work unit changed) | RI-85
FDP_ACF.1 changed | RI-103
FIA_USB.1 changed | RI-137
ADO_DEL.1-2 work unit deleted | RI-116
FAU_STG.1 changed | RI-141
FMT_REV.1 changed | RI-201
FAU_GEN.1 changed | RI-202
All portions of the CC and CEM should be considered "Normative" unless specifically denoted as "Informative". | RI-222

13.2 NIAP Interpretations

Neither the ST nor the vendor's evidence identified any National interpretations. As a result, since National interpretations are optional, the evaluation team did not consider any National interpretations as part of its evaluation.

13.3 Interpretations Validation

The Validation Team concluded that the Evaluation Team correctly addressed the interpretations that it identified.
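The Validator Comments in section 9 flag that CAPI and the IIS TLS/SSL client-authentication path do not perform X.509 certification path validation to the applicable ISO and Internet standards (the Internet standard is RFC 5280, RFC 3280 at the time of this report). What a conforming validator has to reject is easiest to see by running one. The following Go program is an added example, not part of this report, of the evaluated product, or of any Microsoft code: it builds a constructed root/intermediate/leaf hierarchy in memory and runs the leaf through Go's crypto/x509 path validation under several deliberately broken conditions (no trust anchor, an issuer certificate whose basicConstraints cA flag is FALSE even though leaf signatures verify against its key, a hostname absent from the SAN, an expired leaf, and an unsuitable extended key usage). The names "Demo Root CA", "Demo Intermediate CA" and "server.example" are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI is a constructed in-memory hierarchy (root -> intermediate -> leaf)
// for illustration only; nothing in it comes from the evaluated product.
type demoPKI struct {
	root, inter, interNotCA *x509.Certificate
	interKey                *ecdsa.PrivateKey
	now                     time.Time
	serial                  int64
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// sign issues tmpl for pub under parent, signed with signer, and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func caTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		SubjectKeyId: []byte{0xd0, byte(serial)},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

func newDemoPKI() *demoPKI {
	now := time.Now()
	rootKey, interKey := newKey(), newKey()
	rootTmpl := caTemplate(1, "Demo Root CA", now)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	interTmpl := caTemplate(2, "Demo Intermediate CA", now)
	inter := sign(interTmpl, root, &interKey.PublicKey, rootKey)
	// Same subject, key identifier and public key as inter, but cA=FALSE. Leaf
	// signatures still verify against this key, so only a validator that checks
	// basicConstraints (RFC 5280 section 6.1.4) refuses to chain through it.
	badTmpl := caTemplate(3, "Demo Intermediate CA", now)
	badTmpl.SubjectKeyId, badTmpl.IsCA = interTmpl.SubjectKeyId, false
	interNotCA := sign(badTmpl, root, &interKey.PublicKey, rootKey)
	return &demoPKI{root: root, inter: inter, interNotCA: interNotCA, interKey: interKey, now: now, serial: 100}
}

// leaf issues an end-entity certificate from the genuine intermediate.
func (p *demoPKI) leaf(dns string, notAfter time.Time, eku x509.ExtKeyUsage) *x509.Certificate {
	p.serial++
	key := newKey()
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(p.serial), Subject: pkix.Name{CommonName: dns}, DNSNames: []string{dns},
		NotBefore: p.now.Add(-2 * time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}, p.inter, &key.PublicKey, p.interKey)
}

// validate runs path validation as crypto/x509 implements it: signature chaining
// to a trust anchor, validity period, cA flag and key usage on each issuer,
// extended key usage, and the hostname against the SAN. On success it returns
// the length of the first accepted chain.
func (p *demoPKI) validate(leaf *x509.Certificate, host string, trustRoot bool, issuer *x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if trustRoot {
		roots.AddCert(p.root)
	}
	inters.AddCert(issuer)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host, CurrentTime: p.now})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// scenarios reports, per case, whether the leaf was accepted; only the first should be.
func scenarios() map[string]bool {
	p := newDemoPKI()
	ok := func(n int, err error) bool { return err == nil && n == 3 }
	good := p.leaf("server.example", p.now.Add(time.Hour), x509.ExtKeyUsageServerAuth)
	expired := p.leaf("server.example", p.now.Add(-time.Minute), x509.ExtKeyUsageServerAuth)
	clientOnly := p.leaf("server.example", p.now.Add(time.Hour), x509.ExtKeyUsageClientAuth)
	return map[string]bool{
		"valid chain":            ok(p.validate(good, "server.example", true, p.inter)),
		"root not trusted":       ok(p.validate(good, "server.example", false, p.inter)),
		"issuer lacks cA=TRUE":   ok(p.validate(good, "server.example", true, p.interNotCA)),
		"hostname not in SAN":    ok(p.validate(good, "other.example", true, p.inter)),
		"expired leaf":           ok(p.validate(expired, "server.example", true, p.inter)),
		"EKU is clientAuth only": ok(p.validate(clientOnly, "server.example", true, p.inter)),
	}
}

func main() {
	for name, accepted := range scenarios() {
		fmt.Printf("%-24s accepted=%v\n", name, accepted)
	}
}
```

The "issuer lacks cA=TRUE" case is the one that separates a signature check from path validation: the leaf's signature is mathematically valid under the presented issuer certificate, and only the basicConstraints rule stops an ordinary end-entity key from acting as a CA. Validation is pinned to a fixed CurrentTime so that the expiry case does not depend on when the program is run.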