Validated Product - Microsoft Windows 2003 and Microsoft Windows XP
Certificate Date: 07 October 2005
Validation Report Number: CCEVS-VR-05-0131
Product Type: Operating System
Conformance Claim: EAL4 Augmented with ALC_FLR.3
PP Identifier: Controlled Access Protection Profile, Version 1.d
CC Testing Lab: SAIC Common Criteria Testing Laboratory

PRODUCT DESCRIPTION

Windows 2003/XP is a preemptive multitasking, multiprocessor, and multi-user operating system. In general, operating systems provide users with a convenient interface to manage underlying hardware. They control the allocation of, and manage, computing resources such as processors, memory, and Input/Output (I/O) devices. Windows 2003/XP expands these basic OS capabilities to controlling the allocation of, and managing, higher-level IT resources such as security principals (user or machine accounts), files, printing objects, services, window stations, desktops, cryptographic keys, network ports/traffic, directory objects, and web content. Multi-user operating systems, such as Windows 2003/XP, keep track of which user is using which resource, grant resource requests, account for resource usage, and mediate conflicting requests from different programs and users. The TOE has been evaluated for the following hardware configurations:
Windows 2003/XP is an operating system that supports both workstation and server installations. The TOE includes five product variants of Windows 2003/XP: XP Embedded, XP Professional, Server 2003 Standard Server, Server 2003 Enterprise Server, and Server 2003 Datacenter. The server products contain Domain Controller features, including the Active Directory, the Kerberos Key Distribution Center, and Internet Information Services (IIS6), for use within the distributed Windows configuration. The Active Directory is also used by TOE users to store and retrieve information. The discretionary access control and data replication capabilities of the Active Directory Service have been evaluated as part of this evaluation. Although the evaluation had no specific requirements addressing the function of the following services, all were evaluated to ensure they did not permit violations of the TOE's access control, information flow, or authentication policies: Certificate Server, File Replication, Directory Replication, DNS, DHCP, Distributed File System service, Removable Storage Manager, and Virtual Disk Service.

The XP Embedded product in the TOE provides the Enhanced Write Filter (EWF) feature, which allows the operating system to boot from a disk volume residing on read-only media such as flash media, a CD-ROM, or a write-protected hard drive. Otherwise, all variants include the same security features. The primary difference between the variants is the number of users and the types of services they are intended to support. Windows XP Professional is suited for business desktops and notebook computers (note that only desktops are included in the evaluated configuration); it is the workstation product. Designed for departmental and standard workloads, Windows Server 2003 Standard Server delivers intelligent file and printer sharing, secure connectivity based on Internet technologies, and centralized desktop policy management.
Windows Server 2003 Enterprise Server differs from Windows Server 2003 Standard Server primarily in its support for high-performance servers for greater load handling. These capabilities provide reliability that helps ensure systems remain available. Windows Server 2003 Datacenter provides the scalable and reliable foundation needed to support mission-critical solutions for databases, enterprise resource planning software, high-volume real-time transaction processing, and server consolidation. Windows XP Embedded is the embedded operating system that delivers the power of Windows in componentized form for rapidly building reliable and advanced embedded devices.

Windows 2003/XP provides an interactive user interface as well as a network interface. The TOE includes a homogeneous set of Windows 2003/XP systems that can be connected via their network interfaces and may be organized into domains. A domain is a logical collection of Windows 2003/XP systems that allows the administration and application of a common security policy and the use of a common accounts database. Windows 2003/XP supports single- and multiple-domain configurations. In a multi-domain configuration, the TOE supports implicit and explicit trust relationships between domains. Domains use established trust relationships to share account information and to validate the rights and permissions of users, so a user with an account in one domain can be granted access to resources on any server or workstation on the network. Domains can have one-way or two-way trust relationships. Each domain must include at least one designated server, known as a Domain Controller (DC), to manage the domain. The TOE allows for multiple DCs that replicate TOE data among themselves to provide higher availability. Each Windows 2003/XP system, whether it is a DC server, a non-DC server, or a workstation, is part of the TOE and provides a subset of the TOE Security Functions (TSFs).
The TSF for Windows 2003/XP can consist of the security functions of a single system (in the case of a stand-alone system) or the collection of security functions of an entire network of systems (in the case of domain configurations).

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Windows 2003/XP TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.2. The evaluation methodology used by the evaluation team is the Common Methodology for Information Technology Security Evaluation, Version 1.0. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 4, augmented with the CC Flaw Remediation (ALC_FLR) family of assurance requirements. The product, when configured as specified in either the Windows Server 2003 Security Configuration Guide (version 1.0) or the Windows XP Security Configuration Guide (version 1.0), satisfies all of the security functional requirements stated in the Windows 2003/XP Security Target (Version 1.0) and is conformant to the CAPP. Five validators, on behalf of the CCEVS Validation Body, monitored the evaluation carried out by SAIC. The evaluation was completed in October 2005. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-05-0131, dated 6 November 2005) prepared by CCEVS. The guidance documentation can be downloaded from http://www.microsoft.com/technet/security/prodtech/windowsxp/ccc/default.mspx.

ENVIRONMENTAL STRENGTHS

The logical boundaries of Windows 2003/XP can be characterized as the set of security functions available at its physical interfaces. Each of these security functions is summarized below.
Resource Utilization – Windows 2003/XP can limit the amount of disk space that can be used by an identified user or group on a specific disk volume. Each volume has a set of quota properties that can be changed only by a member of the administrators group. These properties allow an authorized administrator to enable quota management, specify quota thresholds, and select the actions taken when quotas are exceeded.

Session Locking – Windows 2003/XP provides the ability for a user to lock their session immediately or after a defined interval. It constantly monitors the mouse and keyboard for activity and locks the workstation after a set period of inactivity. Windows 2003/XP also allows an authorized administrator to configure the system to display a logon banner before the logon dialogue.
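As an added example (it is not part of the validation report and is not Microsoft's code), the PowerShell audit below reads the settings behind the two functions just described, so an administrator can confirm that an installed system actually has per-volume quotas, an inactivity lock that requires re-authentication, and a logon banner in place. It assumes an elevated session on a Windows host with WMI available; the Win32_QuotaSetting class and the registry locations used are the standard ones for these settings, and the mapping of the State property to Disabled/Tracked/Enforced follows that class's documentation.

```powershell
# Added audit example, not from the validation report or the configuration guides.
# Assumptions: elevated PowerShell session, WMI present, standard registry locations.

function Get-VolumeQuotaState {
    # Win32_QuotaSetting.State: 0 = disabled, 1 = tracked only, 2 = enforced.
    # Only "Enforced" actually limits a user's disk usage; "Tracked" just records it.
    $stateName = @{ 0 = 'Disabled'; 1 = 'Tracked'; 2 = 'Enforced' }
    Get-CimInstance -ClassName Win32_QuotaSetting | ForEach-Object {
        [pscustomobject]@{
            Volume               = $_.VolumePath
            QuotaState           = $stateName[[int]$_.State]
            DefaultLimitBytes    = $_.DefaultLimit
            DefaultWarningBytes  = $_.DefaultWarningLimit
            LogWhenLimitExceeded = $_.ExceededNotification
            LogWhenWarningHit    = $_.WarningExceededNotification
        }
    }
}

function Get-SessionLockSetting {
    # Policy-delivered values override the user's own Control Panel values,
    # so the policy key is consulted first.
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        'HKCU:\Control Panel\Desktop'
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($v -and $null -ne $v.ScreenSaveTimeOut) {
            $timeout = [int]$v.ScreenSaveTimeOut
            $active  = ($v.ScreenSaveActive -eq '1')
            $secure  = ($v.ScreenSaverIsSecure -eq '1')
            return [pscustomobject]@{
                Source         = $p
                ScreenSaverOn  = $active
                TimeoutSeconds = $timeout
                RequiresUnlock = $secure
                # A screen saver that never engages, or that does not demand the
                # password on resume, does not provide the session-locking function.
                EffectiveLock  = $active -and $secure -and ($timeout -gt 0)
            }
        }
    }
    return $null   # no timeout configured anywhere for this user
}

function Get-LogonBanner {
    # The pre-logon banner text and caption live under the machine policy key.
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Caption    = $v.legalnoticecaption
        Text       = $v.legalnoticetext
        Configured = -not [string]::IsNullOrWhiteSpace($v.legalnoticetext)
    }
}

Write-Host '== Disk quota state per volume =='
Get-VolumeQuotaState | Format-Table -AutoSize
Write-Host '== Session lock (current user) =='
Get-SessionLockSetting | Format-List
Write-Host '== Logon banner =='
Get-LogonBanner | Format-List
```

The session-lock check is deliberately conjunctive: a non-zero timeout alone is not enough, because the workstation is only protected when the screen saver is enabled and resuming it requires the user's credentials. A volume reporting Tracked rather than Enforced still lets a user exceed the threshold, which is why the quota state is reported by name rather than as the raw integer.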