Compliant Product - Microsoft Windows 7, Microsoft Windows Server 2008 R2
Certificate Date: 24 March 2011
Validation Report Number: CCEVS-VR-VID10390-2010
Product Type: Operating System
Conformance Claim: EAL4 Augmented with ALC_FLR.3
CC Testing Lab: SAIC Common Criteria Testing Laboratory
The Windows 7 and Windows Server 2008 R2 Target of Evaluation (TOE) is a general-purpose, distributed, network operating system (OS) that provides controlled access between subjects and user data objects. Windows 7 and Windows Server 2008 R2 have a broad set of security capabilities, including single network logon (using password or smart card); access control and data encryption; extensive security audit collection; a host-based firewall, native IPv6 and IPSec networking to control information flow, public key certificate services, standard-based security protocols such as Kerberos, Transport Layer Security (TLS)/Secure Sockets Layer (SSL), Digest, Internet Key Exchange (IKE)/IPSec, Light-weight Directory Access Protocol (LDAP) Directory-based resource management, web services, and validated FIPS-140 cryptography.
Windows 7 and Windows Server 2008 R2 provide the following security services: User Data Protection (by means of discretionary access control (DAC), integrity control, web content access control, web content publishing access control, IPSec information flow control, connection firewall information flow control), Cryptographic Support through full disk and volume encryption, Auditing, Identification and Authentication (I&A) (including trusted path/channel), Management of security features, Protection of the TOE Security Functions (TSF), Quotas for OS resources, and TOE access/session controls.
Windows 7 and Windows Server 2008 R2 security policies provide network-wide controlled access protection (access control for user data, WEBUSER and web content provider, IPSec information flow, connection firewall information flow), encrypted data/key protection, and encrypted file protection. These policies enforce access restrictions between individual users/groups and data objects, as well as incoming and outgoing network traffic through a physically separate part of the distributed TOE. The TOE is capable of auditing security relevant events that occur within a Windows 7 and Windows Server 2008 R2 network. All these security controls require users to identify themselves and be authenticated prior to using any node on the network.
The TOE has been evaluated for the following hardware configurations:
- Dell Optiplex 755, 3.0 GHz Intel Core 2 Duo E8400, 64-bit
- Dell PowerEdge SC1420, 3.6 GHz Intel Xeon Processor (1 CPU), 3264-bit
- Dell PowerEdge 2970, 1.7 GHz quad core AMD Opteron 2344 Processor (2 CPUs), 64-bit
- HP Proliant DL385 G5, 2.1 GHz quad core AMD Opteron 2352 Processor (2 CPUs), 64-bit
- HP Proliant DL385, 2.6 GHz AMD Opteron 252 Processor (2 CPUs), 64-bit
- HP Integrity rx1620, 1.3 Ghz Intel Itanium Processor (1 CPU), 64-bit (Itanium)
- Microsoft Hyper-V
- Microelectronics Trusted Platform Module [SMO1200]
- GemPlus GemPC Twin USB smart card reader
Windows 7 and Windows Server 2008 R2 are operating systems that supports both workstation and server installations. The evaluation includes six Windows 7 and Windows Server 2008 R2 editions:
- Microsoft Windows 7 Enterprise Edition (32-bit and 64-bit versions)
- Microsoft Windows 7 Ultimate Edition (32-bit and 64-bit versions)
- Microsoft Windows Server 2008 R2 Standard Edition
- Microsoft Windows Server 2008 R2 Enterprise Edition
- Microsoft Windows Server 2008 R2 Datacenter Edition
- Microsoft Windows Server 2008 R2 Itanium Edition.
In addition all critical security updates as of September 14, 2010 as well as the updates associated with security bulletins MS10-073 and MS10-085, and hotfix KB2492505.
Windows 7 is suited for business desktops and notebook computers; it is the workstation product, and while it can be used by itself, it is designed to serve as a client within Windows domains. Designed for the corporate IT environment, all editions of Windows Server 2008 R2 deliver intelligent file and printer sharing; secure connectivity based on Internet technologies, and centralized desktop policy management. Windows Server 2008 R2 Enterprise differs from Windows Server 2008 R2 Standard primarily in its support for high-performance server hardware for greater load handling. These capabilities improve reliability and scalability that helps ensure systems remain available. Windows Server 2008 R2 Datacenter provides the additional scalable and reliable foundations to support mission-critical solutions for databases, enterprise resource planning software, high-volume, real-time transaction processing, and server consolidation. Windows Server 2008 R2 Itanium provides support for the Intel Itanium processor family.
In terms of security, Windows 7 and Server 2008 R2 share the same security characteristics. The primary difference is that the Server 2008 Server R2 products include services and capabilities that are not part of Windows 7 (for example server roles for Active Directory, DNS Server, and DHCP Server). The additional services have a bearing on the security properties of the distributed operating system (e.g., by extending the set of available interfaces and proffered services) and as such are included within the scope of the evaluation.
Additional features that were not available in CC evaluations of previous Windows operating systems, but are included in this evaluation of Windows 7 and Windows Server 2008 R2 are:
- BitLocker to Go (BTG) - Windows 7 and Windows Server 2008 R2 extend the previous BitLocker capabilities with the ability to also encrypt removable USB storage devices (e.g., USB flash drives). The removable USB storage device content can be encrypted using either a password or credentials on a smart card. When a password is used, a version of the BitLocker To Go Reader application (that is capable of providing read access to the encrypted content when the appropriate credentials can be provided) is placed onto removable USB storage devices when configured to use this feature. While the content of a removable USB storage device can be read and written when using Windows 7 or Windows Server 2008 R2 (assuming appropriate credentials are available), the BitLocker Reader application provides a read-only dialog that allows content to be copied via the application, when provided the correct password, to the host operating system so that the decrypted file content can be accessed. Additionally, Group Policy can be used to configure USB storage devices to effectively require BitLocker To Go in order to write content on removable USB storage devices. Otherwise, such devices can be only used for read-only access.
- DirectAccess - Windows 7 and Windows Server 2008 R2 introduce DirectAccess. DirectAccess allows clients to securely access file shares, web sites, and applications without connection to a virtual private network (VPN). DirectAccess involves the establishment of bi-directional communication paths between applicable Windows operating systems when suitable network connectivity (e.g., to the Internet) exists. This feature is based on other features, primarily IPSec and IPv6.
- Network Access Protection (NAP) - While present in previous versions of Windows, the Network Access Protection (NAP) feature was not previously subjected to evaluation. This feature allows access to network resources to be controlled based on a computer’s identity and compliance with configurable governance policies. The NAP mechanism is capable of automatically bringing a client workstation or server into compliance with defined governance policies so that access is subsequently allowed. The NAP feature consists of a NAP agent running on NAP clients and a NAP health policy server running on a Windows 2008 R2 server, with the Network Policy Server (NPS) role. The NAP agents collect relevant health information for their host NAP client and provide it to the NAP health server when the client connects to a physical network. The NAP server uses NPS policies and settings to evaluate the health of NAP clients in order to determine whether to grant network access (full or restricted). When a NAP client does not conform to the configured settings and policies, either restricted network access will be allowed, or the NAP server and NAP agent can cooperate to remedy some identified problems in order to bring a NAP client into compliance so that its network access can be elevated. In the evaluated configuration, access to a network subsequent to NAP server approval can be enforced using the following mechanisms: IPsec, VPN, and DHCP.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The Common Criteria for Information Technology Security Evaluation, Version 3.1 revision 2 criteria are the criteria against which the Windows 7 and Windows Server 2008 R2 Target of Evaluation (TOE) was judged. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 revision 3. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 4 augmented with ALC_FLR.3. The product, when configured as identified in the Microsoft Windows Common Criteria Evaluation Document, version 6, December 3, 2010, satisfies all of the security functional requirements stated in the Windows 7 and Windows Server 2008 R2 Security Target (version 1.0). The project underwent three Validation Oversight Panel (VOR) panel reviews. The evaluation was completed in December 2010. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-10390-2010, dated 24 March 2011) prepared by CCEVS.
Windows 7 and Windows Server 2008 R2 support the following security functions:
- Security Audit: Windows 7 and Windows Server 2008 R2 have the ability to collect audit data, review audit logs, protect audit logs from overflow, and restrict access to audit logs. Audit information generated by Windows includes date and time of the event, the user who caused the event to be generated, and additional event specific data. Authorized administrators can review audit logs including the ability to search and sort audit records. Authorized Administrators can also configure the audit system to include or exclude potentially auditable events to be audited based on a wide range of characteristics.
- Identification and Authentication (I&A): Windows 7 and Windows Server 2008 R2 require each user to be identified and authenticated by using password or smartcard prior to performing any functions. An interactive user invokes a trusted path in order to protect their I&A information. Windows 7 and Windows Server 2008 R2 maintain databases of accounts including their identities, authentication information, group associations, and privilege and logon rights associations. Windows 7 and Windows Server 2008 R2 include a set of account policy functions that include the ability to define minimum password length, number of failed logon attempts, duration of lockout, and password age.
- Security Management: Windows 7 and Windows Server 2008 R2 include a number of functions to manage policy implementation. Policy management is controlled through a combination of access control, membership in administrator groups, and privileges.
- User Data Protection: Windows 7 and Windows Server 2008 R2 protect user data by enforcing several access control policies (Discretionary Access Control, Mandatory Integrity Control, Encrypting File System, WEBUSER and web content provider access control) and several information flow policies (IPSec filter information flow control, Connection Firewall); and, object and subject residual information protection. Windows 7 and Windows Server 2008 R2 use access control methods to allow or deny access to objects, such as files, directory entries, printers, and web content. Windows 7 and Windows Server 2008 R2 uses information flow control methods to control the flow of IP traffic and packets. It authorizes access to these resource objects through the use of security descriptors (which are sets of information identifying users and their specific access to resource objects), web permissions, IP filters, and port mapping rules. Windows 7 and Windows Server 2008 R2 also protect user data by ensuring that resources exported to user-mode processes do not have any residual information.
- Cryptographic Protection: Windows 7 and Windows Server 2008 R2 provide FIPS-140-2 validated cryptographic functions that support data encryption/decryption, cryptographic signature generation and validation, cryptographic hashing, cryptographic key agreement, and random number generation. The TOE additionally provides support for public keys, credential management and certificate validation functions and provides support for the National Security Agency’s Suite B crypto algorithms. Windows also provides extensive auditing support for the cryptographic subsystem, support for replaceable cryptographic suites, and a key isolation service designed to limit the potential exposure of secret and private keys. In addition to supporting its own security functions with cryptographic support, Windows offers access to the cryptographic support functions for user application programs.
- Protection of TOE Security Functions: Windows 7 and Windows Server 2008 R2 provide a number of features to ensure the protection of TOE security functions. Windows 7 and Windows Server 2008 R2 protects against unauthorized data disclosure and modification by using a suite of Internet standard protocols including IPSec and ISAKMP. Windows 7 and Windows Server 2008 R2 ensure process isolation security for all processes through private virtual address spaces, execution context and security context. The Windows 7 and Windows Server 2008 R2 data structures defining process address space, execution context, memory protection, and security context are stored in protected kernel-mode memory. The Windows 7 and Windows Server 2008 R2 BitLocker features can be used to protect fixed and removable USB storage volumes. The Windows 7 and Windows Server 2008 R2 Network Access Protection feature can be used to limit access to network resources depending on the measured “health” of clients based on, for example, security settings, installed applications, and the presence of specified updates. The Windows 7 and Windows Server 2008 R2 also include self-testing features that ensure the integrity executable TSF image and its cryptographic functions. Windows 7 and Windows Server 2008 R2 can be configured by an authorized administrator to display a logon banner before the user supplies the user name and password.
- Resource Utilization: Windows 7 and Windows Server 2008 R2 can limit the amount of disk space that can be used by an identified user or group on a specific disk volume. Each volume has a set of properties that can be changed only by a member of the machine’s administrator group. These properties allow an authorized administrator to enable quota management, specify quota thresholds, and select actions when quotas are exceeded.
- Session Locking: Windows 7 and Windows Server 2008 R2 provide the ability for a user to lock their interactive desktop session immediately or after a defined interval of inactivity. Windows constantly monitors the mouse and keyboard for activity and locks the workstation after a set period of inactivity.