{"product_id":10151,"v_id":10151,"product_name":"Microsoft Windows Server 2003 SP1 (x86) and x64 Edition, Standard, Enterprise, and Datacenter; Windows Server 2003 SP1 (IA64), Enterprise and Datacenter; Windows XP Professional SP2 (x86) and x64 Edition (for specific TOE software updates, patches, and hotfixes see Section 1 of Security Target) ","certification_status":"Not Certified","certification_date":"2006-09-18T00:09:00Z","tech_type":"Operating System","vendor_id":{"name":"Microsoft Corporation","website":"https://www.microsoft.com"},"vendor_poc":"Tim Myers","vendor_phone":null,"vendor_email":"timmyers@microsoft.com","assigned_lab":{"cctl_name":"Leidos Common Criteria Testing Laboratory"},"product_description":"

Windows 2003/XP is a preemptive multitasking, multiprocessor, and multi-user operating system. In general, operating systems provide users with a convenient interface to manage underlying hardware. They control the allocation and manage computing resources such as processors, memory, and Input/Output (I/O) devices. Windows 2003/XP expands these basic OS capabilities to controlling the allocation and managing higher level IT resources such as security principals like user or machine accounts, files, printing objects, services, window stations, desktops, cryptographic keys, network ports/traffics, directory objects, and web contents. Multi-user operating systems, such as Windows 2003/XP, keep track of which user is using which resource, grant resource requests, account for resource usage, and mediate conflicting requests from different programs and users.

\r\n

The TOE has been evaluated for the following hardware configurations:

\r\n\r\n

Windows 2003/XP is an operating system that supports both workstation and server installations. The TOE includes four product variants of Windows 2003/XP: XP Professional, Server 2003 Server, Server 2003 Enterprise Server, and Server 2003 Data Center. The server products contain Domain controller features including the Active Directory, Kerberos Key Distribution Center, and Internet Information Service (IIS6) for use within the distributed Windows configuration. The Active Directory is also used by the TOE users to store and retrieve information. The discretionary access control capability and data replication capabilities of the Active Directory Service have been evaluated as part of this evaluation. Although the following components do not deal with any Security Functional Requirements specified in the Security Target, these were included in the TOE and hence evaluated (i.e., all assurance requirements applied) to ensure they did not permit violations of the specific access control, information flow, or authentication policies of the TOE:  Certificate Server, File Replication, Directory Replication, DNS, DHCP, Distributed File System service, Removable Storage Manager, and Virtual Disk Service.

\r\n

The primary difference between the variants is the number of users and types of services they are intended to support.

\r\n

Windows 2003/XP Professional are suited for business desktops and notebook computers (note that only desktops are included in the evaluated configuration); it is the workstation product. Designed for departmental and standard workloads, Windows Server 2003 Standard Server delivers intelligent file and printer sharing; secure connectivity based on Internet technologies, and centralized desktop policy management. Windows Server 2003 Enterprise Server differs from Windows Server 2003 Standard Server primarily in its support for high-performance servers for greater load handling. These capabilities provide reliability that helps ensure systems remain available. Windows Server 2003 Datacenter provides the necessary scalable and reliable foundation to support mission-critical solutions for databases, enterprise resource planning software, high-volume, real-time transaction processing, and server consolidation.

\r\n

Windows 2003/XP provides an interactive user interface, as well as a network interface. The TOE includes a homogenous set of Windows 2003/XP systems that can be connected via their network interfaces and may be organized into domains. A domain is a logical collection of Windows 2003/XP systems that allows the administration and application of a common security policy and the use of a common accounts database. Windows 2003/XP supports single and multiple domain configurations. In a multi-domain configuration, the TOE supports implicit and explicit trust relationships between domains. Domains use established trust relationships to share account information and validate the rights and permissions of users. A user with one account in one domain can be granted access to resources on any server or workstation on the network. Domains can have one-way or two-way trust relationships. Each domain must include at least one designated server known as a Domain Controller (DC) to manage the domain. The TOE allows for multiple DCs that replicate TOE Data among themselves to provide for higher availability.

\r\n

Each Windows 2003/XP system, whether it is a DC server, non-DC server, or workstation, is part of the TOE and provides a subset of the TOE Security Functions (TSFs). The TSF for Windows 2003/XP can consist of the security functions from a single system (in the case of a stand-alone system) or the collection of security functions from an entire network of systems (in the case of domain configurations).

","evaluation_configuration":null,"security_evaluation_summary":"

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Windows 2003/XP TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 1.0. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 4 with the additional augmentation of the CC Flaw Remediation (ALC_FLR) family of assurance requirements. The product, when configured as specified in either the Windows Server 2003 Security Configuration Guide (version 2.0) or Windows XP Security Configuration Guide (version 2.0), satisfies all of the security functional requirements stated in the Windows 2003/XP Security Target (Version 2.0) and is conformant to the CAPP. Five validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in September 2006. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-06-0042, dated 18 September 2006) prepared by CCEVS. The guidance documentation can be downloaded from http://www.microsoft.com/downloads website.

","environmental_strengths":"

The logical boundaries of Windows 2003/XP can be characterized as the set of security functions available at its physical interfaces. Each of these security functions is summarized below.

\r\n\r\n","features":[]}