National Information Assurance Partnership

Transcription

1 Natinal Infrmatin Assurance Partnership TM Cmmn Criteria Evaluatin and Validatin Scheme Validatin Reprt Micrsft Windws Server 2003, Micrsft Windws XP Prfessinal, and Micrsft Windws XP embedded Reprt Number: CCEVS-VR-VID Dated: February 07, 2008 Versin: 1.0 Natinal Institute f Standards and Technlgy Natinal Security Agency Infrmatin Technlgy Labratry Infrmatin Assurance Directrate 100 Bureau Drive 9600 Savage Rad Suite 6740 Gaithersburg, Maryland Frt Gerge G. Meade, MD i

2 Acknwledgements: The TOE evaluatin was spnsred by: Micrsft Crpratin Crprate Headquarters One Micrsft Way Redmnd, WA USA Evaluatin Persnnel: Science Applicatins Internatinal Crpratin (SAIC) Cmmn Criteria Testing Labratry 7125 Clumbia Gateway Drive, Suite 300 Clumbia, MD Shukrat Abbas Dawn Campbell Jean Petty Quang Trinh. Validatin Persnnel: Santsh Chkhani, Orin Security Slutins Sctt Shrter, Orin Security Slutins Shaun Gilmre, Natinal Security Agency ii

3 Table f Cntents 1 Executive Summary Identificatin TOE Security Services Assumptins Physical Security Assumptins Persnnel Security Assumptins Cnnectivity Assumptins Architectural Infrmatin Dcumentatin IT Prduct Testing Develper Testing Evaluatin Team Independent Testing Residual Vulnerability Evaluated Cnfiguratin Validatr Cmments Security Target List f Acrnyms Bibligraphy Interpretatins Internatinal Interpretatins NIAP Interpretatins Interpretatins Validatin iii

4 1 Executive Summary This reprt dcuments the Natinal Infrmatin Assurance Partnership (NIAP) assessment f the evaluatin f Micrsft Windws Server 2003, Micrsft Windws XP, and Micrsft Windws XP Embedded. It presents the evaluatin results, their justificatins, and the cnfrmance results. This Validatin Reprt is nt an endrsement f the Target f Evaluatin (TOE) by any agency f the U.S. Gvernment and n warranty f the TOE is either expressed r implied. The evaluatin f Micrsft Windws Server 2003, Micrsft Windws XP, and Micrsft Windws XP Embedded was perfrmed by the SAIC Cmmn Criteria Testing Labratry in the United States and was cmpleted during December The infrmatin in this reprt is largely derived frm the Security Target (ST), Evaluatin Technical Reprt (ETR) and assciated test reprt. The ST was written by SAIC. The ETR and test reprt used in develping this validatin reprt were written by SAIC. The evaluatin team determined the prduct t be Part 2 Extended and Part 3 augmented, and cncluded that the Cmmn Criteria requirements fr Evaluatin Assurance Level (EAL) 4 augmented with ALC_FLR.3 (Systematic Flaw Remediatin) have been met. Windws 2003/XP is an perating system that supprts bth wrkstatin and server installatins. The TOE includes furteen prduct variants f Windws 2003/XP: Micrsft Windws XP Prfessinal; Service Pack (SP) 2 Micrsft Windws XP Prfessinal x64; SP 2 Micrsft Windws XP Embedded, SP 2 Micrsft Windws Server 2003 Standard; SP 2 Micrsft Windws Server 2003 R2 Standard; SP 2 Micrsft Windws Server 2003 Standard x64; SP 2 Micrsft Windws Server 2003 R2 Standard x64; SP 2 Micrsft Windws Server 2003 Enterprise; SP 2 Micrsft Windws Server 2003 R2 Enterprise; SP 2 Micrsft Windws Server 2003 Enterprise x64; SP 2 Micrsft Windws Server 2003 R2 Enterprise x64; SP 2 Micrsft Windws Server 2003, Datacenter Editin x64; SP2 Micrsft Windws Server 2003 R2, Datacenter Editin x64; SP2 Micrsft Windws Server 2003 Enterprise Editin with SP2 fr Itanium-based Systems The server prducts additinally prvide Dmain Cntrller (DC) features including the Active Directry (AD) and Kerbers Key Distributin Center (KDC). The server prducts in the TOE als prvide Active Directry Federatin Services (ADFS), Windws Server Update Services (WSUS), cntent indexing and searching, RPC ver HTTP prxies, Simple Service Discvery Prtcl (SSDP) service, Distributed Transactin Crdinatr (DTC), Certificate Server, File Replicatin, Directry Replicatin, Dmain Name System (DNS), Dynamic Hst Cnfiguratin Prtcl (DHCP), Distributed File System (DFS) service, Remvable Strage Manager, and Virtual Disk Service. Active Directry is als used by the TOE users t stre and retrieve infrmatin. The discretinary access cntrl capability and data replicatin capabilities f the Active Directry Service have been evaluated as part f this evaluatin. Althugh the evaluatin had n specific requirements addressing the functin f the fllwing services, all were evaluated t ensure they did nt permit vilatins f the specific access cntrl, infrmatin flw, r authenticatin plicies 1

5 f the TOE: Certificate Server, File Replicatin, Directry Replicatin, DNS, DHCP, Distributed File System service, Remvable Strage Manager, and Virtual Disk Service. The reasn fr this current Windws evaluatin ver the previus Windws XP and Server 2003 evaluatin f September 2006 is the added functinality f WSUS, ADFS, cntent indexing and searching, Distributed Transactin Crdinatin (DTC), Simple Service Discvery Prtcl (SSDP) service fr Universal Plug and Play (UPnP), and RPC ver HTTP prxies t the evaluated cnfiguratin. The validatin team mnitred the activities f the evaluatin team, participated in Technical Oversight Panel (TOP) meetings, prvided guidance n technical issues and evaluatin prcesses, reviewed successive versins f the Security Target, reviewed selected evaluatin evidence, reviewed test plans, reviewed intermediate evaluatin results (i.e., the CEM wrk units), and reviewed successive versins f the ETR and test reprt. The validatin team determined that the evaluatin team shwed that the prduct satisfies all f the functinal and assurance requirements defined in the Security Target fr an EAL 4 augmented with ALC_FLR.3 evaluatin. Therefre the validatin team cncludes that the SAIC Cmmn Criteria Testing Labratries (CCTL) findings are accurate, and the cnclusins justified. 2 Identificatin The CCEVS is a jint Natinal Security Agency (NSA) and Natinal Institute f Standards and Technlgy (NIST) effrt t establish cmmercial facilities t perfrm trusted prduct evaluatins. Under this prgram, security evaluatins are cnducted by cmmercial testing labratries called Cmmn Criteria Testing Labratries (CCTLs) r candidate CCTLs using the Cmmn Evaluatin Methdlgy (CEM) fr EAL 1 thrugh EAL 4 in accrdance with Natinal Vluntary Labratry Assessment Prgram (NVLAP) accreditatin. The NIAP Validatin Bdy assigns Validatrs t mnitr the CCTLs and candidate CCTLs t ensure quality and cnsistency acrss evaluatins. Develpers f infrmatin technlgy prducts desiring a security evaluatin cntract with a CCTL and pay a fee fr their prduct evaluatins. Table 1 prvides infrmatin needed t cmpletely identify the prduct, including: The Target f Evaluatin (TOE): the fully qualified identifier f the prduct as evaluated; The Security Target (ST), describing the security features, claims, and assurances f the prduct; The cnfrmance result f the evaluatin; The rganizatins and individuals participating in the evaluatin. Table 1: Evaluatin Identifiers Item Evaluatin Scheme Target f Evaluatin Identifier United States NIAP Cmmn Criteria Evaluatin and Validatin Scheme Micrsft Windws Server 2003, Standard Editin (32-bit versin); Service Pack (SP) 2 with security updates and patches as specified in the ST Windws Server 2003, Standard x64 Editin; SP 2 with security 2

6 Item Security Target Evaluatin Technical Reprt Cnfrmance Result Spnsr Identifier updates and patches as specified in the ST Micrsft Windws Server 2003, R2 Standard Editin (32-bit versin); SP 2 with security updates and patches as specified in the ST Micrsft Windws Server 2003, R2 Standard x64 Editin; SP 2 with security updates and patches as specified in the ST Micrsft Windws Server 2003, Enterprise Editin (32-bit and 64- bit versins); SP 2 with security updates and patches as specified in the ST Micrsft Windws Server 2003, Enterprise x64 Editin; SP 2 with security updates and patches as specified in the ST Micrsft Windws Server 2003, R2 Enterprise Editin (32-bit and 64-bit versins); SP 2 with security updates and patches as specified in the ST Micrsft Windws Server 2003, R2 Enterprise x64 Editin; SP 2 with security updates and patches as specified in the ST Micrsft Windws Server 2003, Datacenter x64 Editin; SP 2 with security updates and patches as specified in the ST Micrsft Windws Server 2003, R2 Datacenter x64 Editin; SP 2 with security updates and patches as specified in the ST Micrsft Windws Server 2003 Enterprise Editin with SP2 fr Itanium-based Systems Micrsft Windws XP, Prfessinal; SP 2 with security updates and patches as specified in the ST Micrsft Windws XP Prfessinal x64 Editin; SP 2 with security updates and patches as specified in the ST Micrsft Windws XP Embedded; SP 2 with security updates and patches as specified in the ST Micrsft Windws Server 2003, XP Prfessinal and XP Embedded Security Target, Versin 3.0, Nvember 19, 2007 Micrsft Windws 2003/XP and XP Embedded Delta evaluatin, Versin 0.4, December 03, CC Part 2 Extended, CC Part 3 augmented, EAL 4 augmented with ALC_FLR.3 Cmpliant with Cntrl Access Prtectin Prfile (CAPP), Versin 1.d, Natinal Security Agency, 8 Octber 1999 Micrsft Crpratin Crprate Headquarters One Micrsft Way Redmnd, WA

7 Item Cmmn Criteria Testing Lab (CCTL) Identifier Science Applicatins Internatinal Crpratin 7125 Clumbia Gateway Drive, Suite 300 Clumbia, MD CCEVS Validatr(s) Santsh Chkhani Shaun Gilmre Sctt Shrter 3 TOE Security Services The security services prvided by the TOE are summarized belw: Security Audit Windws 2003/XP has the ability t cllect audit data, review audit lgs, prtect audit lgs frm verflw, and restrict access t audit lgs. Audit infrmatin generated by the system includes date and time f the event, user wh caused the event t be generated, cmputer where the event ccurred, and ther event specific data. Authrized administratrs can review audit lgs. In additin t audit data, the Windws Server Update Services creates extensive lgging infrmatin. This infrmatin is stred and prtected in the TOE filesystem. Identificatin and Authenticatin Windws 2003/XP requires each user t be identified and authenticated (using passwrd r smart card) prir t perfrming any functins. An interactive user invkes a trusted path in rder t prtect his I&A infrmatin. Windws 2003/XP maintains a database f accunts including their identities, authenticatin infrmatin, grup assciatins, and privilege and lgn rights assciatins. Windws 2003/XP includes a set f accunt plicy functins that include the ability t define minimum passwrd length, number f failed lgn attempts, duratin f lckut, and passwrd age. Security Management Windws 2003/XP includes a number f functins t manage plicy implementatin. Plicy management is cntrlled thrugh a cmbinatin f access cntrl, membership in administratr grups, and privileges. User Data Prtectin Windws 2003/XP prtects user data by enfrcing several access cntrl plicies (DAC, WEBUSER, web cntent prvider access cntrl, and Indexing Service access cntrl) and several infrmatin flw plicies (IPSec filter infrmatin flw cntrl, Cnnectin Firewall, UPnP filtering, and RPC ver HTTP); and, bject and subject residual infrmatin prtectin. Windws 2003/XP uses access cntrl methds t allw r deny access t bjects, such as files, directry entries, printers, and web cntent. Windws 2003/XP uses infrmatin flw cntrl methds t cntrl the flw f IP traffic, UPnP traffic, and RPC ver HTTP traffic. It authrizes access t these resurces thrugh the use f security descriptrs (which are sets f infrmatin identifying users and their specific access t resurces), web permissins, IP filters, and prt mapping rules. Windws 2003/XP als prtects user data by ensuring that resurces prvided t user-mde prcesses d nt have any residual infrmatin. 4

8 Cryptgraphic Prtectin - Windws 2003/XP prvides additinal prtectin f data thrugh the use f data encryptin mechanisms. These mechanisms nly allw authrized users t decrypt encrypted data. Prtectin f TOE Security Functins Windws 2003/XP prvides a number f features t ensure the prtectin f TOE security functins. Windws 2003/XP prtects against unauthrized data disclsure and mdificatin by using a suite f Internet standard prtcls including IPSec and ISAKMP. The XP prtin f the TSF prvides the ability t restre previusly archived TSF data. Windws 2003/XP prvides a Windws Server Update Services that allws authrized administratrs the ability t manage sftware updates and cntrl the prpagatin f updates t individual machines f the TOE. Windws 2003/XP ensures TOE self-prtectin and prcess islatin fr all prcesses thrugh private virtual address spaces, executin cntext and security cntext. The Windws 2003/XP data structures defining prcess address space, executin cntext, memry prtectin, and security cntext are stred in prtected kernel-mde memry. Resurce Utilizatin Windws 2003/XP can limit the amunt f disk space that can be used by an identified user r grup n a specific disk vlume. Each vlume has a set f prperties that can be changed nly by a member f the administratr grup. These prperties allw an authrized administratr t enable quta management, specify quta threshlds, and select actins when qutas are exceeded. TOE Access Windws 2003/XP prvides the ability fr a user t lck their sessin immediately r after a defined interval. It cnstantly mnitrs the muse and keybard fr activity and lcks the wrkstatin after a set perid f inactivity. Windws 2003/XP allws an authrized administratr t cnfigure the system t display a lgn banner befre the lgn dialgue. 4 Assumptins 4.1 Physical Security Assumptins The prcessing resurces f the TOE will be lcated within cntrlled access facilities that will prevent unauthrized physical access. The TOE hardware and sftware critical t security plicy enfrcement will be prtected frm unauthrized physical mdificatin. 4.2 Persnnel Security Assumptins Authrized users pssess the necessary authrizatin t access at least sme f the infrmatin managed by the TOE and are expected t act in a cperating manner in a benign envirnment. There will be ne r mre cmpetent individuals assigned t manage the TOE and the security f the infrmatin it cntains. The system administrative persnnel are nt careless, willfully negligent, r hstile, and will fllw and abide by the instructins prvided by the administratr dcumentatin. 4.3 Cnnectivity Assumptins All cnnectins t peripheral devices reside within the cntrlled access facilities. The TOE nly addresses security cncerns related t the manipulatin f the TOE thrugh its authrized access pints. Internal cmmunicatin paths t access pints such as terminals are assumed t be adequately prtected. Any ther systems with which the TOE cmmunicates are assumed t be under the same management cntrl and perate under the same security plicy cnstraints. The TOE is 5

9 applicable t netwrked r distributed envirnments nly if the entire netwrk perates under the same cnstraints and resides within a single management dmain. There are n security requirements that address the need t trust external systems r the cmmunicatins links t such systems. 5 Architectural Infrmatin The diagram belw depicts cmpnents and subcmpnents f Windws 2003/XP that cmprise the TOE. The cmpnents/subcmpnents are large prtins f the Windws 2003/XP OS, and generally fall alng prcess bundaries and a few majr subdivisins f the kernel mde OS. The system cmpnents are: Administratr Tls Mdule Figure 1: TOE Cmpnents Administratr Tls Cmpnent (aka GUI Cmpnent): This cmpnent represents the range f tls available t manage the security prperties f the TSF. Certificate Services Mdule Certificate Server Cmpnent: This cmpnent prvides services related t issuing and managing public key certificates (e.g. X.509 certificates). Hwever, n certificate server related security functins have been specified r evaluated in the TOE. Embedded Mdule Firewall Mdule Embedded Cmpnent: This cmpnent prvides a variety f applicatins that facilitate the OS functining in devices that require an embedded OS. Windws Firewall Cmpnent: This cmpnent prvides services related t infrmatin flw cntrl. 6

10 Hardware Mdule Hardware Cmpnent: This cmpnent includes all hardware used by the TSF t include the prcessr(s), mtherbard and assciated chip sets, cntrllers, and I/O devices. Kernel Sftware Mdule Executive Cmpnent: This is the kernel-mde sftware that prvides cre OS services t include memry management, prcess management, and interprcess cmmunicatin. This cmpnent implements all the nn-i/o TSF interfaces fr the kernel-mde. I/O System: This is the kernel-mde sftware that implements all I/O related services, as well as all driver-related services. The I/O System is further divided int: I/O Cre Cmpnent I/O File Cmpnent I/O Netwrk Cmpnent I/O Devices Cmpnent Miscellaneus OS Supprt Mdule OS Supprt Cmpnent: This cmpnent is a set f prcesses that prvide varius ther OS supprt functins and services RPC and Netwrk Supprt Mdule Security Mdule Services Mdule Netwrk Supprt Cmpnent: This cmpnent cntains varius supprt services fr Remte Prcedure Call (RPC), COM, and ther netwrk services. Security Cmpnent: This cmpnent includes all security management services and functins. Services Cmpnent: This is the cmpnent that prvides many system services as well as the service cntrller. Web Services Mdule Win32 Mdule WinLgn Mdule IIS Cmpnent: This cmpnent prvides services related t web/http requests. Win32 Cmpnent: This cmpnent prvides varius supprt services fr Win32 applicatins and the cmmand cnsle applicatin. WinLgn Cmpnent: This cmpnent prvides varius interactive lgn services t include interactive authenticatin, trusted path, sessin management and lcking. 6 Dcumentatin Fllwing is a list f the evaluatin evidence, each f which was issued by the develper (and spnsr): 7

11 Assurance Class Dcument Title ASE ACM Micrsft Windws Server 2003, XP Prfessinal and XP Embedded Security Target Versin 3.0, Nvember 19, 2007 Windws Server 2003 SP2 and Windws XP SP2 With ADFS and WSUS Cnfiguratin Management Manual, Versin 0.2, May 23, 2007 ADO Windws Server 2003 SP2 and Windws XP SP2 with ADFS and WSUS Delivery Prcedures, Versin 0.1, July 27, Windws Server 2003 with SP2 Security Cnfiguratin Guide, Versin 3.0, May 22, 2007 Windws XP Prfessinal with SP2 Security Cnfiguratin Guide, Versin 3.0, May 22,

12 Assurance Class Dcument Title ADV System Decmpsitin, Rev: 2, 11/09/2006 Infrmal TOE Security Plicy Mdel Design Specificatin, Rev: 4 03/05/2007 Functinal Specificatin Cmpleteness Ratinale, Rev: 5, 1/27/2005 API Crrespndence Rules, Rev 3, 2/18/2004 Implementatin Subset Representatin: Embedded: Enhanced Write Filter Driver Executive: Security Reference Mnitr, Prcess Manager and Object Manager Internet Infrmatin Server: Internet Infrmatin Services, Indexing Service Webhits, ADFS Web Agent ISAPI Extensin, IO Cre: Munt Manager IO Devices: Driver IDE/ATAPI Prt Driver and FIPS Crypt IO File: NPFS Driver and NT File System Driver IO Netwrk TCP/IP Prtcl Driver, Distributed File System Filter Driver, Netwrk Supprt: Dmain Name Service OS Supprt: Sessin Manager, Smart Card Resurce Manager, Distributed File System Replicatin Service, License Lgging Service Security: LSA Audit and Secndary Lgn Service, Windws Update AutUpdate Engine Services: Service Cntrller, Windws Update AutUpdate Engine, Win32: Client Server Runtime Prcess Windws Firewall Applicatin Layer Gateway Service WinLgn: WinLgn/GINA Cmpnent and Subcmpnent Design Specificatin (see Appendix A f Nn-Prp ETR) 9

13 Assurance Class Dcument Title AGD Windws Server 2003 with SP2 Evaluated Cnfiguratin Administratr s Guide, Versin 3.0, May 21, 2007 Windws XP Prfessinal with SP2 Evaluated Cnfiguratin Administratr s Guide, Versin 3.0, May 21, 2007 Windws XP Prfessinal with SP2 Evaluated Cnfiguratin User s Guide, Versin 3.0, February 26, 2007 ALC Windws Server 2003 SP2 and Windws XP SP2 With ADFS and WSUS Assurance Lifecycle, Versin 0.1 July 27, 2006 Windws Server 2003 SP2 and Windws XP SP2 With ADFS and WSUS Cnfiguratin Management Manual, Versin 0.1, July 27, 2006 ATE Test Dcuments ACL Test Suite, Rev 2.9, 08/04/2006 ADFS Security Package Subcmpnent Test Suite, Rev 1, 9/6/2006 ADFS Web Agent Authenticatin Service Subcmpnent Test Suite, Rev 1, 1/25/2007 ADFS Web Agent ISAPI Extensin Subcmpnent Test Suite, Rev 1.0, 11/13/2006 Admin Access Test Suite, Rev 1.5, 08/04/2006 ASP.NET ISAPI Filter Subcmpnent Test Suite, Rev 2, 10/10/2006 Authenticatin Prvider Test Suite, Rev 1.4, 08/02/2006 Backgrund Intelligent Transfer Service Subcmpnent Test Suite, Rev 2, 1/26/2007 BITS Server Extensins ISAPI Subcmpnent Test Suite, Rev 2, 1/26/2007 Certificate Server Test Suite, Rev 1.9, 08/3/2006 COM+ Test Suite, Rev 1.6, 08/04/2006 COM+ Event System Service Test Suite, Rev 1.3, 08/04/2006 Cntent Index Service Subcmpnent Test Suite, Rev: 3, 6/03/2006 Data Executin Preventin Test Suite, Rev: 4, 4/25/2006 DCOM Test Suite, Rev 1.8, 06/08/2006 Devices Test Suite, Rev 1.4, 08/04/2006 Distributed File System Filter Driver Subcmpnent Test Suite, Rev 1, 11/22/2006 Distributed File System Replicatin Service Subcmpnent Test Suite, Rev 3, 1/25/2007 Distributed Transactin Crdinatr Subcmpnent Test Suite, Rev: 2, 6/19/2006 DS Replicatin Test Suite, Rev 1.6, 09/30/2005 Federatin Server and ADFS Identity Authenticatin Subcmpnent Test Suite, Rev 18, 5/10/2007 GDI Test Suite, Rev 1.8, 08/04/2006 Handle Enfrcement Test Suite, Rev 2.10, 08/04/2006 Help and Supprt Subcmpnent Test Suite, Rev: 3, 4/26/2006 HTTP Client Test Suite, Rev 1.6, 08/03/2006 IA32 Hardware Test Suite, Rev 1.5, 08/03/2006 IA64 Hardware Test Suite, Rev: 3, 5/02/2006 IMAPI Kernel Driver Subcmpnent Test Suite, Rev: 3, 5/29/

14 Assurance Class Dcument Title Impersnatin Test Suite, Rev 1.10, 08/04/2006 Indexing Service ISAPI Extensin Subcmpnent Test Suite, Rev: 5, 6/06/2006 Indexing Service Webhits Subcmpnent Test Suite, Rev: 3, 6/07/2006 IPSEC Test Suite, Rev 2.4, 08/03/2006 KDC Test Suite, Rev 1.9, 08/04/2006 LDAP Test Suite, Rev 1.10, 08/04/2006 License Lgging Service Subcmpnent Test Suite, Rev: 6, 8/03/2006 Managed Cde Single Sign On Library Subcmpnent Test Suite, Rev 3, 3/2/2007 Managed Cde SSO Claim Transfrms Subcmpnent Library Test Suite, Rev 99, 8/31/2006 MAPI Test Suite, Rev 1.4, 08/04/2006 Miscellaneus Test Suite, Rev 3.2, 08/04/2006 Net Supprt Test Suite, Rev: 3, 4/03/2006 Object Reuse Test Suite, Rev 1.4, 08/04/2006 ODBC HTTP Server Extensin Subcmpnent Test Suite, Rev 2, 4/04/2007 Privilege Test Suite, Rev 2.7, 08/04/2006 RSP Service Applicatin Subcmpnent Test Suite, Rev: 8, 6/22/2006 RPC Prxy Subcmpnent Test Suite, Rev: 4, 5/22/2007 Server Driver Test Suite, Rev 0.8, 08/04/2006 Simple Targeting Authrizatin Web Service Subcmpnent Test Suite, Rev 1, 12/12/2006 Special Access Test Suite, Rev: 7, 6/01/2006 System Restre Service Subcmpnent Test Suite, Rev: 7, 4/24/2006 Task Scheduler Engine Subcmpnent Test Suite Rev: 11, 5/26/2006 Test Plan, Rev: 8, 5/29/2006 Tken Test Suite, Rev 1.8, 08/04/2006 UPnP Device Hst Subcmpnent Test Suite, Rev: 6, 5/30/2006 User Test Suite, Rev 1.13, 08/03/2006 Windws Errr Reprting Service Subcmpnent Test Suite, Rev: 3, 5/26/2006 Windws Firewall Test Suite, Rev 1.5, 08/01/2006 Windws Update AutUpdate Engine Subcmpnent Test Suite, Rev 1, 11/8/2006 Windws Update AutUpdate Service Subcmpnent Test Suite, Rev 1, 11/8/2006 (manual test) WSUS Catalg Sync Agent Subcmpnent Test Suite, Rev 1, 2/21/2007 WSUS Client Web Service Subcmpnent Test Suite, Rev 1, 1/24/2007 WSUS Cntent Sync Agent Subcmpnent Test Suite, Rev 3, 2/21/2007 WSUS Reprting Web Service Subcmpnent Test Suite, Rev 1, 12/12/2006 WSUS Server Sync Web Service Test Suite, Rev 5, 11/13/

15 Assurance Class Dcument Title X64 Hardware Test Suite, Rev: 5, 5/01/2006 GUI Tests Active Directry Dmains and Trusts GUI, Versin 0.8, 09/26/05 AT.exe Cmmand GUI, Versin 0.2, 5/10/2007 Auditusr.exe GUI, Versin 0.2, 09/09/2005 Autmatic Updates (WSUS Client), Versin 0.3, 4/09/2207 Backup and Restre GUI, Versin 0.4, 03/22/2005 Certificatin Authrity GUI, Versin 1.2, 09/23/05 COM+ Apps Test Plan/Prcedures, Rev. 1.0, 08/01/2005 Data Executin Preventin Test Suite, April 25, 2006, Revisin 4 Date and Time GUI, Versin 0.3, 09/26/2005 Device Manager GUI, Versin 0.2, 09/09/2005 Disk Quta GUI, Versin 0.2, 03/22/2005 Event Viewer GUI, Versin 1.2, 09/03/05 Explrer GUI, Versin 0.3, 09/21/2005 IIS Mgr Test Plan/Prcedures", Rev. 1.0, 9/23/2005 Indexing Service, Versin 0.2, 5/09/07 Netwrk ID GUI, Versin 0.3, 09/12/2005 OU Delegatin GUI, 06/06/2005 Printers GUI, Versin 0.2, 09/22/2005 Registry Editr GUI, Versin 0.2, 03/22/2005 Resultant Set f Plicy and Resultant Set f Plicy Prvider, Versin 0.1, 9/19/2006 Services GUI, Versin 0.2, 03/22/2005 Sessin Lcking GUI, Versin 0.3, 09/26/2005 Share a Flder Wizard, Versin 0.2, 09/08/2003 Users and Grups GUI, Versin 0.8, 09/26/2005 WinLgn/GINA, Rev. 1.6, 09/22/2005 Scheduled Tasks, Versin 0.3, 5/10/2007 Security Plicy GUI, v.1.7, 08/09/2005 System Restre, Versin 0.1, 10/10/2006 Task Scheduler (Schtasks.exe), Versin 0.2, 5/10/2007 WSUS, Versin 0.3, 4/09/2007 Test Cde fr each Test Suite Test Results as referenced by test cases AVA Windws Server 2003 SP2 and Windws XP SP2 with ADFS and WSUS Misuse Analysis, Versin 0.2, January 26, 2007 Windws Server 2003 SP2 and Windws XP SP2 with ADFS and WSUS Strength f Functin Analysis, Versin 0.2, December 19, 2006 Micrsft Windws Server 2003 with SP2/XP Prfessinal with SP2 Vulnerability Analysis Versin 3.0, Draft Versin 0.04, May 11, IT Prduct Testing This sectin describes the testing effrts f the develper and the evaluatin team. 12

16 7.1 Develper Testing The develper tested the interfaces identified in the functinal specificatin and mapped each test t the security functin tested. The scpe f the develper tests included all TOE Security Functins and the entire TSF Interface (TSFI). Where testing was nt pssible, cde analysis was used t verify the TSFI behavir. The evaluatin team determined that the develper s actual test results matched the vendr s expected results. It shuld be nted that the TSFI testing was limited t testing security checks fr the interface. The TSFI input parameters were nt exercised fr errneus and anmalus inputs. 7.2 Evaluatin Team Independent Testing The evaluatin team ensured that the TOE perfrmed as described in the design dcumentatin and demnstrated that the TOE enfrces the TOE security functinal requirements. Specifically, the evaluatin team ensured that the develper test dcumentatin sufficiently addresses the security functins as described in the security target and the TSFI as described in the Functinal Specificatin. The evaluatin team perfrmed a sample f the develper s test suite and devised an independent set f team tests. The evaluatin team determined that the vendr's test suite was cmprehensive. Thus the independent set f team tests was limited. The team tests were devised t fcus n the added functinality in this delta evaluatin, building n the team testing perfrmed in Nvember 2005 and September 2006 evaluatins. A ttal f six (6) team tests were devised and cvered the fllwing areas: TSF Security Functins Management, Security Audit, User Data Prtectin, and TSF Prtectin. The evaluatin team cnfirmed that the develper's vulnerability analysis was cmprehensive in terms f examining the evaluatin evidence and search fr vulnerabilities frm public dmain surces. The develper's vulnerability analysis als included examinatin f Micrsft Knwledge base maintained based n the security flaws reprted frm Micrsft internal research, external cnsumers, and external security research and testing rganizatins. The evaluatin team augmented the develper's vulnerability analysis by researching and analyzing the fllwing pen surces fr Windws 2003/XP vulnerabilities: CVE frm Web Site. The evaluatin team als cnducted five (5) penetratin tests. The penetratin tests fall in the fllwing areas: ADFS, WSUS, access authenticatin credential, and extensive vulnerability search f the public dmain. The penetratin tests were fcused n the main services evaluated in this delta evaluatin. 7.3 Residual Vulnerability The intent f the TOE design is t accept WSUS updates signed by a cde signing authrity frm a trusted publisher r a cde signer rted in ne f the tw Micrsft Rts. Hwever, due t a bug in the implementatin, a WSUS update signed by any cde signer wh terminates int any ne f the many trusted rt certificatin authrities installed in the TOE is accepted, thus increasing the ptential ppulatin f persns wh can prvide a Windws Update and making the TOE vulnerable t unauthrized updates. This threat is significantly mitigated by the fact that WSUS updates and related metadata (including the hash f the updates) n the varius Servers and targets are cntrlled by administrative DAC and the updates and related metadata (including the hash f the updates) are prtected by SSL during transit. 13

17 8 Evaluated Cnfiguratin The evaluated cnfiguratin identified in this sectin was als the test cnfiguratin. The evaluatin results are valid fr the varius realizable cmbinatins f cnfiguratins f hardware and sftware listed in this sectin. A hmgeneus Windws system cnsisting f varius Servers, Dmain Cntrllers, and Wrkstatins using the varius hardware and sftware listed in this sectin maintains its security rating when perated using the secure usage assumptins listed in Sectin 4 f this validatin reprt, including the cnnectivity assumptins listed in Sectin 4.3 f this validatin reprt. TOE Hardware The evaluatin results are valid fr the fllwing hardware platfrms. The TOE testing was als cnducted n these platfrms. Manufacturer Mdel Prcessr(s) Memry Dell Optiplex GX GHz Intel Pentium D Prcessr 830 (1 CPU), 32-bit 2GB Dell PwerEdge SC GHz Intel Xen Prcessr (1 CPU), 32-bit 1GB Dell PwerEdge SC GHz Intel Xen Prcessr (1 CPU), 32-bit 2GB Dell PwerEdge GHz Intel Xen Prcessr (1 CPU), 32-bit 2GB Dell PwerEdge GHz Intel Xen Prcessr (2 Dual-Cre CPUs), 64-bit 4GB HP Prliant DL GHz AMD Optern Prcessr 252 (2 CPUs), 64-bit 2GB HP rx1620 Bundle Slutin Server 1.3 GHz Intel Itanium Prcessr (1 CPU), 64-bit 2GB HP xw9300 Wrkstatin 2.2 GHz AMD Optern Prcessr 248 (1 CPU), 64-bit 2GB IBM IBM eserver 326m eserver 326m 2.0 GHz AMD Optern Prcessr 270 (1 Dual-Cre CPU), 64-bit 2.4 GHz AMD Optern Prcessr 280 (2 Dual-Cre CPUs), 64-bit Unisys RASCAL ES GHz Intel XenMP EM64T Prcessr (32 CPUs), 64-bit 64GB GemPlus GemPC Twin USB smart cards TOE Sftware Identificatin The evaluatin results are valid fr the fllwing Windws Operating Systems when security updates listed in this sectin are applied. The TOE testing was cnducted fr these Operating Systems after applying the security updates listed in this sectin: Micrsft Windws XP Prfessinal; Service Pack (SP) 2 Micrsft Windws XP Prfessinal x64; SP 2 Micrsft Windws XP Embedded, SP 2 Micrsft Windws Server 2003 Standard; SP 2 Micrsft Windws Server 2003 R2 Standard; SP 2 Micrsft Windws Server 2003 Standard x64; SP 2 Micrsft Windws Server 2003 R2 Standard x64; SP 2 Micrsft Windws Server 2003 Enterprise; SP 2 Micrsft Windws Server 2003 R2 Enterprise; SP 2 Micrsft Windws Server 2003 Enterprise x64; SP 2 2GB 2GB 14

18 Micrsft Windws Server 2003 R2 Enterprise x64; SP 2 Micrsft Windws Server 2003, Datacenter Editin x64; SP2 Micrsft Windws Server 2003 R2, Datacenter Editin x64; SP2 Micrsft Windws Server 2003 Enterprise Editin with SP2 fr Itanium-based Systems The fllwing security updates and patches must be applied t the abve Windws Server 2003 prducts: MS07-029: Vulnerability in Windws DNS RPC Interface Culd Allw Remte Cde Executin (KB935966) MS07-022: Vulnerability in Windws Kernel Culd Allw Elevatin f Privilege (KB931784) x86 nly MS07-021: Vulnerabilities in CSRSS Culd Allw Remte Cde Executin (KB930178) MS07-017: Vulnerabilities in GDI Culd Allw Remte Cde Executin (KB925902) Sftware Update fr Base Smart Card Cryptgraphic Service Prvider: An assciated Micrsft Security Bulletin fr this issue is nt available (KB909520) The fllwing security updates must be applied t the abve XP prducts: The fllwing apply t all XP prducts: MS07-021: Vulnerabilities in CSRSS Culd Allw Remte Cde Executin (KB930178) MS07-017: Vulnerabilities in GDI Culd Allw Remte Cde Executin (KB925902) Sftware Update fr Base Smart Card Cryptgraphic Service Prvider: An assciated Micrsft Security Bulletin fr this issue is nt available (KB909520). The fllwing updates are necessary fr XP prfessinal 32-bit nly: MS07-022: Vulnerability in Windws Kernel Culd Allw Elevatin f Privilege (KB931784) MS07-006: Vulnerability in Windws Shell Culd Allw Elevatin f Privilege (KB928255) MS06-075: Vulnerability in Windws Culd Allw Elevatin f Privilege (KB926255) MS06-070: Vulnerability in Wrkstatin Service Culd Allw Remte Cde Executin (KB924270) MS06-065: Vulnerability in Windws Object Packager Culd Allw Remte Executin (KB924496) MS06-064: Vulnerabilities in TCP/IP IPv6 Culd Allw Denial f Service (KB922819) MS06-063: Vulnerability in Server Service Culd Allw Denial f Service (KB923414) MS06-061: Vulnerabilities in Micrsft XML Cre Services Culd Allw Remte Cde Executin (KB924191) MS06-057: Vulnerability in Windws Explrer Culd Allw Remte Executin (KB923191) MS06-056: Vulnerability in ASP.NET 2.0 Culd Allw Infrmatin Disclsure (KB922770) Update fr Windws XP (KB922582) - This update reslve an issue identified in Filter Manager that can prevent yu frm installing updates frm Windws update. 15

19 Update fr Windws XP (KB910437) - This update reslve an issue in which Windws Update and Autmatic Updates can n lnger dwnlad updates after an Access Vilatin errr ccurs when using the Autmatic Updates service MS06-053: Vulnerability in Indexing Service Culd Allw Crss-Site Scripting (KB920685) MS06-045: Vulnerability in Windws Explrer Culd Allw Remte Cde Executin (KB921398) MS06-042: Cumulative Security Update fr Internet Explrer (KB918899) MS06-041: Vulnerability in DNS Reslutin Culd Allw Remte Cde Executin (KB920683) MS06-040: Vulnerability in Server Service Culd Allw Remte Cde Executin (KB921883) MS06-036: Vulnerability in DHCP Client Service Culd Allw Remte Cde Executin (KB914388) MS06-035: Vulnerability in Server Service Culd Allw Remte Cde Executin (KB917159) MS06-030: Vulnerability in Server Message Blck Culd Allw Elevatin f Privilege (KB914389) MS06-018: Vulnerability in Micrsft Distributed Transactin Crdinatr Culd Allw Denial f Service (KB913580) MS06-015: Vulnerability in Windws Explrer Culd Allw Remte Cde Executin (KB908531) MS06-008: Vulnerability in Web Client Service Culd Allw Remte Cde Executin (KB911927) MS06-001: Vulnerability in Graphics Rendering Engine Culd Allw Remte Cde Executin (KB912919) MS05-053: Vulnerabilities in Graphics Rendering Engine Culd Allw Cde Executin (KB896424) MS05-051: Vulnerabilities in MSDTC and COM+ Culd Allw Remte Cde Executin (KB902400) MS05-049: Vulnerabilities in Windws Shell Culd Allw Remte Cde Executin (KB900725) MS05-047: Vulnerability in Plug and Play Culd Allw Remte Cde Executin and Lcal Elevatin f Privilege (KB905749) IPSec Plicy Agent Update: An assciated Micrsft Security Bulletin fr this issue is nt available.( KB907865) MS05-043: Vulnerability in Print Spler Service Culd Allw Remte Cde Executin (KB896423) MS05-042: Vulnerabilities in Kerbers Culd Allw Denial f Service, Infrmatin Disclsure, and Spfing (KB899587) MS05-027: Vulnerability in Server Message Blck Culd Allw Remte Cde Executin (KB896422) MS05-018: Vulnerability in Windws Kernel Culd Allw Elevatin f Privilege and Denial f Service (KB890859) 16

20 MS05-011: Vulnerability in Server Message Blck Culd Allw Remte Cde Executin (KB885250) MS05-007: Vulnerability in Windws Culd Allw Infrmatin Disclsure (KB888302) MS04-044: Vulnerabilities in Windws Kernel and LSASS Culd Allw Elevatin f Privilege (KB885835) 9 Validatr Cmments The TOE develper and spnsr, and the Evaluatin Team are cmmended fr their effrt t develp tests fr such a cmplex system. The Evaluatin Team is cmmended fr their painstaking effrts t validate the evaluated cnfiguratin during team testing. The security functinal testing activities were limited t verifying that the security checks at each TSFI are enfrced. The TSFI input parameters were nt exercised fr errneus and anmalus inputs during security functinal testing r during penetratin testing. While n specific security functinal requirements r TSFI are listed fr the fllwing cmpnents f the TOE, the TOE was nt evaluated in the fllwing areas and is knwn t be nt cmpliant with applicable standards and hence can cause security and interperability prblems: The Micrsft Cryptgraphic Applicatins Prgramming Interface (CAPI) des nt perfrm X.509 certificatin path validatin in accrdance with applicable ISO and Internet standards. The Internet Infrmatin Server (IIS) Transprt Layer Security (TLS) and Secure Scket Layer (SSL) d nt perfrm X.509 certificatin path validatin fr client authenticatin in accrdance with applicable ISO and Internet standards Cnsumer shuld lk at the Develper s vulnerability analysis fr residual vulnerabilities when the TOE is cnnected t the Internet. The value f WSUS in the evaluated cnfiguratin is limited. Only the updates explicitly listed in the ST can be distributed with WSUS. 10 Security Target See Table 1 in this validatin reprt. 17