Professional Documents
Culture Documents
TM
Validation Report
Microsoft Cor por ation, Cor por ate Headquar ter s, One
Microsoft Way, Redmond, WA 98052-6399
Microsoft Windows Vista and Windows Ser ver 2008
Report Number:
Dated:
Version:
CCEVS-VR-VID10291-2009
15 August 2009
1.0
ACKNOWLEDGEMENTS
Validation Team
James Donndelinger
Aerospace Corporation
Columbia, MD
Shaun Gilmore
National Security Agency
Ft. Meade, MD
ii
Table of Contents
1
2
3
iii
1 Executive Summar y
This report documents the assessment of the National Information Assurance Partnership
(NIAP) validation team of the evaluation of Microsoft Windows Vista and Windows
Server 2008. It presents the evaluation results, their justifications, and the conformance
results. This Validation Report is not an endorsement of the Target of Evaluation by any
agency of the U.S. government, and no warranty is either expressed or implied.
The evaluation was performed by the Science Applications International Corporation
(SAIC) Common Criteria Testing Laboratory (CCTL) in Columbia, Maryland, United
States of America, as well as evaluators from the National Security Agency (NSA) and was
completed in August 2009. The information in this report is largely derived from the
Evaluation Technical Report (ETR) and associated test reports, written in part by SAIC and
in part by NSA. The evaluation determined that the product is both Common Criteria
Part 2 Extended and Part 3 Conformant, and meets the assurance requirements of EAL
4 augmented with ALC_FLR.3, AVA_VLA.3.
The Target of Evaluation (TOE) is Windows Vista and Windows Server 2008 provided by
Microsoft, Corp. Windows Vista and Windows Server 2008 are preemptive multitasking,
multiprocessor, and multi-user operating systems. In general, operating systems provide
users with a convenient interface to manage underlying hardware. They control the
allocation and manage computing resources such as processors, memory, and Input/Output
(I/O) devices. Windows Vista and Windows Server 2008 expand these basic operating
system capabilities to controlling the allocation and managing higher level IT resources
including security principals (user and machine accounts), files, printing objects, services,
windowstation, desktops, cryptographic keys, network ports/traffics, directory objects, and
web content. Multi-user operating systems such as Windows Vista and Windows Server
2008, keep track of which user is using which resource, grant resource requests, account for
resource usage, and mediate conflicting requests from different programs and users.
The Target of Evaluation (TOE) identified in this Validation Report has been evaluated in
part at a NIAP approved Common Criteria Testing Laboratory using the Common
Methodology for IT Security Evaluation (Version 2.3) and in part by NSA for conformance
to the Common Criteria for IT Security Evaluation (Version 2.3). This Validation Report
applies only to the specific version of the TOE as evaluated. The evaluation has been
conducted in accordance with the provisions of the NIAP Common Criteria Evaluation and
Validation Scheme and NSA and the conclusions of the testing laboratory in the evaluation
technical report are consistent with the evidence provided.
The validation team monitored the activities of the evaluation team, observed evaluation
testing activities, provided guidance on technical issues and evaluation processes, and
reviewed the individual work units and successive versions of the ETR. The validation
team found that the evaluation showed that the product satisfies all of the functional
requirements and assurance requirements stated in the Security Target (ST). Therefore the
validation team concludes that the testing laboratorys findings are accurate, the
conclusions justified, and the conformance results are correct. The conclusions of the
testing laboratory in the evaluation technical report are consistent with the evidence
produced.
1
Based upon the work of the SAIC evaluation team and NSA evaluation team, the CCEVS
concluded that the Common Criteria requirements for Evaluation Assurance Level (EAL 4)
augmented with ALC_FLR.3 have been met.
The technical information included in this report was obtained from the Windows Vista and
Windows Server 2008 Security Target and analysis performed by the Validation Team.
2 Identification
The CCEVS is a joint National Security Agency (NSA) and National Institute of Standards
effort to establish commercial facilities to perform trusted product evaluations. Under this
program, security evaluations are conducted by commercial testing laboratories called
Common Criteria Testing Laboratories (CCTLs) using the Common Evaluation
Methodology (CEM) for Evaluation Assurance Level (EAL) 1 through 4 in accordance
with National Voluntary Laboratory Assessment Program (NVLAP) accreditation.
The NIAP Validation Body assigns Validators to monitor the CCTLs to ensure quality and
consistency across evaluations. Developers of information technology products desiring a
security evaluation contract with a CCTL and pay a fee for their products evaluation.
Upon successful completion of the evaluation, the product is added to NIAPs Validated
Products List.
Table 1 provides information needed to completely identify the product, including:
The Target of Evaluation (TOE): the fully qualified identifier of the product as
evaluated.
The Security Target (ST), describing the security features, claims, and assurances of the
product.
Item
Identifier
Evaluation Scheme
TOE:
Protection Profile
ST:
Windows Vista and Windows Server 2008 Security Target, Version 1.0, July 24,
2009
Evaluation Technical
Report
Evaluation Technical Report For Windows Vista and Windows Server 2008
(Proprietary), Version 2.0, August 3, 2009
CC Version
Conformance Result
Item
Identifier
Sponsor
Microsoft Corporation
Developer
Microsoft Corporation
Common Criteria
Testing Lab (CCTL)
SAIC, Columbia, MD
CCEVS Validators
user switching). The features identified and described in this section are included in the
TOE and as such are within the scope of the evaluation.
The following table summarizes the TOE configurations included in the evaluation.
Single Processor
Multiple
Processor
Stand-alone
Domain Member
Domain
Controller
Variations as a
Domain Element
Total Variations
Windows
Vista
Enterprise
(32 bit and 64
bit)
X
X
Windows
Server 2008
Standard (64
bit)
Windows
Server 2008
Enterprise (64
bit)
Windows
Server 2008
Datacenter
X
X
X
X
N/A
X
X
X
N/A
X
X
N/A
X
X
X
X
X
X
Display Monitor,
Keyboard,
Mouse,
CD-ROM Drive
Printer,
Audio Adaptor,
The TOE does not include any physical network components between network adaptors of
a connection. The ST assumes that any network connections, equipment, and cables are
appropriately protected in the TOE security environment.
Security Audit
Security management
Cryptographic protection
Resource Utilization
Session Locking
interactive user invokes a trusted path in order to protect his I&A information. Windows
Vista and Windows Server 2008 maintain databases of accounts including their identities,
authentication information, group associations, and privilege and logon rights associations.
Windows Vista and Windows Server 2008 include a set of account policy functions that
include the ability to define minimum password length, number of failed logon attempts,
duration of lockout, and password age.
4 Assumptions
The following assumptions were made during the evaluation of Windows Vista and
Windows Server 2008:
All connections to peripheral devices reside within the controlled access facilities.
The TOE only addresses security concerns related to the manipulation of the TOE
through its authorized access points. Internal communication paths to access points
such as terminals are assumed to be adequately protected.
Any other systems with which the TOE communicates are assumed to be under the
same management control and operate under the same security policy constraints.
The TOE is applicable to networked or distributed environments only if the entire
network operates under the same constraints and resides within a single
management domain. There are no security requirements that address the need to
trust external systems or the communications links to such systems.
Authorized users possess the necessary authorization to access at least some of the
information managed by the TOE and are expected to act in a cooperating manner
in a benign environment.
There will be one or more competent individuals assigned to manage the TOE and
the security of the information it contains.
The system administrative personnel are not careless, willfully negligent, or hostile,
and will follow and abide by the instructions provided by the administrator
documentation.
The processing resources of the TOE will be located within controlled access
facilities that will prevent unauthorized physical access.
The TOE hardware and software critical to security policy enforcement will be
protected from unauthorized physical modification.
5 Documentation
The following documentation was used as evidence for the evaluation of the Windows
Vista and Windows Server 2008:
5.6 Testing
1. Microsoft Windows Common Criteria Evaluation Test Plan, Rev: 14,
7/29/2009
2. 64 Bit Kernel Debug Support Test Suite, Rev: 1, 11/30/2007
3. Access Control (ACL) Test Suite, Rev: 5, 07/19/2009
4. ACPI Driver Test Suite,, Rev: 3, 02/09/2009
5. Administrator Access Test Suite, Rev: 22, 07/19/2009
6. Advanced Local Process Communication Test Suite, Rev: 4, 06/25/2009
7. Application Compatibility Support Test Suite, Rev: 5, 06/13/2009
8. Application Experience Lookup Service Test Suite, Rev: 2, 05/12/2008
9. Application Information Service Test Suite, Rev: 3, 04/23/2009
10. Authentication Provider Test Suite, Rev: 1.3, 05/27/2009
11. Background Intelligent Transfer Service Test Suite, Rev: 11, 07/04/2009
12. Base Filtering Engine Service Test Suite, Rev: 2, 04/09/2009
13. Bits Server ISAPI Extensions Test Suite, Rev: 2, 04/29/2009
14. Bowser Driver Test Suite, Rev: 1, 06/23/2009
15. (OS) Certificate Server Test Suite, Rev 2.0, 06/04/2009
16. Client Side Caching Driver Test Suite, Rev: 4, 06/30/2009
17. COM+ Test Suite, Rev: 4, 07/06/2009
18. COM+ Event System Service Test Suite, Rev: 2.1, 07/03/2009
8
10
6 IT Pr oduct Testing
This section describes the testing efforts of the developer and the Evaluation Team. It is
derived from information contained in the Evaluation Team Test Report for the Windows
Vista and Windows Server 2008, Version 1.0, July 31, 2009.
11
software listed in this section maintains its security rating when operated using the secure
usage assumptions listed in Section 4 of this validation report.
TOE Software Identification The following Windows Operating Systems (OS):
The following security updates and patches must be applied to the above Vista products:
All security updates as of 9 June 2009, excluding the Service Pack 2 update.
The following security updates must be applied to the above Windows Server 2008
products:
All security updates as of 9 June 2009, excluding the Service Pack 2 update.
TOE Hardware Identification The following hardware platforms are included in the
evaluated configuration:
Dell Optiplex 755, 3.0 GHz Intel Core 2 Duo E8400, 64-bit
Dell PowerEdge SC1420, 3.6 GHz Intel Xeon Processor (1 CPU), 32-bit
Dell PowerEdge 1800, 3.2 GHz Intel Xeon Processor (1 CPU), 32-bit
Dell PowerEdge 2970, 1.7 GHz quad core AMD Opteron 2344 Processor (2 CPUs),
64-bit
HP Proliant DL385 G5, 2.1 GHz quad core AMD Opteron 2352 Processor (2
CPUs), 64-bit
HP Proliant DL385, 2.6 GHz AMD Opteron 252 Processor (2 CPUs), 64-bit
Unisys ES7000 Model 7600R, 2.6 GHz Intel Xeon (6-core) (8 CPUs), 64-bit
To use the product in the evaluated configuration, the product must be configured as
specified in the Microsoft Windows Common Criteria Evaluation Document, version 6,
July 29, 2009.
Vista and Windows Server 2008 TOE to be Part 2 extended, and to meet the Part 3
Evaluation Assurance Level (EAL 4) augmented with ALC_FLR.3 requirements.
The following evaluation results are extracted from the non-proprietary Evaluation
Technical Report provided by the CCTL as well as input from the NSA evaluators, and are
augmented with the validators observations thereof.
13
8.6 Evaluation of the Test Documentation and the Test Activity (ATE)
The evaluation team applied the coverage and independent testing CEM work units.
Specifically, the evaluation team ensured that the vendor test documentation sufficiently
addresses the security functions as described in the functional specification. The evaluation
team re-ran the entire vendor test suite,, and devised an independent set of team tests.
The validator reviewed the work of the evaluation team, and found that sufficient evidence
and justification was provided by the evaluation team to confirm that the evaluation was
conducted in accordance with the requirements of the CEM, and that the conclusion
reached by the evaluation team was justified.
9 Validator Comments/Recommendations
The Evaluation Team is commended for their testing activities of such a complex system,
and their efforts to validate the evaluated configuration during team testing.
The validators of this evaluation want to make it clear to those deploying these products in
their systems that the analysis and testing for this evaluation was predicated on the notion
of a homogeneous network. This means the analysis and security functional testing did not
14
address the possibility of an untrusted user from injecting a raw frame on the network,
since users of the windows machines are prohibited from doing this.
.
10 Annexes
Not applicable.
15
12 Glossar y
The following definitions are used throughout this document:
Evaluation. The assessment of an IT product against the Common Criteria using the
Common Criteria Evaluation Methodology to determine whether or not the claims
made are justified; or the assessment of a protection profile against the Common
Criteria using the Common Evaluation Methodology to determine if the Profile is
complete, consistent, technically sound and hence suitable for use as a statement of
requirements for one or more TOEs that may be evaluated.
Evaluation Evidence. Any tangible resource (information) required from the sponsor
or developer by the evaluator to perform one or more evaluation activities.
Feature. Part of a product that is either included with the product or can be ordered
separately.
Validation. The process carried out by the CCEVS Validation Body leading to the
issue of a Common Criteria certificate.
13 Bibliogr aphy
The Validation Team used the following documents to produce this Validation Report:
[1]
[2]
[3]
16
[4]
[5]
[6]
[7]
[8]
[10]
Windows Vista and Windows Server 2008 Security Target, Version 1.0, July 24,
2009.
17
Version
Date
12 2/12/2009
2 5/28/2009
2 7/22/2009
2 7/22/2009
4 7/22/2009
0.03
0.06
0.07
0.03
7/22/2009
7/28/2009
7/28/2009
7/28/2009
9
12
6
3
0.08
3
0.07
6
7/22/2009
7/22/2009
7/22/2009
7/22/2009
7/22/2009
7/22/2009
7/28/2009
7/23/2009
18
2 7/22/2009
13
15
0.03
0.09
9
8
0.04
15
0.02
3
7
7/22/2009
7/22/2009
7/10/2009
7/22/2009
7/22/2009
7/22/2009
7/20/2009
7/22/2009
7/22/2009
7/22/2009
7/22/2009
0.07
12
2
0.08
16
2
0.08
7/22/2009
7/22/2009
7/22/2009
7/22/2009
7/22/2009
7/22/2009
7/22/2009
13 5/31/2009
12 5/31/2009
6
4
2
3
2
5
6
0.04
6
2
2
4
2
3
2
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
3
3
0.06
0.06
3
6/2/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
Mount Manager.doc
User Mode Driver Framework Reflector.xlsm
I/O Devices Component
ACPI Driver.doc
Advanced Host Controller Interface Driver.xlsmdoc
ALI IDE Miniport Driver
AMD IDE Miniport Driver
AMD K8 Processor Driver.xlsm
ATAport Driver Extension.xlsm
ATI ATI2MTAD Miniport Driver.doc
AudioPortClassDriver.doc
Beep Driver.doc
Broadcom BCM5708C NetXtreme Gigabit NIC
Miniport Driver.doc
Composite Battery Driver.xlsm
File System Filter Manager.doc
Hardware Error Device Driver.xlsm
HID Class Library.doc
HID Keyboard Filter Driver.doc
HID Mouse Filter Driver.doc
HID Parsing Library.doc
HP Proliant Smart Array.doc
i8042 Port Driver.doc
IDE ATAPI Port Driver.doc
Intel Pro 1000 e1e6032e NIC Miniport Driver.doc
Intel Pro 1000 e1g6032e NIC Miniport Driver.doc
Intelligent IO Miniport Driver.doc
Intelligent IO Utility Filter Driver.doc
Intelligent Platform Management Interface
Driver.xlsm
ISA and EISA Class Driver.xlsm
Keyboard Class Driver.doc
LSI Serial Attached SCSI Driver.doc
Microsoft System Management BIOS Driver.xlsm
Monitor Class Function Driver.xlsm
Mouse Class Driver.doc
NULL Driver.doc
Parallel Port Driver.doc
Partition Manager.doc
Plug and Play PCI Enumerator.doc
Plug and Play Software Device Enumerator.doc
PnP Disk Driver.doc
PNP ISA Bus Driver.doc
Processor Device Driver.doc
SCSI CD-ROM Driver.doc
SCSI Class System DLL.doc
19
3 7/23/2009
0.07 7/23/2009
7
0.5
0.3
0.3
0.2
0.6
7
3
4
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
3
0.4
5
0.3
5
4
4
4
4
3
2
7
3
3
3
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
0.6
0.4
3
3
0.2
0.4
3
3
3
4
3
17
3
3
3
4
4
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
6/3/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
20
17
11
3
3
3
18
3
3
3
3
3
3
3
0.3
0.5
3
0.3
3
4
3
3
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
7/23/2009
5
2
3
0.06
22
26
6
2
0.09
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
4
3
0.07
0.07
5
0.03
7
4
2
3
4
5
0.04
8
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
21
0.07
0.04
23
3
4
0.05
3
0.03
0.05
9
0.06
0.05
4
4
3
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
15
7
7
8
5
6
3
0.07
0.05
7
9
7
3
3
3
3
19
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
6/30/2009
6/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
12
6
7
5
2
0.04
7
26
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
5 7/24/2009
3 7/24/2009
6 7/24/2009
22
5
5
8
0.02
4
39
4
3
0.06
4
3
4
5
4
4
2
9
0.03
6
4
3
3
7
4
3
3
0.04
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
6/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
6
0.04
3
6
0.06
6
2
0.03
5
4
4
7
5
5
2
0.03
2
28
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
23
0.06
6
3
0.06
4
5
3
5
5
4
4
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
2 7/24/2009
2 7/24/2009
4 7/24/2009
3
0.09
3
3
3
3
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
12
4
4
0.07
3
3
0.05
4
3
4
0.03
0.05
0.04
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
0.4
0.3
1.3
0.2
0.4
0.8
0.2
0.5
0.2
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
24
2
0.2
0.3
0.2
0.2
0.2
0.2
0.2
0.3
0.2
2
0.2
0.3
0.2
0.2
0.2
0.8
0.2
0.2
2
0.2
0.2
8
0.2
0.2
0.4
0.2
0.2
0.2
0.2
0.2
0.2
1.9
0.2
0.2
0.2
0.2
2
0.2
0.2
0.7
0.2
0.2
0.2
0.2
0.2
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
7/24/2009
0.2 7/24/2009
3 7/24/2009
25