Microsoft Windows and the Common Criteria Certification Part II



Using the Windows 2000 Common Criteria Security Configuration Templates

The Common Criteria Certification templates are often referred to simply as the ‘Security Templates’. The security configuration templates you work with on Windows 2000 are based on the Common Criteria, and their actual name is the Windows 2000 Common Criteria security configuration templates. From reading part I of this article, you should be well informed about what the Common Criteria Certification is. You can understand it better by applying it to an EAL 4 class server-based operating system: Windows 2000 Server. As I mentioned in the first part of this article, Windows Server 2003 is in the process of becoming certified. In this article we will look at how the templates provided with Windows 2000 apply that security, and how to apply them yourself.

One word of advice before we continue: do this on a test system. Do not arbitrarily apply a security template to a production system without first testing the template and its effects on a test system. It’s imperative that you understand each feature of each template before you apply it, because each template does something different, and an applied template can set you up for disaster if it shuts off a production web site accessed by thousands. For instance, there is a difference between the Common Criteria settings and the ‘recommended settings’: some templates apply only what is needed to comply with the Common Criteria, and others apply both the Common Criteria and the ‘recommended settings’. In basic terms, the baseline configuration templates apply the Common Criteria settings, while the High Security ones apply both. You should be aware of this so you know which is which. Table 1 shows the breakdown of the template files for the Windows 2000 operating system.

Template file                      Operating system                 Settings applied
CC_Baseline_W2K_Server.inf         Windows 2000 Server              Common Criteria
CC_Baseline_W2K_Professional.inf   Windows 2000 Professional        Common Criteria
CC_Baseline_W2K_Domain.inf         Windows 2000 Domain Controller   Common Criteria
CC_Baseline_W2K_DC.inf             Windows 2000 Domain Controller   Common Criteria
CC_HiSec_W2K_Server.inf            Windows 2000 Server              Common Criteria and High Security
CC_HiSec_W2K_Professional.inf      Windows 2000 Professional        Common Criteria and High Security
CC_HiSec_W2K_Domain.inf            Windows 2000 Domain Controller   Common Criteria and High Security
CC_HiSec_W2K_DC.inf                Windows 2000 Domain Controller   Common Criteria and High Security

  Table 1

From the table, you can see that there are four templates that offer baseline protection (Common Criteria) and four templates that add the recommended settings, which provide higher security. Now that we know how the Common Criteria ties into Microsoft Windows 2000, and how it has direct ties to the security templates included with the operating system, let’s look at how to apply these settings to a Windows 2000 server to get it ready to meet the ‘Common Criteria’. Also remember that Windows 2000 is EAL 4, as covered in part I of this article.

Getting Started

To apply a template you need to set the server up to allow for it. Templates are not readily available to the novice Windows user. A skilled server administrator will need to apply it because, as I mentioned before, it’s not readily available and applying a template to a production server is dangerous. For example, the template may kill a service that one of your applications needs in order to run, and then you are down.

To get your server ready, follow these steps:

  1. Go to Start => Run
  2. Type MMC /a in the Run dialog box Open: field and hit the Enter key
  3. On the Console menu => click Add/Remove Snap-in => click Add
  4. Select Security Templates => click Add => click Close => click OK
  5. To save the snap-in setting => click Save on the Console menu
  6. Type a name for this console (you can name it something like security.msc) => click Save
  7. In the Security Templates snap-in => double-click Security Templates

Security Configuration Template Application Tools

To edit and apply the Common Criteria security configuration templates you need to be logged on as an Administrator with the proper rights to do so. There are two tools you can use to configure security on your system: the Security Templates snap-in already discussed, and the Security Configuration and Analysis snap-in. Both are MMC (Microsoft Management Console) snap-ins that are not readily available without additional configuration of your system, and this article shows you how to configure them. Let’s take a quick look at what each one is; the rest of the article shows you how to use them.

Security Templates (Snap-In): As mentioned earlier, the templates we are referring to are those that apply the Common Criteria settings, or the Common Criteria settings plus the additional high security configuration if chosen. This snap-in gives you access to these templates. It also allows for the creation of a text-based template file that contains security settings, with each template applying different kinds of settings to different types of systems (refer to Table 1).

Security Configuration and Analysis (Snap-In): Although we will not be using this snap-in in this article, you should be aware of it and what it is useful for. The Security Configuration and Analysis snap-in is a tool that helps ‘analyze’ your system’s current security posture. It does this by comparing your system’s configuration settings against a template (the Common Criteria templates) and looking at the difference. This helps you get a baseline security reading of your system.

Another article dealing with this subject in particular:

Windows Server 2003 System Security Analysis ‘Quick and Easy’
By Robert J. Shimonski

  8. Now that you have the console up and running with the snap-ins added, it will look like figure 1.


Figure 1

Note: This console is shown on a Windows XP Professional system; you can use the Security Templates on both workstations and servers.

  1. Once you have the console open (as seen in figure 1), you can select the Common Criteria template you wish to work with. Here I have chosen DIFFXP. It really doesn’t matter what you select for the purposes of this article; just remember that you should run this on a test system first so you don’t ruin your production system by removing something that needed to be there. Be cautious and test it before you apply it to a production system.
  2. You can now customize the templates or just peruse them for your own study and analysis. Take a look at each one and try to see how to modify them to your own needs. For a list of the XP templates and more depth, click on this TechNet link.
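
Because the templates are text-based files, you can also compare two of them before applying either one. The sketch below is an added example, not from the original article or from Microsoft: it parses the text of two templates and lists every setting that differs. The two sample templates are constructed for illustration and are not the contents of the real Common Criteria templates.

```python
# Added example: diff two security templates (.inf text), section by section.
BASELINE = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
[Service General Setting]
"Alerter",4,""
"""  # constructed sample, not a real CC_Baseline template

HISEC = """\
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 3
[Event Audit]
AuditLogonEvents = 3
[Service General Setting]
"Alerter",4,""
"TlntSvr",4,""
"""  # constructed sample, not a real CC_HiSec template

def parse_template(text):
    """Return {(section, key): value} for every setting line in a template."""
    settings, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        # Quoted entries (services, files, registry keys) are comma lists;
        # everything else is written as key = value.
        sep = "," if line.startswith('"') else "="
        key, _, value = line.partition(sep)
        settings[(section, key.strip().strip('"'))] = value.strip()
    return settings

def diff_templates(old_text, new_text):
    """List (section, key, old, new) for settings added, removed or changed."""
    old, new = parse_template(old_text), parse_template(new_text)
    return [(s, k, old.get((s, k)), new.get((s, k)))
            for s, k in sorted(set(old) | set(new))
            if old.get((s, k)) != new.get((s, k))]

if __name__ == "__main__":
    for section, key, before, after in diff_templates(BASELINE, HISEC):
        print(f"[{section}] {key}: {before!r} -> {after!r}")
```

Template files on disk are often saved as UTF-16, so read them with the matching encoding before passing the text to `diff_templates`.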

Applying Common Criteria Security Templates

Now that you know what the Common Criteria is (part I of this article) and how to get to the templates and work with them (the beginning of this article), our last step is to apply one.

  1. Log into the system you want to install the template on. Make sure you log in with Administrative rights.
  2. Open the MMC that you made in the first part of this article.
  3. Select Security Configuration and Analysis
  4. Right-click Security Configuration and Analysis
  5. You will need to start a working database. To do this, right click the Configuration and Analysis icon and select to Open Database. You can name the database anything that makes sense to you when you need to review it again, usually a date and time standard is common to use. Click Open and then you can select a template to analyze this computer against. You will have to review what the templates mean before you run them or you won’t know what you are looking for.
  6. Once the database is set, right click Configuration and Analysis again and then select to Import Template. Select the Common Criteria security configuration template that you want to use.
  7. Right-click Security Configuration and Analysis => select Configure Computer Now
  8. A window will appear showing the path to the error log file => click OK.
  9. The last thing is to reboot your system. Some settings take effect immediately; others take effect only after you reboot.

You have successfully installed a Common Criteria Security Template on your system.

Summary

In this article we covered why you should know and understand the Common Criteria Certification and how it directly relates to Windows products. We took it one step further and explained how to install a Common Criteria security template on your system. For more information about the Common Criteria and how it directly affects Windows systems, please use the links below.

References and Links

http://www.microsoft.com/technet/Security/topics/issues/w2kccscg/w2kscgcf.mspx

Microsoft.com site common criteria
http://www.microsoft.com/presspass/features/2003/apr03/04-14WS03Security.asp

Common Criteria Websites

UK
http://www.cesg.gov.uk 

US
http://niap.nist.gov

Common Criteria Scheme
http://niap.nist.gov/cc-scheme/

EAL Levels
http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=13

ITSEC Levels
http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=12
