Microsoft

Internet Security and Acceleration Server

ISA Server 2004 Enterprise Edition Common Criteria Evaluation

Guidance Documentation Addendum
Internet Security and Acceleration Server Team
Microsoft Corp.

Author:

Status: Version: Revision: Last Saved: File Name:

Final 1.5 1 2007-02-09 MS_ISAEE_ADD_1.5.doc

Abstract

This document describes the Guidance Documentation Addendum of ISA Server 2004 Enterprise Edition Common Criteria Certification that is the basis for the ISA Server 2004 Enterprise Edition Common Criteria evaluation.

Keywords
CC, ISA, Common Criteria, Firewall, Guidance Documentation Addendum

Guidance Documentation Addendum

Page 2/30

This page intentionally left blank

Guidance Documentation Addendum

Page 3/30

Table of Contents
Page

INTRODUCTION TO USER'S GUIDE OR ADMINISTRATOR'S GUIDE .......................5 1.1 Overview ..................................................................................................................5 1.2 Security Functions and Associated Chapters ..........................................................7 1.3 Warnings About Functions and Privileges ...............................................................8 1.4 Installation of the Evaluated ISA Server 2004 Enterprise Edition ............................8 2 SECURITY FUNCTIONS ..............................................................................................13 2.1 SF1 - Web Identification and Authentication ..........................................................13 2.2 SF2 - Information Flow Control ..............................................................................15 2.3 SF3 - Audit .............................................................................................................16 2.4 Administration-Related Interfaces ..........................................................................16 2.5 TOE User Interfaces ..............................................................................................17 3 OPERATING ENVIRONMENT .....................................................................................18 3.1 Assumptions...........................................................................................................18 3.2 Organizational Security Policies.............................................................................19 3.3 Secure Usage Assumptions - IT Security Requirements for the IT Environment ..19 3.4 Security Objectives for the Environment ................................................................20 3.5 Requirements for the Operational Environment.....................................................20 4 SECURITY-RELEVANT EVENTS ................................................................................22 5 TOE INTEGRITY...........................................................................................................23 5.1 Integrity of the CD-ROM Content ...........................................................................23 5.2 Integrity of the Package .........................................................................................27 5.3 Version Number for the TOE..................................................................................27 6 REFERENCES AND GLOSSARY ................................................................................28 6.1 References.............................................................................................................28 6.2 Acronyms ...............................................................................................................28 6.3 Glossary .................................................................................................................29

Guidance Documentation Addendum

Page 4/30

List of Tables
Page

Table 1.1 Security functions and associated chapters ........................................................7 Table 1.2 Warnings about functions and privileges.............................................................8 Table 3.1 Assumptions for the IT environment and intended usage .................................18 Table 3.2 Security policies addressed by the TOE............................................................19 Table 3.3 TOE functional security requirements for the environment ...............................19 Table 3.4 Security objectives for the environment.............................................................20 Table 4.1 Security-relevant events ....................................................................................22

List of Figures
Page

Figure 5.1 Integrity check I (successful) ............................................................................24 Figure 5.2 Integrity check II (missing FCIV tool)................................................................24 Figure 5.3 Batch file (ISA Server 2004 Enterprise Edition CD) for CD-ROM integrity check ......................................................................................................................................25 Figure 5.4 Batch file (Service Pack 2 CD) for CD-ROM integrity check ............................26 Figure 5.5 ISA Server 2004 Enterprise Edition (CD-ROM) ...............................................27 Figure 5.6 Version number of ISA Server 2004 Enterprise Edition ...................................27

Guidance Documentation Addendum

Page 5/30

1 Introduction to User's Guide or Administrator's Guide

This document is required by Common Criteria for the Microsoft Internet Security and Acceleration (ISA) Server 2004 Enterprise Edition evaluation. The document contains the User's1 Guide and the Administrator's Guide2. It should be used by any administrator who wants to ensure that the deployed ISA Server 2004 Enterprise Edition is the evaluated version (see [ST]).

1.1 Overview
The ISA Server 2004 Enterprise Edition manual [MSISA] consists of the following chapters: Introducing ISA Server Installation and Upgrade Administration and Security Networking Firewall Policy Clients Virtual Private Networking Caching Monitoring Add-ins Deployment Scenarios Additional Resources Security Functions Operating Environment Security-Relevant Events Target of evaluation (TOE) Integrity Reference and Glossary

This document extends the manual by adding the following chapters:

These chapters provide the required information for the ISA Server 2004 Enterprise Edition common criteria evaluation.

Note: According to the used Common Criteria wording: An administrator is the person who installs, configures, and administrates the target of evaluation (TOE), and a user is the person who sends data through the firewall (uses internal or external network resources where access is intercepted by the firewall). Because of the nature of a firewall product (the filtering is a transparent process for the user), the manuals provided are for administration purpose only.

Guidance Documentation Addendum

Page 6/30

The evaluated Guidance Documentation is valid for ISA Server 2004 Enterprise Edition. Its software version is ISA Server 2004 Enterprise Edition Service Pack 2 (SP2) (version 4.0.3443.594). The evaluated configuration is ISA Server 2004 Enterprise Edition.

Guidance Documentation Addendum

Page 7/30

1.2 Security Functions and Associated Chapters

The relevant chapters of the security functionality are summarized in the following table. Table 1.1 Security functions and associated chapters
Security function (see [ST]) SF1 Web Identification and Authentication Relevant chapters [MSISA] [MSISA] Firewall Policy > Firewall Policy: Concepts > Authentication > Authentication methods for Web requests > Basic authentication [MSISA] Firewall Policy > Firewall Policy: Concepts > Toolbox > Web listeners > Web listeners overview, Section: Authentication [MSISA] Firewall Policy > Firewall Policy: Concepts > Authentication > Authentication methods for Web requests > RADIUS authentication SF2 - Information Flow Control Access Rules: [MSISA] Firewall Policy > Firewall Policy: Concepts > Firewall Policy Rules > Access Rules Server Publishing Rules: [MSISA] Firewall Policy > Firewall Policy: Concepts > Firewall Policy Rules > Server publishing rules Mail Server Publishing Rules: [MSISA] Firewall Policy > Firewall Policy: Concepts > Firewall Policy Rules > Mail Server publishing rules Web Publishing Rules: [MSISA] Firewall Policy > Firewall Policy: Concepts > Firewall Policy Rules > Web publishing rules [MSISA] Firewall Policy > Firewall Policy: Concepts > Firewall Policy Rules > Secure Web publishing rules [MSISA] Firewall Policy > Firewall Policy: Concepts > Firewall Policy Rules > Outlook Web Access Server publishing System Policy: [MSISA] Firewall Policy > Firewall Policy: Concepts > System policy Application Filter: [MSISA] Add-ins > Add-ins: Concepts > Application Filters > RPC filter [MSISA] Add-ins > Add-ins: Concepts > Application Filters > SMTP filtering > SMTP filter [MSISA] Add-ins > Add-ins: Concepts > Application Filters > FTP access filter Web Application Filter: [MSISA] Add-ins > Add-ins: Concepts > Web Filters > HTTP filter [MSISA] Add-ins > Add-ins: Concepts > Web Filters > Authentication filters > OWA forms-based authentication Web filter [MSISA] Add-ins > Add-ins: Concepts > Web Filters > Authentication filters > RADIUS authentication Web filter

Guidance Documentation Addendum Security function (see [ST]) SF3 - Audit Relevant chapters [MSISA]

Page 8/30

[MSISA] Monitoring > Monitoring: Concepts > Logs > Log storage format > Section: MSDE 2000 database [MSISA] Monitoring > Monitoring: Concepts > Logs > Log Viewer [MSISA] Monitoring > Monitoring: Concepts > Logs > Microsoft Firewall service log fields [MSISA] Monitoring > Monitoring: Concepts > Logs > Web proxy log fields

1.3 Warnings About Functions and Privileges

The administrator guidance contains warnings about functions and privileges that should be controlled in a secure processing environment. These are listed in following table. Table 1.2 Warnings about functions and privileges
Aspect Overview Manual Warnings Relevant chapters [MSISA] Administration and Security > Administration and Security: Concepts > Administrative roles [MSISA] Administration and Security > Administration and Security: How To > Assign Administrative roles Each chapter identifies and describes the warnings, the assumptions and the security parameters related to that SF when necessary. The identification and description are made in a complete and consistent way. Examples for chapters that contain additional hints: Important (marked with a blue sign) [MSISA] Firewall Policy > Firewall Policy: Concepts > Authentication > Authentication methods for Web requests > Basic authentication

Caution (marked with a red flag) [MSISA] Firewall Policy > Firewall Policy: Concepts > Authentication > Authentication methods for Web requests

Warning (marked with a yellow sign) [MSISA] Caching > Caching: Concepts > Content download jobs: (Note: This is not a security function according the Security Target but gives an example for a warning.) [MSISA_ADD] Chapter 2 Security Functions

1.4 Installation of the Evaluated ISA Server 2004 Enterprise Edition

Before you install ISA Server 2004 Enterprise Edition SP2 (Version 4.0.3443.594), ensure that the underlying operating system is Microsoft Windows Server 2003, Standard Edition (English) Service Pack 1 (SP1) including MS05-042 (KB899587), MS05-039 (KB899588), MS05-027 (KB896422), and update KB907865. Also, ensure that no additional software products have been installed on this computer.

Guidance Documentation Addendum

Page 9/30

ISA Server 2004 Enterprise Edition is composed of the following components: ISA Server Management. The console through which the administrator manages the enterprise. Configuration Storage server. The repository of the enterprise layout and the configuration for each server in the enterprise. This repository is an instance of Active Directory Application Mode (ADAM). Each ISA Server computer has a local copy of its configuration that is a replica of the servers configuration, which is located on the Configuration Storage server. ISA Server services. This is the computer that runs the firewall, virtual private network (VPN), and caching functions of ISA Server. The computer running ISA Server services is connected to a Configuration Storage server, which stores the configuration information. Additional components. Additional components (Advanced Logging, Firewall Client Share, and Message Screener) can be installed on separate computers. Note that the Advanced Logging component can only be installed on a computer running ISA Server services.

Warnings To install the evaluated version, the administrator must install ISA Server Management and the Configuration Storage server (file \ISAAutorun.exe). The following pictures show the step-by-step installation process for ISA Server 2004 Enterprise Edition.

Startup screen

License Agreement

Guidance Documentation Addendum

Page 10/30

User name and product key (picture not shown completely)

Installation options

No additional components (default)

New ISA Server enterprise (default)

Installation note

Specify internal networks (example)

Guidance Documentation Addendum

Page 11/30

Do not allow non-encrypted Firewall clients (default)

Service warning

Start of installation process

Completion of installation process

After installation of ISA Server, the administrator must install Service Pack 2, which is delivered separately on an additional CD-ROM (file \ENU\ISA2004EE-KB903676-x86ENU.msp).

Start of installation process

License Agreement

Guidance Documentation Addendum

Page 12/30

Completion of installation process

Pop-up note

Guidance Documentation Addendum

Page 13/30

2 Security Functions
This chapter identifies all the security functions available to the administrator. The security functions are derived from the ISA Server 2004 Enterprise Edition security functions described in the ISA Server 2004 Enterprise Edition Security Target (ST). For administration, ISA Server 2004 Enterprise Edition includes graphical taskpads and wizards. These simplify navigation and configuration for common tasks. These features are embedded in the Microsoft Management Console and do not belong to the TOE. They are provided by the environment. The underlying operating system is the certified Windows Server 2003, Standard Edition (English) SP1 including MS05-042 (KB899587), MS05-039 (KB899588), MS05-027 (KB896422), and update KB907865. (The same installation has been used for Windows Server 2003 Common Criteria EAL 4+ evaluation; Validation Report Number CCEVS-VR05-0131, [WINST] and [WINVR], and referenced as Windows Server 2003 in this document.) Warnings The administrator must ensure that ISA Server 2004 Enterprise Edition is installed and used with Windows Server 2003. More details can be found in the Security Target of ISA Server 2004 Enterprise Edition [ST]. The administrator has to observe the Security Bulletins, to ensure that all possible countermeasures are used. The administrator should check http://www.microsoft.com/security/ regularly for the latest ISA Server 2004 Enterprise Edition service packs and hotfixes. The administrator should only use programs that are required to administer and operate the firewall. The administrator should not install additional software which may compromise the security of the TOE or the underlying operating system.

2.1 SF1 - Web Identification and Authentication

The TOE can be configured in a way that only particular users are allowed to access the networks through the TOE using Basic authentication. Basic authentication is the standard method of authentication for Hypertext Transfer Protocol (HTTP) transmissions for incoming and outgoing requests. Basic authentication sends and receives user information in plaintext. No encryption is used with Basic authentication. Secure Sockets Layer (SSL) encryption has to be used to secure the transferred user identification and authentication credentials, so these credentials cannot be monitored during transmission to the TOE. To secure the transferred user credentials, ensure that strong SSL encryption (at least 128 bit) is enforced.

Guidance Documentation Addendum

Page 14/30

The TOE has been evaluated using Basic authentication with SSL encryption for incoming HTTP connections. The TOE verifies if the user credentials comply with data stored in the local user database or a remote authentication server using Remote Authentication Dial-In User Service (RADIUS). Warnings There is a change in the default behavior when SP2 is installed on ISA Server 2004: When you try to connect to a Web site that is published by using ISA Server 2004 SP2, you receive an error message. If the ISA Server Web listener has Basic authentication enabled, you receive the following error message: Error Code: 403 Forbidden. The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator. (12211) If the ISA Server Web listener has RADIUS authentication or Microsoft Outlook Web Access forms-based authentication (Cookie-auth) enabled, you receive the following error message: Error Code: 500 Internal Server Error. An internal error occurred. (1359) This issue occurs if all the following conditions are true: The ISA Server 2004 Web listener has any one of the following authentication methods enabled: o o o Basic RADIUS Outlook Web Access forms-based

The ISA Server 2004 Web listener is configured to listen for HTTP traffic. The Require all users to authenticate check box is selected for the Web listener or the Web publishing rules apply to a user set other than the default All Users user set. You connect to the published Web site by using HTTP instead of by using HTTPS.

This issue occurs because of a security modification that is included in ISA Server 2004 SP2. When you use HTTP-to-HTTP bridging, ISA Server 2004 SP2 does not enable traffic on the external HTTP port if the Web listener is configured to request one or more of the following kinds of credentials: Basic RADIUS Outlook Web Access forms-based

Guidance Documentation Addendum

Page 15/30

This behavior occurs because these kinds of credentials should be encrypted. These credentials should not be sent in plaintext over HTTP. For ISA Server 2004 versions that are earlier than ISA Server 2004 SP2, you are prompted to enter credentials in plaintext. This behavior may cause the credentials to be transmitted over the network in plaintext if you have not implemented some other form of network security, such as an external Secure Sockets Layer (SSL) accelerator or an encrypted tunnel. ISA Server does not provide these forms of security. ISA Server 2004 SP2 prevents you from entering credentials in plaintext. When you try to do this, you receive an error message. Warnings When using Basic authentication, the user name and password are sent in plaintext (base-64 encoded). Basic authentication for Web requests must be secured using an SSL channel, so user identification and authentication credentials are encrypted during transmission. Use strong SSL encryption with at least 128 bit. When using Basic authentication, depending on the application on the information technology (environment, an application could "cache" the password. So the user must ensure that the environment is locked, when it is unattended.

2.2 SF2 - Information Flow Control

The TOE combines several security mechanisms to enforce the security policies at different network layers: a rule base for incoming and outgoing requests, Web and application filters, and system security configuration options. The TOE controls the flow of incoming and outgoing packets and controls information flow on protocol level. This control has to be active before any information can be transmitted through the TOE. Information flow control is subdivided into firewall policy rules that consist of access rules, server publishing rules, mail server publishing rules, Web publishing rules, system policy, Web application filters, and application filters. Warning The following Windows Server 2003 vulnerabilities require that the administrator, on computers without updates, does not publish certain ports from the local host to the external interface or that the administrator ensure that a certain configuration has been applied: MS06-018 requires blocking following ports to the local host at the firewall: - All unsolicited inbound traffic on ports greater than 1024 - Any other specifically configured RPC port These ports can be used to initiate a connection with the Microsoft Distributed Transaction Coordinator. Blocking them at the firewall (to local host) will protect the operating system to exploit this vulnerability. Also, make sure that you block any other specifically configured RPC port on the local host. While RPC can use UDP

Guidance Documentation Addendum

Page 16/30

ports 135, 137, 138, 445, and TCP ports 135, 139, 445, and 593, the Microsoft Distributed Transaction Coordinator service is not vulnerable over those ports. MS06-032 required to disable IP source routing: Disabling IP source routing will prevent an affected host from processing IP sourcerelated packets that could allow an attacker to execute code. IP source routing processing can be disabled by the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Add the DWORD Value: DisableIPSourceRouting. Set the value to 2. This value disables IP source routing processing. By default, this key does not exist.

2.3 SF3 - Audit

The TOE stores logging information in different log files: Firewall service log The Firewall log contains records of packets that were dropped in the packet filter level. It is possible to turn on logging for packets that were permitted to traverse the firewall. Access rules can be configured selectively to create or not to create a log file entry when a packet has been blocked or permitted. Web proxy service log The Web Proxy log stores a line per HTTP request that it gets. Each request (incoming and outgoing) is always logged. Windows application event log The Windows application event log stores important system events and failures. Warning It should be assured that there is always enough free disk space. Choosing the right resource and the right parameters for logging is mandatory. Creating logs that are too large or creating too many files can lead to problems. Nevertheless, it is possible to create an alert, which will move or delete old or unneeded log files.

2.4 Administration-Related Interfaces

The administrator interacts with the TOE via an Microsoft Management Console snap-in. (The Microsoft Management Console is provided by the IT environment.) The application interacts with the local registry and local file system of the operating system (Windows Server 2003) and finally with the TOE.

Guidance Documentation Addendum

Page 17/30

EXIF_MMC is the only external interface for administration. It is not used directly, but the Microsoft Management Console uses this interface to provide the log viewer. The log viewer component uses EXIF_MMC to communicate with the Microsoft Management Console. There are two additional interfaces, which are used indirectly for administration. Configuration data is read using EXIF_REG or EXIF_STORE from the local registry or the file system. The TOE reads the configuration using the same interfaces from the registry or the file system. So registry and/or file system changes may change the configuration of the TOE. Warning By default, policy changes are applied within a time frame of 15 seconds since the relevant configuration data has to be polled from ADAM.

2.5 TOE User Interfaces

There are no user-related manuals provided. (Due to the nature of a firewall product, the filtering process is transparent to the user.) EXIF_NET is the only external interface available for the user. To protect communication between networks, the TOE has an interface to the network layer of the operating system. Traffic from one network to another network is always passed though the TOE using this interface. All network traffic generated by users has to pass this interface.

Guidance Documentation Addendum

Page 18/30

3 Operating Environment
The security environment of the Evaluated Configuration of ISA Server 2004 Enterprise Edition is described in the ISA Server 2004 Enterprise Edition Security Target [ST] and identifies the threats to be countered by ISA Server 2004 Enterprise Edition, the organizational security policies, and the usage assumptions as they relate to ISA Server 2004 Enterprise Edition. The administrator should ensure that the environment meets the organizational policies and assumptions. They are repeated in the section that follows from the Security Target. To use the TOE in the evaluated configuration, the underlying environment must be the Windows Server 2003 operating system.

3.1 Assumptions
Table 3.1 lists the TOE Secure Usage Assumptions for the IT environment and intended usage. Table 3.1 Assumptions for the IT environment and intended usage
# 1 Assumption name A.DIRECT Description The TOE is available to authorized administrators only. A person who has physical access to the TOE and can log on to the operating system is assumed to act as an authorized TOE administrator. The TOE stores and executes security-relevant applications only. It stores only data required for its secure operation. Nevertheless, the underlying operating system may provide additional applications required for administrating the TOE or the operating system. Authorized administrators are non-hostile and follow all administrator guidance. The environment implements the following functionality: Local identification and authentication of user credentials used for Web publishing (see A.WEBI&A for RADIUS identification and authentication; in case of a successful authentication, the TOE analyses the returned value and allows or denies the access to network resources depending on that value), reliable time stamp (log file audit), file protection (for log file access protection, registry protection, and ADAM protection), cryptographic support (for SSL encryption), administration access control, reliable ADAM implementation, Network Load Balancing (disabled by default). 5 6 7 8 A.PHYSEC A.SECINST A.SINGEN A.WEBI&A The TOE is physically secure. Only an authorized person has physical access to the system that hosts the TOE. Required certificates and user identities are installed using a confidential path. Information can not flow among the internal and external networks unless it passes through the TOE. User credentials are verified by a RADIUS server. The RADIUS server returns a value if a valid account exists or not. Web Identification & Authentication with a RADIUS server requires that the RADIUS server is placed on the internal network, so that data (user credentials and return values) transferred to and from the RADIUS server is secured by the TOE from external entities.

A.GENPUR

3 4

A.NOEVIL A.ENV

Guidance Documentation Addendum 9 A.SSL

Page 19/30

All Web publishing rules that support Basic authentication have to be configured by the administrator so that strong encryption for SSL is enforced (at least 128 bit encryption).

3.2 Organizational Security Policies

Security policies to be fulfilled by the TOE are defined in Table 3.2. Table 3.2 Security policies addressed by the TOE
# 1 Policy name P.AUDACC Description Persons must be accountable for the actions that they conduct. Therefore, audit records must contain sufficient information to prevent an attacker to escape detection.

3.3 Secure Usage Assumptions - IT Security Requirements for the IT Environment

This chapter defines the TOE security functional requirements for the IT environment. Further information about the Security Functional Requirements can be found in [ST].

Table 3.3 TOE security functional requirements for the environment

# Functional requirement Title Identification & Authentication 1 2 3 4 FIA_ATD.1 FIA_UID.2 FIA_UAU.2 FCS_COP.1 User attribute definition User identification before any action User authentication before any action Cryptographic operation Information Flow Control 5 6 7 FMT_MSA.1 (1) FMT_MSA.1 (2) FMT_MSA.1 (3) Management of security attributes (1) UNAUTHENTICATED SFP Management of security attributes (2) UNAUTHENTICATED_APPL SFP Management of security attributes (3) AUTHENTICATED SFP Audit 8 9 10 FPT_STM.1 FAU_SAR.2 FAU_STG.1 Reliable time stamps Restricted audit review Protected audit trail storage Security Management 11 FMT_SMR.1 Security roles

Guidance Documentation Addendum

Page 20/30

3.4 Security Objectives for the Environment

Table 3.4 lists security objectives for the environment (covers objectives for the IT environment and non-IT environment). Table 3.4 Security objectives for the environment
# 1 2 3 4 Objective Name OE.DIRECT OE.GENPUR OE.NOEVIL OE.ENV Objective Description The TOE should be available to authorized administrators only. The environment should store and execute security-relevant applications only and should store only data required for its secure operation. Authorized administrators should be non-hostile and should follow all administrator guidance. The environment should implement the following functionality: Local identification and authentication of user credentials used for Web publishing (see OE.WEBI&A for RADIUS identification and authentication; in case of a successful authentication, the TOE analyses the returned value and allows or denies the access to network resources depending on that value), reliable time stamp (log file audit), file protection (for log file access protection, registry protection, and ADAM protection), cryptographic support (for SSL encryption), administration access control, reliable ADAM implementation, Network Load Balancing (disabled by default). 5 6 OE.PHYSEC OE.SECINST The system which hosts the TOE should be physically secure. The required user identities (used for user authentication) and required SSL certificates for server authentication (HTTPS encryption) should be stored using a confidential path. That means that created certificates and user passwords should not be available to unauthorized persons (OE.DIRECT ensures that unauthorized persons cannot get this information by accessing the TOE). Information should not flow among the internal and external networks unless it passes through the TOE. Thereby the TOE administrator has to guarantee an adequate integration of the TOE into the environment. The RADIUS server should verify provided user credentials and return if a valid account exists or not. Data (user credentials and return values) between TOE and the RADIUS server should be transferred inside the TOE secured environment, which means that the RADIUS server should be placed on the internal network for Web Identification & Authentication. 9 OE.SSL

OE.SINGEN

OE.WEBI&A

All Web publishing rules that support Basic authentication should be configured by the administrator so that strong encryption for SSL is enforced (at least 128 bit encryption).

3.5 Requirements for the Operational Environment

The operational environment is a certified Windows Server 2003 Standard Edition (English) SP1 including MS05-042 (KB899587), MS05-039 (KB899588), MS05-027 (KB896422), and patch KB907865 (same installation that has been used for Windows Server 2003 Common

Guidance Documentation Addendum

Page 21/30

Criteria EAL 4+ Evaluation; Validation Report Number CCEVS-VR-05-0131, [WINST] and [WINVR]). The update number listed on the security bulletin corresponds to the Microsoft Knowledge Base (KB) article ID number. The Microsoft Knowledge Base is a database of technical articles about Microsoft products and technologies. These articles range from "how to" articles describing how to complete a specific task to "bug" articles documenting known issues with Microsoft products. When you scan your computer for available updates, through the Windows Update Web site, the Windows Update Web site displays a number along with the title of the update, for example, "Update for Windows Media Player 9 Series (KB837272)." This KB number is included in the security bulletin to help identify the corresponding KB article in the Microsoft Knowledge Base. The previously mentioned configuration for the operational environment has been used as an underlying operating system for evaluation. Some more directives for security best practices are given in [MSISA] > Administration and Security > Administration and Security Concepts > Security best practices. Because the computer on which ISA Server 2004 is running is often the primary interface to the External network, we recommend this computer be secured. The Security Best Practices [MSISAHARD]3 document ISA Server 2004 Security Hardening Guide, available on the ISA Server Web site, details how to secure the ISA Server 2004 Enterprise Edition computer, and is updated periodically with new information. Warning The administrator should check http://www.microsoft.com/security/ regularly for the latest Windows Server 2003 hotfixes.

online available: http://go.microsoft.com/fwlink/?LinkID=24507

Guidance Documentation Addendum

Page 22/30

4 Security-Relevant Events
This subsection describes all types of security-relevant events and what administrator action (if any) to take to maintain security. Security-relevant events that may occur during operation of ISA Server 2004 Enterprise Edition must be adequately defined to allow administrator intervention to maintain secure operation. Security-relevant events are defined as events that signify a security related change in the system or environment. These changes can be grouped as routine or abnormal. The routine events are already addressed in subsection Security Functions.

Table 4.1 Security-relevant events

Security function Web Identification and Authentication Security-relevant event Configure Basic authentication. Enable strong SSL encryption (at least 128 bit) for HTTPS. The user has a missing permission to access the Internet. A user is leaving the company, so his or her rights have to be withdrawn. Relevant chapters [MSISA] Firewall Policy > Firewall Policy: Concepts > Authentication > Authentication methods for Web requests > Basic authentication [MSISA] Firewall Policy > Firewall Policy: Concepts > Toolbox > Web listeners > Web listeners overview, Section: Authentication [MSISA] Firewall Policy > Firewall Policy: Concepts > Authentication > Authentication methods for Web requests > RADIUS authentication To enable strong SSL encryption, open the corresponding Web publishing rule > Traffic and select Require 128-bit encryption for HTTP traffic. [MSISA] Monitoring > Monitoring: Concepts > Logs > Log storage format > Section: MSDE 2000 database Information Flow Control An alert occurs, so the administrator has to monitor the alert. The administrator has to report some events. Log file overflow. If the ISA Server computer runs out of disk space, the administrator has to configure the maximum number of log files. [MSISA] Monitoring > Monitoring: Concepts > Alerts [MSISA] Monitoring > Monitoring: How To > Configure Alerting

Audit

[MSISA] Monitoring > Monitoring: How To > Configure logging > Configure logging to an MSDE database

Guidance Documentation Addendum

Page 23/30

5 TOE Integrity
This chapter describes how the administrator can verify that the evaluated version of the TOE is used.

5.1 Integrity of the CD-ROM Content

Customers can check the CD content by using the publicly available Microsoft File Checksum Integrity Verifier (FCIV) tool4. This tool uses SHA-1 hash values to verify the integrity of the: ISA Server 2004 Enterprise Edition (on CD) ISA 2004 Enterprise Edition Service Pack 2 (on CD) ISA 2004 Enterprise Edition Service Pack 2 (Web download)

The corresponding hash files are available from the Microsoft corporate Web site, as well as a batch file that runs the tool and a Readme file that explains the usage for users that do not have access to this document. The hash file contains SHA-1 values for each of the relevant files that must be verified and is downloadable using a secured channel from the ISA Server 2004 common criteria Web page: http://go.microsoft.com/fwlink/?linkid=49507 The FCIV is a command-prompt utility that computes and verifies cryptographic hash values of files (MD5 and SHA-1 cryptographic hash values are possible). The tool is run by the supplied batch file. To run the batch file the user opens a Command Prompt window and changes to the folder into which the validation files were downloaded. The user then types the following (the exact file name depends what CD or file the user wants to verify): integritycheck.cmd X: Where x: is the local CD-ROM drive that contains the ISA Server 2004 Enterprise Edition CD or the ISA Server 2004 SP2 CD. To verify the Service Pack 2 (download from Web), the batch file must be copied into the same folder with SP2. Figure 5.1 shows a successful verification of the TOE. Figure 5.2 shows an error message because of the missing FCIV tool.

Installation instruction and download link on following Web page: http://support.microsoft.com/default.aspx?scid=kb;en-us;841290

Guidance Documentation Addendum

Page 24/30

Figure 5.1 Integrity check I (successful)

Figure 5.2 Integrity check II (missing FCIV tool)

Guidance Documentation Addendum

Page 25/30

Figure 5.3 Batch file (ISA Server 2004 Enterprise Edition CD) for CD-ROM integrity check
@echo off setlocal ENABLEDELAYEDEXPANSION if "%1"=="" goto usage set DriveLetter=%1 set ExpectedVL=ISA2K4SELE_EN set ExpectedDirs=150 set ExpectedFiles=661 set Dirs= set Files= set MisCount= REM Verify that fciv.exe exists in the path fciv -? >NUL if NOT [%errorlevel%]==[0] goto usage REM Verify there is a valid CD in the drive vol %1 > NUL if NOT [%errorlevel%]==[0] goto usage REM Check Volume ID for /f "usebackq tokens=6 delims= " %%V in (`vol %1 `) do set VolumeID=%%V&echo. if NOT %VolumeID%==%ExpectedVL% ( echo The volume label of the CD in drive %1 is %VolumeID% echo This integrity check can identify only original CDs with Volume Label: %ExpectedVL% echo Please insert the CD with volume label %ExpectedVL%. Then try again. echo. goto end ) @REM *** Count directories and Files for /F "usebackq tokens=1 delims= " %%J in (`dir /s /A:D %DriveLetter% ^| findstr /c:"Dir(s)"`) do (set Dirs=%%J) for /F "usebackq tokens=1 delims= " %%J in (`dir /s /A-D %DriveLetter% ^| findstr /c:"File(s)"`) do (set Files=%%J) if NOT [%Dirs%]==[%ExpectedDirs%] Set MisCount=Yes&echo *** The CD in %1 contains %Dirs% directories instead of %ExpectedDirs% *** if NOT [%Files%]==[%ExpectedFiles%] Set MisCount=Yes&echo *** The CD in %1 contains %Files% directories instead of %ExpectedFiles% *** if [%MisCount%]==[Yes] goto end echo echo echo echo. The verification process may take several minutes... The files on the CD are being scanned to validate their integrity ......

@REM *** Run the integrity check fciv -v %1\ -r -sha1 -bp %1\ -xml %ExpectedVL%.xml > integritycheck.log findstr /c:"All files verified successfully" integritycheck.log if NOT [%errorlevel%]==[0] ( echo The integrity check could not validate all the files on the CD echo The integrity check log file is saved in the current directory... pause notepad integritycheck.log echo. goto end ) else ( echo. echo The CD in drive %1 is an authentic ISA Server 2004 Enterprise Edition - English Microsoft Licensing CD echo. del integritycheck.log ) goto end :usage echo Usage: echo %~nx0 x: echo x: CD-ROM drive containing ISA Server 2004 EE CD (Volume Label: %ExpectedVL%) echo Fciv.exe must be in the current directory or in the path. echo You can download Fciv.exe from http://support.microsoft.com/default.aspx?scid=kb;en-us;841290 echo. :end endlocal

Guidance Documentation Addendum

Page 26/30

Figure 5.4 Batch file (Service Pack 2 CD) for CD-ROM integrity check
@echo off setlocal ENABLEDELAYEDEXPANSION if "%1"=="" goto usage set DriveLetter=%1 set ExpectedVL=ISA2004-SP2-CD set ExpectedDirs=150 set ExpectedFiles=661 set Dirs= set Files= set MisCount= REM Verify that fciv.exe exists in the path fciv -? >NUL if NOT [%errorlevel%]==[0] goto usage REM Verify there is a valid CD in the drive vol %1 > NUL if NOT [%errorlevel%]==[0] goto usage REM Check Volume ID for /f "usebackq tokens=6 delims= " %%V in (`vol %1 `) do set VolumeID=%%V&echo. if NOT %VolumeID%==%ExpectedVL% ( echo The volume label of the CD in drive %1 is %VolumeID% echo This integrity check can identify only original CDs with Volume Label: %ExpectedVL% echo Please insert the CD with volume label %ExpectedVL%. Then try again. echo. goto end ) echo echo echo echo. The verification process may take several minutes... The files on the CD are being scanned to validate their integrity ......

@REM *** Run the integrity check fciv -v %1\ENU\ISA2004EE-KB903676-x86-ENU.msp -sha1 -bp %1\ -xml %ExpectedVL%.xml > integritycheck.log findstr /c:"All files verified successfully" integritycheck.log if NOT [%errorlevel%]==[0] ( echo The integrity check could not validate all the files on the CD echo The integrity check log file is saved in the current directory... pause notepad integritycheck.log echo. goto end ) else ( echo. echo The CD in drive %1 contains an authentic ISA Server 2004 Enterprise Edition SP2 English Version echo. del integritycheck.log ) goto end :usage echo Usage: echo %~nx0 x: echo x: CD-ROM drive containing ISA Server 2004 EE CD (Volume Label: %ExpectedVL%) echo Fciv.exe must be in the current directory or in the path. echo You can download Fciv.exe from http://support.microsoft.com/default.aspx?scid=kb;en-us;841290 echo. :end endlocal

Guidance Documentation Addendum

Page 27/30

5.2 Integrity of the Package

Because ISA Server 2004 Enterprise Edition is available in a volume license (see Figure 5.5), there is no certificate of authenticity (COA) label on a box like for ISA Server 2004 Standard Edition. The end user should check the integrity as described in chapter 5.1 for ISA Server 2004 Enterprise Edition and for ISA Server 2004 Enterprise Edition Service Pack 2. Figure 5.5 ISA Server 2004 Enterprise Edition (CD-ROM)

5.3 Version Number for the TOE

The method to examine the ISA Server version number is included in the Microsoft Management Console. The user can identify the version of the TOE in the Help menu (HelpAbout ISA Server 2004; see Figure 5.6). The version number presented in the Microsoft Management Console is 4.0.3443.594. That version corresponds to the evaluated version named in the ST ISA Server 2004 Enterprise Edition. Figure 5.6 Version number of ISA Server 2004 Enterprise Edition

Guidance Documentation Addendum

Page 28/30

6 References and Glossary

This section provides references and a glossary.

6.1 References
General Common Criteria Documents [CC] Common Criteria for Information Technology Security Evaluation, version 2.1, revision August 1999, Incorporated with interpretations as of 2003-12-31 Part 1: Introduction and general model, CCIMB-99-031, Part 2: Security functional requirements, CCIMB-99-032, Part 3: Security Assurance Requirements, CCIMB-99-033 Common Methodology for Information Technology Security Evaluation, Part 1: Introduction and general model, version 0.6, revision 11.01.1997, Part 2: Evaluation Methodology, version 1.0, revision August 1999 Incorporated with interpretations as of 2003-12-31 General Microsoft Developer Documents [MSDN] [MSDNDVD] Microsoft Developer Network, http://msdn.microsoft.com/, Microsoft Corp. Microsoft Developer Network, DVD Version, January 2006, Microsoft Corp.

[CEM]

ISA Server 2004 Administrator Guidance and Publicly Available Evaluation Developer Documents [MSISA] [ST] [MSISAHARD] [WINST] [WINVR] Microsoft Internet Security and Acceleration Server 2004 Help Enterprise Edition, Microsoft Corp., Version 2004 Enterprise Edition ISA Server 2004 Enterprise Edition Common Criteria Evaluation - Security Target, Version 1.1, Final, 2006-05-11, Microsoft Corp. Security Hardening Guide - Microsoft Internet Security and Acceleration Server 2004, Microsoft Corp., Version 2006 Microsoft Windows Server 2003 or Windows XP Security Target, Version 1.0. 28.09.2005, Microsoft Corporation National Information Assurance Partnership, Common Criteria Evaluation and Validation Scheme Validation Report Microsoft Windows Server 2003 and Windows XP Workstation Report Number: CCEVS-VR-05-0131 Dated: November 6, 2005 Version: 1.1

Guidance Documentation Addendum

Page 29/30

6.2 Acronyms
CC EAL FCIV MSDN PP SF SFP SSL ST TOE Common Criteria Evaluation Assurance Level File Checksum Integrity Verifier Microsoft Developer Network Protection Profile Security Function Security Function Policy Secure Sockets Layer Security Target Target of Evaluation

6.3 Glossary
application filters Application filters can access the data stream or datagrams associated with a session within the Microsoft Firewall service and work with some or all application-level protocols. Authentication is "A positive identification, with a degree of certainty sufficient for permitting certain rights or privileges to the person or thing positively identified." In simpler terms, it is "The act of verifying the claimed identity of an individual, station or originator" [Schou, Corey (1996). Handbook of INFOSEC Terms, Version 2.0. CD-ROM (Idaho State University & Information Systems Security Organization)]. Basic authentication is the standard authentication method for Hypertext Transfer Protocol (HTTP). Although user information is encoded, no encryption is used with Basic authentication. A feature pack contains new product functionality that is distributed outside the context of a product release, and usually is included in the next full product release. A firewall service log contains entries with connection establishments and terminations. Identification, according to a current compilation of information security terms, is "the process that enables recognition of a user described to an automated data processing system. This is generally by the use of unique machine-readable names" [Schou, Corey (1996). Handbook of INFOSEC Terms, Version 2.0. CD-ROM (Idaho State University & Information Systems Security Organization)]. In this document, ISA Server refers to Microsoft Internet Security and Acceleration Server 2004.

authentication

Basic authentication

feature pack

Firewall service log identification

ISA Server

Guidance Documentation Addendum

Page 30/30

Microsoft Management Console NTLM

The Microsoft Management Console is a configuration management tool supplied with Windows that can be extended with snap-ins. NTLM is an authentication scheme used by Microsoft browsers, proxies, and servers (Microsoft Internet Explorer, Internet Information Services, and others). This scheme is also sometimes referred to as the Windows NT Challenge/Response authentication scheme or Integrated Windows authentication. A packet filter log file contains records of packets that were dropped or allowed. A port number identifies a certain Internet application with a specific connection. Using publishing rules, you can publish virtually any computer on an internal network to the Internet (see Web publishing and server publishing). SSL is a protocol that supplies secure data communication through data encryption and decryption. SSL enables communications privacy over networks. Server publishing allows virtually any computer on an internal network to publish to the Internet. A service pack contains a cumulative set of all hotfixes, security updates, critical updates, and updates created and fixes for defects found by Microsoft since the release of the product. Service packs may also contain a limited number of customer requested design changes or features. W3C develops interoperable technologies (specifications, guidelines, software, and tools) concerning Web technology (http://www.w3c.org). Web publishing publishes Web content to the Internet.

packet filter log file port number publishing rules

Secure Sockets Layer (SSL) server publishing service pack

World Wide Web Consortium (W3C) Web publishing