Internet Security and Acceleration Server
Status: Final
Version: 1.5
Revision: 1
Last Saved: 2007-02-09
File Name: MS_ISAEE_ADD_1.5.doc
Abstract
This document describes the Guidance Documentation Addendum of ISA Server 2004
Enterprise Edition Common Criteria Certification that is the basis for the ISA Server 2004
Enterprise Edition Common Criteria evaluation.
Keywords
CC, ISA, Common Criteria, Firewall, Guidance Documentation Addendum
Guidance Documentation Addendum Page 2/30
Table of Contents
Page
1 INTRODUCTION TO USER'S GUIDE OR ADMINISTRATOR'S GUIDE .......................5
1.1 Overview ..................................................................................................................5
1.2 Security Functions and Associated Chapters ..........................................................7
1.3 Warnings About Functions and Privileges ...............................................................8
1.4 Installation of the Evaluated ISA Server 2004 Enterprise Edition ............................8
2 SECURITY FUNCTIONS ..............................................................................................13
2.1 SF1 - Web Identification and Authentication ..........................................................13
2.2 SF2 - Information Flow Control ..............................................................................15
2.3 SF3 - Audit .............................................................................................................16
2.4 Administration-Related Interfaces ..........................................................................16
2.5 TOE User Interfaces ..............................................................................................17
3 OPERATING ENVIRONMENT .....................................................................................18
3.1 Assumptions...........................................................................................................18
3.2 Organizational Security Policies.............................................................................19
3.3 Secure Usage Assumptions - IT Security Requirements for the IT Environment ..19
3.4 Security Objectives for the Environment ................................................................20
3.5 Requirements for the Operational Environment.....................................................20
4 SECURITY-RELEVANT EVENTS ................................................................................22
5 TOE INTEGRITY...........................................................................................................23
5.1 Integrity of the CD-ROM Content ...........................................................................23
5.2 Integrity of the Package .........................................................................................27
5.3 Version Number for the TOE..................................................................................27
6 REFERENCES AND GLOSSARY ................................................................................28
6.1 References.............................................................................................................28
6.2 Acronyms ...............................................................................................................28
6.3 Glossary .................................................................................................................29
1.1 Overview
The ISA Server 2004 Enterprise Edition manual [MSISA] consists of the following chapters:
• Introducing ISA Server
• Installation and Upgrade
• Administration and Security
• Networking
• Firewall Policy
• Clients
• Virtual Private Networking
• Caching
• Monitoring
• Add-ins
• Deployment Scenarios
• Additional Resources
This document extends the manual by adding the following chapters:
• Security Functions
• Operating Environment
• Security-Relevant Events
• Target of evaluation (TOE) Integrity
• Reference and Glossary
These chapters provide the information required for the ISA Server 2004 Enterprise Edition
Common Criteria evaluation.
Note 1: In the Common Criteria wording used here, an administrator is the person who installs, configures,
and administers the target of evaluation (TOE), and a user is the person who sends data through the firewall
(uses internal or external network resources where access is intercepted by the firewall).
Note 2: Because of the nature of a firewall product (the filtering is a transparent process for the user), the manuals
provided are for administration purposes only.
The evaluated Guidance Documentation is valid for ISA Server 2004 Enterprise Edition. Its
software version is ISA Server 2004 Enterprise Edition Service Pack 2 (SP2) (version
4.0.3443.594). The evaluated configuration is ISA Server 2004 Enterprise Edition.
[Figures: User name and product key dialog (picture not shown completely); Installation options]
After installation of ISA Server, the administrator must install Service Pack 2, which is
delivered separately on an additional CD-ROM (file \ENU\ISA2004EE-KB903676-x86-ENU.msp).
2 Security Functions
This chapter identifies all the security functions available to the administrator. The security
functions are derived from the ISA Server 2004 Enterprise Edition security functions
described in the ISA Server 2004 Enterprise Edition Security Target (ST).
For administration, ISA Server 2004 Enterprise Edition includes graphical taskpads and
wizards. These simplify navigation and configuration for common tasks. These features are
embedded in the Microsoft Management Console and do not belong to the TOE. They are
provided by the environment.
The underlying operating system is the certified Windows Server 2003, Standard Edition
(English) SP1 including MS05-042 (KB899587), MS05-039 (KB899588), MS05-027
(KB896422), and update KB907865. (The same installation has been used for the Windows
Server 2003 Common Criteria EAL 4+ evaluation; Validation Report Number CCEVS-VR-05-0131,
[WINST] and [WINVR]; it is referenced as Windows Server 2003 in this document.)
Warnings
• The administrator must ensure that ISA Server 2004 Enterprise Edition is installed
and used with Windows Server 2003. More details can be found in the Security
Target of ISA Server 2004 Enterprise Edition [ST].
• The administrator has to monitor the Microsoft Security Bulletins to ensure that all
available countermeasures are applied.
• The administrator should check http://www.microsoft.com/security/ regularly for the
latest ISA Server 2004 Enterprise Edition service packs and hotfixes.
• The administrator should only use programs that are required to administer and
operate the firewall. The administrator should not install additional software which
may compromise the security of the TOE or the underlying operating system.
The TOE has been evaluated using Basic authentication with SSL encryption for incoming
HTTP connections. The TOE verifies if the user credentials comply with data stored in the
local user database or a remote authentication server using Remote Authentication Dial-In
User Service (RADIUS).
Warnings
There is a change in the default behavior when SP2 is installed on ISA Server 2004:
When you try to connect to a Web site that is published by using ISA Server 2004 SP2, you
receive an error message. If the ISA Server Web listener has Basic authentication enabled,
you receive the following error message:
The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact
the server administrator. (12211)
If the ISA Server Web listener has RADIUS authentication or Microsoft Outlook® Web
Access forms-based authentication (Cookie-auth) enabled, you receive the following error
message:
• Basic
• RADIUS
• Outlook Web Access forms-based
This behavior occurs because these kinds of credentials should be encrypted. These
credentials should not be sent in plaintext over HTTP.
For ISA Server 2004 versions that are earlier than ISA Server 2004 SP2, you are prompted
to enter credentials in plaintext. This behavior may cause the credentials to be transmitted
over the network in plaintext if you have not implemented some other form of network
security, such as an external Secure Sockets Layer (SSL) accelerator or an encrypted
tunnel. ISA Server does not provide these forms of security.
ISA Server 2004 SP2 prevents you from entering credentials in plaintext. When you try to
do this, you receive an error message.
Warnings
• When using Basic authentication, the user name and password are sent in plaintext
(base-64 encoded). Basic authentication for Web requests must be secured using
an SSL channel, so user identification and authentication credentials are encrypted
during transmission. Use strong SSL encryption with at least 128 bit.
• When using Basic authentication, an application in the IT environment (depending on the
application) could cache the password. The user must therefore ensure that the environment
is locked when it is unattended.
ports 135, 137, 138, 445, and TCP ports 135, 139, 445, and 593, the Microsoft
Distributed Transaction Coordinator service is not vulnerable over those ports.
• MS06-032 requires IP source routing to be disabled:
Disabling IP source routing prevents an affected host from processing IP source-related
packets that could allow an attacker to execute code. IP source routing processing can be
disabled with the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
Add the DWORD value DisableIPSourceRouting and set it to 2. This value disables IP source
routing processing. By default, this value does not exist.
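The registry setting above can be applied and verified from the command line with reg.exe, which ships with Windows Server 2003. The following batch file is an added example, not part of the certified guidance; it reads the current value, creates or corrects it, and re-reads it to confirm the change.

```batch
@echo off
rem Added example (not part of the certified guidance): apply and verify the
rem MS06-032 hardening setting DisableIPSourceRouting = 2 with reg.exe.
rem Run from a command prompt of an administrator account.
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
set "NAME=DisableIPSourceRouting"
set "WANT=0x2"

rem Read the current value. reg query prints "<name> REG_DWORD 0x<hex>";
rem if the value does not exist (the default), CUR stays empty.
set "CUR="
for /f "tokens=3" %%v in ('reg query "%KEY%" /v %NAME% 2^>nul ^| find /i "%NAME%"') do set "CUR=%%v"

if /i "%CUR%"=="%WANT%" (
    echo %NAME% is already %WANT%: IP source routing processing is disabled.
    goto :done
)
if "%CUR%"=="" (
    echo %NAME% does not exist ^(default^); creating it with value 2.
) else (
    echo %NAME% is %CUR%; setting it to 2.
)
reg add "%KEY%" /v %NAME% /t REG_DWORD /d 2 /f >nul || (
    echo ERROR: could not write %NAME%. Are you logged on as administrator?
    exit /b 1
)

rem Re-read the value to confirm that the change was written.
set "CUR="
for /f "tokens=3" %%v in ('reg query "%KEY%" /v %NAME% ^| find /i "%NAME%"') do set "CUR=%%v"
if /i not "%CUR%"=="%WANT%" (
    echo ERROR: verification failed, value is "%CUR%".
    exit /b 1
)
echo Verified: %NAME% = %CUR%. Restart the server so the TCP/IP stack applies the setting.
:done
endlocal
exit /b 0
```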
Warning
• It must be ensured that there is always enough free disk space. Choosing the right
resource and the right parameters for logging is mandatory. Creating logs that are
too large or creating too many files can lead to problems. Nevertheless, it is possible
to create an alert that moves or deletes old or unneeded log files.
EXIF_MMC is the only external interface for administration. It is not used directly, but the
Microsoft Management Console uses this interface to provide the log viewer. The log viewer
component uses EXIF_MMC to communicate with the Microsoft Management Console.
There are two additional interfaces, which are used indirectly for administration.
Configuration data is read using EXIF_REG or EXIF_STORE from the local registry or the
file system. The TOE reads the configuration using the same interfaces from the registry or
the file system. So registry and/or file system changes may change the configuration of the
TOE.
Warning
By default, policy changes are applied within a time frame of 15 seconds, because the relevant
configuration data has to be polled from ADAM.
3 Operating Environment
The security environment of the Evaluated Configuration of ISA Server 2004 Enterprise
Edition is described in the ISA Server 2004 Enterprise Edition Security Target [ST] and
identifies the threats to be countered by ISA Server 2004 Enterprise Edition, the
organizational security policies, and the usage assumptions as they relate to ISA Server
2004 Enterprise Edition. The administrator should ensure that the environment meets the
organizational policies and assumptions. They are repeated in the section that follows from
the Security Target.
To use the TOE in the evaluated configuration, the underlying environment must be the
Windows Server 2003 operating system.
3.1 Assumptions
Table 3.1 lists the TOE Secure Usage Assumptions for the IT environment and intended
usage.
Table 3.1 – Assumptions for the IT environment and intended usage
#  Assumption name  Description
1  A.DIRECT  The TOE is available to authorized administrators only. A person who has physical access to the TOE and can log on to the operating system is assumed to act as an authorized TOE administrator.
2  A.GENPUR  The TOE stores and executes security-relevant applications only. It stores only data required for its secure operation. Nevertheless, the underlying operating system may provide additional applications required for administrating the TOE or the operating system.
3  A.NOEVIL  Authorized administrators are non-hostile and follow all administrator guidance.
4  A.ENV  The environment implements the following functionality: local identification and authentication of user credentials used for Web publishing (see A.WEBI&A for RADIUS identification and authentication; in case of a successful authentication, the TOE analyses the returned value and allows or denies access to network resources depending on that value), reliable time stamps (log file audit), file protection (for log file access protection, registry protection, and ADAM protection), cryptographic support (for SSL encryption), administration access control, reliable ADAM implementation, Network Load Balancing (disabled by default).
5  A.PHYSEC  The TOE is physically secure. Only an authorized person has physical access to the system that hosts the TOE.
6  A.SECINST  Required certificates and user identities are installed using a confidential path.
7  A.SINGEN  Information cannot flow between the internal and external networks unless it passes through the TOE.
8  A.WEBI&A  User credentials are verified by a RADIUS server. The RADIUS server returns a value indicating whether a valid account exists or not. Web Identification & Authentication with a RADIUS server requires that the RADIUS server is placed on the internal network, so that data (user credentials and return values) transferred to and from the RADIUS server is protected by the TOE from external entities.
9  A.SSL  All Web publishing rules that support Basic authentication have to be configured by the administrator so that strong encryption for SSL is enforced (at least 128 bit encryption).
Note 3: Available online: http://go.microsoft.com/fwlink/?LinkID=24507
4 Security-Relevant Events
This subsection describes all types of security-relevant events and what administrator
action (if any) to take to maintain security. Security-relevant events that may occur during
operation of ISA Server 2004 Enterprise Edition must be adequately defined to allow
administrator intervention to maintain secure operation. Security-relevant events are defined
as events that signify a security related change in the system or environment. These
changes can be grouped as routine or abnormal. The routine events are already addressed
in the Security Functions chapter.
Audit: Log file overflow. If the ISA Server computer runs out of disk space, the administrator has to configure the maximum number of log files.
Reference: [MSISA] Monitoring > Monitoring: How To > Configure logging > Configure logging to an MSDE database
5 TOE Integrity
This chapter describes how the administrator can verify that the evaluated version of the
TOE is used.
Note 4: Installation instructions and download link on the following Web page:
http://support.microsoft.com/default.aspx?scid=kb;en-us;841290
Figure 5.3 – Batch file (ISA Server 2004 Enterprise Edition CD) for CD-ROM integrity check
@echo off
setlocal ENABLEDELAYEDEXPANSION
goto end
:usage
echo Usage:
echo %~nx0 x:
echo x: CD-ROM drive containing ISA Server 2004 EE CD (Volume Label: %ExpectedVL%)
echo Fciv.exe must be in the current directory or in the path.
echo You can download Fciv.exe from http://support.microsoft.com/default.aspx?scid=kb;en-us;841290
echo.
:end
endlocal
Figure 5.4 – Batch file (Service Pack 2 CD) for CD-ROM integrity check
@echo off
setlocal ENABLEDELAYEDEXPANSION
goto end
:usage
echo Usage:
echo %~nx0 x:
echo x: CD-ROM drive containing ISA Server 2004 EE CD (Volume Label: %ExpectedVL%)
echo Fciv.exe must be in the current directory or in the path.
echo You can download Fciv.exe from http://support.microsoft.com/default.aspx?scid=kb;en-us;841290
echo.
:end
endlocal
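Figures 5.3 and 5.4 show only the usage section of the certified batch files. The following batch file is an added example written for this addendum, not the certified script: it checks the volume label of the Service Pack 2 CD and compares the SHA-1 of the service pack package computed by fciv.exe against an expected value. The volume label and the SHA-1 are placeholders; the authoritative values are those shipped with the certified guidance and are not reproduced here.

```batch
@echo off
rem Added example (not the certified batch file of Figures 5.3/5.4): verify the
rem SP2 CD volume label and the SHA-1 of the service pack package with fciv.exe.
rem ExpectedVL and ExpectedSHA1 are PLACEHOLDERS to be replaced with the values
rem from the certified guidance.
setlocal
if "%~1"=="" goto :usage
set "DRIVE=%~d1"
set "ExpectedVL=PLACEHOLDER_VOLUME_LABEL"
set "ExpectedSHA1=0000000000000000000000000000000000000000"
set "PKG=%DRIVE%\ENU\ISA2004EE-KB903676-x86-ENU.msp"

rem 1. Volume label: "vol" prints "Volume in drive X is <label>"; take token 5
rem    ("is") as a sanity check and the rest of the line as the label.
set "VL="
for /f "tokens=5*" %%a in ('vol %DRIVE% 2^>nul') do if /i "%%a"=="is" set "VL=%%b"
if /i not "%VL%"=="%ExpectedVL%" (
    echo FAIL: volume label is "%VL%", expected "%ExpectedVL%".
    exit /b 1
)

rem 2. fciv prints comment lines starting with // followed by "<hash> <path>";
rem    drop the comment lines and keep the first token of the remaining line.
if not exist "%PKG%" (
    echo FAIL: %PKG% not found.
    exit /b 1
)
set "ACTUAL="
for /f "tokens=1" %%h in ('fciv.exe -sha1 "%PKG%" 2^>nul ^| find /v "//"') do set "ACTUAL=%%h"
if "%ACTUAL%"=="" (
    echo FAIL: fciv.exe produced no hash. Is it in the current directory or in the PATH?
    exit /b 1
)
if /i not "%ACTUAL%"=="%ExpectedSHA1%" (
    echo FAIL: SHA-1 mismatch for %PKG%
    echo       got      %ACTUAL%
    echo       expected %ExpectedSHA1%
    exit /b 1
)
echo PASS: volume label and SHA-1 of %PKG% match the expected values.
exit /b 0

:usage
echo Usage: %~nx0 x:
echo   x:  CD-ROM drive containing the ISA Server 2004 EE Service Pack 2 CD
echo Fciv.exe must be in the current directory or in the PATH; download from
echo http://support.microsoft.com/default.aspx?scid=kb;en-us;841290
exit /b 2
```

A non-zero exit code on any mismatch lets the check be chained into an installation script, so that SP2 is only installed from a medium whose label and package hash were verified.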
6.1 References
General Common Criteria Documents
[CC] Common Criteria for Information Technology Security Evaluation, version 2.1,
revision August 1999, Incorporated with interpretations as of 2003-12-31
Part 1: Introduction and general model, CCIMB-99-031,
Part 2: Security functional requirements, CCIMB-99-032,
Part 3: Security Assurance Requirements, CCIMB-99-033
[CEM] Common Methodology for Information Technology Security Evaluation, Part 1:
Introduction and general model, version 0.6, revision 11.01.1997,
Part 2: Evaluation Methodology, version 1.0, revision August 1999
Incorporated with interpretations as of 2003-12-31
ISA Server 2004 Administrator Guidance and Publicly Available Evaluation Developer Documents
[MSISA] Microsoft Internet Security and Acceleration Server 2004 Help – Enterprise
Edition, Microsoft Corp., Version 2004 Enterprise Edition
[ST] ISA Server 2004 Enterprise Edition Common Criteria Evaluation - Security
Target, Version 1.1, Final, 2006-05-11, Microsoft Corp.
[MSISAHARD] Security Hardening Guide - Microsoft Internet Security and Acceleration Server
2004, Microsoft Corp., Version 2006
[WINST] Microsoft Windows Server 2003 or Windows XP Security Target, Version 1.0,
2005-09-28, Microsoft Corporation
[WINVR] National Information Assurance Partnership, Common Criteria Evaluation and
Validation Scheme, Validation Report: Microsoft Windows Server 2003 and
Windows XP Workstation, Report Number CCEVS-VR-05-0131, Version 1.1, 2005-11-06
6.2 Acronyms
CC Common Criteria
EAL Evaluation Assurance Level
FCIV File Checksum Integrity Verifier
MSDN Microsoft Developer Network
PP Protection Profile
SF Security Function
SFP Security Function Policy
SSL Secure Sockets Layer
ST Security Target
TOE Target of Evaluation
6.3 Glossary
application filters Application filters can access the data stream or datagrams associated
with a session within the Microsoft Firewall service and work with some or
all application-level protocols.
authentication Authentication is "A positive identification, with a degree of certainty
sufficient for permitting certain rights or privileges to the person or thing
positively identified." In simpler terms, it is "The act of verifying the claimed
identity of an individual, station or originator" [Schou, Corey (1996).
Handbook of INFOSEC Terms, Version 2.0. CD-ROM (Idaho State
University & Information Systems Security Organization)].
Basic authentication Basic authentication is the standard authentication method for Hypertext
Transfer Protocol (HTTP). Although user information is encoded, no
encryption is used with Basic authentication.
feature pack A feature pack contains new product functionality that is distributed
outside the context of a product release, and usually is included in the
next full product release.
Firewall service log A firewall service log contains entries for connection establishments and
terminations.
identification Identification, according to a current compilation of information security
terms, is "the process that enables recognition of a user described to an
automated data processing system. This is generally by the use of unique
machine-readable names" [Schou, Corey (1996). Handbook of INFOSEC
Terms, Version 2.0. CD-ROM (Idaho State University & Information
Systems Security Organization)].
ISA Server In this document, ISA Server refers to Microsoft Internet Security and
Acceleration Server 2004.