
Microsoft Internet Security and Acceleration Server

ISA Server 2004 Enterprise Edition Common Criteria Evaluation
Guidance Documentation Addendum
Internet Security and Acceleration Server Team

Author: Microsoft Corp.

Status: Final
Version: 1.5
Revision: 1
Last Saved: 2007-02-09
File Name: MS_ISAEE_ADD_1.5.doc

Abstract
This document describes the Guidance Documentation Addendum of ISA Server 2004
Enterprise Edition Common Criteria Certification that is the basis for the ISA Server 2004
Enterprise Edition Common Criteria evaluation.

Keywords
CC, ISA, Common Criteria, Firewall, Guidance Documentation Addendum
Guidance Documentation Addendum Page 2/30

Table of Contents
Page
1 INTRODUCTION TO USER'S GUIDE OR ADMINISTRATOR'S GUIDE .......................5
1.1 Overview ..................................................................................................................5
1.2 Security Functions and Associated Chapters ..........................................................7
1.3 Warnings About Functions and Privileges ...............................................................8
1.4 Installation of the Evaluated ISA Server 2004 Enterprise Edition ............................8
2 SECURITY FUNCTIONS ..............................................................................................13
2.1 SF1 - Web Identification and Authentication ..........................................................13
2.2 SF2 - Information Flow Control ..............................................................................15
2.3 SF3 - Audit .............................................................................................................16
2.4 Administration-Related Interfaces ..........................................................................16
2.5 TOE User Interfaces ..............................................................................................17
3 OPERATING ENVIRONMENT .....................................................................................18
3.1 Assumptions...........................................................................................................18
3.2 Organizational Security Policies.............................................................................19
3.3 Secure Usage Assumptions - IT Security Requirements for the IT Environment ..19
3.4 Security Objectives for the Environment ................................................................20
3.5 Requirements for the Operational Environment.....................................................20
4 SECURITY-RELEVANT EVENTS ................................................................................22
5 TOE INTEGRITY...........................................................................................................23
5.1 Integrity of the CD-ROM Content ...........................................................................23
5.2 Integrity of the Package .........................................................................................27
5.3 Version Number for the TOE..................................................................................27
6 REFERENCES AND GLOSSARY ................................................................................28
6.1 References.............................................................................................................28
6.2 Acronyms ...............................................................................................................28
6.3 Glossary .................................................................................................................29

List of Tables
Page

Table 1.1 – Security functions and associated chapters ........................................................7


Table 1.2 – Warnings about functions and privileges.............................................................8
Table 3.1 – Assumptions for the IT environment and intended usage .................................18
Table 3.2 – Security policies addressed by the TOE............................................................19
Table 3.3 – TOE functional security requirements for the environment ...............................19
Table 3.4 – Security objectives for the environment.............................................................20
Table 4.1 – Security-relevant events ....................................................................................22

List of Figures
Page

Figure 5.1 – Integrity check I (successful) ............................................................................24


Figure 5.2 – Integrity check II (missing FCIV tool)................................................................24
Figure 5.3 – Batch file (ISA Server 2004 Enterprise Edition CD) for CD-ROM integrity check ....25
Figure 5.4 – Batch file (Service Pack 2 CD) for CD-ROM integrity check ............................26
Figure 5.5 – ISA Server 2004 Enterprise Edition (CD-ROM) ...............................................27
Figure 5.6 – Version number of ISA Server 2004 Enterprise Edition ...................................27

1 Introduction to User's Guide or Administrator's Guide


This document is required by Common Criteria for the Microsoft® Internet Security and
Acceleration (ISA) Server 2004 Enterprise Edition evaluation. The document contains the
User's Guide [1] and the Administrator's Guide [2]. It should be used by any administrator who
wants to ensure that the deployed ISA Server 2004 Enterprise Edition is the evaluated
version (see [ST]).

1.1 Overview
The ISA Server 2004 Enterprise Edition manual [MSISA] consists of the following chapters:
• Introducing ISA Server
• Installation and Upgrade
• Administration and Security
• Networking
• Firewall Policy
• Clients
• Virtual Private Networking
• Caching
• Monitoring
• Add-ins
• Deployment Scenarios
• Additional Resources
This document extends the manual by adding the following chapters:
• Security Functions
• Operating Environment
• Security-Relevant Events
• Target of evaluation (TOE) Integrity
• Reference and Glossary
These chapters provide the required information for the ISA Server 2004 Enterprise Edition
common criteria evaluation.

[1] Note: In the Common Criteria wording used here, an administrator is the person who installs, configures,
and administers the target of evaluation (TOE), and a user is the person who sends data through the firewall
(uses internal or external network resources where access is intercepted by the firewall).
[2] Because of the nature of a firewall product (filtering is a transparent process for the user), the manuals
provided are for administration purposes only.

The evaluated Guidance Documentation is valid for ISA Server 2004 Enterprise Edition. Its
software version is ISA Server 2004 Enterprise Edition Service Pack 2 (SP2) (version
4.0.3443.594). The evaluated configuration is ISA Server 2004 Enterprise Edition.

1.2 Security Functions and Associated Chapters


The relevant chapters of the security functionality are summarized in the following table.
Table 1.1 – Security functions and associated chapters

Security function (see [ST]): SF1 – Web Identification and Authentication
Relevant chapters [MSISA]:
• [MSISA] Firewall Policy > Firewall Policy: Concepts > Authentication > Authentication methods for Web requests > Basic authentication
• [MSISA] Firewall Policy > Firewall Policy: Concepts > Toolbox > Web listeners > Web listeners overview, Section: Authentication
• [MSISA] Firewall Policy > Firewall Policy: Concepts > Authentication > Authentication methods for Web requests > RADIUS authentication

Security function (see [ST]): SF2 – Information Flow Control
Relevant chapters [MSISA]:
Access Rules:
• [MSISA] Firewall Policy > Firewall Policy: Concepts > Firewall Policy Rules > Access Rules
Server Publishing Rules:
• [MSISA] Firewall Policy > Firewall Policy: Concepts > Firewall Policy Rules > Server publishing rules
Mail Server Publishing Rules:
• [MSISA] Firewall Policy > Firewall Policy: Concepts > Firewall Policy Rules > Mail Server publishing rules
Web Publishing Rules:
• [MSISA] Firewall Policy > Firewall Policy: Concepts > Firewall Policy Rules > Web publishing rules
• [MSISA] Firewall Policy > Firewall Policy: Concepts > Firewall Policy Rules > Secure Web publishing rules
• [MSISA] Firewall Policy > Firewall Policy: Concepts > Firewall Policy Rules > Outlook Web Access Server publishing
System Policy:
• [MSISA] Firewall Policy > Firewall Policy: Concepts > System policy
Application Filter:
• [MSISA] Add-ins > Add-ins: Concepts > Application Filters > RPC filter
• [MSISA] Add-ins > Add-ins: Concepts > Application Filters > SMTP filtering > SMTP filter
• [MSISA] Add-ins > Add-ins: Concepts > Application Filters > FTP access filter
Web Application Filter:
• [MSISA] Add-ins > Add-ins: Concepts > Web Filters > HTTP filter
• [MSISA] Add-ins > Add-ins: Concepts > Web Filters > Authentication filters > OWA forms-based authentication Web filter
• [MSISA] Add-ins > Add-ins: Concepts > Web Filters > Authentication filters > RADIUS authentication Web filter

Security function (see [ST]): SF3 – Audit
Relevant chapters [MSISA]:
• [MSISA] Monitoring > Monitoring: Concepts > Logs > Log storage format > Section: MSDE 2000 database
• [MSISA] Monitoring > Monitoring: Concepts > Logs > Log Viewer
• [MSISA] Monitoring > Monitoring: Concepts > Logs > Microsoft Firewall service log fields
• [MSISA] Monitoring > Monitoring: Concepts > Logs > Web proxy log fields

1.3 Warnings About Functions and Privileges


The administrator guidance contains warnings about functions and privileges that should be
controlled in a secure processing environment. These are listed in the following table.
Table 1.2 – Warnings about functions and privileges

Aspect: Overview
Relevant chapters: [MSISA] Administration and Security > Administration and Security: Concepts > Administrative roles

Aspect: Manual
Relevant chapters: [MSISA] Administration and Security > Administration and Security: How To > Assign Administrative roles

Aspect: Warnings
Relevant chapters: Each chapter identifies and describes the warnings, the assumptions and the security
parameters related to that SF when necessary. The identification and description are
made in a complete and consistent way.
Examples of chapters that contain additional hints:
Important (marked with a blue sign)
• [MSISA] Firewall Policy > Firewall Policy: Concepts > Authentication > Authentication methods for Web requests > Basic authentication
Caution (marked with a red flag)
• [MSISA] Firewall Policy > Firewall Policy: Concepts > Authentication > Authentication methods for Web requests
Warning (marked with a yellow sign)
• [MSISA] Caching > Caching: Concepts > Content download jobs (Note: This is not a security function according to the Security Target, but it gives an example of a warning.)
• [MSISA_ADD] Chapter 2 "Security Functions"

1.4 Installation of the Evaluated ISA Server 2004 Enterprise Edition


Before you install ISA Server 2004 Enterprise Edition SP2 (Version 4.0.3443.594), ensure
that the underlying operating system is Microsoft Windows Server® 2003, Standard Edition
(English) Service Pack 1 (SP1) including MS05-042 (KB899587), MS05-039 (KB899588),
MS05-027 (KB896422), and update KB907865. Also, ensure that no additional software
products have been installed on this computer.
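The prerequisites above (operating system edition and service pack, the four listed hotfixes, and no additional software) are easy to check mechanically before the installation starts. The following script is an added example and is not part of the evaluated guidance or of the ISA Server product; it assumes Windows PowerShell is available on the candidate host and that it runs with administrative rights. The list of display-name fragments treated as Windows components (rather than "additional software") is an assumption and should be reviewed for the site.

```powershell
# Added example; not part of the evaluated guidance or the ISA Server product.
# Verifies the stated prerequisites on the candidate host before ISA Server 2004 EE
# SP2 is installed. Assumes Windows PowerShell is present and administrative rights.

# Hotfixes the guidance requires on Windows Server 2003 Standard Edition SP1
$RequiredHotfixes = 'KB899587', 'KB899588', 'KB896422', 'KB907865'

# Display-name fragments treated as part of Windows rather than "additional software".
# This allow-list is an assumption, not something the guidance states.
$WindowsComponents = 'Windows', 'Hotfix', 'Security Update', 'Update for'

function Test-IsaPrerequisites {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # 1. Operating system: Windows Server 2003 Standard Edition with Service Pack 1.
    #    The WMI caption reads "Microsoft(R) Windows(R) Server 2003, Standard Edition".
    $osMatches = ($os.Caption -match 'Server 2003') -and
                 ($os.Caption -match 'Standard') -and
                 ($os.ServicePackMajorVersion -eq 1)

    # 2. Required hotfixes, taken from the installed-QFE inventory
    $installed = Get-WmiObject -Class Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID }
    $missing   = @($RequiredHotfixes | Where-Object { $installed -notcontains $_ })

    # 3. Additional software: uninstall entries whose name is not a Windows component
    $uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    $extra = @(Get-ChildItem $uninstallKey |
        ForEach-Object { (Get-ItemProperty $_.PSPath).DisplayName } |
        Where-Object {
            $name = $_
            $name -and -not ($WindowsComponents | Where-Object { $name -like "*$_*" })
        })

    New-Object PSObject -Property @{
        OperatingSystem    = $os.Caption
        OsMatches          = $osMatches
        MissingHotfixes    = $missing
        AdditionalSoftware = $extra
        Ready              = $osMatches -and ($missing.Count -eq 0) -and ($extra.Count -eq 0)
    }
}

Test-IsaPrerequisites | Format-List
```

Treat a `Ready` value of `False` as a stop condition: installing on a host that lacks one of the listed hotfixes or carries extra software products means the resulting system is not the evaluated configuration, whatever the ISA Server version installed on top of it.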

ISA Server 2004 Enterprise Edition is composed of the following components:


• ISA Server Management. The console through which the administrator manages
the enterprise.
• Configuration Storage server. The repository of the enterprise layout and the
configuration for each server in the enterprise. This repository is an instance of
Active Directory® Application Mode (ADAM). Each ISA Server computer has a local
copy of its configuration that is a replica of the server’s configuration, which is
located on the Configuration Storage server.
• ISA Server services. This is the computer that runs the firewall, virtual private
network (VPN), and caching functions of ISA Server. The computer running ISA
Server services is connected to a Configuration Storage server, which stores the
configuration information.
• Additional components. Additional components (Advanced Logging, Firewall
Client Share, and Message Screener) can be installed on separate computers. Note
that the Advanced Logging component can only be installed on a computer running
ISA Server services.
Warnings
To install the evaluated version, the administrator must install ISA Server Management and
the Configuration Storage server (file \ISAAutorun.exe). The following pictures show the
step-by-step installation process for ISA Server 2004 Enterprise Edition.

[Installation screenshots (not reproduced): Startup screen; License Agreement; User name and product key; Installation options; No additional components (default); New ISA Server enterprise (default); Installation note; Specify internal networks (example); Do not allow non-encrypted Firewall clients (default); Service warning; Start of installation process; Completion of installation process]

After installation of ISA Server, the administrator must install Service Pack 2, which is
delivered separately on an additional CD-ROM (file \ENU\ISA2004EE-KB903676-x86-ENU.msp).

[Service Pack 2 installation screenshots (not reproduced): Start of installation process; License Agreement; Completion of installation process; Pop-up note]

2 Security Functions
This chapter identifies all the security functions available to the administrator. The security
functions are derived from the ISA Server 2004 Enterprise Edition security functions
described in the ISA Server 2004 Enterprise Edition Security Target (ST).
For administration, ISA Server 2004 Enterprise Edition includes graphical taskpads and
wizards. These simplify navigation and configuration for common tasks. These features are
embedded in the Microsoft Management Console and do not belong to the TOE. They are
provided by the environment.
The underlying operating system is the certified Windows Server 2003, Standard Edition
(English) SP1 including MS05-042 (KB899587), MS05-039 (KB899588), MS05-027
(KB896422), and update KB907865. (The same installation has been used for Windows
Server 2003 Common Criteria EAL 4+ evaluation; Validation Report Number CCEVS-VR-
05-0131, [WINST] and [WINVR], and referenced as Windows Server 2003 in this
document.)

Warnings
• The administrator must ensure that ISA Server 2004 Enterprise Edition is installed
and used with Windows Server 2003. More details can be found in the Security
Target of ISA Server 2004 Enterprise Edition [ST].
• The administrator has to observe the Security Bulletins to ensure that all possible
countermeasures are applied.
• The administrator should check http://www.microsoft.com/security/ regularly for the
latest ISA Server 2004 Enterprise Edition service packs and hotfixes.
• The administrator should only use programs that are required to administer and
operate the firewall. The administrator should not install additional software which
may compromise the security of the TOE or the underlying operating system.

2.1 SF1 - Web Identification and Authentication


The TOE can be configured in a way that only particular users are allowed to access the
networks through the TOE using Basic authentication.
Basic authentication is the standard method of authentication for Hypertext Transfer
Protocol (HTTP) transmissions for incoming and outgoing requests. Basic authentication
sends and receives user information in plaintext. No encryption is used with Basic
authentication.
Secure Sockets Layer (SSL) encryption has to be used to secure the transferred user
identification and authentication credentials, so these credentials cannot be monitored
during transmission to the TOE. To secure the transferred user credentials, ensure that
strong SSL encryption (at least 128 bit) is enforced.

The TOE has been evaluated using Basic authentication with SSL encryption for incoming
HTTP connections. The TOE verifies if the user credentials comply with data stored in the
local user database or a remote authentication server using Remote Authentication Dial-In
User Service (RADIUS).
Warnings
There is a change in the default behavior when SP2 is installed on ISA Server 2004:

When you try to connect to a Web site that is published by using ISA Server 2004 SP2, you
receive an error message. If the ISA Server Web listener has Basic authentication enabled,
you receive the following error message:

Error Code: 403 Forbidden.

The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact
the server administrator. (12211)

If the ISA Server Web listener has RADIUS authentication or Microsoft Outlook® Web
Access forms-based authentication (Cookie-auth) enabled, you receive the following error
message:

Error Code: 500 Internal Server Error.

An internal error occurred. (1359)

This issue occurs if all the following conditions are true:


• The ISA Server 2004 Web listener has any one of the following authentication
methods enabled:
o Basic
o RADIUS
o Outlook Web Access forms-based
• The ISA Server 2004 Web listener is configured to listen for HTTP traffic.
• The Require all users to authenticate check box is selected for the Web listener or
the Web publishing rules apply to a user set other than the default All Users user
set.
• You connect to the published Web site by using HTTP instead of by using HTTPS.
This issue occurs because of a security modification that is included in ISA Server 2004
SP2. When you use HTTP-to-HTTP bridging, ISA Server 2004 SP2 does not enable traffic
on the external HTTP port if the Web listener is configured to request one or more of the
following kinds of credentials:

• Basic
• RADIUS
• Outlook Web Access forms-based

This behavior occurs because these kinds of credentials should be encrypted. These
credentials should not be sent in plaintext over HTTP.
For ISA Server 2004 versions that are earlier than ISA Server 2004 SP2, you are prompted
to enter credentials in plaintext. This behavior may cause the credentials to be transmitted
over the network in plaintext if you have not implemented some other form of network
security, such as an external Secure Sockets Layer (SSL) accelerator or an encrypted
tunnel. ISA Server does not provide these forms of security.
ISA Server 2004 SP2 prevents you from entering credentials in plaintext. When you try to
do this, you receive an error message.

Warnings
• When using Basic authentication, the user name and password are sent in plaintext
(base-64 encoded). Basic authentication for Web requests must be secured using
an SSL channel, so user identification and authentication credentials are encrypted
during transmission. Use strong SSL encryption with at least 128 bit.
• When using Basic authentication, depending on the application in the IT environment,
an application could cache the password. The user must therefore ensure that the
environment is locked when it is unattended.
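The SP2 behaviour described above is a decision over four conditions (credential-requesting authentication method, HTTP listener, authentication demanded by listener or rule, plain-HTTP client), and the warning that Basic credentials are only base-64 encoded is the reason for it. The following script is an added example, not ISA Server code and not part of the evaluated guidance: it models that decision on a constructed listener description and decodes a constructed `Authorization: Basic` header to show that base-64 is not encryption. Which message ISA Server shows when several credential methods are enabled at once is not stated in the addendum; giving Basic precedence is an assumption of this example.

```powershell
# Added example; not ISA Server code and not part of the evaluated guidance.
# Models the SP2 rule: a Web listener that requests Basic, RADIUS or OWA
# forms-based credentials refuses plain-HTTP requests with the status quoted above.
# The listener is a constructed hashtable, not ISA Server's configuration object.

function Test-ListenerRequest {
    param(
        [hashtable]$Listener,   # keys: AuthMethods, ListensOnHttp, RequireAllUsersAuth, RuleUserSet
        [string]$Scheme         # scheme the client used: 'http' or 'https'
    )
    $credentialMethods = 'Basic', 'RADIUS', 'OWAForms'
    $requestsCredentials = @($Listener.AuthMethods | Where-Object { $credentialMethods -contains $_ }).Count -gt 0
    # Authentication is demanded either by the listener itself ("Require all users
    # to authenticate") or by a rule scoped to a user set other than "All Users".
    $authRequired = $Listener.RequireAllUsersAuth -or ($Listener.RuleUserSet -ne 'All Users')

    if ($requestsCredentials -and $Listener.ListensOnHttp -and $authRequired -and ($Scheme -eq 'http')) {
        # Precedence of Basic over RADIUS/OWA when both are enabled is an assumption.
        if ($Listener.AuthMethods -contains 'Basic') {
            return '403 Forbidden: The page must be viewed over a secure channel (SSL). (12211)'
        }
        return '500 Internal Server Error: An internal error occurred. (1359)'
    }
    return 'Request forwarded to the published server'
}

# Why the rule exists: a Basic Authorization header is only base-64 encoded,
# so anyone who can read the HTTP stream can read the password.
function ConvertFrom-BasicAuthHeader {
    param([string]$HeaderValue)
    $encoded = $HeaderValue -replace '^Basic\s+', ''
    [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($encoded))
}

# Constructed listener: Basic authentication, HTTP port, all users must authenticate
$listener = @{
    AuthMethods         = @('Basic')
    ListensOnHttp       = $true
    RequireAllUsersAuth = $true
    RuleUserSet         = 'All Users'
}
Test-ListenerRequest -Listener $listener -Scheme 'http'
Test-ListenerRequest -Listener $listener -Scheme 'https'
ConvertFrom-BasicAuthHeader 'Basic dXNlcjpzZWNyZXQ='   # constructed header for "user:secret"
```

The same listener answers the HTTPS request normally, which is the configuration the TOE was evaluated in: Basic authentication only behind an SSL Web listener with at least 128-bit encryption.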

2.2 SF2 - Information Flow Control


The TOE combines several security mechanisms to enforce the security policies at different
network layers: a rule base for incoming and outgoing requests, Web and application filters,
and system security configuration options.
The TOE controls the flow of incoming and outgoing packets and controls information flow
on protocol level. This control has to be active before any information can be transmitted
through the TOE. Information flow control is subdivided into firewall policy rules that consist
of access rules, server publishing rules, mail server publishing rules, Web publishing rules,
system policy, Web application filters, and application filters.
Warning
The following Windows Server 2003 vulnerabilities require that the administrator, on
computers without the corresponding updates, does not publish certain ports from the local
host to the external interface or ensures that a certain configuration has been applied:
• MS06-018 requires blocking the following ports to the local host at the firewall:
- All unsolicited inbound traffic on ports greater than 1024
- Any other specifically configured RPC port
These ports can be used to initiate a connection with the Microsoft Distributed
Transaction Coordinator. Blocking them at the firewall (to the local host) protects the
operating system from exploitation of this vulnerability. Also, make sure that you block any
other specifically configured RPC port on the local host. While RPC can use UDP
ports 135, 137, 138, 445, and TCP ports 135, 139, 445, and 593, the Microsoft
Distributed Transaction Coordinator service is not vulnerable over those ports.
• MS06-032 requires disabling IP source routing:
Disabling IP source routing prevents an affected host from processing IP source-routed
packets that could allow an attacker to execute code. IP source routing
processing can be disabled by the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\

Add the DWORD value DisableIPSourceRouting and set it to 2. This value
disables IP source routing processing. By default, this value does not exist.
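The MS06-032 registry setting above can be applied and verified idempotently rather than edited by hand. The following script is an added example (not part of the evaluated guidance): it creates the `DisableIPSourceRouting` DWORD with value 2 if the value is absent, sets it if it exists with another value, and then reads it back. It assumes it runs on the ISA Server host with administrative rights; the TCP/IP parameters are read at stack start-up, so the assumption here is that a restart follows the change. The MS06-018 port blocking is firewall policy and is not covered by this script.

```powershell
# Added example; not part of the evaluated guidance. Applies and verifies the
# MS06-032 mitigation described above. Run on the ISA Server host as administrator.

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ValueName   = 'DisableIPSourceRouting'
$Required    = 2   # 2 = drop all incoming source-routed packets

function Get-IpSourceRoutingSetting {
    # Returns $null when the value does not exist (the Windows default state)
    $item = Get-ItemProperty -Path $TcpipParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$ValueName
}

function Set-IpSourceRoutingDisabled {
    $current = Get-IpSourceRoutingSetting
    if ($current -eq $Required) { return }          # already compliant, nothing to do
    if ($current -eq $null) {
        # Value absent: create it as a DWORD, as the guidance instructs
        New-ItemProperty -Path $TcpipParams -Name $ValueName -PropertyType DWord -Value $Required | Out-Null
    } else {
        # Value present with a weaker setting (0 or 1): raise it to 2
        Set-ItemProperty -Path $TcpipParams -Name $ValueName -Value $Required
    }
}

Set-IpSourceRoutingDisabled
$after = Get-IpSourceRoutingSetting
if ($after -ne $Required) { throw "$ValueName is $after, expected $Required" }
"$ValueName = $after (restart the server so the TCP/IP stack reads the new value)"
```

If the value already exists but with a type other than REG_DWORD, `Set-ItemProperty` keeps the existing type; in that case delete the value and re-run the script so it is recreated as a DWORD.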

2.3 SF3 - Audit


The TOE stores logging information in different log files:
• Firewall service log
The Firewall log contains records of packets that were dropped at the packet filter
level. It is possible to turn on logging for packets that were permitted to traverse the
firewall. Access rules can be configured selectively to create or not to create a log
file entry when a packet has been blocked or permitted.
• Web proxy service log
The Web Proxy log stores one line per HTTP request that it receives. Each request
(incoming and outgoing) is always logged.
• Windows application event log
The Windows application event log stores important system events and failures.

Warning
• It must be ensured that there is always enough free disk space. Choosing the right
resource and the right parameters for logging is mandatory. Creating logs that are
too large or creating too many files can lead to problems. Nevertheless, it is possible
to create an alert that moves or deletes old or unneeded log files.
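The warning above is about keeping the audit trail writable: a full log volume means lost audit records. The following script is an added example (not part of the evaluated guidance or the product) that reports the free space on the log volume and how many log files are older than a retention period, so the administrator can judge whether the configured log size and retention are adequate. The default file-log directory (`%ProgramFiles%\Microsoft ISA Server\ISALogs`), the `ISALOG_*.w3c` file-name pattern and both thresholds are assumptions of this example, not values stated in the addendum; the script only reports and does not delete anything.

```powershell
# Added example; not part of the evaluated guidance or the ISA Server product.
# Reports free space on the log volume and the age of ISA log files. Log directory,
# file-name pattern and thresholds are assumptions, not values from the guidance.

function Get-IsaLogVolumeStatus {
    param(
        [string]$LogDir = (Join-Path $env:ProgramFiles 'Microsoft ISA Server\ISALogs'),
        [int]$MinFreeGB = 5,       # site-specific threshold (assumption)
        [int]$RetainDays = 30      # site-specific retention period (assumption)
    )
    if (-not (Test-Path $LogDir)) { throw "Log directory not found: $LogDir" }

    # Free space on the volume that holds the log directory
    $drive  = (Get-Item $LogDir).PSDrive.Name
    $disk   = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='${drive}:'"
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 2)

    # Log files, and those older than the retention period
    $logs   = @(Get-ChildItem -Path $LogDir -Filter 'ISALOG_*.w3c')
    $cutoff = (Get-Date).AddDays(-$RetainDays)
    $old    = @($logs | Where-Object { $_.LastWriteTime -lt $cutoff })
    $sumMB  = [math]::Round((($logs | Measure-Object -Property Length -Sum).Sum) / 1MB, 1)

    New-Object PSObject -Property @{
        LogDirectory       = $LogDir
        FreeGB             = $freeGB
        BelowMinimumFree   = ($freeGB -lt $MinFreeGB)
        LogFiles           = $logs.Count
        TotalLogMB         = $sumMB
        OlderThanRetention = $old.Count
        OldestLogFile      = ($logs | Sort-Object LastWriteTime | Select-Object -First 1).Name
    }
}

Get-IsaLogVolumeStatus | Format-List
```

`BelowMinimumFree` of `True`, or a growing `OlderThanRetention` count, indicates that the log-size or alert settings in [MSISA] Monitoring need to be revisited before the volume fills up.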

2.4 Administration-Related Interfaces


The administrator interacts with the TOE via a Microsoft Management Console snap-in.
(The Microsoft Management Console is provided by the IT environment.) The application
interacts with the local registry and local file system of the operating system (Windows
Server 2003) and finally with the TOE.

EXIF_MMC is the only external interface for administration. It is not used directly; the
Microsoft Management Console uses this interface to provide the log viewer. The log viewer
component uses EXIF_MMC to communicate with the Microsoft Management Console.
There are two additional interfaces, which are used indirectly for administration.
Configuration data is read using EXIF_REG or EXIF_STORE from the local registry or the
file system. The TOE reads the configuration using the same interfaces from the registry or
the file system, so registry and/or file system changes may change the configuration of the
TOE.
Warning
By default, policy changes are applied within a time frame of 15 seconds since the relevant
configuration data has to be polled from ADAM.

2.5 TOE User Interfaces


There are no user-related manuals provided. (Due to the nature of a firewall product, the
filtering process is transparent to the user.)
EXIF_NET is the only external interface available to the user. To protect communication
between networks, the TOE has an interface to the network layer of the operating system.
Traffic from one network to another network is always passed through the TOE using this
interface. All network traffic generated by users has to pass this interface.

3 Operating Environment
The security environment of the Evaluated Configuration of ISA Server 2004 Enterprise
Edition is described in the ISA Server 2004 Enterprise Edition Security Target [ST] and
identifies the threats to be countered by ISA Server 2004 Enterprise Edition, the
organizational security policies, and the usage assumptions as they relate to ISA Server
2004 Enterprise Edition. The administrator should ensure that the environment meets the
organizational policies and assumptions. They are repeated in the section that follows from
the Security Target.
To use the TOE in the evaluated configuration, the underlying environment must be the
Windows Server 2003 operating system.

3.1 Assumptions
Table 3.1 lists the TOE Secure Usage Assumptions for the IT environment and intended
usage.
Table 3.1 – Assumptions for the IT environment and intended usage
1. A.DIRECT: The TOE is available to authorized administrators only. A person who has physical access to the TOE and can log on to the operating system is assumed to act as an authorized TOE administrator.
2. A.GENPUR: The TOE stores and executes security-relevant applications only. It stores only data required for its secure operation. Nevertheless, the underlying operating system may provide additional applications required for administrating the TOE or the operating system.
3. A.NOEVIL: Authorized administrators are non-hostile and follow all administrator guidance.
4. A.ENV: The environment implements the following functionality: local identification and authentication of user credentials used for Web publishing (see A.WEBI&A for RADIUS identification and authentication; in case of a successful authentication, the TOE analyses the returned value and allows or denies the access to network resources depending on that value), reliable time stamp (log file audit), file protection (for log file access protection, registry protection, and ADAM protection), cryptographic support (for SSL encryption), administration access control, reliable ADAM implementation, Network Load Balancing (disabled by default).
5. A.PHYSEC: The TOE is physically secure. Only an authorized person has physical access to the system that hosts the TOE.
6. A.SECINST: Required certificates and user identities are installed using a confidential path.
7. A.SINGEN: Information cannot flow among the internal and external networks unless it passes through the TOE.
8. A.WEBI&A: User credentials are verified by a RADIUS server. The RADIUS server returns a value indicating whether a valid account exists or not. Web Identification & Authentication with a RADIUS server requires that the RADIUS server is placed on the internal network, so that data (user credentials and return values) transferred to and from the RADIUS server is secured by the TOE from external entities.
9. A.SSL: All Web publishing rules that support Basic authentication have to be configured by the administrator so that strong encryption for SSL is enforced (at least 128 bit encryption).

3.2 Organizational Security Policies


Security policies to be fulfilled by the TOE are defined in Table 3.2.
Table 3.2 – Security policies addressed by the TOE
# Policy name Description
1 P.AUDACC: Persons must be accountable for the actions that they conduct. Therefore,
audit records must contain sufficient information to prevent an attacker from escaping
detection.

3.3 Secure Usage Assumptions - IT Security Requirements for the IT Environment

This chapter defines the TOE security functional requirements for the IT environment.
Further information about the Security Functional Requirements can be found in [ST].

Table 3.3 – TOE security functional requirements for the environment

Identification & Authentication
1 FIA_ATD.1 – User attribute definition
2 FIA_UID.2 – User identification before any action
3 FIA_UAU.2 – User authentication before any action
4 FCS_COP.1 – Cryptographic operation
Information Flow Control
5 FMT_MSA.1 (1) – Management of security attributes (1) – UNAUTHENTICATED SFP
6 FMT_MSA.1 (2) – Management of security attributes (2) – UNAUTHENTICATED_APPL SFP
7 FMT_MSA.1 (3) – Management of security attributes (3) – AUTHENTICATED SFP
Audit
8 FPT_STM.1 – Reliable time stamps
9 FAU_SAR.2 – Restricted audit review
10 FAU_STG.1 – Protected audit trail storage
Security Management
11 FMT_SMR.1 – Security roles

3.4 Security Objectives for the Environment


Table 3.4 lists security objectives for the environment (covers objectives for the IT
environment and non-IT environment).
Table 3.4 – Security objectives for the environment
# Objective Name Objective Description
1 OE.DIRECT The TOE should be available to authorized administrators only.
2 OE.GENPUR The environment should store and execute security-relevant applications
only and should store only data required for its secure operation.
3 OE.NOEVIL Authorized administrators should be non-hostile and should follow all
administrator guidance.
4 OE.ENV The environment should implement the following functionality:
Local identification and authentication of user credentials used for Web
publishing (see OE.WEBI&A for RADIUS identification and authentication; in
case of a successful authentication, the TOE analyses the returned value
and allows or denies the access to network resources depending on that
value), reliable time stamp (log file audit), file protection (for log file access
protection, registry protection, and ADAM protection), cryptographic support
(for SSL encryption), administration access control, reliable ADAM
implementation, Network Load Balancing (disabled by default).
5 OE.PHYSEC The system which hosts the TOE should be physically secure.
6 OE.SECINST The required user identities (used for user authentication) and required SSL
certificates for server authentication (HTTPS encryption) should be stored
using a confidential path. That means that created certificates and user
passwords should not be available to unauthorized persons (OE.DIRECT
ensures that unauthorized persons cannot get this information by accessing
the TOE).
7 OE.SINGEN Information should not flow among the internal and external networks unless
it passes through the TOE. Thereby the TOE administrator has to guarantee
an adequate integration of the TOE into the environment.
8 OE.WEBI&A The RADIUS server should verify provided user credentials and return if a
valid account exists or not.
Data (user credentials and return values) between TOE and the RADIUS
server should be transferred inside the TOE secured environment, which
means that the RADIUS server should be placed on the internal network for
Web Identification & Authentication.
9 OE.SSL All Web publishing rules that support Basic authentication should be
configured by the administrator so that strong encryption for SSL is
enforced (at least 128 bit encryption).

3.5 Requirements for the Operational Environment


The operational environment is a certified Windows Server 2003 Standard Edition (English)
SP1 including MS05-042 (KB899587), MS05-039 (KB899588), MS05-027 (KB896422), and
patch KB907865 (the same installation that has been used for the Windows Server 2003 Common
Criteria EAL 4+ Evaluation; Validation Report Number CCEVS-VR-05-0131, [WINST] and
[WINVR]).
The update number listed on the security bulletin corresponds to the Microsoft Knowledge
Base (KB) article ID number. The Microsoft Knowledge Base is a database of technical
articles about Microsoft products and technologies. These articles range from "how to"
articles describing how to complete a specific task to "bug" articles documenting known
issues with Microsoft products.
When you scan your computer for available updates, through the Windows Update Web
site, the Windows Update Web site displays a number along with the title of the update, for
example, "Update for Windows Media Player 9 Series (KB837272)." This KB number is
included in the security bulletin to help identify the corresponding KB article in the Microsoft
Knowledge Base.
The previously mentioned configuration for the operational environment has been used as
an underlying operating system for evaluation.
Further directives on security best practices are given in [MSISA] > Administration and
Security > Administration and Security Concepts > Security best practices.
Because the computer on which ISA Server 2004 is running is often the primary interface to
the External network, we recommend that this computer be secured. The Security Best
Practices document [MSISAHARD] (footnote 3), "ISA Server 2004 Security Hardening Guide,"
available on the ISA Server Web site, details how to secure the ISA Server 2004 Enterprise
Edition computer and is updated periodically with new information.
Warning
The administrator should check http://www.microsoft.com/security/ regularly for the latest
Windows Server 2003 hotfixes.

3 Available online: http://go.microsoft.com/fwlink/?LinkID=24507

4 Security-Relevant Events
This section describes all types of security-relevant events and the administrator action
(if any) to take to maintain security. Security-relevant events that may occur during
operation of ISA Server 2004 Enterprise Edition must be adequately defined to allow
administrator intervention to maintain secure operation. Security-relevant events are defined
as events that signify a security-related change in the system or environment. These
changes can be grouped as routine or abnormal. The routine events are already addressed
in section 2, Security Functions.

Table 4.1 – Security-relevant events

Security function: Web Identification and Authentication
Security-relevant events:
• Configure Basic authentication.
• Enable strong SSL encryption (at least 128 bit) for HTTPS.
• A user lacks the permission needed to access the Internet.
• A user is leaving the company, so his or her rights have to be withdrawn.
Relevant chapters:
• [MSISA] Firewall Policy > Firewall Policy: Concepts > Authentication > Authentication methods for Web requests > Basic authentication
• [MSISA] Firewall Policy > Firewall Policy: Concepts > Toolbox > Web listeners > Web listeners overview, Section: Authentication
• [MSISA] Firewall Policy > Firewall Policy: Concepts > Authentication > Authentication methods for Web requests > RADIUS authentication
• To enable strong SSL encryption, open the corresponding Web publishing rule > Traffic and select Require 128-bit encryption for HTTP traffic.
• [MSISA] Monitoring > Monitoring: Concepts > Logs > Log storage format > Section: MSDE 2000 database

Security function: Information Flow Control
Security-relevant events:
• An alert occurs, so the administrator has to monitor the alert.
• The administrator has to report some events.
Relevant chapters:
• [MSISA] Monitoring > Monitoring: Concepts > Alerts
• [MSISA] Monitoring > Monitoring: How To > Configure Alerting

Security function: Audit
Security-relevant event:
• Log file overflow. If the ISA Server computer runs out of disk space, the administrator has to configure the maximum number of log files.
Relevant chapter:
• [MSISA] Monitoring > Monitoring: How To > Configure logging > Configure logging to an MSDE database


5 TOE Integrity
This chapter describes how the administrator can verify that the evaluated version of the
TOE is used.

5.1 Integrity of the CD-ROM Content


Customers can check the CD content by using the publicly available Microsoft File
Checksum Integrity Verifier (FCIV) tool (footnote 4).
This tool uses SHA-1 hash values to verify the integrity of the:
• ISA Server 2004 Enterprise Edition (on CD)
• ISA 2004 Enterprise Edition Service Pack 2 (on CD)
• ISA 2004 Enterprise Edition Service Pack 2 (Web download)
The corresponding hash files are available from the Microsoft corporate Web site, together
with a batch file that runs the tool and a Readme file that explains its usage for users who
do not have access to this document. The hash file contains SHA-1 values for each of the
relevant files that must be verified and can be downloaded over a secured channel from the
ISA Server 2004 Common Criteria Web page:
http://go.microsoft.com/fwlink/?linkid=49507
FCIV is a command-prompt utility that computes and verifies cryptographic hash values
of files (MD5 and SHA-1 hash values are supported). The tool is run by the supplied batch
file. To run the batch file, the user opens a Command Prompt window and changes to the
folder into which the validation files were downloaded. The user then types the following
(the exact file name depends on which CD or file the user wants to verify):
integritycheck.cmd X:
where X: is the local CD-ROM drive that contains the ISA Server 2004 Enterprise Edition
CD or the ISA Server 2004 SP2 CD. To verify Service Pack 2 (downloaded from the Web), the
batch file must be copied into the same folder as SP2.
Figure 5.1 shows a successful verification of the TOE. Figure 5.2 shows the error message
that appears when the FCIV tool is missing.

4 Installation instructions and download link on the following Web page:
http://support.microsoft.com/default.aspx?scid=kb;en-us;841290

Figure 5.1 – Integrity check I (successful)

Figure 5.2 – Integrity check II (missing FCIV tool)



Figure 5.3 – Batch file (ISA Server 2004 Enterprise Edition CD) for CD-ROM integrity check
@echo off
setlocal ENABLEDELAYEDEXPANSION

if "%1"=="" goto usage

set DriveLetter=%1
set ExpectedVL=ISA2K4SELE_EN
set ExpectedDirs=150
set ExpectedFiles=661
set Dirs=
set Files=
set MisCount=

REM Verify that fciv.exe exists in the path
fciv -? >NUL
if NOT [%errorlevel%]==[0] goto usage

REM Verify there is a valid CD in the drive
vol %1 > NUL
if NOT [%errorlevel%]==[0] goto usage

REM Check Volume ID (sixth space-delimited token of the "Volume in drive X is LABEL" line)
for /f "usebackq tokens=6 delims= " %%V in (`vol %1 `) do set VolumeID=%%V&echo.
if NOT %VolumeID%==%ExpectedVL% (
echo The volume label of the CD in drive %1 is %VolumeID%
echo This integrity check can identify only original CDs with Volume Label: %ExpectedVL%
echo Please insert the CD with volume label %ExpectedVL%. Then try again.
echo.
goto end
)

@REM *** Count directories and Files (totals taken from the summary lines of "dir /s")
for /F "usebackq tokens=1 delims= " %%J in (`dir /s /A:D %DriveLetter% ^| findstr /c:"Dir(s)"`) do (set Dirs=%%J)
for /F "usebackq tokens=1 delims= " %%J in (`dir /s /A-D %DriveLetter% ^| findstr /c:"File(s)"`) do (set Files=%%J)

if NOT [%Dirs%]==[%ExpectedDirs%] Set MisCount=Yes&echo *** The CD in %1 contains %Dirs% directories instead of %ExpectedDirs% ***
if NOT [%Files%]==[%ExpectedFiles%] Set MisCount=Yes&echo *** The CD in %1 contains %Files% files instead of %ExpectedFiles% ***
if [%MisCount%]==[Yes] goto end

echo The verification process may take several minutes...
echo The files on the CD are being scanned to validate their integrity
echo ......
echo.

@REM *** Run the integrity check: recursively verify every file on the CD against the SHA-1 hash database
fciv -v %1\ -r -sha1 -bp %1\ -xml %ExpectedVL%.xml > integritycheck.log
findstr /c:"All files verified successfully" integritycheck.log
if NOT [%errorlevel%]==[0] (
echo The integrity check could not validate all the files on the CD
echo The integrity check log file is saved in the current directory...
pause
notepad integritycheck.log
echo.
goto end
) else (
echo.
echo The CD in drive %1 is an authentic ISA Server 2004 Enterprise Edition - English Microsoft Licensing CD
echo.
del integritycheck.log
)

goto end

:usage
echo Usage:
echo %~nx0 x:
echo x: CD-ROM drive containing ISA Server 2004 EE CD (Volume Label: %ExpectedVL%)
echo Fciv.exe must be in the current directory or in the path.
echo You can download Fciv.exe from http://support.microsoft.com/default.aspx?scid=kb;en-us;841290
echo.

:end
endlocal


Figure 5.4 – Batch file (Service Pack 2 CD) for CD-ROM integrity check
@echo off
setlocal ENABLEDELAYEDEXPANSION

if "%1"=="" goto usage

set DriveLetter=%1
set ExpectedVL=ISA2004-SP2-CD
REM ExpectedDirs/ExpectedFiles are not used by this script; only the service pack file is verified
set ExpectedDirs=150
set ExpectedFiles=661
set Dirs=
set Files=
set MisCount=

REM Verify that fciv.exe exists in the path
fciv -? >NUL
if NOT [%errorlevel%]==[0] goto usage

REM Verify there is a valid CD in the drive
vol %1 > NUL
if NOT [%errorlevel%]==[0] goto usage

REM Check Volume ID (sixth space-delimited token of the "Volume in drive X is LABEL" line)
for /f "usebackq tokens=6 delims= " %%V in (`vol %1 `) do set VolumeID=%%V&echo.
if NOT %VolumeID%==%ExpectedVL% (
echo The volume label of the CD in drive %1 is %VolumeID%
echo This integrity check can identify only original CDs with Volume Label: %ExpectedVL%
echo Please insert the CD with volume label %ExpectedVL%. Then try again.
echo.
goto end
)

echo The verification process may take several minutes...
echo The files on the CD are being scanned to validate their integrity
echo ......
echo.

@REM *** Run the integrity check: verify the SP2 installer file against the SHA-1 hash database
fciv -v %1\ENU\ISA2004EE-KB903676-x86-ENU.msp -sha1 -bp %1\ -xml %ExpectedVL%.xml > integritycheck.log
findstr /c:"All files verified successfully" integritycheck.log
if NOT [%errorlevel%]==[0] (
echo The integrity check could not validate all the files on the CD
echo The integrity check log file is saved in the current directory...
pause
notepad integritycheck.log
echo.
goto end
) else (
echo.
echo The CD in drive %1 contains an authentic ISA Server 2004 Enterprise Edition SP2 - English Version
echo.
del integritycheck.log
)

goto end

:usage
echo Usage:
echo %~nx0 x:
echo x: CD-ROM drive containing ISA Server 2004 EE CD (Volume Label: %ExpectedVL%)
echo Fciv.exe must be in the current directory or in the path.
echo You can download Fciv.exe from http://support.microsoft.com/default.aspx?scid=kb;en-us;841290
echo.

:end
endlocal

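The checks the two batch files above perform (expected directory and file counts, then per-file SHA-1 verification against a hash database) as a platform-independent Python script. This is an added example, not Microsoft's FCIV tool or the batch file published for the evaluation; the XML layout it reads (FCIV/FILE_ENTRY elements carrying a name and a base64-encoded SHA1) is assumed to follow the FCIV database format, and the two-file tree it verifies is constructed in a temporary directory.

```python
import base64, hashlib, os, tempfile, xml.etree.ElementTree as ET


def b64_sha1(data):
    """Base64 of the SHA-1 digest; FCIV stores digests base64-encoded (assumed here)."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def sha1_b64(path):
    with open(path, "rb") as f:
        return b64_sha1(f.read())


def load_db(xml_text):
    """Parse FCIV-style XML (FCIV/FILE_ENTRY with name and SHA1) into {relpath: digest}."""
    root = ET.fromstring(xml_text)
    return {e.findtext("name"): e.findtext("SHA1") for e in root.iter("FILE_ENTRY")}


def verify_tree(root, db, expected_dirs, expected_files):
    """Return the problems found; an empty list is the batch file's 'all files verified' case.
    Like the batch file it checks directory/file counts and then every file's SHA-1."""
    problems, dirs, seen = [], 0, set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirs += len(dirnames)
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "\\")  # FCIV-style paths
            seen.add(rel)
            if rel not in db:
                problems.append("unexpected file: " + rel)
            elif sha1_b64(full) != db[rel]:
                problems.append("hash mismatch: " + rel)
    if (dirs, len(seen)) != (expected_dirs, expected_files):
        problems.insert(0, f"count mismatch: {dirs} dirs, {len(seen)} files")
    problems += ["missing file: " + rel for rel in sorted(set(db) - seen)]
    return problems


def demo():
    """Constructed sample tree: verified clean, then re-verified after one file is changed."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "ENU"))
        files = {"autorun.inf": b"[autorun]\n", "ENU\\sample.msp": b"constructed payload"}
        local = lambda rel: os.path.join(root, *rel.split("\\"))
        for rel, data in files.items():
            with open(local(rel), "wb") as f:
                f.write(data)
        # The hash database a vendor would publish, built here from the clean tree.
        entries = "".join(f"<FILE_ENTRY><name>{r}</name><SHA1>{sha1_b64(local(r))}</SHA1></FILE_ENTRY>" for r in files)
        db = load_db(f"<FCIV>{entries}</FCIV>")
        clean = verify_tree(root, db, 1, 2)
        with open(local("ENU\\sample.msp"), "ab") as f:
            f.write(b"!")  # simulate a modified installer file
        return clean, verify_tree(root, db, 1, 2)
```

demo() returns an empty problem list for the untouched tree and a single "hash mismatch" entry once the sample installer has been altered, which is the condition under which the batch file refuses to report the CD as authentic.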

5.2 Integrity of the Package

Because ISA Server 2004 Enterprise Edition is available as a volume license product (see Figure
5.5), there is no certificate of authenticity (COA) label on the box as there is for ISA Server
2004 Standard Edition. The end user should check the integrity as described in chapter 5.1 for
ISA Server 2004 Enterprise Edition and for ISA Server 2004 Enterprise Edition Service
Pack 2.
Figure 5.5 – ISA Server 2004 Enterprise Edition (CD-ROM)

5.3 Version Number for the TOE

The method to examine the ISA Server version number is included in the Microsoft
Management Console. The user can identify the version of the TOE in the Help menu
(Help > About ISA Server 2004; see Figure 5.6). The version number presented in the
Microsoft Management Console is 4.0.3443.594. That version corresponds to the evaluated
version named in the ST ISA Server 2004 Enterprise Edition.
Figure 5.6 – Version number of ISA Server 2004 Enterprise Edition


6 References and Glossary

This section provides references and a glossary.

6.1 References
General Common Criteria Documents
[CC] Common Criteria for Information Technology Security Evaluation, version 2.1,
revision August 1999, incorporated with interpretations as of 2003-12-31:
Part 1: Introduction and general model, CCIMB-99-031;
Part 2: Security functional requirements, CCIMB-99-032;
Part 3: Security assurance requirements, CCIMB-99-033
[CEM] Common Methodology for Information Technology Security Evaluation:
Part 1: Introduction and general model, version 0.6, revision 11.01.1997;
Part 2: Evaluation Methodology, version 1.0, revision August 1999,
incorporated with interpretations as of 2003-12-31

General Microsoft Developer Documents
[MSDN] Microsoft Developer Network, http://msdn.microsoft.com/, Microsoft Corp.
[MSDNDVD] Microsoft Developer Network, DVD Version, January 2006, Microsoft Corp.

ISA Server 2004 Administrator Guidance and Publicly Available Evaluation Developer Documents
[MSISA] Microsoft Internet Security and Acceleration Server 2004 Help – Enterprise
Edition, Version 2004 Enterprise Edition, Microsoft Corp.
[ST] ISA Server 2004 Enterprise Edition Common Criteria Evaluation - Security
Target, Version 1.1, Final, 2006-05-11, Microsoft Corp.
[MSISAHARD] Security Hardening Guide - Microsoft Internet Security and Acceleration Server
2004, Version 2006, Microsoft Corp.
[WINST] Microsoft Windows Server 2003 or Windows XP Security Target, Version 1.0,
28.09.2005, Microsoft Corp.
[WINVR] National Information Assurance Partnership, Common Criteria Evaluation and
Validation Scheme, Validation Report: Microsoft Windows Server 2003 and
Windows XP Workstation, Report Number CCEVS-VR-05-0131, Version 1.1,
November 6, 2005


6.2 Acronyms
CC Common Criteria
EAL Evaluation Assurance Level
FCIV File Checksum Integrity Verifier
MSDN Microsoft Developer Network
PP Protection Profile
SF Security Function
SFP Security Function Policy
SSL Secure Sockets Layer
ST Security Target
TOE Target of Evaluation

6.3 Glossary
application filters Application filters can access the data stream or datagrams associated
with a session within the Microsoft Firewall service and work with some or
all application-level protocols.
authentication Authentication is "A positive identification, with a degree of certainty
sufficient for permitting certain rights or privileges to the person or thing
positively identified." In simpler terms, it is "The act of verifying the claimed
identity of an individual, station or originator" [Schou, Corey (1996).
Handbook of INFOSEC Terms, Version 2.0. CD-ROM (Idaho State
University & Information Systems Security Organization)].
Basic authentication Basic authentication is the standard authentication method for Hypertext
Transfer Protocol (HTTP). Although user information is encoded, no
encryption is used with Basic authentication.
feature pack A feature pack contains new product functionality that is distributed
outside the context of a product release, and usually is included in the
next full product release.
Firewall service log A firewall service log contains entries with connection establishments and
terminations.
identification Identification, according to a current compilation of information security
terms, is "the process that enables recognition of a user described to an
automated data processing system. This is generally by the use of unique
machine-readable names" [Schou, Corey (1996). Handbook of INFOSEC
Terms, Version 2.0. CD-ROM (Idaho State University & Information
Systems Security Organization)].
ISA Server In this document, ISA Server refers to Microsoft Internet Security and
Acceleration Server 2004.
Microsoft Management The Microsoft Management Console is a configuration management tool
Console supplied with Windows that can be extended with snap-ins.
NTLM NTLM is an authentication scheme used by Microsoft browsers, proxies,
and servers (Microsoft Internet Explorer®, Internet Information Services,
and others). This scheme is also sometimes referred to as the Windows
NT Challenge/Response authentication scheme or Integrated Windows
authentication.
packet filter log file A packet filter log file contains records of packets that were dropped or
allowed.
port number A port number identifies a certain Internet application with a specific
connection.
publishing rules Using publishing rules, you can publish virtually any computer on an
internal network to the Internet (see Web publishing and server
publishing).
Secure Sockets Layer SSL is a protocol that supplies secure data communication through data
(SSL) encryption and decryption. SSL enables communications privacy over networks.
server publishing Server publishing allows virtually any computer on an internal network to
publish to the Internet.
service pack A service pack contains a cumulative set of all hotfixes, security updates,
critical updates, and updates created, together with fixes for defects found by
Microsoft, since the release of the product. Service packs may also contain
a limited number of customer-requested design changes or features.
World Wide Web W3C develops interoperable technologies (specifications, guidelines,
Consortium (W3C) software, and tools) concerning Web technology (http://www.w3c.org).
Web publishing Web publishing publishes Web content to the Internet.
