4
1.2
C2/CC Security Compliancy Overview
This document also describes network and server system modification steps required for
Administrators to meet C2 / CC v2.1(ISO/ IEC15408) security requirements. C2 security
requirements are based upon the US Department of Defense (DoD) “Trusted Computer System
Evaluation Criteria” security paper, a.k.a. the “Orange book”, at
http://www.fas.org/irp/nsa/rainbow/tg003.htm
. The Common Criteria (CC) v2.1) security
requirements are updated version requirements of the C2 security requirements. CC security
requirements listed below are based upon the National Information Assurance Partnership (NIAP)
Common Criteria Evaluation and Validation Scheme (CCEVS) secuirty documents located at
http://www.niap.nist.gov/cc-scheme/defining-ccevs.html
. The CC modification steps described below
within Chapter 3, “C2 / CC Security Compliancy”, should achieve an NIAP Evaluation Assurance
Level (EAL) 4 augmented with ALC_FLR.3 and a TOE minimum function strength of SOF-medium.
1.3
E3/F-C2 Security Compliancy Overview
This document also depicts the modification steps necessary for Administrators to meet E3/F-C2
security requirements. All E3/F-C2 system modifications within this document are based upon the
Information Technology Evaluation Manual (ITSEM) at
http://www.boran.com/security/itsem.html
to meet
Information Technology Security Evaluation Criteria (ITSEC) security requirements within the United
Kingdom, Germany, France, and the Netherlands.
2
NSA Security Compliancy
This section provides detail steps in modifying the NAS system and other systems within the network
to meet NSA security compliancy based on Microsoft’s “Windows Server 2003 Security Guide:
Patterns and Practices”.
Not all network environments are the same. As such, NSA security requirements vary depending
upon the network environment. These network infrastructures have been separated into 3 category
levels:
Legacy Client
The Legacy Client level is specific to environments with legacy clients which includes Microsoft
Windows® 98, Microsoft Windows NT® version 4.0 Workstation, Window 2000 Professional, and
Windows XP Professional workstations. Since Windows NT 4.0 domain controllers do have certain
required NSA security feature sets, this environment can only contain Windows 2000 or later domain
controllers. Although there are no Windows NT 4.0 domain controllers in this environment, Windows
NT member servers may exist. This environment is the lowest NSA lockdown level. Customers are
recommended to start at this level first to meet minimal NSA security requirements and increase
security level modifications as they see fit to meet their company security requirements.
Enterprise Client
This business environment includes clients running Windows 2000 Professional and Windows XP
Professional. All domain controllers and member servers in this environment are Windows 2000
Server or later.