Lab 7 - Common Criteria
Due: Wednesday at 5:00pm
Last week's topic in class was trusted operating systems and evaluation
standards.
For lab this week, we will look at what one has to do to modify a commercial
operating system to meet minimum evaluation criteria as defined by the
Common Criteria standard. A list of currently certified operating systems and
what level they have been certified at can be found
here.
Systems that have been certified do not always meet the specified security
target and protection profile "out of the box". Most have been highly
customized to achieve their certification. To replicate the certified systems,
one has to perform a series of configuration changes to increase the assurance
one has in certain features of the system. For example, we might increase the
assurance that the audit trail keeps an accurate record of events by setting
certain configuration options for the audit system.
For most operating systems that have been certified, a checklist of all the
configuration changes needed to obtain that certification is published. In
this lab, we will look at a
few of those checklists to see what one has to do to secure an operating
system "after the fact" rather than using a trusted OS.
Browse through the configuration guides for the following operating systems:
- Microsoft Windows 2000
  - This is the main page for Windows 2000's evaluation under the Common
    Criteria certification method. The Security Configuration Guide
    contains the checklist of all changes needed to Windows 2000 to get it to the
    level of assurance for the Common Criteria evaluation level listed on the
    website.
- Microsoft Windows XP and Windows Server 2003
  - This is the main page for these two Microsoft operating systems, also under
    the Common Criteria method. There are several configuration guides depending
    on which flavor of XP or 2003 you need to configure. Choose one flavor (such
    as XP Professional or 2003 with x64 hardware) and browse through its
    configuration guide. Note that these configuration guides are all zip files,
    so save to disk and unzip to read.
  - In case you are wondering, Vista has completed the certification
    process but there is no "official" checklist yet. And Windows 7 has not
    completed the process.
- Solaris 10
  - Solaris has also been evaluated under Common Criteria. This website has a
    list of the various versions of Solaris 9 and 10 that have been certified.
    Browse Chapter 3 of Solaris 10 11/06 Security Release Notes
    to see the configuration changes (beyond applying the patch set mentioned on
    the webpage) needed.
- Mac OS X
  - Again, Mac OS X has been evaluated under the Common Criteria method. Browse the
    Common Criteria Configuration and Administration Guide.
Lab Writeup
For your writeup, give your overall impression of the ease (or lack thereof) of
securing each system for its Common Criteria evaluation level. What do you
see as the biggest issue when implementing the configuration changes listed
in the documents? Do you think it would be more difficult (or less difficult)
to instead use a trusted operating system?
Your writeup should be 2-3 paragraphs of thoughts on these matters.