SQL Server Common Criteria Certifications

Microsoft is committed to ensuring the highest levels of security in the development and use of our products. Part of that commitment is the independent third-party evaluation of our products, using the Common Criteria as a proven and accepted process to ensure compliance with Common Evaluation Methodologies.

This page identifies the versions of SQL Server that have been certified by the Common Criteria (CC, ISO 15408) and contains links to the Security Target, which lists the security and assurance claims certified by the evaluation, Books-On-Line, CC Guidance addendum, required Start-Up scripts, and to a set of test files for each version.

An Introduction to the Common Criteria

Governments and commercial users of DBMS products need to understand the security functionalities, and the quality of those functionalities, that they purchase and use. Third-party evaluation is the preferred method of security verification. In the past, each nation required its own evaluation, an expensive proposition for vendors and customers alike. Sharing an evaluation between four nations, as the European ITSEC did, was an improvement on the time and costs of evaluation. But the real solution was the Common Criteria, where an evaluation under its strict conditions is currently formally recognized by twenty-four nations under an international agreement (the Common Criteria Mutual Recognition Arrangement or CCRA), and by dozens more countries and many commercial users beyond the agreement.

The Common Criteria is more than just the concise definitions of security functionalities and assurance requirements. It is also a precise evaluation process defined in the Common Evaluation Methodology document. In addition, it is a formal and approved evaluation scheme for each nation performing CC evaluations. And it is a government certification based on government working with a private evaluation lab certified in that country.

Another important aspect of the CC is that it recognizes Protection Profiles (PP). A PP, strictly defined in the CC documentation, is a set of security functionality requirements and assurance requirements. The original concept of PPs is that large customers or customer groups, governments and industries for example, would develop a specific set of security and assurance requirements, often the minimum requirements of the customer or group. This allows those customer groups to use a defined set of functionalities and assurance measures, the Common Criteria, when considering and determining their organizational IT needs, and then allows them to formally define their security requirements with globally understood definitions. This is occurring with government and more slowly with industries. These PPs allow vendors to clearly understand these requirements and to develop products that meet and exceed them.

SQL Server 2005 SP1 Enterprise Edition (32-Bit)

This page contains important information and processes for understanding and using SQL Server 2005 SP1 Common Criteria (CC) version as evaluated and certified according to the Common Criteria and ISO 15408.

The CC Evaluations of Microsoft SQL Server 2005

This is the first of two CC evaluations of SQL Server 2005, for SP1 and SP2 respectively. Both efforts evaluate the security capabilities of SQL Server 2005 as described in the respective Security Targets. One major difference between the two evaluations is the levels of assurance (the EALs) and the time it takes to complete these evaluations. The other difference is that the later evaluation (for SP2) will provide a few added capabilities and will then comply with the recently developed and published NSA DBMS PP V1.1.

This evaluation, SQL Server 2005 SP1 at EAL1, will provide third-party independent evaluation of the major security features of the DBMS in a timeframe requested by Microsoft’s customers. It will not affect the evaluation of SP2 at EAL4+.

The Certifying Body, CC Certificate, and Evaluation Lab

SQL Server 2005 SP1 has been successfully evaluated using the Security Target referenced below at EAL1 by the Bundesamt für Sicherheit in der Informationstechnik (BSI).

Downloads for CC SQL Server 2005 SP1

The following resources provide guidance on the proper installation and operation of SQL Server 2005 SP1 CC version:

  • The Security Target document describes the security functionalities and assurance measures used to evaluate SQL Server 2005 SP1 and to which the product complies.
  • Books-On-Line (BOL) provides the basic documentation for SQL Server 2005 SP1 and is augmented by the CC Guidance document to represent the CC version.
  • CC Guidance Addendum document provides guidance information to be used with and modifies the Books-On-Line documentation specifically for the operation and use of the Common Criteria version. It also contains instructions for installing SQL Server 2005 SP1 such that it is properly configured as the CC version.
  • Start-up Script can be run to install the trace process as required by the CC version.

SQL Server 2005 SP2 Enterprise Edition (32-Bit)

This page contains important information and processes for understanding and using SQL Server 2005 SP2 Common Criteria (CC) version as evaluated and certified according to the Common Criteria and ISO 15408.

The CC Evaluations of Microsoft SQL Server 2005

This evaluation, SQL Server 2005 SP2 at EAL1, will provide third-party independent evaluation of the major security features of the DBMS in a timeframe requested by Microsoft’s customers. It will not affect the evaluation of SP2 at EAL4+.

The Certifying Body, CC Certificate, and Evaluation Lab

SQL Server 2005 SP2 has been successfully evaluated using the Security Target referenced below at EAL1 by the Bundesamt für Sicherheit in der Informationstechnik (BSI). BSI is the certifying body of the German government.

Important Download Instructions

Please perform the following steps in order to ensure the integrity of your downloads from this site:

  1. Download the FCIV Tool. The SHA-1 value of this download is 99fb35d97a5ee0df703f0cdd02f2d787d6741f65 (hex) and shall be verified before executing the download. This can be done using any tool capable of calculating SHA-1 values.
  2. Download the CC Guidance Addendum to the directory where FCIV has been extracted.
  3. Check the integrity of the CC Guidance Addendum using MS_SQL_AGD_ADD_1.2.pdf -shfciv sql2005_sp2_eal4_hashes.zip -sha1 and verify that the result is 0be74f149b741acf54ed6f6117813cec6c0abbcb ms_sql_agd_add_1.3.pdf.
  4. Follow the CC Guidance Addendum for further installation and configuration of the TOE (Target of Evaluation, for details see “Security Target”).

Downloads for CC SQL Server 2005 SP2

The following resources provide guidance on the proper installation and operation of SQL Server 2005 SP2 CC version.

  • The Security Target document describes the security functionalities and assurance measures used to evaluate SQL Server 2005 SP2 and to which the product complies.
  • Books-On-Line (BOL) provides the basic documentation for SQL Server 2005 SP2 and is augmented by the CC Guidance document to represent the CC version.
  • CC Guidance Addendum document provides guidance information to be used with and modifies the Books-On-Line documentation specifically for the operation and use of the Common Criteria version. It also contains instructions for installing SQL Server 2005 SP2 such that it is properly configured as the CC version.
  • Integrity Check Validation Data
  • Verification Scripts
  • Permissions Hierarchy
  • Start-Up Process

SQL Server 2008 Enterprise Edition (x64 and x86)

This page contains important information and processes for understanding and using SQL Server 2008 Common Criteria (CC) version as evaluated and certified according to the Common Criteria and ISO 15408.

The CC Evaluations of Microsoft SQL Server 2008

This is the first CC evaluation of SQL Server 2008. It evaluated the comprehensive set of security capabilities of SQL Server 2008 as described in the Security Target. To provide a timely formal evaluation as requested by Microsoft customers, this evaluation was performed at the basic Evaluation Assurance Level augmented (EAL1+) by a complete Security Target.

The Certifying Body, CC Certificate, and Evaluation Lab

SQL Server 2008 has been successfully evaluated using the Security Target referenced below at EAL1+ by the Bundesamt für Sicherheit in der Informationstechnik (BSI). BSI is the certifying body of the German government.

Important Download Instructions

Please perform the following steps in order to ensure the integrity of your downloads from this site:

  1. Download the FCIV Tool. The SHA-1 value of this download is 99fb35d97a5ee0df703f0cdd02f2d787d6741f65 (hex) and shall be verified before executing the download. This can be done using any tool capable of calculating SHA-1 values.
  2. Download the Integrity Check Validation Data and CC Guidance Addendum to the directory where FCIV has been extracted.
  3. Open a command prompt and change to the directory where FCIV has been extracted.
  4. Check the integrity of the CC Guidance Addendum using FCIV MS_SQL_AGD_IGS_1.5.pdf -sha1 and verify that the result is b03ddbe475bd1971a16cd17ad50c96647ce6097c ms_sql_agd_igs_1.5.pdf.

Downloads for CC SQL Server 2008

The following resources provide guidance on the proper installation and operation of SQL Server 2008 CC version.

  • The Security Target document describes the security functionalities and assurance measures used to evaluate SQL Server 2008 and to which the product complies.
  • Books-On-Line (BOL) provides the basic documentation for SQL Server 2008 and is augmented by the CC Guidance document to represent the CC version.
  • CC Guidance Addendum document provides guidance information to be used with and modifies the Books-On-Line documentation specifically for the operation and use of the Common Criteria version. It also contains instructions for installing SQL Server 2008 such that it is properly configured as the CC version.
  • Integrity Check Validation Data
  • Verification Scripts
  • Permissions Hierarchy
  • Start-Up Process

SQL Server 2008 SP2 Enterprise Edition (x64 and x86)

This page contains important information and processes for understanding and using SQL Server 2008 SP2 CC Version (10.0.4000.0) as evaluated and certified according to the Common Criteria and ISO 15408.

The Certifying Body, CC Certificate, and Evaluation Lab

SQL Server 2008 SP2 has been successfully evaluated using the Security Target referenced below at EAL4+ by the Bundesamt für Sicherheit in der Informationstechnik (BSI). BSI is the certifying body of the German government.

Important Download Instructions

Please perform the following steps in order to ensure the integrity of your downloads from this site:

  1. Download the FCIV Tool. The SHA-1 value of this download is 99fb35d97a5ee0df703f0cdd02f2d787d6741f65 (hex) and shall be verified before executing the download. This can be done using any tool capable of calculating SHA-1 values.
  2. Download the Integrity Check Validation Data and the CC Guidance Addendum to the directory where FCIV has been extracted.
  3. Open a command prompt and change to the directory where FCIV has been extracted.
  4. Check the integrity of the CC Guidance Addendum using FCIV MS_SQL_AGD_ADD_1.42.pdf -sha1 and verify that the result is a3f5e1f8d5ba0c2442174d0afd5d4a99555b032c ms_sql_agd_add_1.42.pdf.

Downloads for CC SQL Server 2008 SP2

The following resources provide guidance on the proper installation and operation of SQL Server 2008 SP2 CC version.

  • The Security Target document describes the security functionalities and assurance measures used to evaluate SQL Server 2008 SP2 and to which the product complies.
  • CC Guidance Addendum document provides guidance information to be used with and modifies the Books-On-Line documentation specifically for the operation and use of the Common Criteria version. It also contains instructions for installing SQL Server 2008 SP2 such that it is properly configured as the CC version.
  • Integrity Check Validation Data
  • Verification Scripts
  • Permissions Hierarchy
  • Start-Up Process

SQL Server 2008 R2 SP1 Enterprise and Datacenter Edition (x64)

This page contains important information and processes for understanding and using SQL Server 2008 R2 SP1 CC Version (10.50.2500.0) as evaluated and certified according to the Common Criteria and ISO 15408.

The Certifying Body, CC Certificate, and Evaluation Lab

SQL Server 2008 R2 SP1 has been successfully evaluated using the Security Target referenced below at EAL4+ by the Bundesamt für Sicherheit in der Informationstechnik (BSI). BSI is the certifying body of the German government.

Important Download Instructions

Please perform the following steps in order to ensure the integrity of your downloads from this site:

  1. Download the FCIV Tool. The SHA-1 value of this download is 99fb35d97a5ee0df703f0cdd02f2d787d6741f65 (hex) and shall be verified before executing the download. This can be done using any tool capable of calculating SHA-1 values.
  2. Download the Integrity Check Validation Data and the CC Guidance Addendum to the directory where FCIV has been extracted.
  3. Open a command prompt and change to the directory where FCIV has been extracted.
  4. Check the integrity of the CC Guidance Addendum using FCIV MS_SQL_AGD_ADD_1.05.pdf -sha1 and verify that the result is ff4974f5e6c8fd303dc8dee7067e9a03eb6e465f ms_sql_agd_add_1.05.pdf.

Downloads for CC SQL Server 2008 R2 SP1

The following resources provide guidance on the proper installation and operation of SQL Server 2008 R2 SP1 CC version.

  • The Security Target document describes the security functionalities and assurance measures used to evaluate SQL Server 2008 R2 SP1 and to which the product complies.
  • CC Guidance Addendum document provides guidance information to be used with and modifies the Books-On-Line documentation specifically for the operation and use of the Common Criteria version. It also contains instructions for installing SQL Server 2008 R2 SP1 such that it is properly configured as the CC version.
  • Integrity Check Validation Data
  • Verification Scripts
  • Permissions Hierarchy
  • Start-Up Process

SQL Server 2012 Enterprise Edition (x64)

This document and its links contain important information and processes for understanding and using SQL Server 2012 CC Version (11.0.2100.60) as evaluated and certified according to the Common Criteria (CC).

The Certifying Body, CC Certificate, and Evaluation Lab

SQL Server 2012 has been successfully evaluated using the Security Target referenced below at EAL2 by the Information-technology Promotion Agency (IPA). IPA is the certifying body of the Japanese government.

Important Download Instructions

Please perform the following steps in order to ensure the integrity of your downloads from this site:

  1. Download the FCIV Tool. The SHA-1 value of this download is 99fb35d97a5ee0df703f0cdd02f2d787d6741f65 (hex) and shall be verified before executing the download. This can be done using any tool capable of calculating SHA-1 values.
  2. Download the CC Guidance Addendum to the directory where FCIV has been extracted.
  3. Open a command prompt and change to the directory where FCIV has been extracted.
  4. Check the integrity of the CC Guidance Addendum using FCIV MS_SQL_AGD_ADD_1.2.pdf -sha1 and verify that the result is 8f0c2ed9cb6ae127b7e972c04c260769f861932d ms_sql_agd_add_1.2.pdf.
  5. Follow the CC Guidance Addendum for further installation and configuration of the TOE (Target of Evaluation, for details see “Security Target”).

Downloads for CC SQL Server 2012

This web site provides links for downloads of documents and processes necessary for the proper installation and operation of SQL Server 2012 CC version based on SQL Server 2012. A short description of each follows:

  • Security Target - This document describes the security functionalities and assurance measures used to evaluate SQL Server 2012 and to which the product complies.
  • CC Guidance Addendum - This document provides guidance information to be used with and modifies the Books Online documentation specifically for the operation and use of the Common Criteria version.
  • Books Online Documentation Package - This file contains the product documentation and guidance.
  • Check Validation Data - This file contains hash values in the form of XML files and a cmd-file that can be used to verify the integrity of the product as described in the Guidance Addendum.
  • Permissions Hierarchy - This file contains the complete hierarchy of permissions within SQL Server Database Engine.

Microsoft's Commitment to CC Certification

Microsoft is committed to security in the development of our products, security with and provided by these products, and security in the use of these products. Part of that commitment is the independent third-party evaluation of our products, with the Common Criteria as a proven and accepted process to ensure appropriate and necessary security. Microsoft is committed to using the Common Criteria, to making the CC better, and to security, evaluation, and assurance beyond the CC.

Recent Microsoft Common Criteria Evaluations
  • Microsoft SQL Server 2008 R2 SP1
  • Microsoft SQL Server 2008 SP2
  • Microsoft SQL Server 2008
  • Microsoft SQL Server 2005 SP2
  • Microsoft SQL Server 2005 SP1
  • Exchange Server 2007 SP2
  • Exchange Server 2010
  • Exchange Server 2010 SP1
  • Forefront Identity Manager 2010
  • Forefront Threat Management Gateway 2010
  • Forefront Unified Access Gateway 2010
  • Microsoft Internet Security and Acceleration Server 2006
  • Microsoft SDK for Open XML Formats V1.0
  • Windows Mobile 5.0
  • Windows Mobile 6.0
  • Windows Mobile 6.1
  • Windows Mobile System Center Mobile Device Manager 2008
  • Windows Mobile 6.5
  • Windows Server 2003
  • Windows Vista/Windows Server 2008
  • Windows Server 2008 Hyper-V Role
  • Windows 7/Windows Server 2008 R2
  • Microsoft Windows Server 2008 R2 Hyper-V

SQL Server 2012 SP1 Enterprise Edition (x64)

This document and its links contain important information and processes for understanding and using SQL Server 2012 SP1 CC Version (11.0.3000.0) as evaluated and certified according to the Common Criteria (CC).

The CC Evaluations of Microsoft SQL Server 2012

This is the second CC evaluation of SQL Server 2012. It evaluated the comprehensive set of security capabilities of SQL Server 2012 as described in the Security Target. To provide a timely formal evaluation as requested by Microsoft customers, the first evaluation was performed at the medium Evaluation Assurance Level (EAL2) by a complete Security Target while the second evaluation was performed at Evaluation Assurance Level 4 augmented by ALC_FLR.2 (EAL4+).

The Certifying Body, CC Certificate, and Evaluation Lab

SQL Server 2012 SP1 has been successfully evaluated using the Security Target referenced below at EAL4+ by the Bundesamt für Sicherheit in der Informationstechnik (BSI). BSI is the certifying body of the German government.

Important Download Instructions

Please perform the following steps in order to ensure the integrity of your downloads from this site:

  1. Download the FCIV Tool. The SHA-1 value of this download is 99fb35d97a5ee0df703f0cdd02f2d787d6741f65 (hex) and shall be verified before executing the download. This can be done using any tool capable of calculating SHA-1 values.
  2. Download the CC Guidance Addendum to the directory where FCIV has been extracted.
  3. Open a command prompt and change to the directory where FCIV has been extracted.
  4. Check the integrity of the CC Guidance Addendum using FCIV MS_SQL_AGD_ADD_1.2.pdf -sha1 and verify that the result is 8f0c2ed9cb6ae127b7e972c04c260769f861932d ms_sql_agd_add_1.2.pdf.
  5. Follow the CC Guidance Addendum for further installation and configuration of the TOE (Target of Evaluation, for details see “Security Target”).
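
The hash check in the download steps above can also be scripted with PowerShell's built-in Get-FileHash instead of FCIV, since the steps allow any tool capable of calculating SHA-1 values. This is an added example, not Microsoft's code; the function name Test-PublishedSha1, its parameters and the constructed sample.pdf demo file are assumptions.

```powershell
# Added example: check downloads against published "<sha1> <filename>" lines.
# The function name and parameters are hypothetical, not part of any Microsoft tool.
function Test-PublishedSha1 {
    [CmdletBinding()]
    param(
        # Lines in the form the page prints: 40 hex digits, whitespace, file name.
        [Parameter(Mandatory)] [string[]] $PublishedLine,
        # Directory that holds the downloaded files.
        [Parameter(Mandatory)] [string]   $Directory
    )
    foreach ($line in $PublishedLine) {
        # Require a full SHA-1 digest plus a name, so a truncated or
        # mis-pasted value is reported instead of being compared.
        $m = [regex]::Match($line, '^\s*([0-9a-fA-F]{40})\s+(\S.*?)\s*$')
        if (-not $m.Success) {
            [pscustomobject]@{ File = $line; Status = 'MalformedLine'; Actual = $null }
            continue
        }
        $expected = $m.Groups[1].Value.ToLowerInvariant()
        $name     = $m.Groups[2].Value
        # Accept a bare file name only, never a path that leaves $Directory.
        if ($name -ne [IO.Path]::GetFileName($name)) {
            [pscustomobject]@{ File = $name; Status = 'MalformedLine'; Actual = $null }
            continue
        }
        $path = Join-Path -Path $Directory -ChildPath $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            [pscustomobject]@{ File = $name; Status = 'Missing'; Actual = $null }
            continue
        }
        # Get-FileHash returns upper-case hex; normalise before comparing.
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash.ToLowerInvariant()
        $status = if ($actual -eq $expected) { 'OK' } else { 'Mismatch' }
        [pscustomobject]@{ File = $name; Status = $status; Actual = $actual }
    }
}

# Constructed demo: a temp file holding the bytes "abc", whose SHA-1 is the
# standard test vector on the first line below. For a real check, pass the
# published line and the directory that holds the downloaded PDF.
$dir = Join-Path ([IO.Path]::GetTempPath()) ([Guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $dir | Out-Null
[IO.File]::WriteAllBytes((Join-Path $dir 'sample.pdf'), [Text.Encoding]::ASCII.GetBytes('abc'))

$published = @(
    'a9993e364706816aba3e25717850c26c9cd0d89d sample.pdf'              # matches
    '8f0c2ed9cb6ae127b7e972c04c260769f861932d ms_sql_agd_add_1.2.pdf'  # value from the page; file absent in this demo
    '0000000000000000000000000000000000000000 sample.pdf'              # forced mismatch
    '8f0c2ed9 sample.pdf'                                              # truncated digest
)
$results = @(Test-PublishedSha1 -PublishedLine $published -Directory $dir)
$results | Format-Table -AutoSize
Remove-Item -LiteralPath $dir -Recurse -Force

# Treat anything other than OK as a failed download.
$failed = @($results | Where-Object { $_.Status -ne 'OK' })
'{0} of {1} entries failed verification' -f $failed.Count, $results.Count
```

Get-FileHash requires Windows PowerShell 4.0 or later.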

Downloads for CC SQL Server 2012

This web site provides links for downloads of documents and processes necessary for the proper installation and operation of SQL Server 2012 SP1 CC version based on SQL Server 2012 SP1. A short description of each follows:

  • Security Target - This document describes the security functionalities and assurance measures used to evaluate SQL Server 2012 SP1 and to which the product complies.
  • CC Guidance Addendum - This document provides guidance information to be used with and modifies the Books Online documentation specifically for the operation and use of the Common Criteria version.
  • Books Online Documentation Package - This file contains the product documentation and guidance.
  • Check Validation Data - This file contains hash values in the form of XML files and a cmd-file that can be used to verify the integrity of the product as described in the Guidance Addendum.
  • Permissions Hierarchy - This file contains the complete hierarchy of permissions within SQL Server Database Engine.

Microsoft Common Criteria Evaluations
  • Microsoft SQL Server 2012
  • Microsoft SQL Server 2008 R2 SP1
  • Microsoft SQL Server 2008 SP2
  • Microsoft SQL Server 2008
  • Microsoft SQL Server 2005 SP2
  • Microsoft SQL Server 2005 SP1
  • Exchange Server 2007 SP2
  • Exchange Server 2010
  • Exchange Server 2010 SP1
  • Forefront Identity Manager 2010
  • Forefront Threat Management Gateway 2010
  • Forefront Unified Access Gateway 2010
  • Microsoft Internet Security and Acceleration Server 2006
  • Microsoft SDK for Open XML Formats V1.0
  • Windows Mobile 5.0
  • Windows Mobile 6.0
  • Windows Mobile 6.1
  • Windows Mobile System Center Mobile Device Manager 2008
  • Windows Mobile 6.5
  • Windows Server 2003
  • Windows Vista/Windows Server 2008
  • Windows Server 2008 Hyper-V Role
  • Windows 7/Windows Server 2008 R2
  • Microsoft Windows Server 2008 R2 Hyper-V