Microsoft SQL Server™ 2005 SP1 Enterprise Edition (32-bit) Common Criteria Certification

Published: March 21, 2007

This document, its links and downloads contain important information and processes for understanding and using SQL Server 2005 SP1 Common Criteria (CC) version as evaluated and certified according to the Common Criteria and ISO 15408. The document contains:

An Introduction to the Common Criteria

The CC Evaluations of SQL Server 2005

Links to the Certifying Body, CC Certificate, and Evaluation Lab

Downloads

Security Target

SQL Server 2005 SP1 Books-On-Line (BOL)

CC Guidance Addendum

Start-Up Script

Microsoft’s Commitment to CC Certification

Microsoft Common Criteria Evaluations

An Introduction to the Common Criteria

Governments and commercial users of DBMS products need to understand the security functionalities they purchase and use, and the quality of those functionalities. Third-party evaluation is the preferred method of security verification, but in the past each nation required its own evaluation, an expensive proposition for vendors and customers alike. Sharing an evaluation between four nations, as the European ITSEC did, was an improvement on the time and costs of evaluation. But the real solution was the Common Criteria, where an evaluation under its strict conditions is formally recognized by twenty-four nations under an international agreement (the Common Criteria Mutual Recognition Arrangement, or CCRA), and by dozens more countries and many commercial users beyond the agreement.

The Common Criteria is more than just the concise definitions of security functionalities and assurance requirements. It is also a precise evaluation process defined in the Common Evaluation Methodology document. In addition, it is a formal and approved evaluation scheme for each nation performing CC evaluations. And it is a government certification based on government working with a private evaluation lab certified in that country.

While the CC certification represents an evaluation of security functions using specified assurance measures, there is no hierarchy of security functions, in part because many security functions are independent of each other. There is however an accepted ranking of assurance criteria within the CC documents called Evaluation Assurance Levels, EAL1 to EAL7. Of these, evaluations at EAL1 to EAL4+ (the “+” represents flaw remediation which is not part of EAL4) are mutually recognized by the 24 countries that signed the CCRA.

Another important aspect of the CC is that it recognizes Protection Profiles (PPs). A PP, strictly defined in the CC documentation, is a set of security functionality requirements and assurance requirements. The original concept of PPs is that large customers or customer groups, governments and industries for example, would develop a specific set of security and assurance requirements, often the minimum requirements of the customer or group. This allows those customer groups to use a defined set of functionalities and assurance measures, the Common Criteria, when considering and determining their organizational IT needs, and then allows them to formally define their security requirements with globally understood definitions. This is occurring with governments and, more slowly, with industries. These PPs allow vendors to clearly understand these requirements and to develop products that meet and exceed them.


The CC Evaluations of Microsoft SQL Server 2005

This is the first of two CC evaluations of SQL Server 2005, for SP1 and SP2 respectively. Both efforts evaluate the security capabilities of SQL Server 2005 as described in the respective Security Targets. One major difference between the two evaluations is the level of assurance (the EAL) and the time it takes to complete each evaluation. The other difference is that the later evaluation (for SP2) will provide a few added capabilities and will then comply with the recently developed and published NSA DBMS PP V1.1.

This evaluation, SQL Server 2005 SP1 at EAL1, will provide an independent third-party evaluation of the major security features of the DBMS in the timeframe requested by Microsoft’s customers. It will not affect the evaluation of SP2 at EAL4+.


The Certifying Body, CC Certificate, and Evaluation Lab

SQL Server 2005 SP1 has been successfully evaluated at EAL1, using the Security Target referenced below, by the Bundesamt für Sicherheit in der Informationstechnik (BSI). Information about BSI, the certifying body of the German government, can be found at www.bsi.de/english/index.htm.

The SQL Server 2005 SP1 certification can be found at http://www.bsi.bund.de/zertifiz/zert/aktuelle.htm

Information about the evaluation lab, TUViT, can be found at www.tuvit.net.


Downloads for CC SQL Server 2005 SP1

This web site provides links for downloads of documents and processes necessary for the proper installation and operation of SQL Server 2005 SP1 CC version. A short description of each follows:

The Security Target document describes the security functionalities and assurance measures used to evaluate SQL Server 2005 SP1, and with which the product complies.

Books-On-Line (BOL) provides the basic documentation for SQL Server 2005 SP1 and is augmented by the CC Guidance document to represent the CC version.

The CC Guidance Addendum document provides guidance information to be used with, and modifies, the Books-On-Line documentation specifically for the operation and use of the Common Criteria version. It also contains instructions for installing SQL Server 2005 SP1 such that it is properly configured as the CC version.

The Start-Up Script can be run to install the trace process as required by the CC version.


Microsoft’s Commitment to CC Certification

Microsoft is committed to security in the development of our products, security within and provided by these products, and security in the use of these products. Part of that commitment is independent third-party evaluation of our products, and the Common Criteria is a proven and accepted process for ensuring appropriate and necessary security. Microsoft is committed to using the Common Criteria, to making the CC better, and to security, evaluation, and assurance beyond the CC.


Microsoft Common Criteria Evaluations

Microsoft Windows Server 2000

Microsoft Windows Server 2003

Microsoft Windows XP

Microsoft Windows Certificate Server

ISA Server 2000

ISA Server 2004

Microsoft Exchange 2003

Microsoft SQL Server 2005 SP1

Microsoft SQL Server 2005 SP2 (in process)