Microsoft SQL Server 2008 Enterprise Edition (x64 and x86) Common Criteria Certification
This document and its links contain important information and processes for understanding and using SQL Server 2008 CC Version as evaluated and certified according to the Common Criteria (CC). The document contains:
| • | An Introduction to the Common Criteria | ||||||||||||
| • | The CC Evaluations of SQL Server 2008 | ||||||||||||
| • | Downloads
| ||||||||||||
| • | Microsoft’s Commitment to CC Certification | ||||||||||||
| • | Microsoft Common Criteria Evaluations |
Important Note
Please perform the following steps in order to ensure the integrity of your downloads from this website:
1. | Download the FCIV tool from http://support.microsoft.com/default.aspx?scid=kb;en-us;841290. The sha-1 value of this download is 99fb35d97a5ee0df703f0cdd02f2d787d6741f65 (hex) and shall be verified before executing the download. This can be done using any tool capable of calculating SHA-1 values. |
2. | Download the "CC Guidance Addendum" to the directory where FCIV has been extracted. |
3. | Open a command prompt and change to the directory where FCIV has been extracted. |
4. |
Check the integrity of the CC Guidance Addendum using |
5. | Follow the CC Guidance Addendum for further installation and configuration of the TOE (Target of Evaluation; for details see “Security Target”). |
An Introduction to the Common Criteria
Governments and commercial users of DBMS products need to understand the security functionalities and the quality of those functionalities that they purchase and use. Third-party evaluation is the preferred method of security verification and for that each nation in the past required its own evaluation, an expensive proposition for vendors and customers alike. Sharing an evaluation between four nations, as the European ITSEC did, was an improvement on the time and costs of evaluation. But the real solution was the Common Criteria, where an evaluation under its strict conditions is formally recognized by twenty-five nations by an international agreement and by many more countries and by many commercial users beyond the agreement.
The Common Criteria is more than just the concise definitions of security functionalities and assurance requirements. It is also a precise evaluation process defined in the Common Evaluation Methodology document. In addition, it is a formal and approved evaluation scheme for each nation performing CC evaluations. And it is a government certification based on government working with a private evaluation lab certified in that country.
While the CC certification represents an evaluation of security functions using specified assurance measures, there is no hierarchy of security functions, in part because many security functions are independent of each other. There is however an accepted ranking of assurance criteria within the CC documents called Evaluation Assurance Levels, EAL1 to EAL7. Of these, evaluations at EAL1 to EAL4+ (the “+” after EAL4 represents flaw remediation, which is not part of EAL4) are mutually recognized by the 25 countries that signed the CCRA.
Another important aspect of the CC is that it recognizes Protection Profiles (PP). A PP, strictly defined in the CC documentation, is a set of security functionality requirements and assurance requirements. The original concept of PP’s was that the large customers or customer groups, governments and industries for example, would develop specific sets of security and assurance requirements, often the minimum requirements of the customer or group. This would allow those customer groups to use a defined set of functionalities and assurance measures, the Common Criteria, when considering organizational needs and then allow them to formally define their security requirements. This is occurring with governments and more slowly with industries. These PP’s allow vendors to understand these requirements and to develop products that meet and exceed them.
The CC Evaluations of Microsoft SQL Server 2008
This is the first CC evaluation of SQL Server 2008. It evaluated the comprehensive set of security capabilities of SQL Server 2008 as described in the Security Target. To provide a timely formal evaluation as requested by Microsoft customers, this evaluation was performed at the basic Evaluation Assurance Level augmented (EAL1+) by a complete Security Target.
The Certifying Body, CC Certificate, and Evaluation Lab
SQL Server 2008 has been successfully evaluated using the Security Target referenced below at EAL1+ by the Bundesamt für Sicherheit in der Informationstechnik (BSI). Information about BSI, the certifying body of the German government, can be found at www.bsi.de/english/index.htm.
The SQL Server 2008 certification can be found at http://www.bsi.bund.de/zertifiz/zert/aktuelle.htm.
Information about the evaluation lab, TUViT, can be found at www.tuvit.net.
Downloads for CC SQL Server 2008
This web site provides links for downloads of documents and processes necessary for the proper installation and operation of SQL Server 2008 CC version based on SQL Server 2008. A short description of each follows:
| • | Security Target |
| • | CC Guidance Addendum |
| • | Integrity Check Validation Data |
| • | Permission Hierarchy |
| • | SQL_Server2008_EAL1_trace.sql |
Microsoft’s Commitment to CC Certification
Microsoft is committed to security in the development of our products, security with and provided by these products, and security in the use of these products. Part of that commitment is the independent third-party evaluation of our products and in the Common Criteria as a proven and accepted process to ensure appropriate and necessary security. Microsoft is committed to using the Common Criteria, to making the CC better, and to security, evaluation, and assurance beyond the CC.
Microsoft Common Criteria Evaluations
| • | Microsoft Windows Server 2000 |
| • | Microsoft Windows Server 2003 |
| • | Microsoft Windows XP |
| • | Microsoft Windows Certificate Server |
| • | ISA Server 2000 |
| • | ISA Server 2004 |
| • | Microsoft Exchange 2003 |
| • | Microsoft Exchange 2007 (in process) |
| • | Microsoft SQL Server 2005 SP1 |
| • | Microsoft SQL Server 2005 SP2 |
| • | Microsoft SQL Server 2008 |