Description of the Crypto Operators security group that was added to Windows Vista Service Pack 1 to configure Windows Firewall for IPsec in Common Criteria mode

Article ID: 949299

INTRODUCTION

This article describes the new Crypto Operators security group that was added to Windows Vista Service Pack 1 (SP1) to configure Windows Firewall for IPsec in Common Criteria mode.

Common Criteria is an international standard for security evaluation. A Common Criteria certification attests that a product has been independently tested and was designed to operate at a defined security level.

Windows has had Common Criteria certification at Evaluation Assurance Level 4 (EAL-4) since Windows 2000 was released. Recently, a new requirement was added to the Common Criteria operating system profile: the operating system must provide a non-administrator role that controls the cryptographic settings, and those settings must not be controllable by the administrator. In Windows Vista SP1, this role is the Crypto Operators security group.

MORE INFORMATION

Windows Vista-based computers can be deployed in default mode or in Common Criteria mode. In default mode, administrators can read and write all advanced firewall policy settings. In Common Criteria mode, administrators can read and write everything except the cryptographic settings of the IPsec policy: administrators can still read those settings, but only members of the Crypto Operators group can write them.

A Windows Vista-based computer must have its IPsec policies reconfigured every time that the mode changes. Otherwise, the correct separation of roles is not guaranteed in Common Criteria mode.

The following list describes the supported scenarios for using Common Criteria mode in Windows Vista SP1:
  • Common Criteria mode is enabled when Windows Vista SP1 is installed

    An administrator installs Windows Vista SP1 on a computer that must comply with Common Criteria mode, and enables Common Criteria mode during the installation and configuration processes. When the administrator configures IPsec policies, he or she must switch to a logon session whose account is a member of the Crypto Operators group in order to configure the cryptographic settings of the IPsec rules.
  • An existing installation of Windows Vista SP1 must operate in Common Criteria mode

    An administrator has an existing Windows Vista SP1-based computer that must operate in Common Criteria mode. The administrator must delete all existing IPsec policies, enable Common Criteria mode, and then configure the IPsec policies together with a Crypto Operators account. The firewall configuration for IPsec operates in Common Criteria mode once the cryptographic settings have been set by that account.
  • An existing installation of Windows Vista SP1 that runs in Common Criteria mode must operate in default mode

    The administrator changes the computer from Common Criteria mode to default mode. After the change, the administrator should reconfigure the IPsec policies as needed.

To enable Windows Firewall configuration for IPsec in Common Criteria mode, follow these steps.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
  1. Click Start, type regedit in the Start Search box, and then press ENTER.

    If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
  3. Right-click Enabled, and then click Modify.
  4. In the Value data box, type 1, and then click OK.
  5. Exit Registry Editor.

Note The Enabled value is a REG_DWORD. It is the same value that the security policy setting "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" controls, so enabling it also restricts other Windows components to FIPS-validated algorithms. To return the computer to default mode, set Enabled back to 0. After either change, delete and reconfigure the IPsec policies as described earlier; otherwise the separation of roles is not guaranteed.
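The registry procedure above, as an added PowerShell example that is not part of the Knowledge Base article. It backs up the FipsAlgorithmPolicy key, writes the Enabled value, and reads it back; the -Disable switch writes 0 to return to default mode. The backup file location is an assumption. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from KB 949299): enable or disable Common Criteria mode for
# IPsec by writing the FipsAlgorithmPolicy\Enabled value described in the steps
# above, with a registry backup first and a read-back check afterwards.
# Run from an elevated PowerShell prompt. The backup file location is an assumption.
param(
    [switch]$Disable    # default is to enable (Enabled = 1); -Disable writes 0
)

$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$RegKeyName = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$BackupFile = Join-Path $env:TEMP 'FipsAlgorithmPolicy-backup.reg'   # assumed path
$Target     = if ($Disable) { 0 } else { 1 }

# 1. Back up the key before changing it, as the article recommends.
& reg.exe export $RegKeyName $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
    throw "Registry backup to $BackupFile failed; nothing was changed."
}

# 2. Record the current value (it may be absent on a fresh installation).
$before = (Get-ItemProperty -Path $KeyPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
$beforeText = if ($null -eq $before) { '<not set>' } else { $before }
Write-Host "Enabled before: $beforeText"

# 3. Write the REG_DWORD value. Set-ItemProperty creates the value if it does not exist.
Set-ItemProperty -Path $KeyPath -Name Enabled -Value $Target -Type DWord

# 4. Read it back and fail loudly if the write did not take.
$after = (Get-ItemProperty -Path $KeyPath -Name Enabled).Enabled
if ($after -ne $Target) { throw "Enabled is $after after the write; expected $Target." }

$modeName = if ($Target -eq 1) { 'Common Criteria mode' } else { 'default mode' }
Write-Host "FipsAlgorithmPolicy\Enabled = $after ($modeName). Backup: $BackupFile"
Write-Host 'Delete and reconfigure the IPsec policies now; the role separation is only guaranteed once the policies are rebuilt under the new mode.'
```

If the backup fails the script stops before touching the value, so the worst case is an unchanged computer and an error message rather than a half-applied mode change.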
The following table describes how the netsh advfirewall consec commands work in Common Criteria mode. Where an action lists both roles, the Administrator step and the Crypto Operators step are performed in sequence, each from a session that holds that role.

Action                                                  | User                                                   | netsh advfirewall consec command
--------------------------------------------------------|--------------------------------------------------------|-------------------------------------------------------------------------
Add a rule by using defaults                            | Administrator                                          | netsh advfirewall consec add rule
Add a rule that uses a custom qmsecmethod object        | Administrator                                          | netsh advfirewall consec add rule
                                                        | Crypto Operators                                       | netsh advfirewall consec set rule new qmsecmethods=value
Set a rule (see note 1)                                 | Administrator                                          | netsh advfirewall consec set rule new name=<new name for the rule> (see note 2)
                                                        | Crypto Operators                                       | netsh advfirewall consec set rule new qmsecmethods=value
Delete a rule that uses a custom qmsecmethod object     | Administrator                                          | netsh advfirewall consec set rule new qmsecmethods=default
                                                        | Crypto Operators                                       | netsh advfirewall consec set rule new qmsecmethods=none
Delete a rule that uses the default qmsecmethod object  | Administrator                                          | netsh advfirewall consec delete rule
Restore defaults                                        | Administrator                                          | reset
                                                        | Crypto Operators                                       | reset
Set main mode policy                                    | Crypto Operators                                       | set profile mmsecmethod=value
Display rules                                           | Any user (Administrator, Crypto Operators, or neither) | show rule <rule identifiers>

Note 1 The administrator can set everything except the qmsecmethod object. However, the administrator can continue to use the existing qmsecmethod object.

Note 2 The qmsecmethod object is set to the default object or to the existing object.
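The two-role workflow from the table, as an added PowerShell example that is not part of the Knowledge Base article. The script wraps netsh.exe and is run once per step, from a session that holds the role named for that step: an elevated Administrators session for the Administrator steps and a Crypto Operators session for the others. The rule name, the endpoints and the custom quick-mode security method string are illustrative assumptions, as is the identification of the Crypto Operators group with the built-in BUILTIN\Cryptographic Operators group (SID S-1-5-32-569).

```powershell
<#
Added example (not from KB 949299): the two-role workflow from the table above,
driven from PowerShell by calling netsh.exe. Run the script once per step from a
session that holds the role named for that step.
Assumptions: the rule name, the endpoints and the custom qmsecmethods string are
illustrative values; the Crypto Operators group is assumed to be the built-in
BUILTIN\Cryptographic Operators group (SID S-1-5-32-569).
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('AdminAdd', 'OperatorSetCrypto', 'AdminEdit', 'OperatorResetCrypto', 'AdminDelete', 'Show')]
    [string]$Step
)

$RuleName     = 'CC-Demo-IPsec-Rule'   # assumed rule name
$QmSecMethods = 'esp:sha1-aes256'      # assumed custom quick-mode method (ESP, SHA-1 integrity, AES-256)

# True when the current token carries the Cryptographic Operators group SID.
# Membership is evaluated at logon, so a user just added to the group must log off and on.
function Test-CryptoOperator {
    $groups = & whoami.exe /groups /fo csv | ConvertFrom-Csv
    return [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-569' })
}

# Run one "netsh advfirewall consec ..." command and turn a failure into an exception.
function Invoke-ConsecNetsh {
    param([string[]]$Arguments)
    $output = & netsh.exe advfirewall consec $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh advfirewall consec $($Arguments -join ' ') failed: $output"
    }
    return $output
}

switch ($Step) {
    'AdminAdd' {
        # Administrator: create the rule with the default qmsecmethod object. In
        # Common Criteria mode the administrator cannot supply qmsecmethods here.
        Invoke-ConsecNetsh @('add', 'rule', "name=$RuleName", 'endpoint1=any', 'endpoint2=any',
                             'action=requireinrequireout')
    }
    'OperatorSetCrypto' {
        # Crypto Operators: replace the default qmsecmethods with the custom value.
        if (-not (Test-CryptoOperator)) { throw 'Run this step from a Crypto Operators session.' }
        Invoke-ConsecNetsh @('set', 'rule', "name=$RuleName", 'new', "qmsecmethods=$QmSecMethods")
    }
    'AdminEdit' {
        # Administrator: any non-cryptographic field may still be changed (note 1) ...
        Invoke-ConsecNetsh @('set', 'rule', "name=$RuleName", 'new', 'description=Edited by Administrator')
        # ... but in Common Criteria mode an attempt to touch qmsecmethods is expected to fail.
        try {
            Invoke-ConsecNetsh @('set', 'rule', "name=$RuleName", 'new', 'qmsecmethods=default')
            Write-Warning 'qmsecmethods change succeeded: this computer is in default mode, not Common Criteria mode.'
        } catch {
            Write-Host "Expected in Common Criteria mode: $($_.Exception.Message)"
        }
    }
    'OperatorResetCrypto' {
        # Crypto Operators: return the rule to the default qmsecmethod object so that
        # the administrator can delete it as a rule that uses the default object.
        if (-not (Test-CryptoOperator)) { throw 'Run this step from a Crypto Operators session.' }
        Invoke-ConsecNetsh @('set', 'rule', "name=$RuleName", 'new', 'qmsecmethods=default')
    }
    'AdminDelete' {
        # Administrator: delete a rule that uses the default qmsecmethod object.
        Invoke-ConsecNetsh @('delete', 'rule', "name=$RuleName")
    }
    'Show' {
        # Any user: display the rule and check which quick-mode methods it carries.
        Invoke-ConsecNetsh @('show', 'rule', "name=$RuleName", 'verbose')
    }
}
```

Typical order: AdminAdd, then OperatorSetCrypto, then Show to confirm the custom methods; to remove the rule, OperatorResetCrypto followed by AdminDelete. The AdminEdit step doubles as a check of which mode the computer is in: if the administrator's qmsecmethods change goes through, the computer is not in Common Criteria mode.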

Properties

Article ID: 949299 - Last Review: March 5, 2008 - Revision: 1.1
APPLIES TO
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Ultimate
  • Windows Vista Business 64-bit Edition
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Home Basic 64-bit Edition
  • Windows Vista Home Premium 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
Keywords: 
kbhowto kbexpertiseinter kbinfo KB949299
