This article describes the new Crypto Operators security group that was added to Windows Vista Service Pack 1 (SP1) to configure Windows Firewall for IPsec in Common Criteria mode.

Common Criteria certification is an international standard that enables you to verify that products have been tested and certified to operate at a certain security level. Windows has had Common Criteria certification at Evaluation Assurance Level 4 (EAL-4) since Windows 2000 was released. Recently, a new requirement was added to the Common Criteria operating system profile. It requires that an operating system provide a non-administrator role that controls cryptographic settings; these cryptographic settings are not controllable by the administrator. In Windows Vista SP1, this new role is called the Crypto Operators security group.
Windows Vista-based computers can be deployed in default mode or in Common Criteria mode. In default mode, administrators can read and write advanced firewall policies. However, in Common Criteria mode, administrators can read and write everything except the cryptographic settings of the IPsec policy. Administrators can read these settings, but only Crypto Operators can write to these settings.

A Windows Vista-based computer must have its IPsec policies reconfigured every time that the mode changes. Otherwise, the correct separation of roles is not guaranteed in Common Criteria mode.
The following list describes support scenarios for using Common Criteria mode in Windows Vista SP1:

- Common Criteria mode is enabled when Windows Vista SP1 is installed

  An administrator installs Windows Vista SP1 on a computer that must comply with Common Criteria mode. Common Criteria mode is enabled during the installation and configuration processes. When the administrator configures IPsec policies, the administrator must switch to a logon session that uses a Crypto Operators user account so that he or she can configure IPsec rules and cryptographic settings.

- An existing installation of Windows Vista SP1 must operate in Common Criteria mode

  An administrator has an existing Windows Vista SP1-based computer that must operate in Common Criteria mode. The administrator must delete all existing IPsec policies, enable Common Criteria mode, and then configure the IPsec policies in cooperation with a Crypto Operators user account. The firewall configuration for IPsec operates in Common Criteria mode when the cryptographic settings are enabled.

- A Windows Vista SP1-based computer that runs in Common Criteria mode must be changed to default mode

  When Windows Vista is already installed, the administrator changes a Windows Vista SP1-based computer that is configured to run in Common Criteria mode so that it runs in default mode. After the administrator changes Common Criteria mode to default mode, he or she should reconfigure IPsec policies as needed.
To enable Windows Firewall configuration for IPsec in Common Criteria mode, follow these steps.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows

- Click Start, type regedit in the Start Search box, and then press ENTER. If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.
- Locate and then click the following registry subkey:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
- Right-click Enabled, and then click Modify.
- In the Value data box, type 1, and then click OK.
- Exit Registry Editor.
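The same change, scripted so that the backup the Important note asks for is taken before the value is written and the result is verified afterwards. This is an added example, not part of the Microsoft article; it assumes an administrator PowerShell session on Windows Vista SP1 or later, and the backup path under $env:TEMP is an arbitrary choice.

```powershell
# Added example (not from the Microsoft article): enable or disable Common Criteria
# mode by writing the FipsAlgorithmPolicy\Enabled value described above, after
# exporting the subkey so that it can be restored with "reg import".
# Assumptions: administrator PowerShell session; backup location is arbitrary.
$KeyPath    = 'HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'  # PSDrive form
$RegKey     = 'HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'   # reg.exe form
$BackupFile = Join-Path $env:TEMP 'FipsAlgorithmPolicy-backup.reg'

function Get-CommonCriteriaMode {
    # Returns $true when Enabled is 1 (Common Criteria mode), $false otherwise
    # (including when the value or key does not exist yet).
    $item = Get-ItemProperty -Path $KeyPath -Name Enabled -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.Enabled -eq 1)
}

function Set-CommonCriteriaMode {
    param([bool]$Enable)

    # Back up the subkey first, as the article's Important note recommends.
    & reg.exe export $RegKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $RegKey failed; the value was not changed." }

    # Write Enabled as a REG_DWORD: 1 enables Common Criteria mode, 0 returns to default mode.
    $value = if ($Enable) { 1 } else { 0 }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name Enabled -Value $value -PropertyType DWord -Force | Out-Null

    # Verify the write, then remind the operator that IPsec policies must be
    # reconfigured after every mode change or role separation is not guaranteed.
    if ((Get-CommonCriteriaMode) -ne $Enable) { throw 'Enabled did not take the expected value.' }
    Write-Host "Common Criteria mode enabled: $Enable. Backup written to $BackupFile."
    Write-Host 'Reconfigure the IPsec policies now; the mode change alone does not do this.'
}

# Example use: enable Common Criteria mode.
Set-CommonCriteriaMode -Enable $true
```

The value is written with New-ItemProperty -Force rather than Set-ItemProperty so that the DWORD type is set explicitly even when the value did not exist before; a value of the wrong type would not be honoured.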
The following table describes the details of how netsh advfirewall consec commands work in Common Criteria mode.

| Action | User | netsh advfirewall consec commands |
|---|---|---|
| Add a rule by using defaults | Administrator | netsh advfirewall consec add rule |
| Add a rule that uses a custom qmsecmethod object | Administrator | netsh advfirewall consec add rule |
| Add a rule that uses a custom qmsecmethod object | Crypto Operators | netsh advfirewall consec set rule new qmsecmethods=value |
| Set a rule. Note The administrator can set everything but qmsecmethod objects. However, the administrator can continue to use the existing qmsecmethod object. | Administrator | netsh advfirewall consec set rule new <new name for the rule>. Note The qmsecmethod object is set to the default or existing object. |
| Set a rule. Note The administrator can set everything but qmsecmethod objects. However, the administrator can continue to use the existing qmsecmethod object. | Crypto Operators | netsh advfirewall consec set rule new qmsecmethods=value |
| Delete a rule that uses a custom qmsecmethod object | Administrator | netsh advfirewall consec set rule new qmsecmethods=default |
| Delete a rule that uses a custom qmsecmethod object | Crypto Operators | netsh advfirewall consec set rule new qmsecmethods=none |
| Delete a rule that uses the default qmsecmethod object | Administrator | netsh advfirewall consec delete rule |
| Restore defaults | Administrator | reset |
| Restore defaults | Crypto Operators | reset |
| Set main mode policy | Crypto Operators | set profile mmsecmethod=value |
| Display rules | Administrator and Crypto Operators | show rule identifiers |
| Display rules | Non-Administrator or Crypto Operators | show rule identifiers |
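The cooperative workflow the table describes, as an added example that is not part of the Microsoft article: the administrator adds a connection security rule with default quick mode settings, and a member of the Crypto Operators group, in a separate logon session, sets the qmsecmethods value that the administrator cannot write in Common Criteria mode. The rule name, endpoints and the qmsecmethods value are constructed samples; the script assumes the built-in local group the article calls Crypto Operators appears as "Cryptographic Operators" in whoami output, and it relies only on the standard netsh advfirewall consec syntax.

```powershell
# Added example (not from the Microsoft article). Part 1 runs in an administrator
# session; Part 2 runs in a separate session as a Crypto Operators member, as the
# article requires. Rule name, endpoints and qmsecmethods are constructed samples.
$RuleName = 'CC-Sample-Rule'

function Invoke-Netsh {
    # Run one netsh command line and fail loudly. netsh reports errors as text,
    # so the exit code is checked rather than the output being parsed.
    param([string[]]$ArgList)
    $out = & netsh.exe $ArgList 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($ArgList -join ' ') failed: $out" }
    return $out
}

function Test-InGroup {
    # True when the current token carries the named group (matched against
    # "whoami /groups" output; group name is an assumption, see lead-in).
    param([string]$Group)
    $groups = & whoami.exe /groups
    return (($groups -match [regex]::Escape($Group)).Count -gt 0)
}

# Part 1, Administrator: add the rule with default quick mode settings
# ("Add a rule by using defaults" in the table).
function New-DefaultConsecRule {
    Invoke-Netsh @('advfirewall', 'consec', 'add', 'rule', "name=$RuleName",
                   'endpoint1=any', 'endpoint2=any', 'action=requireinrequestout')
}

# Part 2, Crypto Operators: set the custom quick mode security methods
# ("Add a rule that uses a custom qmsecmethod object", Crypto Operators row).
function Set-ConsecQuickMode {
    param([string]$QmSecMethods = 'esp:sha1-aes128+60min+100000kb')  # constructed sample value
    if (-not (Test-InGroup 'Cryptographic Operators')) {
        throw 'Run this part in a logon session that is a member of the Crypto Operators group.'
    }
    Invoke-Netsh @('advfirewall', 'consec', 'set', 'rule', "name=$RuleName",
                   'new', "qmsecmethods=$QmSecMethods")
}

# Either role ("Display rules" rows): show the rule to confirm which settings took effect.
function Show-ConsecRule {
    Invoke-Netsh @('advfirewall', 'consec', 'show', 'rule', "name=$RuleName", 'verbose')
}

# Usage, administrator session:    New-DefaultConsecRule; Show-ConsecRule
# Usage, Crypto Operators session: Set-ConsecQuickMode;   Show-ConsecRule
```

Running Set-ConsecQuickMode from the administrator session in Common Criteria mode is expected to fail, which is the role separation the article describes; Show-ConsecRule from either session is the check that the quick mode settings really changed.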