This article describes the new Crypto Operators security group that was added to Windows Vista Service Pack 1 (SP1) to configure Windows Firewall for IPsec in Common Criteria mode.
Common Criteria certification is an international standard that enables you to verify that products have been certifiably tested and designed to operate at a certain security level.
Windows has had Common Criteria certification at Evaluation Assurance Level 4 (EAL-4) since Windows 2000 was released. Recently, a new requirement was added to the Common Criteria operating system profile: an operating system must provide a non-administrator role that can control cryptographic settings. These cryptographic settings are not controllable by the administrator. In Windows Vista SP1, this new role is the Crypto Operators security group.
Windows Vista-based computers can be deployed in default mode or in Common Criteria mode. In default mode, administrators can read and write advanced firewall policies. However, in Common Criteria mode, administrators can read and write everything except the cryptographic settings of the IPsec policy. Administrators can read these settings, but only Crypto Operators can write to these settings.
A Windows Vista-based computer must have its IPsec policies reconfigured every time that the mode changes. Otherwise, the correct separation of roles is not guaranteed in Common Criteria mode.
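The role separation described above can be checked by comparing the membership of the two local groups. The following PowerShell script is an added example, not part of the original article: it assumes that the group this article calls Crypto Operators is the built-in group with the well-known SID S-1-5-32-569, and that an account present in both groups is worth flagging because it holds both roles.

```powershell
# Added example. Audits direct members only; nested domain groups are not expanded.
$WellKnownSids = @{
    Administrators  = 'S-1-5-32-544'   # BUILTIN\Administrators
    CryptoOperators = 'S-1-5-32-569'   # BUILTIN\Cryptographic Operators (assumed match)
}

function Get-LocalGroupNameFromSid {
    param([string]$Sid)
    # Resolve the name from the SID so the check also works on localized installations.
    $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    return $account.Split('\')[-1]
}

function Get-DirectGroupMember {
    param([string]$GroupName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # ADsPath (WinNT://DOMAIN/name) keeps local and domain accounts with the same name apart.
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

$admins = @(Get-DirectGroupMember (Get-LocalGroupNameFromSid $WellKnownSids.Administrators))
$crypto = @(Get-DirectGroupMember (Get-LocalGroupNameFromSid $WellKnownSids.CryptoOperators))

# Accounts that appear in both groups hold the administrator and the crypto role at once.
$overlap = @($crypto | Where-Object { $admins -contains $_ })

"Crypto Operators members: $($crypto.Count)"
$crypto | ForEach-Object { "  $_" }

if ($crypto.Count -eq 0) {
    Write-Warning 'The Crypto Operators group is empty: no account can write the IPsec cryptographic settings in Common Criteria mode.'
}
if ($overlap.Count -gt 0) {
    Write-Warning 'Accounts that are members of both Administrators and Crypto Operators:'
    $overlap | ForEach-Object { "  $_" }
}
```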
The following list describes support scenarios for using Common Criteria mode in Windows Vista SP1:
Common Criteria mode is enabled when Windows Vista SP1 is installed
An administrator installs Windows Vista SP1 on a computer that must comply with Common Criteria mode. Common Criteria mode is enabled during the installation and configuration processes. When the administrator configures IPsec policies, the administrator must switch to a logon session that uses a Crypto Operators user account so that he or she can configure IPsec rules and cryptographic settings.
An existing installation of Windows Vista SP1 must operate in Common Criteria mode
An administrator has an existing Windows Vista SP1-based computer that must operate in Common Criteria mode. The administrator must delete all existing IPsec policies, enable Common Criteria mode, and then configure the IPsec policies in cooperation with a Crypto Operators user account. The firewall configuration for IPsec operates in Common Criteria mode when the cryptographic settings are enabled.
When Windows Vista is already installed, the administrator should change a Windows Vista SP1-based computer that is configured to run in Common Criteria mode to run in default mode. After the administrator changes Common Criteria mode to default mode, he or she should reconfigure IPsec policies as needed.
To enable Windows Firewall configuration for IPsec in Common Criteria mode, follow these steps.
Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see the following article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Click Start, type regedit in the Start Search box, and then press ENTER.
If you are prompted for an administrator password or for confirmation, type the password, or provide confirmation.
Locate and then click the following registry subkey:
Applies to: Windows Vista Business, Windows Vista Enterprise, Windows Vista Home Basic, Windows Vista Home Premium, Windows Vista Ultimate, Windows Vista Business 64-bit Edition, Windows Vista Enterprise 64-bit Edition, Windows Vista Home Basic 64-bit Edition, Windows Vista Home Premium 64-bit Edition, Windows Vista Ultimate 64-bit Edition