Citrix has a long history of achieving the Common Criteria security certification for XenApp and XenDesktop. I am pleased to announce that XenApp and XenDesktop 7.15 LTSR is now formally “in evaluation” status. We are listed as such on the Canadian government CC website, here. Common Criteria is essential for many government customers, but even if this doesn’t apply, you might well find the associated security guidance we will publish helpful for your deployment.
Common Criteria certification makes a significant statement about the security of the associated product. For Citrix, the present certification is the latest in a long line of evaluations, including XenApp 6.0 and XenApp and XenDesktop 7.6. Once the evaluation is complete and an Evaluation Assurance Certificate is issued by the evaluating authority, the certification will be recognized by all the member nations of Common Criteria (currently 28 nations).
More information on CC can be found here: https://www.commoncriteriaportal.org/
What are we doing differently this time?
We’ve shifted the certification process to Canada for the first time after many years of certification in the UK. With the shift to Canada, we selected a new certification partner, using DXC as the evaluation facility.
We are continuing to seek an EAL 2+ certification, as for previous XenApp and XenDesktop evaluations. Since recent changes, EAL 2+ is now the highest level accepted without a Protection Profile under the new Common Criteria Recognition Arrangement. Protection Profiles are only applicable for specific types of product, and at present there is no Protection Profile suitable for XenApp and XenDesktop.
As with previous certifications, we’ve thought hard about the likely LTSR configurations for XenApp and XenDesktop deployments. We’ve chosen to evaluate XenApp and XenDesktop running on Windows Server 2016 and Windows 10, as this represents what we think a typical deployment will look like for the timespan of the LTSR. The security guidance and Group Policy lockdowns have been updated, and hundreds of new settings have been added to take advantage of the latest product functionality and Windows security features.
In the last certification, we made a first step towards automated Common Criteria testing. This provided a consistent, well-defined, repeatable approach for evaluation of the security requirements. This time we invested even more heavily in a dedicated test automation team, to automate as much as possible of the setup and actual testing. (Some test cases still can’t be automated, especially where manual activities are required, e.g. smartcard testing.) This successful automation effort has also meant we were able to run the tests much earlier, before the release of XenApp and XenDesktop 7.15 LTSR itself, and so contribute to the overall product quality.
We’re proud of our progress with this project: for XenApp and XenDesktop 7.15 LTSR, we have passed our first external milestone and have started the formal evaluation.