Microsoft Windows Common Criteria Evaluation Microsoft Windows 10 (Anniversary Update) Microsoft Windows Server 2016




Windows 10 Anniversary Update, Windows Server 2016 Security Target


Microsoft Windows

Common Criteria Evaluation

Microsoft Windows 10 (Anniversary Update)

Microsoft Windows Server 2016

Security Target



Document Information

Version Number: 0.06

Updated On: December 2, 2016


This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2016 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Visual Basic, Visual Studio, Windows, the Windows logo, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents

1. Security Target Introduction ... 4
1.1 ST Reference ... 4
1.2 TOE Reference ... 4
1.3 TOE Overview ... 5
1.3.1 TOE Types ... 5
1.3.2 TOE Usage ... 5
1.3.3 TOE Security Services ... 6
1.3.4 Non-TOE Hardware, Software, Firmware in the Evaluation ... 8
1.4 TOE Description ... 8
1.4.1 Evaluated Configurations ... 8
1.4.2 Security Environment and TOE Boundary ... 9
1.4.2.1 Logical Boundaries ... 9
1.4.2.2 Physical Boundaries ... 10
1.5 Product Description ... 11
1.6 Conventions, Terminology, Acronyms ... 12
1.6.1 Conventions ... 12
1.6.2 Terminology ... 12
1.6.3 Acronyms ... 16
1.7 ST Overview and Organization ... 16
2. CC Conformance Claims ... 18
3. Security Problem Definition ... 19
3.1 Threats to Security ... 19
3.2 Organizational Security Policies ... 19
3.3 Secure Usage Assumptions ... 20
4. Security Objectives ... 21
4.1 TOE Security Objectives ... 21
4.2 Security Objectives for the Operational Environment ... 22
5. Security Requirements ... 23
5.1 TOE Security Functional Requirements ... 23
5.1.1 Security Audit (FAU) ... 25
5.1.1.1 Audit Data Generation (FAU_GEN.1) ... 25
5.1.2 Cryptographic Support (FCS) ... 26
5.1.2.1 Cryptographic Key Generation (FCS_CKM.1(1)) ... 26
5.1.2.2 Cryptographic Key Establishment (FCS_CKM.2(1)) ... 26
5.1.2.3 Cryptographic Key Destruction (FCS_CKM_EXT.3) ... 26
5.1.2.4 Cryptographic Operation for Encryption / Decryption (FCS_COP.1(SYM)) ... 27
5.1.2.5 Cryptographic Operation for Hashing (FCS_COP.1(HASH)) ... 27
5.1.2.6 Cryptographic Operation for Signing (FCS_COP.1(SIGN)) ... 27
5.1.2.7 Cryptographic Operation for Keyed Hash Algorithms (FCS_COP.1(HMAC)) ... 28
5.1.2.8 Random Bit Generation (FCS_RBG_EXT.1) ... 28
5.1.2.9 Storage of Sensitive Data (FCS_STO_EXT.1) ... 28
5.1.2.10 TLS Client Protocol (FCS_TLSC_EXT.1) ... 28
5.1.2.11 TLS Client Protocol (FCS_TLSC_EXT.2) ... 29
5.1.2.12 TLS Client Protocol (FCS_TLSC_EXT.3) ... 29
5.1.2.13 TLS Client Protocol (FCS_TLSC_EXT.4) ... 29
5.1.2.14 DTLS Implementation (FCS_DTLS_EXT.1) ... 29
5.1.3 User Data Protection (FDP) ... 30
5.1.3.1 Access Controls for Protecting User Data (FDP_ACF_EXT.1) ... 30
5.1.3.2 Information Flow Control (FDP_IFC_EXT.1) ... 30
5.1.4 Identification and Authentication (FIA) ... 30
5.1.4.1 Authentication Failure Handling (FIA_AFL.1) ... 30
5.1.4.2 Multiple Authentication Mechanisms (FIA_UAU.5) ... 30
5.1.4.3 X.509 Certification Validation (FIA_X509_EXT.1) ... 30
5.1.4.4 X.509 Certificate Authentication (FIA_X509_EXT.2) ... 31
5.1.5 Security Management (FMT) ... 32
5.1.5.1 Management of Security Functions Behavior (FMT_MOF_EXT.1) ... 32
5.1.6 Protection of the TSF (FPT) ... 33
5.1.6.1 Access Controls (FPT_ACF_EXT.1) ... 33
5.1.6.2 Address Space Layout Randomization (FPT_ASLR_EXT.1) ... 33
5.1.6.3 Stack Buffer Overflow Protection (FPT_SBOP_EXT.1) ... 33
5.1.6.4 Software Restriction Policies (FPT_SRP_EXT.1) ... 34
5.1.6.5 Boot Integrity (FPT_TST_EXT.1) ... 34
5.1.6.6 Trusted Update (FPT_TUD_EXT.1) ... 34
5.1.6.7 Trusted Update for Application Software (FPT_TUD_EXT.2) ... 34
5.1.7 TOE Access (FTA) ... 35
5.1.7.1 Default TOE Access Banners (FTA_TAB.1) ... 35
5.1.8 Trusted Path / Channels (FTP) ... 35
5.1.8.1 Trusted Path (FTP_TRP.1) ... 35
5.1.8.2 Trusted Channel Communication (FTP_ITC_EXT.1(TLS)) ... 35
5.1.8.3 Trusted Channel Communication (FTP_ITC_EXT.1(DTLS)) ... 35
5.2 TOE Security Assurance Requirements ... 36
5.2.1 CC Part 3 Assurance Requirements ... 36
5.2.1.1 Timely Security Updates (ALC_TSU_EXT.1) ... 36
5.2.2 General Purpose OS PP Assurance Activities ... 37
5.2.2.1 Security Audit (FAU) ... 37
6. FAU_GEN.1.1 ... 37
7. FAU_GEN.1.2 ... 37
7.1.1.1 Cryptographic Support (FCS) ... 37
8. FCS_RBG_EXT.1.1 ... 50
9. FCS_RBG_EXT.1.2 ... 50
10. FCS_TLSC_EXT.1.1 ... 51
11. FCS_TLSC_EXT.1.2 ... 52
12. FCS_TLSC_EXT.1.3 ... 54
13. FCS_DTLS_EXT.1.1 ... 55
14. FCS_DTLS_EXT.1.2 ... 55
14.1.1.1 User Data Protection (FDP) ... 55
14.1.1.2 Identification and Authentication (FIA) ... 56
15. FIA_AFL.1.1 ... 56
16. FIA_AFL.1.2 ... 56
17. FIA_X509_EXT.1.1 ... 57
18. FIA_X509_EXT.1.2 ... 59
18.1.1.2 Security Management (FMT) ... 59
18.1.1.3 Protection of the TSF (FPT) ... 59
19. FPT_ACF_EXT.1.1 ... 59
20. FPT_ACF_EXT.1.2 ... 60
21. FPT_TUD_EXT.1.1 ... 62
22. FPT_TUD_EXT.1.2 ... 63
23. FPT_TUD_EXT.2.1 ... 63
24. FPT_TUD_EXT.2.2 ... 63
24.1.1.1 TOE Access (FTA) ... 64
24.1.1.2 Trusted Path / Channels (FTP) ... 64
25. TOE Summary Specification (TSS) ... 65
25.1 Audit ... 65
25.1.1 Audit Collection ... 66
25.1.2 SFR Summary ... 68
25.2 Cryptographic Support ... 68
25.2.1 Cryptographic Algorithms and Operations ... 68
25.2.2 Networking (TLS) ... 71
25.2.3 Protecting Data with DPAPI ... 74
25.2.4 SFR Summary ... 74
25.3 User Data Protection ... 74
25.3.1 Discretionary Access Control ... 74
25.3.1.1 Subject DAC Attributes ... 75
25.3.1.2 Object DAC Attributes ... 75
25.3.1.3 DAC Enforcement Algorithm ... 77
25.3.1.4 Default DAC Protection ... 79
25.3.1.5 DAC Management ... 81
25.3.1.6 Reference Mediation ... 81
25.3.2 VPN Client ... 81
25.3.3 SFR Summary ... 82
25.4 Identification and Authentication ... 82
25.4.1 X.509 Certificate Validation and Generation ... 83
25.4.2 SFR Summary ... 83
25.5 Security Management ... 84
25.5.1 SFR Summary ... 85
25.6 Protection of the TSF ... 85
25.6.1 Separation and Domain Isolation ... 85
25.6.2 Protection of OS Binaries, Audit and Configuration Data ... 86
25.6.3 Protection From Implementation Weaknesses ... 86
25.6.4 Windows Platform Integrity and Code Integrity ... 87
25.6.5 Windows and Application Updates ... 90
25.6.5.1 Windows 10 and Windows Store Applications ... 91
25.6.5.2 Windows Server 2016 and Application Updates ... 91
25.6.5.3 Distributing updates ... 91
25.6.6 SFR Summary ... 92
25.7 TOE Access ... 92
25.7.1 SFR Summary ... 93
25.8 Trusted Channels ... 93
25.8.1 SFR Summary ... 94
25.9 Security Response Process ... 94
26. Protection Profile Conformance Claim ... 95
26.1 Rationale for Conformance to Protection Profile ... 95
27. Rationale for Modifications to the Security Requirements ... 96
27.1 Functional Requirements ... 96
27.2 Security Assurance Requirements ... 98
27.3 Rationale for the TOE Summary Specification ... 98
28. Appendix A: List of Abbreviations ... 99

List of Tables


1. Security Target Introduction

This section presents the following information required for a Common Criteria (CC) evaluation:

  • Identifies the Security Target (ST) and the Target of Evaluation (TOE)

  • Specifies the security target conventions

  • Describes the organization of the security target

1.1 ST Reference

ST Title: Microsoft Windows 10 (Anniversary Update) and Windows Server 2016 Security Target

ST Version: version 0.06, December 2, 2016

1.2 TOE Reference

TOE Software Identification: The following Windows Operating Systems (OS):


  • Microsoft Windows 10 Home Edition (Anniversary Update) (32-bit and 64-bit versions)

  • Microsoft Windows 10 Pro Edition (Anniversary Update) (32-bit and 64-bit versions)

  • Microsoft Windows 10 Enterprise Edition (Anniversary Update) (32-bit and 64-bit versions)

  • Microsoft Windows Server 2016 Standard Edition

  • Microsoft Windows Server 2016 Datacenter Edition

TOE Versions:

  • Windows 10: build 10.0.14393 (also known as version 1607)

  • Windows Server 2016: build 10.0.14393

The following security updates must be applied:

  • Windows 10: all critical updates as of August 2, 2016

  • Windows Server 2016: all critical updates as of September 26, 2016

1.3 TOE Overview

The TOE includes the Windows 10 operating system, the Windows Server 2016 operating system, and those applications necessary to manage, support and configure the operating system. Windows 10 and Server 2016 can be delivered preinstalled on a new computer or downloaded from the Microsoft website.

Windows 10 and Server 2016 can run on any physical or virtual computer which is compatible with the x86 or x64 instruction set, such as processors from Intel or AMD.

1.3.1 TOE Types

Windows 10 and Windows Server 2016, collectively called “Windows”, are preemptive multitasking, multiprocessor, and multi-user operating systems. In general, operating systems provide users with a convenient interface to manage underlying hardware. They control the allocation of, and manage, computing resources such as processors, memory, and Input/Output (I/O) devices. Windows expands these basic operating system capabilities to controlling the allocation and managing higher-level IT resources such as security principals (user or machine accounts), files, printing objects, services, window stations, desktops, cryptographic keys, network port traffic, directory objects, and web content. Multi-user operating systems such as Windows keep track of which user is using which resource, grant resource requests, account for resource usage, and mediate conflicting requests from different programs and users.

1.3.2 TOE Usage

Windows 10 is suited for business desktop, notebook, and convertible computers. It is the workstation product and, while it can be used by itself, it is designed to serve as a client within Windows domains.

Built for workloads ranging from the department to the enterprise to the cloud, Windows Server 2016 delivers intelligent file and printer sharing, secure connectivity based on Internet technologies, and centralized desktop policy management. It provides the necessary scalable and reliable foundation to support mission-critical solutions for databases, enterprise resource planning software, high-volume, real-time transaction processing, server consolidation, public key infrastructure, virtualization, and additional server roles.

In terms of security, Windows 10 and Windows Server 2016 share the same security characteristics. The primary difference is that the Server products include services and capabilities that are not part of other Windows editions (for example the DNS Server, DHCP Server) or are not installed by default on Server (for example the Windows Media Player, several Windows desktop themes). The additional services have a bearing on the security properties of the distributed operating system (e.g., by extending the set of available interfaces and proffered services) and as such are included within the scope of the evaluation. The specific differences between the different editions of Windows are described in the TOE summary specification.

Windows provides an interactive User Interface (UI), as well as a network interface. The TOE includes a set of Windows 10 and Server 2016 systems that can be connected via their network interfaces and organized into domains and forests. A domain is a logical collection of Windows systems that allows the administration and application of a common security policy and the use of a common accounts database. One or more domains combine to comprise a forest. Windows supports single-domain and multiple-domain (i.e., forest) configurations as well as federation between forests and external authentication services.

Each domain must include at least one designated server known as a Domain Controller (DC) to manage the domain. The TOE allows for multiple DCs that replicate TOE user and machine accounts as well as group policy management data among themselves to provide for higher availability.

Each Windows system, whether it is a DC server, non-DC server, or workstation, provides a subset of the TSFs. The TSF subset for Windows 10 and Windows Server 2016 can consist of the security functions from a single system, for a stand-alone system, or the collection of security functions from an entire network of systems, for a domain configuration.

1.3.3 TOE Security Services

This section summarizes the security services provided by the TOE:



  • Security Audit: Windows has the ability to collect audit data, review audit logs, protect audit logs from overflow, and restrict access to audit logs. Audit information generated by the system includes the date and time of the event, the user identity that caused the event to be generated, and other event specific data. Authorized administrators can review audit logs and have the ability to search and sort audit records. Authorized Administrators can also configure the audit system to include or exclude potentially auditable events to be audited based on a wide range of characteristics. In the context of this evaluation, the protection profile requirements cover generating audit events, selecting which events should be audited, and providing secure storage for audit event entries.

  • Cryptographic Support: Windows provides FIPS-140-2 CAVP validated cryptographic functions that support encryption/decryption, cryptographic signatures, cryptographic hashing, cryptographic key agreement, and random number generation. The TOE additionally provides support for public keys, credential management and certificate validation functions and provides support for the National Security Agency’s Suite B cryptographic algorithms. Windows also provides extensive auditing support of cryptographic operations, the ability to replace cryptographic functions and random number generators with alternative implementations, and a key isolation service designed to limit the potential exposure of secret and private keys. In addition to using cryptography for its own security functions, Windows offers access to the cryptographic support functions for user-mode and kernel-mode programs. Public key certificates generated and used by Windows authenticate users and machines as well as protect both user and system data in transit.

  • User Data Protection: In the context of this evaluation Windows protects user data and provides virtual private networking capabilities.

  • Identification and Authentication: Each Windows user must be identified and authenticated based on administrator-defined policy prior to performing any TSF-mediated functions. An interactive user invokes a trusted path in order to protect his or her I&A information. Windows maintains databases of accounts including their identities, authentication information, group associations, and privilege and logon rights associations. Windows account policy functions include the ability to define the minimum password length, the number of failed logon attempts, the duration of lockout, and password age.

  • Protection of the TOE Security Functions: Windows provides a number of features to ensure the protection of TOE security functions. Windows protects against unauthorized data disclosure and modification by using a suite of Internet standard protocols including IPsec, IKE, and ISAKMP. Windows ensures process isolation security for all processes through private virtual address spaces, execution context, and security context. The Windows data structures defining process address space, execution context, memory protection, and security context are stored in protected kernel-mode memory. Windows includes self-testing features that ensure the integrity of executable program images and its cryptographic functions. Finally, Windows provides a trusted update mechanism to update Windows binaries itself.

  • Session Locking: Windows provides the ability for a user to lock their session either immediately or after a defined interval. Windows constantly monitors the mouse, keyboard, and touch display for activity and locks the computer after a set period of inactivity.

  • TOE Access: Windows allows an authorized administrator to configure the system to display a logon banner before the logon dialog.

  • Trusted Path for Communications: Windows uses HTTPS, DTLS, and TLS to provide a trusted path for communications.

  • Security Management: Windows includes several functions to manage security policies. Policy management is controlled through a combination of access control, membership in administrator groups, and privileges.

1.3.4 Non-TOE Hardware, Software, Firmware in the Evaluation

Non-TOE Hardware Identification: The following real and virtualized hardware platforms, corresponding firmware, and components are included in the evaluated configuration:



  • Microsoft Surface Book

  • Microsoft Surface Pro 4

  • Microsoft Surface Pro 3

  • Microsoft Surface 3

  • Windows Server 2016 Hyper-V

  • HP Pro x612 Notebook PC

  • Dell OptiPlex 755

1.4 TOE Description

The TOE includes the Windows 10 operating system, the Windows Server 2016 operating system, supporting hardware, and those applications necessary to manage, support and configure the operating system.

1.4.1 Evaluated Configurations

The TOE includes five product variants of Windows 10 (build 10.0.14393) and Windows Server 2016 (build 10.0.14393):



  • Microsoft Windows 10 Home Edition (Anniversary Update) (32-bit and 64-bit versions)

  • Microsoft Windows 10 Pro Edition (Anniversary Update) (32-bit and 64-bit versions)

  • Microsoft Windows 10 Enterprise Edition (Anniversary Update) (32-bit and 64-bit versions)

  • Microsoft Windows Server 2016 Standard Edition

  • Microsoft Windows Server 2016 Datacenter Edition

Within this security target, when specifically referring to a type of TSF (for example, a domain controller), the TSF type will be explicitly stated. Otherwise, the term TSF refers to the total of all TSFs within the TOE.

1.4.2 Security Environment and TOE Boundary

The TOE includes both physical and logical boundaries. Its operational environment is a networked environment.

1.4.2.1 Logical Boundaries

Conceptually the Windows TOE can be thought of as a collection of the following security services which the security target describes with increasing detail in the remainder of this document:



  • Security Audit

  • Cryptographic Support

  • User Data Protection

  • Identification and Authentication

  • Security Management

  • Protection of the TOE Security Functions

  • Access to the TOE

  • Trusted Path and Channels

These services are primarily provided by the following Windows components:

  • The Boot Manager, which is invoked by the computer’s bootstrapping code.

  • The Windows Loader which loads the operating system into the computer’s memory.

  • The Windows Kernel which contains device drivers for the Windows NT File System, full volume encryption, the crash dump filter, and the kernel-mode cryptographic library.

  • The IPv4 / IPv6 network stack in the kernel.

  • The Windows Trusted Installer which installs updates to the Windows operating system.

  • The Local Security Authority Subsystem which identifies and authenticates users prior to log on and generates events for the security audit log.

  • FIPS-Approved cryptographic algorithms to protect user and system data.

  • The Key Isolation Service which protects secret and private keys.
