Microsoft Windows Common Criteria Evaluation Microsoft Windows 10 (Anniversary Update) Microsoft Windows Server 2016




  • FPT_ACF_EXT.1: Windows provides a Discretionary Access Control policy to limit modification and reading of objects by non-authorized users.

  • FPT_ASLR_EXT.1: Windows randomizes user-mode process address spaces and kernel-mode address space.

  • FPT_SBOP_EXT.1: Windows binaries are compiled with stack overflow protection (compiled using the /Gs option for native applications).

  • FPT_SRP_EXT.1: Windows 10 Enterprise and Windows Server 2016 can restrict program execution based on the file path for the executable, a digital signature for the executable, a version number for the executable, or a hash of the executable file.

  • FPT_TST_EXT.1: Windows checks the integrity of the Windows boot loader, OS loader, kernel, and system binaries and all application executable code, i.e., Windows Store Applications and updates to Windows and Windows Store Applications.

  • FPT_TUD_EXT.1, FPT_TUD_EXT.2: Windows provides a means to identify the current version of the Windows software, the hardware model, and installed applications. Windows has update mechanisms to deliver updated operating system and application binaries and a means for a user to confirm that the digital signatures, which ensure the integrity of the update, are valid for both the operating system, applications, and Windows Store Applications.

    25.7 TOE Access

    Windows provides the ability for a user to lock their interactive logon session at their own volition or after a user-defined inactivity timeout. Windows also provides the ability for the administrator to specify the interval of inactivity after which the session will be locked. This policy will be applied to either the local machine or the computers within a domain using either local policy or group policy respectively. If both the administrator and a standard user specify an inactivity timeout period, Windows will lock the session when the shortest time period expires.

    Once a user has a desktop session, they can invoke the session locking function by using the same key sequence used to invoke the trusted path (Ctrl+Alt+Del). This key sequence is captured by the TSF and cannot be intercepted or altered by any user process. The result of that key sequence is a menu of functions, one of which is to lock the workstation. The user can also lock their desktop session by going to the Start screen, selecting their logon name, and then choosing the “Lock” option.

    Windows constantly monitors the mouse, keyboard, touch display, and the orientation sensor in order to determine whether they have been inactive for the specified time period, after which Windows will lock the workstation and execute the screen saver unless the user is streaming video such as a movie. Note that if the workstation was not locked manually, the TSF will lock the display and start the screen saver program if and when the inactivity period is exceeded, and will also show on the locked screen any notifications from applications which have registered to publish the application’s badge, or the badge with associated notification text. The user has the option to display no notifications, to choose one Windows Store Application to display notification text, and to select other applications to display their badge.

    After the computer has been locked, in order to unlock their session, the user either presses a key or swipes the display. The user must provide the Ctrl+Alt+Del key combination if the Interactive Logon: Do not require CTRL+ALT+DEL policy is set to disabled. Either action will result in an authentication dialog. The user must then re-enter their authentication data, which has been cached by the local system from the initial logon, after which the user’s display will be restored and the session will resume. Alternatively, an authorized administrator can enter their administrator identity and password in the authentication dialog. If the TSF can successfully authenticate the administrator, the user will be logged off, rather than returning to the user’s session, leaving the workstation ready to authenticate a new user.

    As part of establishing the interactive logon session, Windows can be configured to display a logon banner, which is specified by the administrator, that the user must accept prior to establishing the session.
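    The settings described in this section (administrator and user inactivity limits, the CTRL+ALT+DEL requirement, and the logon banner) are all policy-backed registry values on the evaluated platforms. The following is an added example, not code from the Security Target or from Microsoft, that reads those values and reports the effective lock timeout as the shortest of the administrator-defined and user-defined intervals, which is the rule the text states. It assumes an elevated PowerShell session on Windows 10 / Server 2016 and that the registry locations used are the standard stores for these settings; a user-side group-policy value is taken to override the user's own preference.

```powershell
# Added example, not code from the Security Target or from Microsoft: audits the
# session-lock, CTRL+ALT+DEL and logon-banner settings and reports the effective
# lock timeout (the shortest of the administrator's and the user's intervals).
# Assumes an elevated PowerShell session on Windows 10 / Server 2016; the registry
# locations are the standard policy-backed stores for these settings.

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value or key absent: the OS default applies
}

function Get-UserDesktopSetting {
    param([string]$Name)
    # A group-policy value for the user wins over the user's own preference.
    $policy = Get-RegValueOrNull 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop' $Name
    if ($null -ne $policy) { return $policy }
    Get-RegValueOrNull 'HKCU:\Control Panel\Desktop' $Name
}

function Get-SessionLockAudit {
    $machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # "Interactive logon: Machine inactivity limit", in seconds; 0 or absent means
    # the administrator has not set a limit.
    $adminLimit = [int](Get-RegValueOrNull $machinePolicy 'InactivityTimeoutSecs')

    # The user's screen saver timeout only locks the session if the screen saver is
    # active and "On resume, display logon screen" is set.
    $userTimeout = [int](Get-UserDesktopSetting 'ScreenSaveTimeOut')
    $userLocks   = (Get-UserDesktopSetting 'ScreenSaveActive') -eq '1' -and
                   (Get-UserDesktopSetting 'ScreenSaverIsSecure') -eq '1'

    # "Interactive logon: Do not require CTRL+ALT+DEL": 1 disables the secure
    # attention sequence; 0 or absent keeps it required.
    $disableCad = Get-RegValueOrNull $machinePolicy 'DisableCAD'

    # Logon banner (FTA_TAB.1) shown before the session is established.
    $bannerCaption = Get-RegValueOrNull $machinePolicy 'LegalNoticeCaption'
    $bannerText    = Get-RegValueOrNull $machinePolicy 'LegalNoticeText'

    # The session locks when the shortest configured interval expires.
    $intervals = @()
    if ($adminLimit -gt 0)                  { $intervals += $adminLimit }
    if ($userLocks -and $userTimeout -gt 0) { $intervals += $userTimeout }
    $effective = if ($intervals.Count -gt 0) { ($intervals | Measure-Object -Minimum).Minimum } else { $null }

    [pscustomobject]@{
        AdminInactivityLimitSecs = $adminLimit
        UserScreenSaverSecs      = $userTimeout
        UserScreenSaverLocks     = $userLocks
        EffectiveLockSecs        = $effective     # $null: nothing locks the session automatically
        CtrlAltDelRequired       = ($disableCad -ne 1)
        LogonBannerConfigured    = -not [string]::IsNullOrWhiteSpace([string]$bannerText)
        LogonBannerCaption       = $bannerCaption
    }
}

Get-SessionLockAudit | Format-List
```

    An EffectiveLockSecs of $null is the finding a reviewer looks for: it means neither the administrator nor the user has configured an interval that will actually lock the session, even if a screen saver timeout is set without the "display logon screen on resume" option.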

    25.7.1 SFR Summary


    • FTA_TAB.1: An authorized administrator can define and modify a banner that will be displayed prior to allowing a user to logon.

    25.8 Trusted Channels

    Windows provides trusted network channels to communicate with supporting IT infrastructure or applications:



    • Using TLS (HTTPS) for certificate enrollment; CRL checking; authentication to network resources such as web (HTTPS) and directory (LDAP-S) servers.

    • Using DTLS for datagram-based services and web browsing using a DTLS version which is specified by the client application.

    In order to establish a trusted channel, these communications are protected as described above in section 25.2.2.

    The remote access can be performed through the following methods:



    • Remote Desktop Services Overview: https://technet.microsoft.com/en-us/library/hh831447.aspx

    • Connect to another computer using Remote Desktop Connection: http://windows.microsoft.com/en-us/windows/connect-using-remote-desktop-connection#connect-using-remote-desktop-connection=windows-7

    Both methods use TLS (1.2) protocol for establishing the remote connection.
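    To check how the remote-access channel just described is configured on a given host, here is an added example that is not code from the Security Target or from Microsoft. It reads the Remote Desktop listener's security settings (a group-policy value taking precedence over the listener's own) together with the Schannel protocol state, and reports whether the listener requires TLS and Network Level Authentication and whether TLS 1.2 and the older protocol versions are enabled, disabled, or left at the operating system default. It assumes an elevated PowerShell session on Windows 10 / Server 2016 and that the registry locations used are the standard ones for these settings; an absent Schannel value is read as "OS default", which on these platforms has TLS 1.2 enabled.

```powershell
# Added example, not code from the Security Target or from Microsoft: audits the
# Remote Desktop listener and Schannel settings behind the TLS 1.2 remote-access
# channel. Assumes an elevated PowerShell session on Windows 10 / Server 2016.

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value or key absent: the OS default applies
}

function Get-RdpSecuritySetting {
    param([string]$Name)
    # Group policy (Remote Desktop Session Host > Security) wins over the
    # listener's own setting under Terminal Server\WinStations\RDP-Tcp.
    $policy = Get-RegValueOrNull 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' $Name
    if ($null -ne $policy) { return $policy }
    Get-RegValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' $Name
}

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)   # e.g. 'TLS 1.2', 'Server'
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Side"
    $enabled           = Get-RegValueOrNull $path 'Enabled'
    $disabledByDefault = Get-RegValueOrNull $path 'DisabledByDefault'
    if ($null -eq $enabled -and $null -eq $disabledByDefault) { return 'OS default' }
    if ($enabled -eq 0)           { return 'Disabled' }
    if ($disabledByDefault -eq 1) { return 'Disabled by default' }
    'Enabled'
}

function Get-RemoteAccessChannelAudit {
    $securityLayer = Get-RdpSecuritySetting 'SecurityLayer'      # 2 = TLS required, 1 = negotiate, 0 = RDP security layer
    $nla           = Get-RdpSecuritySetting 'UserAuthentication' # 1 = Network Level Authentication required
    $encLevel      = Get-RdpSecuritySetting 'MinEncryptionLevel' # 3 = High, 4 = FIPS-compliant

    $protocols = foreach ($p in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        [pscustomobject]@{
            Protocol = $p
            Client   = Get-SchannelProtocolState $p 'Client'
            Server   = Get-SchannelProtocolState $p 'Server'
        }
    }

    [pscustomobject]@{
        RdpSecurityLayer      = $securityLayer
        RdpRequiresTls        = ($securityLayer -eq 2)
        RdpRequiresNla        = ($nla -eq 1)
        RdpMinEncryptionLevel = $encLevel
        SchannelProtocols     = $protocols
    }
}

$audit = Get-RemoteAccessChannelAudit
$audit | Select-Object -Property * -ExcludeProperty SchannelProtocols | Format-List
$audit.SchannelProtocols | Format-Table -AutoSize
```

    A listener whose SecurityLayer is 0 or 1 can still fall back to the legacy RDP security layer when a client asks for it, so RdpRequiresTls is the value to confirm when the intent is that the remote connection is always established over TLS.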

    25.8.1 SFR Summary



    • FTP_ITC_EXT.1(TLS), FTP_ITC_EXT.1(DTLS): Windows provides several trusted network channels that protect data in transit from disclosure, provide data integrity, and provide the endpoint identification used by TLS, HTTPS, and DTLS. TLS and HTTPS are used as part of network-based authentication and certificate validation; HTTPS and DTLS are used for web browsing and by other connection-based and datagram-based application protocols.

    • FTP_TRP.1: Windows provides a local trusted path service as described in TOE Access and a network-based trusted channel built on the network protocols described in this section.

    25.9 Security Response Process

    Microsoft utilizes industry standard practices to address reported product vulnerabilities. This includes a central email address (secure@microsoft.com) to report issues (as described at https://technet.microsoft.com/en-us/security/ff852094), timely triage and root cause analysis, and responsible resolution of the report which may result in the release of a binary update. If a binary update is required, it is made available through automated channels to all customers following the process described at https://technet.microsoft.com/en-us/security/dn436305. If the sender wishes to send secure email, there is a public PGP key for S/MIME at https://technet.microsoft.com/en-us/security/dn606155.aspx. Security updates for Microsoft products – operating system, firmware, and applications – are delivered as described in section 25.6.4 and 25.6.5.



    26. Protection Profile Conformance Claim

    This section provides the protection profile conformance claim and supporting justifications and rationale.

    26.1 Rationale for Conformance to Protection Profile

    This Security Target is in compliance with the General Purpose Operating Systems Protection Profile, Version 4.1, March 9, 2016 (GP OS PP).

    For all of the content incorporated from the protection profile, the corresponding rationale in that protection profile remains applicable to demonstrate the correspondence between the TOE security functional requirements and TOE security objectives. Moreover, as demonstrated in this security target, Windows runs on a wide variety of hardware ranging from tablets, convertibles, and notebooks to desktop and server computers, and so it is a general purpose operating system.

    The requirements in the protection profile are assumed to represent a complete set of requirements that serve to address any interdependencies. All the functional requirements in this security target have been copied from the protection profile so that all dependencies between SFRs are satisfied by the inclusion of the relevant component (or one that is hierarchical to it) with the following exceptions, for which a rationale is given:



    • FCS_CKM.4: This SFR has not been included in this security target. However, each SFR with a dependency on this requirement satisfies that dependency by means of FCS_CKM_EXT.3, which is a security requirement based on FCS_CKM.4.

    27. Rationale for Modifications to the Security Requirements

    This section provides a rationale that describes how the Security Target reproduced the security functional requirements and security assurance requirements from the protection profile.

    27.1 Functional Requirements

    This Security Target includes security functional requirements (SFRs) that can be mapped to SFRs found in the protection profile along with SFRs that describe additional features and capabilities. The mapping from protection profile SFRs to security target SFRs, along with the rationale for operations, is presented in Table Rationale for Operations. SFR operations left incomplete in the protection profile have been completed in this security target and are identified within each SFR in section 5.1 TOE Security Functional Requirements.



    Table Rationale for Operations

| GP OS PP Requirement | ST Requirement | Operation & Rationale |
| --- | --- | --- |
| FAU_GEN.1 | FAU_GEN.1 | Multiple assignments which are allowed by the PP. |
| FCS_CKM.1(1) | FCS_CKM.1(1) | Multiple selections which are allowed by the PP. |
| FCS_CKM.2(1) | FCS_CKM.2(1) | A selection which is allowed by the PP. |
| FCS_CKM_EXT.3 | FCS_CKM_EXT.3 | Two selections which are allowed by the PP. |
| FCS_COP.1(1) | FCS_COP.1(SYM) | Multiple selections which are allowed by the PP. |
| FCS_COP.1(2) | FCS_COP.1(HASH) | Multiple selections which are allowed by the PP. |
| FCS_COP.1(3) | FCS_COP.1(SIGN) | Multiple selections which are allowed by the PP. |
| FCS_COP.1(4) | FCS_COP.1(HMAC) | Multiple selections which are allowed by the PP. |
| FCS_RBG_EXT.1 | FCS_RBG_EXT.1 | Multiple selections which are allowed by the PP. |
| FCS_STO_EXT.1 | FCS_STO_EXT.1 | Copied from the PP without changes. |
| FCS_TLSC_EXT.1 | FCS_TLSC_EXT.1 | Multiple selections which are allowed by the PP. |
| FCS_TLSC_EXT.2 | FCS_TLSC_EXT.2 | Copied from the PP without changes. |
| FCS_TLSC_EXT.3 | FCS_TLSC_EXT.3 | Multiple selections which are allowed by the PP. |
| FCS_TLSC_EXT.4 | FCS_TLSC_EXT.4 | Multiple selections which are allowed by the PP. |
| FCS_DTLS_EXT.1 | FCS_DTLS_EXT.1 | A selection which is allowed by the PP. |
| FDP_ACF_EXT.1 | FDP_ACF_EXT.1 | Copied from the PP without changes. |
| FDP_IFC_EXT.1 | FDP_IFC_EXT.1 | Two selections which are allowed by the PP. |
| FIA_AFL.1 | FIA_AFLT.1 | Two selections and an assignment which are allowed by the PP. |
| FIA_UAU.5 | FIA_UAU.5 | Multiple selections which are allowed by the PP. |
| FIA_X509_EXT.1 | FIA_X509_EXT.1 | Multiple selections which are allowed by the PP. |
| FIA_X509_EXT.2 | FIA_X509_EXT.2 | Multiple selections and an assignment which are allowed by the PP. |
| FMT_MOF_EXT.1 | FMT_MOF_EXT.1 | Multiple selections which are allowed by the PP. |
| FPT_ACF_EXT.1 | FPT_ACF_EXT.1 | Two assignments which are allowed by the PP. |
| FPT_ASLR_EXT.1 | FPT_ASLR_EXT.1 | Copied from the PP without changes. |
| FPT_SBOP_EXT.1 | FPT_SBOP_EXT.1 | An assignment which is allowed by the PP. |
| FPT_SRP_EXT.1 | FPT_SRP_EXT.1 | Multiple selections and an assignment which are allowed by the PP. |
| FPT_TST_EXT.1 | FPT_TST_EXT.1 | Multiple selections which are allowed by the PP. |
| FPT_TUD_EXT.1 | FPT_TUD_EXT.1 | Added a refinement to align on SFR labels. |
| FPT_TUD_EXT.2 | FPT_TUD_EXT.2 | Added a refinement to align on SFR labels. |
| FTA_TAB.1 | FTA_TAB.1 | Copied from the PP without changes. |
| FTP_TRP.1 | FTP_TRP.1 | Multiple selections which are allowed by the PP. |
| FTP_ITC_EXT.1 | FTP_ITC_EXT.1(TLS) | Multiple selections and an assignment which are allowed by the PP. |
| FTP_ITC_EXT.1 | FTP_ITC_EXT.1(DTLS) | Multiple selections and an assignment which are allowed by the PP. |

    27.2 Security Assurance Requirements

    The statement of security assurance requirements (SARs) found in this Security Target is in strict conformance with the General Purpose Operating Systems Protection Profile.

    27.3 Rationale for the TOE Summary Specification

    This section, in conjunction with section 25, the TOE Summary Specification (TSS), provides evidence that the security functions are suitable to meet the TOE security requirements.

    Each subsection in section 25, TOE Security Functions (TSFs), describes a Security Function (SF) of the TOE. Each description is followed by rationale that indicates which requirements are satisfied by aspects of the corresponding SF. The set of security functions work together to satisfy all of the functional requirements. Furthermore, all the security functions are necessary in order for the TSF to provide the required security functionality.

    The set of security functions work together to provide all of the security requirements as indicated in Table Requirement to Security Function Correspondence. The security functions described in the TOE Summary Specification and listed in that table are all necessary for the required security functionality in the TSF.

    Table Requirement to Security Function Correspondence

| Requirement | Audit | Cryptographic Protection | User Data Protection | I & A | Security Management | TSF Protection | Resource Utilization | TOE Access | Trusted Path / Channel |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| FAU_GEN.1 | X | | | | | | | | |
| FCS_CKM.1(1) | | X | | | | | | | |
| FCS_CKM.2(1) | | X | | | | | | | |
| FCS_CKM_EXT.3 | | X | | | | | | | |
| FCS_COP.1(SYM) | | X | | | | | | | |
| FCS_COP.1(HASH) | | X | | | | | | | |
| FCS_COP.1(SIGN) | | X | | | | | | | |
| FCS_COP.1(HMAC) | | X | | | | | | | |
| FCS_RBG_EXT.1 | | X | | | | | | | |
| FCS_STO_EXT.1 | | X | | | | | | | |
| FCS_TLSC_EXT.1 | | X | | | | | | | |
| FCS_TLSC_EXT.2 | | X | | | | | | | |
| FCS_TLSC_EXT.3 | | X | | | | | | | |
| FCS_TLSC_EXT.4 | | X | | | | | | | |
| FCS_DTLS_EXT.1 | | X | | | | | | | |
| FDP_ACF_EXT.1 | | | X | | | | | | |
| FDP_IFC_EXT.1 | | | X | | | | | | |
| FIA_AFL.1 | | | | X | | | | | |
| FIA_UAU.5 | | | | X | | | | | |
| FIA_X509_EXT.1 | | | | X | | | | | |
| FIA_X509_EXT.2 | | | | X | | | | | |
| FMT_MOF_EXT.1 | | | | | X | | | | |
| FPT_ACF_EXT.1 | | | | | | X | | | |
| FPT_ASLR_EXT.1 | | | | | | X | | | |
| FPT_SBOP_EXT.1 | | | | | | X | | | |
| FPT_SRP_EXT.1 | | | | | | X | | | |
| FPT_TST_EXT.1 | | | | | | X | | | |
| FPT_TUD_EXT.1 | | | | | | X | | | |
| FPT_TUD_EXT.2 | | | | | | X | | | |
| FTA_TAB.1 | | | | | | | | X | |
| FTP_TRP.1 | | | | | | | | | X |
| FTP_ITC_EXT.1(TLS) | | | | | | | | | X |
| FTP_ITC_EXT.1(DTLS) | | | | | | | | | X |

