Each instance of the general purpose OS TOE runs on a tablet, convertible, workstation or server computer. The TOE executes on processors from Intel (x86 and x64) or AMD (x86 and x64) along with peripherals for input/output (keyboard, mouse, display, and network).
The TOE does not include any hardware or network infrastructure components between the computers that comprise the distributed TOE. The security target assumes that any network connections, equipment, peripherals and cables are appropriately protected in the TOE security environment.
Windows is typically installed on new computers and consumers can download Windows 10 from http://windows.microsoft.com/en-US/windows/downloads and Windows Server 2016 can be purchased from the online Microsoft Store. The obtained file is in .iso format. Enterprises typically obtain Windows using volume licensing programs such as these for Windows 10 and Windows Server 2016.
TOE Guidance Identification: The following administrator, user, and configuration guides were evaluated as part of the TOE:
This section specifies the formatting information used in the security target.
| Term | Definition |
|---|---|
| Access | Interaction between an entity and an object that results in the flow or modification of data. |
| Access control | Security service that controls the use of resources and the disclosure and modification of data. |
| Accountability | Tracing each activity in an IT system to the entity responsible for the activity. |
| Active Directory | Active Directory manages enterprise identities, credentials, information protection, system and application settings through AD Domain Services, Federation Services, Certificate Services and Lightweight Directory Services. |
| Administrator | An authorized user who has been specifically granted the authority to manage some portion or the entire TOE and thus whose actions may affect the TOE Security Policy (TSP). Administrators may possess special privileges that provide capabilities to override portions of the TSP. |
| Assurance | A measure of confidence that the security features of an IT system are sufficient to enforce the IT system’s security policy. |
| Attack | An intentional act attempting to violate the security policy of an IT system. |
| Authentication | A security measure that verifies a claimed identity. |
| Authentication data | The information used to verify a claimed identity. |
| Authorization | Permission, granted by an entity authorized to do so, to perform functions and access data. |
| Authorized user | An authenticated user who may, in accordance with the TOE Security Policy, perform an operation. |
| Availability | Timely, reliable access to IT resources. |
| Compromise | Violation of a security policy. |
| Confidentiality | A security policy pertaining to disclosure of data. |
| Critical cryptographic security parameters | Security-related information appearing in plaintext or otherwise unprotected form and whose disclosure or modification can compromise the security of a cryptographic module or the security of the information protected by the module. |
| Cryptographic boundary | An explicitly defined contiguous perimeter that establishes the physical bounds (for hardware) or logical bounds (for software) of a cryptographic module. |
| Cryptographic key (key) | A parameter used in conjunction with a cryptographic algorithm that determines: the transformation of plaintext data into ciphertext data; the transformation of ciphertext data into plaintext data; a digital signature computed from data; the verification of a digital signature computed from data; a data authentication code computed from data. |
| Cryptographic module | The set of hardware, software, and/or firmware that implements approved security functions, including cryptographic algorithms and key generation, which is contained within the cryptographic boundary. |
| Cryptographic module security policy | A precise specification of the security rules under which a cryptographic module must operate. |
| Defense-in-depth | A security design strategy whereby layers of protection are utilized to establish an adequate security posture for an IT system. |
| Discretionary Access Control (DAC) | A means of restricting access to objects based on the identity of subjects and groups to which the objects belong. The controls are discretionary, meaning that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject. |
| Edition | A distinct variation of a Windows OS version. Examples of editions are Windows Server 2016 [Standard] and Windows Server 2016 Datacenter. |
| Enclave | A collection of entities under the control of a single authority and having a homogeneous security policy. They may be logical, or based on physical location and proximity. |
| Entity | A subject, object, user or external IT device. |
| General-Purpose Operating System | A general-purpose operating system is designed to meet a variety of goals, including protection between users and applications, fast response time for interactive applications, high throughput for server applications, and high overall resource utilization. |
| Identity | A means of uniquely identifying an authorized user of the TOE. |
| Integrated Windows authentication | An authentication protocol formerly known as NTLM or Windows NT Challenge/Response. |
| Named object | An object that exhibits all of the following characteristics: the object may be used to transfer information between subjects of differing user identities within the TOE Security Function (TSF); subjects in the TOE must be able to request a specific instance of the object; the name used to refer to a specific instance of the object must exist in a context that potentially allows subjects with different user identities to request the same instance of the object. |
| Object | An entity under the control of the TOE that contains or receives information and upon which subjects perform operations. |
| Operating environment | The total environment in which a TOE operates. It includes the physical facility and any physical, procedural, administrative and personnel controls. |
| Persistent storage | All types of data storage media that maintain data across system boots (e.g., hard disk, removable media). |
| Public object | An object for which the TSF unconditionally permits all entities “read” access under the Discretionary Access Control SFP. Only the TSF or authorized administrators may create, delete, or modify the public objects. |
| Resource | A fundamental element in an IT system (e.g., processing time, disk space, and memory) that may be used to create the abstractions of subjects and objects. |
| SChannel | A security package (SSP) that provides network authentication between clients and servers. |
| Secure State | Condition in which all TOE security policies are enforced. |
| Security attributes | TSF data associated with subjects, objects and users that is used for the enforcement of the TSP. |
| Security-enforcing | A term used to indicate that the entity (e.g., module, interface, subsystem) is related to the enforcement of the TOE security policies. |
| Security-supporting | A term used to indicate that the entity (e.g., module, interface, subsystem) is not security-enforcing; however, the entity’s implementation must still preserve the security of the TSF. |
| Security context | The security attributes or rules that are currently in effect. For SSPI, a security context is an opaque data structure that contains security data relevant to a connection, such as a session key or an indication of the duration of the session. |
| Security package | The software implementation of a security protocol. Security packages are contained in security support provider libraries or security support provider/authentication package libraries. |
| Security principal | An entity recognized by the security system. Principals can include human users as well as autonomous processes. |
| Security Support Provider (SSP) | A dynamic-link library that implements the SSPI by making one or more security packages available to applications. Each security package provides mappings between an application's SSPI function calls and an actual security model's functions. Security packages support security protocols such as Kerberos authentication and Integrated Windows Authentication. |
| Security Support Provider Interface (SSPI) | A common interface between transport-level applications. SSPI allows a transport application to call one of several security providers to obtain an authenticated connection. These calls do not require extensive knowledge of the security protocol's details. |
| Security Target (ST) | A set of security requirements and specifications to be used as the basis for evaluation of an identified TOE. |
| Subject | An active entity within the TOE Scope of Control (TSC) that causes operations to be performed. Subjects can come in two forms: trusted and untrusted. Trusted subjects are exempt from part or all of the TOE security policies. Untrusted subjects are bound by all TOE security policies. |
| Target of Evaluation (TOE) | An IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation. |
| Threat | Capabilities, intentions and attack methods of adversaries, or any circumstance or event, with the potential to violate the TOE security policy. |
| Unauthorized individual | A type of threat agent in which individuals who have not been granted access to the TOE attempt to gain access to information or functions provided by the TOE. |
| Unauthorized user | A type of threat agent in which individuals who are registered and have been explicitly granted access to the TOE may attempt to access information or functions that they are not permitted to access. |
| Universal Unique Identifier (UUID) | A UUID is an identifier that is unique across both space and time, with respect to the space of all UUIDs. A UUID can be used for multiple purposes, from tagging objects with an extremely short lifetime to reliably identifying very persistent objects across a network. |
| User | Any person who interacts with the TOE. |
| User Principal Name (UPN) | An identifier used by Microsoft Active Directory that provides a user name and the Internet domain with which that username is associated, in an e-mail address format. The format is [AD username]@[associated domain]; an example would be john.smith@microsoft.com. |
| Uniform Resource Locator (URL) | The address that is used to locate a Web site. URLs are text strings that must conform to the guidelines in RFC 2396. |
| Version | A Version refers to a release level of the Windows operating system. Windows 7 and Windows 8 are different versions. |
| Vulnerability | A weakness that can be exploited to violate the TOE security policy. |
Evaluation Assurance: As specified in section Error: Reference source not found and specific Assurance Activities associated with the security functional requirements from section Error: Reference source not found.
CC Identification: CC for Information Technology (IT) Security Evaluation, Version 3.1, Revision 4, September 2012.
The security problem definition consists of the threats to security, organizational security policies, and usage assumptions as they relate to Windows 10 and Server 2016. The assumptions, threats, and policies are copied from the General Purpose Operating Systems Protection Profile, Version 4.1, March 9, 2016 (“GP OS PP”).