Microsoft Windows Server 2003, XP Professional and XP Embedded Security Target
Version 3.0
November 19, 2007

Prepared For:
Microsoft Corporation
Corporate Headquarters
One Microsoft Way
Redmond, WA 98052-6399

Prepared By:
Science Applications International Corporation
Common Criteria Testing Laboratory
7125 Gateway Drive
Columbia, MD 21046-2554

Version 3.0, 11/19/07
Microsoft Corporation, 2008. All Rights Reserved.

This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

2007 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Visual Basic, Visual Studio, Windows, the Windows logo, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents

1. SECURITY TARGET INTRODUCTION 1
1.1 SECURITY TARGET, TOE, AND CC IDENTIFICATION 1
1.2 CC CONFORMANCE CLAIMS 4
1.3 STRENGTH OF ENVIRONMENT 4
1.4 CONVENTIONS, TERMINOLOGY, ACRONYMS 4
1.4.1 Conventions 4
1.4.2 Terminology 5
1.4.3 Acronyms 5
1.5 SECURITY TARGET OVERVIEW AND ORGANIZATION 5
2. TOE DESCRIPTION 7
2.1 PRODUCT TYPES 7
2.2 PRODUCT DESCRIPTION 8
2.3 PRODUCT FEATURES 9
2.3.1 Windows 2003/XP Administration and Management Features 10
2.3.2 Windows 2003/XP Network Security Features 13
2.3.3 Windows 2003/XP Scalability Features 15
2.3.4 New Windows 2003/XP TOE Features 17
2.4 SECURITY ENVIRONMENT AND TOE BOUNDARY 19
2.4.1 Logical Boundaries 19
2.4.2 Physical Boundaries 21
2.5 TOE SECURITY SERVICES 21
3. SECURITY ENVIRONMENT 24
3.1 THREATS TO SECURITY 24
3.2 ORGANIZATIONAL SECURITY POLICIES 25
3.3 SECURE USAGE ASSUMPTIONS 25
3.3.1 Connectivity Assumptions 26
3.3.2 Personnel Assumptions 26
3.3.3 Physical Assumptions 26
4. SECURITY OBJECTIVES 28
4.1 TOE IT SECURITY OBJECTIVES 28
4.2 NON-IT SECURITY OBJECTIVES FOR THE ENVIRONMENT 29
5. IT SECURITY REQUIREMENTS 30
5.1 TOE SECURITY FUNCTIONAL REQUIREMENTS 30
5.1.1 Audit (FAU) Requirements 37
5.1.2 Cryptographic Support (FCS) 41
5.1.3 User Data Protection (FDP) Requirements 45
5.1.4 Identification and Authentication (FIA) 55
5.1.5 Management Requirements (FMT) 57
5.1.6 Protection of the TOE Security Functions (FPT) 65
5.1.7 Resource Utilization (FRU) 68
5.1.8 TOE Access (FTA) 68
5.1.9 Trusted Path/Channels 69
5.2 TOE SECURITY ASSURANCE REQUIREMENTS 69
5.2.1 Configuration Management (ACM) 70
5.2.2 Delivery and Operation (ADO) 73
5.2.3 Development (ADV) 74
5.2.4 Guidance Documents (AGD) 78
5.2.5 Life Cycle Support (ALC) 80
5.2.6 Security Testing (ATE) 82
5.2.7 Vulnerability Assessment (AVA) 84
5.3 SECURITY REQUIREMENTS FOR THE IT ENVIRONMENT 87
6. TOE SUMMARY SPECIFICATION 88
6.1 TOE SECURITY FUNCTIONS 88
6.1.1 Audit Function 88
6.1.2 User Data Protection Function 93
6.1.3 Cryptographic Protection 104
6.1.4 Identification and Authentication Function 107
6.1.5 Security Management Function 113
6.1.6 TSF Protection Function 117
6.1.7 Resource Utilization Function 125
6.1.8 Session Locking Function 126
6.2 TOE SECURITY ASSURANCE MEASURES 126
6.2.1 Process Assurance 127
6.2.2 Delivery and Guidance 128
6.2.3 Design Documentation 128
6.2.4 Tests 129
6.2.5 Vulnerability Assessment 130
7. PROTECTION PROFILE CLAIMS 132
7.1 CONTROLLED ACCESS PROTECTION PROFILE (CAPP) CONFORMANCE CLAIM REFERENCE 132
7.1.1 CAPP Requirements in ST 132
7.1.2 CAPP Differences and Enhancements 132
8. RATIONALE 138
8.1 SECURITY OBJECTIVES RATIONALE 138
8.1.1 TOE IT Security Objectives Rationale 138
8.1.2 Non-IT Security Objectives for the Environment Rationale 141
8.2 SECURITY REQUIREMENTS RATIONALE 142
8.2.1 Security Functional Requirements Rationale 142
8.2.2 Security Assurance Requirements Rationale 150
8.2.3 Requirement Dependency Rationale 151
8.2.4 Explicitly Stated Requirements Rationale 156
8.2.5 Internal Consistency and Mutually Supportive Rationale 158
8.2.6 Strength of Function Rationale 158
8.3 TOE SUMMARY SPECIFICATION RATIONALE 158
9. ADDITIONAL PROTECTION PROFILE REFERENCES 163
9.1 PROTECTION PROFILE FOR SINGLE-LEVEL OPERATING SYSTEMS (SLOSPP) REFERENCE 163
9.2 WEB SERVER PP REFERENCE 163
APPENDIX A LIST OF ACRONYMS A-1
APPENDIX B TOE COMPONENT DECOMPOSITION B-1
1. Security Target Introduction

This section presents the following information:
- Identifies the Security Target (ST) and Target of Evaluation (TOE);
- Specifies the ST conventions and ST conformance claims; and,
- Describes the ST organization.

1.1 Security Target, TOE, and Common Criteria (CC) Identification

ST Title - Microsoft Windows Server 2003, XP Professional and XP Embedded Security Target

ST Version – Version 3.0, 11/19/07

TOE Software Identification – The following Windows Operating Systems (OS'):
- MS Windows XP Professional, Version 5.1 SP2
- MS Windows XP Professional x64, Version 5.2 SP2
- MS Windows XP Embedded, Version 5.1 SP2
- MS Windows Server 2003 Standard, Version 5.2 SP2
- MS Windows Server 2003 R2 Standard, Version 5.2 SP2
- MS Windows Server 2003 Standard x64, Version 5.2 SP2
- MS Windows Server 2003 R2 Standard x64, Version 5.2 SP2
- MS Windows Server 2003 Enterprise, Version 5.2 SP2
- MS Windows Server 2003 R2 Enterprise, Version 5.2 SP2
- MS Windows Server 2003 Enterprise x64, Version 5.2 SP2
- MS Windows Server 2003 R2 Enterprise x64, Version 5.2 SP2
- Microsoft Windows Server 2003, Datacenter Edition x64, version 5.2, SP2
- Microsoft Windows Server 2003 R2, Datacenter Edition x64, version 5.2, SP2
- Windows Server 2003 Enterprise Edition with SP2 for Itanium-based Systems

The following security updates and patches must be applied to the above Windows Server 2003 products:
- MS07-029: Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution (KB935966)
- MS07-022: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (KB931784) – x86 only
- MS07-021: Vulnerabilities in CSRSS Could Allow Remote Code Execution (KB930178)
- MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution (KB925902)
- Software Update for Base Smart Card Cryptographic Service Provider: An associated Microsoft Security Bulletin for this issue is not available (KB909520)

The following security updates must be applied to the above XP products:

The following apply to all XP products:
  o MS07-021: Vulnerabilities in CSRSS Could Allow Remote Code Execution (KB930178)
  o MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution (KB925902)
  o Software Update for Base Smart Card Cryptographic Service Provider: An associated Microsoft Security Bulletin for this issue is not available (KB909520).

The following updates are necessary for XP Professional 32-bit only:
  o MS07-022: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (KB931784)
  o MS07-006: Vulnerability in Windows Shell Could Allow Elevation of Privilege (KB928255)
  o MS06-075: Vulnerability in Windows Could Allow Elevation of Privilege (KB926255)
  o MS06-070: Vulnerability in Workstation Service Could Allow Remote Code Execution (KB924270)
  o MS06-065: Vulnerability in Windows Object Packager Could Allow Remote Execution (KB924496)
  o MS06-064: Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service (KB922819)
  o MS06-063: Vulnerability in Server Service Could Allow Denial of Service (KB923414)
  o MS06-061: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (KB924191)
  o MS06-057: Vulnerability in Windows Explorer Could Allow Remote Execution (KB923191)
  o MS06-056: Vulnerability in ASP.NET 2.0 Could Allow Information Disclosure (KB922770)
  o Update for Windows XP (KB922582) - This update resolves an issue identified in Filter Manager that can prevent you from installing updates from Windows Update.
  o Update for Windows XP (KB910437) - This update resolves an issue in which Windows Update and Automatic Updates can no longer download updates after an Access Violation error occurs when using the Automatic Updates service.
  o MS06-053: Vulnerability in Indexing Service Could Allow Cross-Site Scripting (KB920685)
  o MS06-045: Vulnerability in Windows Explorer Could Allow Remote Code Execution (KB921398)
  o MS06-042: Cumulative Security Update for Internet Explorer (KB918899)
  o MS06-041: Vulnerability in DNS Resolution Could Allow Remote Code Execution (KB920683)
  o MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (KB921883)
  o MS06-036: Vulnerability in DHCP Client Service Could Allow Remote Code Execution (KB914388)
  o MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (KB917159)
  o MS06-030: Vulnerability in Server Message Block Could Allow Elevation of Privilege (KB914389)
  o MS06-018: Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (KB913580)
  o MS06-015: Vulnerability in Windows Explorer Could Allow Remote Code Execution (KB908531)
  o MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (KB911927)
  o MS06-001: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (KB912919)
  o MS05-053: Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (KB896424)
  o MS05-051: Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (KB902400)
  o MS05-049: Vulnerabilities in Windows Shell Could Allow Remote Code Execution (KB900725)
  o MS05-047: Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (KB905749)
  o IPSec Policy Agent Update: An associated Microsoft Security Bulletin for this issue is not available. (KB907865)
  o MS05-043: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (KB896423)
  o MS05-042: Vulnerabilities in Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing (KB899587)
  o MS05-027: Vulnerability in Server Message Block Could Allow Remote Code Execution (KB896422)
  o MS05-018: Vulnerability in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (KB890859)
  o MS05-011: Vulnerability in Server Message Block Could Allow Remote Code Execution (KB885250)
  o MS05-007: Vulnerability in Windows Could Allow Information Disclosure (KB888302)
  o MS04-044: Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (KB885835)

TOE Hardware Identification – The following hardware platforms are included in the evaluated configuration:

| Manufacturer | Model | Processor(s) | Memory |
| Dell | Optiplex GX620 | 3.0 GHz Intel Pentium D Processor 830 (1 CPU), 32-bit | 2 GB |
| Dell | PowerEdge SC1420 | 3.0 GHz Intel Xeon Processor (1 CPU), 32-bit | 1 GB |
| Dell | PowerEdge SC1420 | 3.6 GHz Intel Xeon Processor (1 CPU), 32-bit | 2 GB |
| Dell | PowerEdge 1800 | 3.2 GHz Intel Xeon Processor (1 CPU), 32-bit | 2 GB |
| Dell | PowerEdge 2850 | 2.8 GHz Intel Xeon Processor (2 Dual-Core CPUs), 64-bit | 4 GB |
| HP | Proliant DL385 | 2.6 GHz AMD Opteron Processor 252 (2 CPUs), 64-bit | 2 GB |
| HP | rx1620 Bundle Solution Server | 1.3 GHz Intel Itanium Processor (1 CPU), 64-bit | 2 GB |
| HP | xw9300 Workstation | 2.2 GHz AMD Opteron Processor 248 (1 CPU), 64-bit | 2 GB |
| IBM | eServer 326m | 2.0 GHz AMD Opteron Processor 270 (1 Dual-Core CPU), 64-bit | 2 GB |
| IBM | eServer 326m | 2.4 GHz AMD Opteron Processor 280 (2 Dual-Core CPUs), 64-bit | 2 GB |
| Unisys | RASCAL ES7000 | 2.5 GHz Intel Xeon MP EM64T Processor (4 CPUs), 64-bit | 4 GB |
| GemPlus | GemPC Twin USB smartcards | | |

Evaluation Assurance Level (EAL) – EAL 4 augmented with ALC_FLR.3 (Systematic Flaw Remediation).
CC Identification – CC for Information Technology (IT) Security Evaluation, Version 2.3, August 2005.

International Standard – International Organization for Standardization (ISO)/International Electro-technical Commission (IEC) 15408:1999.

Keywords – OS, sensitive data protection device, directory service, network management, desktop management, single sign on, Discretionary Access Control (DAC), Active Directory Federation Services (ADFS), Windows Server Update Services (WSUS), RPC over HTTP, content indexing and searching, Data Execution Prevention (DEP), ST, cryptography, Public key, firewall, web server, IPSec, smart card, certificate server, IP Version 6 (IPv6), information flow, Federal Information Processing Standard (FIPS)-140, Virtual Private Network (VPN), content-provider, access control, Controlled Access Protection Profile (CAPP), EAL 4, Microsoft Windows, 32 bit, 64 bit, x64.
1.2 CC Conformance Claims

This TOE and ST are consistent with the following specifications:
- Conformant to PP, Controlled Access Protection Profile, Version 1.d, National Security Agency, 8 October 1999 (PP Conformant). Note that the CAPP requires EAL 3.
- Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements, Version 2.3, August 2005, extended (Part 2 extended)
- Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements, Version 2.3, August 2005, conformant, EAL 4 augmented with ALC_FLR.3 (Part 3 Conformant, EAL 4 augmented).
1.3 Strength of Environment

The evaluation of Windows 2003/XP provides a moderate level of independently assured security in a conventional TOE and is suitable for the environment specification in this ST. The assurance requirements and the minimum Strength of Function (SOF) were chosen to be consistent with this goal and to be compliant with the CAPP. The TOE assurance level is EAL 4 augmented with ALC_FLR.3 and the TOE minimum SOF is SOF-medium.
1.4 Conventions, Terminology, Acronyms

This section specifies the formatting information used in the ST.

1.4.1 Conventions

The following conventions have been applied in this document:
- SFRs – Part 2 of the CC defines the approved set of operations that may be applied to functional requirements: iteration, assignment, selection, and refinement.
  o Iteration: allows a component to be used more than once with varying operations. In the ST, a letter placed at the end of the component indicates iteration. For example FMT_MTD.1(a) and FMT_MTD.1(b) indicate that the ST includes two iterations of the FMT_MTD.1 requirement, a and b.
  o Assignment: allows the specification of an identified parameter.
  o Selection: allows the specification of one or more elements from a list.
  o Refinement: allows the addition of details.
  The conventions for the assignment, selection, refinement, and iteration operations are described in Section 5.
- Other sections of the ST – Other sections of the ST use bolding to highlight text of special interest, such as captions.
1.4.2 Terminology

The following terminology is used in the ST:
- Authorized User – an entity that has been properly identified and authenticated. These users are considered to be legitimate users of the TOE.
- Authorized administrator/Administrator – A user in the administrator role is an authorized user who has been granted the authority to manage the TOE. These users are expected to use this authority only in the manner prescribed by the guidance given them. The term authorized administrator is taken from the CC and CAPP and is used in the ST in those sections that are derived from the CAPP or the CC directly. Otherwise, the term administrator is used. These terms are used interchangeably.
- DAC Policy – The DAC policy is defined as in the CAPP.
1.4.3 Acronyms

The acronyms used in this ST are specified in Appendix A – Acronym List.
1.5 ST Overview and Organization

The Windows 2003/XP TOE is a general-purpose, distributed, network OS that provides controlled access between subjects and user data objects. Windows 2003/XP has a broad set of security capabilities including single network logon (using password or smart card); access control and data encryption; extensive security audit collection; host-based firewall and IPSec to control information flow; public key certificate service; built-in standards-based security protocols such as Kerberos, Transport Layer Security (TLS)/Secure Sockets Layer (SSL), Digest, Internet Key Exchange (IKE)/IPSec; FIPS-140 validated cryptography; Web Service (WS)-Federation within the Active Directory Federation Services (ADFS) framework; Windows Server Update Services; and Light-weight Directory Access Protocol (LDAP) Directory-based resource management.

The Windows 2003/XP TOE provides the following security services: user data protection (WEBUSER access control, web content provider access control, DAC, IPSec information flow control, connection firewall information flow control), cryptographic support, audit, Identification and Authentication (I&A) (including trusted path/channel), security management, protection of the TOE Security Functions (TSF), resource quotas, and TOE access/session.

The Windows 2003/XP security policies provide network-wide controlled access protection (access control for user data, WEBUSER and web content provider, IPSec information flow, connection firewall information flow), encrypted data/key protection, and encrypted file protection. These policies enforce access limitations between individual users and data objects, and on in-coming and out-going traffic channels through a physically separate part of the TOE. The TOE is capable of auditing security relevant events that occur within a Windows 2003/XP network. All these security controls require users to identify themselves and be authenticated prior to using any node on the network.

The Windows 2003/XP ST contains the following additional sections:
- TOE Description (Section 2) – Provides an overview of the TSF and boundary.
- Security Environment (Section 3) – Describes the threats, organizational security policies and assumptions that pertain to the TOE.
- Security Objectives (Section 4) – Identifies the security objectives that are satisfied by the TOE and the TOE environment.
- IT Security Requirements (Section 5) – Presents the security functional and assurance requirements met by the TOE.
- TOE Summary Specification (Section 6) – Describes the security functions provided by the TOE to satisfy the security requirements and objectives.
- PP Claims (Section 7) – Presents the rationale concerning compliance of the ST with the CAPP.
- Rationale (Section 8) – Presents the rationale for the security objectives, requirements, and TOE Summary Specifications (TSS) as to their consistency, completeness and suitability.
- Additional PP References (Section 9) – Summarizes content drawn from other unclaimed PPs above and beyond that drawn from the CAPP.
2. TOE Description

The TOE includes the Windows 2003/XP OS, supporting hardware, and those applications necessary to manage, support and configure the OS. This Security Target builds upon the previous CC-evaluated version of Windows 2003/XP (http://www.niap-ccevs.org/cc%2Dscheme/st/vid=10151) and adds Active Directory Federation Services, Windows Server Update Services, content indexing and searching, Distributed Transaction Coordination (DTC), Simple Service Discovery Protocol (SSDP) service for Universal Plug and Play (UPnP), and RPC over HTTP proxies to the evaluated configuration.
2.1 Product Types

Windows 2003/XP is a preemptive multitasking, multiprocessor, and multi-user OS. In general, OS' provide users with a convenient interface to manage underlying hardware. They control the allocation of and manage computing resources such as processors, memory, and Input/Output (I/O) devices. Windows 2003/XP expands these basic OS capabilities to controlling the allocation of and managing higher level IT resources such as security principals like user or machine accounts, files, printing objects, services, window stations, desktops, cryptographic keys, network ports/traffic, directory objects, and web contents. Multi-user OS' such as Windows 2003/XP keep track of which user is using which resource, grant resource requests, account for resource usage, and mediate conflicting requests from different programs and users.

Windows 2003/XP provides an interactive User Interface (UI), as well as a network interface. The TOE includes a homogenous set of Windows 2003/XP systems that can be connected via their network interfaces and may be organized into domains. A domain is a logical collection of Windows 2003/XP systems that allows the administration and application of a common security policy and the use of a common accounts database. Windows 2003/XP supports single and multiple domain configurations.

In a multi-domain configuration, the TOE supports implicit and explicit trust relationships between domains. Domains use established trust relationships to share account information and validate the rights and permissions of users. A user with one account in one domain can be granted access to resources on any server or workstation on the network. Domains can have one-way or two-way trust relationships.

Each domain must include at least one designated server known as a Domain Controller (DC) to manage the domain. The TOE allows for multiple DCs that replicate TOE Data among themselves to provide for higher availability.

Each Windows 2003/XP system, whether it is a DC server, non-DC server, or workstation, is part of the TOE and provides a subset of the TSFs. The TSF for Windows 2003/XP can consist of the security functions from a single system (in the case of a stand-alone system) or the collection of security functions from an entire network of systems (in the case of domain configurations). Within this ST, when specifically referring to a type of TSF (e.g., DC), the TSF type will be explicitly stated. Otherwise, the term TSF refers to the total of all TSFs within the TOE.

Other than an OS, Windows 2003/XP can also be categorized as the following types of Information Assurance (IA) or IA-enabled IT products:
- Windows 2003/XP is a Sensitive Data Protection Device to defend the Computing Environment. The core mechanism in this case is the Windows 2003/XP Encrypting File System (EFS), which is part of the Windows 2003/XP TOE.
- Windows 2003/XP is a Directory Service product to support Security Infrastructure. The LDAP-based access and management of Windows Active Directory (AD) objects is part of the Windows 2003/XP TSF Interfaces (TSFI).
- Windows 2003/XP is a Network Management product to support the Security Infrastructure. Windows 2003/XP Group Policy, which is part of the Windows 2003/XP TOE, provides the network management in Windows 2003/XP networks.
- Windows 2003/XP is a Desktop Management product to support the Security Infrastructure. The Windows 2003/XP Group Policy Service, which is part of the Windows 2003/XP TOE, provides the desktop management of Windows 2003/XP TOE desktops.
- Windows 2003/XP is a Single Sign On product (using password or smart card) for Windows 2003/XP networks to defend the Computing Environment. Windows 2003/XP supports single sign on to the TOE.
- Windows 2003/XP is a Firewall (Network and Host-based) product with the capability to filter network traffic based upon source and destination addresses/ports and protocol.
- Windows 2003/XP is a VPN product providing an IPSec service and its associated Transport Driver Interface (TDI) based network support.
- Windows 2003 is a Web Server product, as it includes the Internet Information Services (IIS) Version 6.0 (IIS6) component functionality, which provides a web service application infrastructure utilizing the underlying OS services.
2.2 Product Description

Windows 2003/XP is an OS that supports both workstation and server installations. The TOE includes five product variants of Windows 2003/XP: XP Embedded, XP Professional, Server 2003 Standard Server, Server 2003 Enterprise Server, and Server 2003 DataCenter. The server products additionally provide DC features including the AD and Kerberos Key Distribution Center (KDC). The server products in the TOE also provide Active Directory Federation Services, Windows Server Update Services, content indexing and searching, RPC over HTTP proxies, Simple Service Discovery Protocol (SSDP) service, Distributed Transaction Coordinator (DTC), Certificate Server, File Replication, Directory Replication, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Distributed File System (DFS) service, Removable Storage Manager, and Virtual Disk Service.

All variants include the same security features. The primary difference between the variants is the number of users and types of services they are intended to support. Windows 2003/XP Professional is suited for business desktops and notebook computers (note that only desktops are included in the evaluated configuration); it is the workstation product. Designed for departmental and standard workloads, Windows Server 2003 Standard Server delivers intelligent file and printer sharing, secure connectivity based on Internet technologies, and centralized desktop policy management. Windows Server 2003 Enterprise Server differs from Windows Server 2003 Standard Server primarily in its support for high-performance servers for greater load handling. These capabilities provide reliability that helps ensure systems remain available. Windows Server 2003 Datacenter provides the necessary scalable and reliable foundation to support mission-critical solutions for databases, enterprise resource planning software, high-volume, real-time transaction processing, and server consolidation. Windows XP Embedded is the embedded OS that delivers the power of Windows in componentized form for rapidly building reliable and advanced embedded devices.

The security features addressed by this security target are those provided by Windows 2003/XP as an OS. Microsoft provides several Windows 2003/XP software applications that are considered outside the scope of the defined TOE and thus not part of the evaluated configuration. Services outside this evaluation include: e-mail service, Terminal Service, Microsoft Message Queue, Rights Management Service, and Windows SharePoint Service. The features identified and described in this section are included in the TOE and as such are within the scope of the evaluation.

The following table summarizes the TOE configurations included in the evaluation. There are eleven stand-alone configurations and seventeen networked configurations.

| | Windows XP Professional (32 bit and 64 bit) | Windows XP Embedded (32 bit) | Windows Server 2003 Standard (32 bit and 64 bit) | Windows Server 2003 Enterprise (32 bit and 64 bit) | Windows Server 2003 DataCenter (64 bit) |
| Single Processor | X | X | X | X | N/A |
| Multiple Processor | X | N/A | X | X | X |
| Stand-alone | X | X | X | X | X |
| Domain Member | X | X | X | X | X |
| Domain Controller | N/A | N/A | N/A | X | X |
| Variations as a Domain Element | 2 | 1 | 2 | 4 | 2 |
2.3 Product Features

Windows 2003/XP has many features, several of which simplify the administration and management of a distributed environment in order to improve network security and scalability. This section highlights several of these features. While the Windows operating systems perform many security related functions, only those addressed by requirements in Section 5 were evaluated as part of this evaluation.
2.3.1 New Windows 2003/XP TOE Features

The following highlights additional features that were not available in the previous Windows 2003/XP CC evaluation completed in August 2005, but are included in this evaluation of the Windows 2003/XP TOE.

Active Directory Federation Services
Active Directory Federation Services (ADFS) enables federated identity and access management by securely sharing digital identity and entitlement rights across security and enterprise boundaries. The CC evaluation focuses on the identity aspect of ADFS. ADFS creates a cryptographically-signed security token (which may be based on an X.509v3 public key certificate, Kerberos, or SAML) to represent a user session. That signed token can be used for single sign-on across distributed, trusted portions of the TOE. The primary use of ADFS within the TOE is in the scenarios of authenticating and authorizing users for the controlled access of web resources.

Windows Server Update Services version 3.0
Microsoft Windows Server Update Services (WSUS) gives administrators full control over the update management process, eliminating the need for client computers to retrieve updates directly from Microsoft Update. In the evaluated configuration, a trusted server will be used to store updates. WSUS administrators can specify the types of updates to download, create target groups of computers to receive updates, and determine which computers require updates before deployment. Administrators can approve updates for deployment automatically, uninstall updates, and generate reports to monitor update activity. WSUS is not on the installation media provided for the evaluation; rather, it can be obtained on the Microsoft website.

System Restore Service
The System Restore feature of Windows XP enables administrators to partially restore machines, in the event of a problem, to a previous state without losing personal data files (such as Word documents, drawings, or e-mail). System Restore actively monitors system file changes and some application file changes as configured by the administrator to record or store previous versions before the changes occurred.

Content Indexing Service
The Content Indexing Service works with IIS to create indexed catalogs for the contents and properties of both file systems and virtual Webs. From a security perspective, it limits access to file names when returning search results. Users are only permitted to see results for which they have underlying permission to access the underlying file.

Resultant Set of Policy Provider
This service permits an administrator to view how multiple Group Policy objects affect various combinations of user objects and computer objects, or to predict the effect of Group Policy settings on the TOE. This aids administrators in making decisions about how security settings affect the overall TOE.

Task Scheduler
The Task Scheduler enables users to automatically perform routine tasks on a chosen computer of the TOE. The Task Scheduler does this by monitoring whatever criteria a user chooses to initiate the tasks and then executing the tasks when the criteria are met. Tasks are protected by the discretionary access control policy rules.

Simple Service Discovery Protocol Service
The Simple Service Discovery Protocol (SSDP) allows a new Universal Plug and Play device to advertise its presence on the TOE to other devices and control points by using the SSDP. An information flow policy restricts access to new devices to those whose source IP addresses are trusted.

RPC over HTTP
HTTP can be used as a transport protocol for RPC. This communication is realized by the RPC Proxy running within the IIS Web Server configured on a server of the TOE network. The communication is controlled by an information flow policy that only permits clients to connect to ports listed in the registry as valid ports.

Distributed Transaction Coordinator (DTC)
A distributed transaction is a transaction that updates data on two or more networked computers of the TOE. Distributed transactions extend the benefits of transactions to applications that must update distributed data. In the absence of distributed transactions, an application program itself must detect and recover from failures. In a distributed transaction, each participating component must agree to commit a change action before the transaction can occur. The Distributed Transaction Coordinator (DTC) performs the transaction coordination role for the components involved and acts as a transaction manager for each computer that manages transactions. When committing a transaction that is distributed among several computers, the transaction manager sends prepare, commit, and abort messages to all its subordinate transaction managers.
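The prepare/commit/abort exchange described above, worked through as an added example (this is an illustration written for this page, not Microsoft's DTC code; the participant names, the `Participant` and `Coordinator` classes and the in-memory data are constructed): a coordinating transaction manager collects a vote from every subordinate in the prepare phase, and a single "no" vote aborts the change on every computer, so none is left half-updated.

```python
"""Two-phase commit as driven by a DTC-style transaction manager.

Added illustration, not Microsoft's DTC implementation. The Participant
class, the server names and the in-memory data are constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Messages named in the text: prepare, then commit or abort.
PREPARE, COMMIT, ABORT = "prepare", "commit", "abort"
VOTE_YES, VOTE_NO = "yes", "no"


@dataclass
class Participant:
    """A subordinate transaction manager on one networked computer."""
    name: str
    data: Dict[str, int] = field(default_factory=dict)
    pending: Dict[str, int] = field(default_factory=dict)
    can_prepare: bool = True          # False simulates a failure/veto
    log: List[str] = field(default_factory=list)

    def on_prepare(self, txid: str, writes: Dict[str, int]) -> str:
        """Phase 1: stage the writes and vote. A 'yes' vote is a promise
        that a later commit cannot fail on this computer."""
        if not self.can_prepare:
            self.log.append(f"{txid}: {PREPARE} -> voted {VOTE_NO}")
            return VOTE_NO
        self.pending = dict(writes)
        self.log.append(f"{txid}: {PREPARE} -> voted {VOTE_YES}")
        return VOTE_YES

    def on_commit(self, txid: str) -> None:
        """Phase 2 (commit): make the staged writes visible."""
        self.data.update(self.pending)
        self.pending = {}
        self.log.append(f"{txid}: {COMMIT}")

    def on_abort(self, txid: str) -> None:
        """Phase 2 (abort): discard the staged writes."""
        self.pending = {}
        self.log.append(f"{txid}: {ABORT}")


class Coordinator:
    """The root transaction manager: sends prepare, then commit or abort."""

    def __init__(self, participants: List[Participant]):
        self.participants = participants
        self.outcome: Dict[str, str] = {}

    def run(self, txid: str, writes: Dict[str, Dict[str, int]]) -> str:
        # Phase 1: every participant must agree before the change can occur.
        votes = [p.on_prepare(txid, writes.get(p.name, {}))
                 for p in self.participants]
        decision = COMMIT if all(v == VOTE_YES for v in votes) else ABORT
        # Phase 2: the same decision goes to *all* subordinates, including
        # those that voted yes, so no computer is left half-updated.
        for p in self.participants:
            (p.on_commit if decision == COMMIT else p.on_abort)(txid)
        self.outcome[txid] = decision
        return decision


def demo() -> Tuple[str, str, Dict[str, Dict[str, int]]]:
    """One transaction that commits, then one that a participant vetoes."""
    a = Participant("server-a", data={"balance": 100})
    b = Participant("server-b", data={"balance": 50})
    coord = Coordinator([a, b])

    # A transfer touching both computers: both vote yes, both commit.
    first = coord.run("tx1", {"server-a": {"balance": 70},
                              "server-b": {"balance": 80}})

    # server-b cannot prepare (say it is out of log space): everyone aborts
    # and server-a's staged write is discarded rather than applied.
    b.can_prepare = False
    second = coord.run("tx2", {"server-a": {"balance": 0},
                               "server-b": {"balance": 150}})
    return first, second, {a.name: dict(a.data), b.name: dict(b.data)}


if __name__ == "__main__":
    print(demo())
```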
Help and Support
The Help and Support Center system provides an interface to automatically monitor system health, perform preventative maintenance, and report problems so that they can be resolved.
2.
3.
2Windows2003/XPAdministrationandManagementFeaturesWindows2003/XPdistributedsecurityfeaturesprovidescalable,flexibleaccountmanagementforlargedomainswithfine-grainaccesscontrolanddelegationofadministration.
Afewoftheseadministrationfeaturesarebrieflydescribedbelow.
GroupPolicyWindows2003/XPGrouppolicyallowscentralmanagementofcollectionsofusers,computers,applications,andnetworkresourcesinsteadofmanagingentitiesonaone-by-onebasis.
IntegrationwithADdeliversgranularandflexiblecontrol.
ItpermitsauthorizedadministratorstodefinecustomizedrulesMicrosoftCorporation,200810AllRightsReserved.
Version3.
0,11/19/07aboutvirtuallyeveryfacetofauser'scomputerenvironmentsuchassecurity,userrights,desktopsettings,applications,andresources,minimizingthelikelihoodofmisconfiguration.
Uponinstallation,Windows2003/XPoffersgroupsthatarepre-configuredwithspecificuserrightsand/orprivileges.
Thesegroupsarereferredtoas"built-ingroups.
"TheWindows2003/XPbuilt-ingroupsfallintothree(3)categories:built-inlocalgroups(e.
g.
,Administrator,BackupOperator);built-indomainlocalgroups(e.
g.
,Administrator,AccountOperator);andbuilt-inglobalgroups(e.
g.
EnterpriseAdministrator,DomainAdministrator).
Theauthorizedadministratorcanconvenientlytakeadvantageofthesebuilt-ingroupsbyassigningthesegroupstospecificuseraccountsallowinguserstogaintherightsand/orprivilegesassociatedwiththesegroups.
Forest Trust
Forest trust is a new type of Windows trust for managing the security relationship between two forests. This feature enables the trusting forest to enforce constraints on which security principal names it trusts other forests to authenticate. This new trust type allows all domains in one forest to (transitively) trust all domains in another forest, via a single trust link between the two forest root domains. Cross-forest authentication enables secure access to resources when the user account is in one forest and the computer account is in another forest. This feature allows users to securely access resources in other forests, using either Kerberos or NTLM, without sacrificing the single sign-on benefits of having only one user Identification (ID) and password maintained in the user's home forest.

Delegated Administration
Windows 2003/XP introduces AD, a scalable, standards-compliant directory service. AD centrally manages Windows-based clients and servers, through a single consistent management interface, reducing redundancy and maintenance costs. AD enables authorized administrators to delegate a selected set of administrative privileges to appropriate individuals within the organization to distribute the management and improve accuracy of administration. Delegation helps companies reduce the number of domains they need to support a large organization with multiple geographic locations. AD can interoperate or synchronize data with other directory services using LDAP, Microsoft Directory Service (DS) Synchronization, or AD Connector.

Access Control Lists (ACLs)
Windows 2003/XP permits only authenticated users to access system resources. The security model includes components to control who accesses objects (such as files, directories, and shared printers); what actions an individual can perform with respect to an object; and the events that are audited. Every object has a unique Security Descriptor (SD) that includes an ACL. An ACL is a list of entries that grant or deny specific access rights to individuals or groups. The Windows 2003/XP Server object-based security model lets administrators grant access rights to a user or group; these rights govern who can access a specific object, a group of properties, or an individual property of an object. The definition of access rights on a per-property level provides the highest level of granularity of permissions.
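The grant/deny list described above is evaluated in order, which is why the order of entries is itself security-relevant. The following is an added example, not code from the Security Target or from Windows: a simplified model of the Windows DACL walk (explicit deny short-circuits, allow accumulates, empty DACL denies all, absent DACL grants all) with constructed SIDs, rights bits and a constructed file DACL, plus the canonical-ordering step that keeps a deny entry effective.

```python
from dataclasses import dataclass
from typing import Optional

# Access right bits. Constructed subset for this example; real Windows
# access masks carry many more standard and object-specific rights.
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8


@dataclass(frozen=True)
class Ace:
    """One access control entry: grants or denies `mask` to trustee `sid`."""
    kind: str   # "allow" or "deny"
    sid: str    # SID of the user or group (constructed names below)
    mask: int   # access rights granted or denied


def access_check(dacl: Optional[list], token_sids: set, requested: int) -> bool:
    """Simplified Windows DACL walk.

    - No DACL at all (None): the object is unprotected, everything is granted.
    - An empty DACL grants nothing to anyone.
    - Otherwise ACEs are examined in order and only apply if their SID is in the
      caller's token. A deny ACE covering any still-outstanding requested right
      ends the check with failure; an allow ACE removes the rights it grants
      from the outstanding set. The walk stops once nothing is outstanding.
    """
    if dacl is None:
        return True
    if len(dacl) == 0:
        return False
    outstanding = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & outstanding:
            return False
        if ace.kind == "allow":
            outstanding &= ~ace.mask
            if outstanding == 0:
                return True
    return outstanding == 0


def canonicalize(dacl: list) -> list:
    """Put explicit deny ACEs ahead of explicit allow ACEs (the canonical order
    the Windows security editor writes), keeping relative order otherwise.
    Inherited ACEs, which follow all explicit ones in Windows, are not modelled."""
    denies = [a for a in dacl if a.kind == "deny"]
    allows = [a for a in dacl if a.kind == "allow"]
    return denies + allows


# Constructed tokens (the SIDs a logon session carries) and a DACL for a
# hypothetical file object.
ALICE = {"S-alice", "S-users", "S-everyone"}
BOB = {"S-bob", "S-everyone"}

CANONICAL_DACL = [
    Ace("deny", "S-users", DELETE),             # members of Users may never delete
    Ace("allow", "S-alice", READ | WRITE),
    Ace("allow", "S-everyone", READ | EXECUTE),
]

# Same intent, but the allow precedes the deny: for a caller whose request is
# fully granted before the deny is reached, the deny never takes effect.
NONCANONICAL_DACL = [
    Ace("allow", "S-everyone", DELETE),
    Ace("deny", "S-users", DELETE),
]


def demo() -> dict:
    """The checks a reviewer would want to see, returned for inspection."""
    return {
        "alice_read": access_check(CANONICAL_DACL, ALICE, READ),
        "alice_read_exec": access_check(CANONICAL_DACL, ALICE, READ | EXECUTE),
        "alice_delete": access_check(CANONICAL_DACL, ALICE, DELETE),
        "bob_write": access_check(CANONICAL_DACL, BOB, WRITE),
        "alice_delete_noncanonical": access_check(NONCANONICAL_DACL, ALICE, DELETE),
        "alice_delete_fixed": access_check(canonicalize(NONCANONICAL_DACL), ALICE, DELETE),
        "empty_dacl": access_check([], ALICE, READ),
        "no_dacl": access_check(None, BOB, DELETE),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'granted' if verdict else 'denied'}")
```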
Disk Quotas
Windows 2003/XP allows authorized administrators to set quotas on disk space usage per user and per volume to provide increased availability of disk space and help capacity planning efforts.

Windows Management Instrumentation (WMI)
WMI is a uniform model through which management data from any source can be managed in a standard way. WMI provides this for software, such as applications, while WMI extensions for the Windows Driver Model (WDM) provide this for hardware or hardware device drivers.

Administrative Tools
Windows 2003/XP delivers an integrated set of management tools and services. Only a few are described below.

Setup Manager: provides a graphical wizard that guides authorized administrators in designing installation scripts.

Backup and Recovery: Windows 2003/XP backup and recovery features make it easier to back up data and then recover data in the event of a hard disk failure. Windows 2003/XP allows backup to a single file on a hard disk or to external media.

Administrative wizards: Windows 2003/XP makes it easier to perform routine or challenging tasks, resulting in fewer help desk calls and better customer service. For example, the Add Printer Wizard makes it easy to connect to local and network printers even when you're browsing the network.

Microsoft Management Console (MMC)
MMC unifies and simplifies system management tasks through a central, customizable console that allows control, monitoring, and administration of widespread network resources. All management functions in Windows 2003/XP are available through the MMC snap-ins (including AD Domains and Trusts, AD Sites and Services, AD Users and Computers, Component Services, Computer Management, Certificate Management, Event Viewer, Group Policy, IPSec Policy Management, Security Template, Security Configuration and Analysis).

Windows File Protection
The Windows File Protection technology prevents core system files from being overwritten by application installs. In the event a file is overwritten, Windows File Protection will replace that file with the correct version. Windows 2003/XP identifies device drivers that have passed the Windows Hardware Quality Labs test and warns users if they are about to install an uncertified driver.

Window Manager
The Window Manager is implemented in kernel mode. It provides a machine-independent graphical Application Programming Interface (API) for applications to control printing and window graphics, by providing a way of displaying information and receiving user input. Graphical applications use resources, such as windows, to display information and receive user input. Users interact with the application through graphical features. They can control applications by choosing menu commands. They can provide input using the mouse, keyboard, and other devices. They receive information from resources such as bitmaps, carets, cursors, and icons. The Window Manager exports two protected object types: a Windowstation object and a Desktop object. Each is an object with a DACL that is used to control access to it.

Virtual Disk Service (VDS)
VDS provides a set of utilities for managing the hardware disks. VDS implements a single, uniform interface for managing disks. Each hardware vendor writes a VDS provider that translates the general-purpose VDS APIs into specific instructions for their hardware. Windows 2003/XP includes VDS providers for basic and dynamic disks.

Processor Run Time Power Management
For each family of processors supported by the Windows XP/2003 TOE, an abstraction of issues dealing with processor frequency, voltage, microcode, temperature, idle handling, starting, stopping and initialization is defined. The TOE uses this abstraction to manage the power management aspect of the processors.

Removable Storage Manager
Removable Storage Manager of the Windows XP/2003 TOE makes it easy to track removable storage media (tapes and optical discs) and to manage the hardware libraries, such as changers and jukeboxes, that contain them. Note that, currently, hardware changers and jukeboxes are not parts of the TOE.

Remote Storage Service
Remote Storage uses criteria specified by an authorized user to automatically copy little-used files to removable media. If hard-disk space drops below specified levels, Remote Storage removes the (cached) file content from the disk. If the file is needed later, the content is automatically recalled from storage.
2.3.3 Windows 2003/XP Network Security Features
Windows 2003/XP Server secures network data using an authentication protocol. For an additional level of security within a site, network data can also be encrypted. All network communication can be encrypted for specific clients, or for all clients in a domain, using IPSec. Several features that support improved network security are briefly described below.

EFS
Windows 2003/XP increases security of data on the hard disk by encrypting it. This data remains encrypted even when backed up or archived. EFS runs as an integrated system service, making it easy to manage, difficult to attack, and transparent to the user. The encryption and decryption processes are transparent to the user.

Kerberos Authentication Support
Full support for the Kerberos Version 5 (v5) protocol in Windows 2003/XP provides fast, single sign-on to Windows 2003/XP-based enterprise resources. It is used to support Transitive Domain Trust to reduce the number of trust relationships required to manage users and resources between Windows domains.

Support for Security Standards
Windows 2003/XP builds secure network sites using the latest standards, including 128-bit SSL/TLS, IPSec and Kerberos v5 authentication.

Secure Network Communications
Windows 2003/XP supports end-to-end encrypted communications across the network using the IPSec standard. It protects sensitive internal communications from intentional or accidental viewing. AD provides central policy control for its use to make it deployable.

Cryptographic API (CryptoAPI)
Windows 2003/XP CryptoAPI provides applications access to FIPS-140 compliant cryptographic functions, public keys, credential management and certificate validation functions.

Dynamic DNS
The AD-integrated, Internet standards-based DNS service simplifies object naming and location through Internet protocols, and improves scalability, performance and interoperability. Systems that receive addresses from a DHCP server are automatically registered in DNS. Replication options through AD can simplify and strengthen the name replication infrastructure.

Volume Shadow Copy Service (VSS)
VSS coordinates shadow copies for applications and target New Technology File System (NTFS) volumes in a point-in-time copy. Through integration with target applications such as AD, VSS enables consistent state management. If, during the shadow copy creation process, an application writes to disk, data inconsistencies can occur, compromising the integrity of the point-in-time data image. The VSS has been designed to eliminate these drawbacks.

Web Document Authoring and Versioning (WebDAV) Redirector
The WebDAV redirector allows files stored in web folders to be encrypted with EFS. When a client maps a drive to a WebDAV access point on a remote server, files may be encrypted locally on the client and then transmitted as a raw encrypted file to the WebDAV server using a HyperText Transfer Protocol (HTTP) "PUT" command. Similarly, encrypted files downloaded to a client are transmitted as raw encrypted files using an HTTP "GET" command and decrypted locally on the client.

IPv6
IPv6 is the next generation of the Internet layer protocols of the Transmission Control Protocol (TCP)/IP protocol suite. The IPv6 protocol driver includes utilities and API support for IPv6-enabled system components. Windows IPv6 also provides support for IPv6/IP Version 4 (IPv4) coexistence technologies such as "6to4" and Intra-site Automatic Tunnel Addressing Protocol (ISATAP).

Client Side Caching Off-line Files Support with SMB/Common Internet File System (CIFS) Redirector
When a Windows 2003/XP client is caching a file and the Windows 2003/XP file server is available, the client with the SMB/CIFS Redirector checks with the file server to verify that the cached version of the file is up-to-date. If the file is up-to-date, then the client uses the cached copy of the file. If the Windows 2003/XP file server is not available, the client with the SMB/CIFS Redirector also has the cached copy to use.

IIS 6 Web Service
An IIS 6 worker process is an application that runs in user mode. Its typical roles include processing requests to return a static page, invoking an Internet Server API (ISAPI) extension or filter, or running an application-specific handler. A worker process is physically implemented as an executable file named "W3wp.exe" and is controlled by World-Wide Web (WWW) Service Administration and Monitoring. By default, worker processes run as Network Service, which has the least system resource access that is compatible with the functionality required. Worker processes use "HTTP.sys" for sending requests and receiving responses over HTTP. Depending on how IIS 6 is configured, there can be multiple worker processes running, serving different Web applications concurrently. This design separates applications by process boundaries, and it helps achieve maximum Web server reliability and security.

Windows Firewall (previously known as Internet Connection Firewall (ICF))
Windows Firewall is a stateful firewall that drops unsolicited incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic). Windows Firewall provides a level of protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers. Windows Firewall supports IPv4 and IPv6. The firewall drivers (for IPv4 and for IPv6 respectively) have a static rule called a boot-time policy to perform stateful filtering. This allows the Windows XP/2003 TOE to perform basic networking tasks such as DNS and DHCP and communicate with a DC to obtain policy. Once the firewall service is running, it will load and apply the run-time ICF policy and remove the boot-time filters.
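The solicited/excepted/dropped decision and the boot-time versus run-time policy hand-off described above can be modelled in a few dozen lines. The following is an added example, not code from the Security Target or from Windows Firewall: a stateful host filter with a constructed packet sequence (addresses and ports are made up) showing that at boot only replies to the host's own requests get in, and that exceptions apply only once the run-time policy is loaded.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source address
    sport: int   # source port
    dst: str     # destination address
    dport: int   # destination port


class StatefulFilter:
    """Host firewall modelled on the Windows Firewall description above.

    Inbound traffic is admitted only if it is the reply to a request this host
    sent (solicited) or matches an exception (excepted). Until the firewall
    service loads the run-time policy, the boot-time policy is in force: the
    same stateful filtering with no exceptions, which still lets host-initiated
    DNS, DHCP and domain controller traffic complete.
    """

    def __init__(self, local_addr: str):
        self.local_addr = local_addr
        self.runtime_policy_loaded = False
        self.exceptions = set()   # (proto, local port) open to unsolicited traffic
        self.flows = set()        # (proto, remote addr, remote port, local port) we opened

    def outbound(self, pkt: Packet) -> bool:
        """Outbound traffic always passes; record it so the reply counts as solicited."""
        self.flows.add((pkt.proto, pkt.dst, pkt.dport, pkt.sport))
        return True

    def inbound(self, pkt: Packet) -> str:
        """Verdict for an inbound packet: 'solicited', 'excepted' or 'dropped'."""
        if (pkt.proto, pkt.src, pkt.sport, pkt.dport) in self.flows:
            return "solicited"
        if self.runtime_policy_loaded and (pkt.proto, pkt.dport) in self.exceptions:
            return "excepted"
        return "dropped"

    def load_runtime_policy(self, exceptions) -> None:
        """The service is up: the run-time policy replaces the boot-time filters."""
        self.exceptions = set(exceptions)
        self.runtime_policy_loaded = True


def simulate() -> list:
    """Constructed packet sequence for a host at 10.0.0.5 (hypothetical network)."""
    fw = StatefulFilter("10.0.0.5")
    log = []
    # Boot-time: the host resolves a name; the DNS reply is solicited and passes.
    fw.outbound(Packet("udp", "10.0.0.5", 49152, "10.0.0.2", 53))
    log.append(("dns reply at boot", fw.inbound(Packet("udp", "10.0.0.2", 53, "10.0.0.5", 49152))))
    # Unsolicited SMB and Remote Desktop connection attempts at boot are dropped.
    log.append(("smb at boot", fw.inbound(Packet("tcp", "10.0.0.99", 40000, "10.0.0.5", 445))))
    log.append(("rdp at boot", fw.inbound(Packet("tcp", "10.0.0.99", 40001, "10.0.0.5", 3389))))
    # The run-time policy (e.g. delivered by Group Policy) excepts Remote Desktop only.
    fw.load_runtime_policy({("tcp", 3389)})
    log.append(("rdp after policy", fw.inbound(Packet("tcp", "10.0.0.99", 40002, "10.0.0.5", 3389))))
    log.append(("smb after policy", fw.inbound(Packet("tcp", "10.0.0.99", 40003, "10.0.0.5", 445))))
    # A reply that matches no flow this host opened is still unsolicited.
    log.append(("unmatched dns reply", fw.inbound(Packet("udp", "10.0.0.2", 53, "10.0.0.5", 49999))))
    return log


if __name__ == "__main__":
    for what, verdict in simulate():
        print(f"{what}: {verdict}")
```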
Constrained Delegation
Delegation is the act of allowing a service to impersonate a user account or computer account in order to access resources throughout the network. This new feature in Windows Server 2003 enables you to limit delegation to specific services, to control the particular network resources the service or computer can use. For example, a service that was previously trusted for delegation in order to access a backend on behalf of a user can now be constrained to use its delegation privilege only to that backend and not to other machines or services.

Protocol Transition
In the Windows Server 2003 TOE, the new Kerberos protocol transition mechanism allows a service to transition to a Kerberos-based identity for the user without knowing the user's password and without the user having to authenticate using Kerberos. Thus a user can be authenticated using an alternative authentication method and then obtain a Windows identity, subject to system policy.

Improvements in IPSec
The Windows Server 2003 TOE includes support for a stronger cryptographic master key, the use of a 2048-bit Diffie-Hellman (DH) key exchange. In Windows XP and the Windows Server 2003 family, IP Security Monitor is implemented as part of MMC and includes enhancements that allow you to monitor IPSec information for your local computer and for remote computers. In addition, it is now possible to create and assign a persistent IPSec policy to secure a computer if a local IPSec policy or an AD-based IPSec policy cannot be applied.

File Replication Service (FRS)
FRS is a technology that replicates files and folders stored in the System Volume (SYSVOL) shared folder on domain controllers and Distributed File System (DFS) shared folders. When FRS detects that a change has been made to a file or folder within a replicated shared folder, FRS replicates the updated file or folder to other servers. Because FRS is a multi-master replication service, any server that participates in the replication of a shared folder can generate changes. In addition, FRS can resolve file and folder conflicts to make data consistent among servers.

Network Address Translation (NAT)
NAT hides internally managed IP addresses from external networks by translating private internal addresses to public external addresses. This translation reduces IP address registration costs by letting you use private IP addresses internally, which are translated to a small number of registered IP addresses externally. NAT also hides the internal network structure, reducing the risk of attacks against internal systems. The Windows XP/2003 TOE IPSec implementation works transparently with NAT without interoperability issues.

Network Bridge
The Network Bridge feature provides an easy and inexpensive way to connect LAN segments. Through Network Bridge, users can bridge connections among different computers and devices on their network, even when they connect to the network through different methods.

Internet Connection Sharing (ICS)
ICS is intended for use in a scenario where the ICS host computer directs network communication between two networks, where one network is typically a more private LAN while the other is typically a wide area network. The ICS host computer needs two network connections. The LAN connection, automatically created by installing a network adapter, connects to the computers on the LAN. The other connection connects the LAN to the Wide Area Network (WAN). As a result, the shared connection connects computers on the LAN to the WAN.

"Winsock2" Installable File System (IFS) Layer Driver
The "Winsock2" IFS Layer Driver is a transport layer driver that emulates file handles for Windows Socket service providers for which a socket handle is not an IFS handle. As a result, the Windows Sockets architecture accommodates service providers whose socket handles are not IFS objects. Applications can use "Win32" file I/O calls with the handle without any knowledge about the network aspects.
2.3.4 Windows 2003/XP Scalability Features
Windows 2003/XP delivers scalability features that support higher volumes of users and more complex applications. Several of these features are described below.

Memory and Processor Support
Windows 2003/XP Professional and Windows 2003/XP Server support up to four (4) Gigabytes (GBs) of Random Access Memory (RAM) and up to four (4) symmetric multiprocessors. Windows Server 2003 Enterprise Server takes advantage of larger amounts of memory to improve performance and handle the most demanding applications, with support for up to 32 GB of RAM for x86-based computers and 64 GB of RAM for Itanium-based and x64-based computers. It supports up to eight (8) symmetric multiprocessors. Windows Server 2003 DataCenter supports 64 GB of RAM for x86-based computers and 512 GB of RAM for Itanium-based and x64-based computers. It supports a maximum of 64 symmetric multiprocessors.

High Throughput and Bandwidth Utilization
Windows Server 2003 includes many enhancements to those core OS functions that are used to manipulate and manage system resources. Because the efficiency with which system resources are managed affects all server workloads, the benefits resulting from these changes are not limited to any one workload but instead have a broad, positive impact on performance and scalability. Most server workloads have some component of disk I/O and/or network I/O. Both types of I/O require processor cycles and memory, so the optimizations in Windows Server 2003 that improve the efficiency with which disk I/O and network I/O are processed leave more system resources available to support other components of a workload.

Job Object API
The Windows 2003/XP Job Object API, with its ability to set up processor affinity, establish time limits, control process priorities, and limit memory utilization for a group of related processes, allows an application to manage and control dependent system resources. This additional level of control means the Job Object API can prevent an application from negatively impacting overall system scalability.

DFS
Windows 2003/XP DFS builds a single, hierarchical view of multiple file servers and file server shares on a network. DFS makes files easier for users to locate, and increases availability by maintaining multiple file copies across distributed servers.

Multi-master Replication
AD uses multi-master replication to ensure high scalability and availability in distributed network configurations. "Multi-master" means that each directory replica in the network is a peer of all other replicas; changes can be made to any replica and will be reflected across all of them.

Fault-Tolerant Process Model and Kernel-Mode Web Driver
With IIS 6, web traffic requests are passed directly from the network stack to a kernel-mode Web driver, HTTP.SYS. The "AFD.SYS" driver and Winsock 2.0 layer do not play a role. "HTTP.SYS" examines the request, determining if it can be satisfied from the driver's own cache. If so, the requested content is immediately returned without a context switch from kernel mode to user mode. When the kernel-mode Web driver cannot satisfy a request from its cache, "HTTP.SYS" passes the request across the kernel/user boundary directly to a worker process for servicing. In addition to delivering significantly better Web server throughput, the new architecture of IIS 6 significantly improves Web server stability because a single faulty application running on the Web server can no longer bring down other applications on the same server. The worker process that is servicing the faulty application can simply be recycled without affecting other worker processes.

Storport Driver
Windows 2003/XP introduces a new port driver called Storport (storport.sys), which delivers significantly greater disk I/O processing efficiency and throughput, especially when used with high-performance devices such as host-based Redundant Array of Independent Disks (RAID) and fiber-channel adapters. There are several advantages to using the Storport driver, including reduced system resource usage and better performance. Some of the primary reasons for the Storport driver's better performance and resource usage include: Full-Duplex Mode, Reduced Device Lock Contention, Increased Queuing Efficiency.

Multiple DFS Roots
Windows Server 2003 Enterprise Server and Datacenter can support multiple DFS root directories on a single server (Windows 2000 is limited to a single DFS root per server).

Larger Directory Database Cache
AD implements an in-memory cache that resides in user space and stores directory objects for faster access than if they had to be retrieved from disk. In Windows 2000, this cache was limited to 512 Megabytes (MBs) under normal conditions and 1024 MB when the /3GB switch was used. In Windows Server 2003, this cache is allowed to grow more freely, although it is still limited by the amount of virtual address space (approximate maximum sizes are 2.2 GB with the /3GB switch and 1.5 GB without the switch). With the cache able to store more objects, cache hit ratios are higher and performance is improved.

Increased Performance for Network Printing
An enhanced standard port monitor in the print spooler of the Windows XP/2003 TOE provides a fast and robust method for printing to network-attached printers and provides better performance and richer device status. Other enhancements include support for print drivers that can be downloaded automatically when client computers connect to print servers, a benefit that simplifies printing for users and administrators.
2.3.5 Other Windows 2003/XP TOE Security Features
The items below highlight additional security features that did not fit cleanly into one of the previous categories. These security features address authentication mechanisms, certificate services, plug and play support, as well as other security functions.

Smart Card Support for Authentication
Smart Card technology is fully integrated into the Windows XP/2003 TOE, and is an important component of the operating system's Public Key Infrastructure (PKI) security feature. The smart card serves as a secure store for public and private keys and as a cryptographic engine for performing a digital signature or key-exchange operation. Smart card technology allows the Windows XP/2003 TOE to authenticate users by using the private and public key information stored on a card. The Smart Card subsystem on the Windows XP/2003 TOE supports industry standard Personal Computer/Smart Card (PC/SC)-compliant cards and readers, and provides drivers for commercially available Plug and Play smart card readers. Smart card readers attach to standard peripheral interfaces, such as RS-232 and Universal Serial Bus (USB). The Windows XP/2003 TOE detects Plug and Play-compliant smart card readers and installs them using the Add Hardware wizard.

Digest Authentication
Digest authentication operates much like Basic authentication. However, unlike Basic authentication, Digest authentication transmits credentials across the network as a hash value, also known as a message digest. The user name and password cannot be deciphered from the hash value. Conversely, Basic authentication sends a Base64-encoded password, essentially in clear text, across the network. Basic authentication is not supported in the Windows XP/2003 TOE. Digest authentication does not have to use reversible password encryption. With Digest authentication in Windows 2000, a user who is authenticated by using Digest authentication must have the password stored with the "Store password using reversible encryption" option flagged. However, in the Windows Server 2003 TOE, the AD extended schema properties ensure that every newly created user account automatically has the Digest authentication password hashed and stored as a field in the "AltSecId" property of the user object.
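The contrast drawn above is concrete at the wire level: Basic carries the password under a reversible encoding, while Digest carries a hash that the server can verify from a stored hash (HA1) rather than from a reversible copy of the password. The following is an added example, not code from the Security Target or from Windows: the two headers computed for a constructed account and challenge (names, realm, nonces and URIs are made up), using the MD5 construction of RFC 2617 with qop=auth, and a server-side check that only needs HA1.

```python
import base64
import hashlib
import secrets


def md5_hex(s: str) -> str:
    # MD5 is what RFC 2617 Digest specifies; it is used here for fidelity to the scheme.
    return hashlib.md5(s.encode()).hexdigest()


# ---- Basic: the credential is merely encoded, not protected ----

def basic_header(user: str, password: str) -> str:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def basic_recover(header: str) -> tuple:
    """Anyone who sees the header recovers the password with a single decode."""
    token = header.split(" ", 2)[2]
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


# ---- Digest (RFC 2617, MD5, qop=auth): only a hash crosses the wire ----

def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 is all the server needs to keep; it is a hash, not a reversible
    copy of the password, which is the point the text makes about storage."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_digest(user, realm, password, method, uri, nonce, nc, cnonce) -> dict:
    """The fields the client sends back; the password itself is not among them."""
    ha1 = digest_ha1(user, realm, password)
    return {"username": user, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce,
            "response": digest_response(ha1, method, uri, nonce, nc, cnonce)}


def server_verify(stored_ha1: str, method: str, fields: dict) -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time.
    The server also binds the response to the method and URI it actually saw."""
    expected = digest_response(stored_ha1, method, fields["uri"], fields["nonce"],
                               fields["nc"], fields["cnonce"], fields["qop"])
    return secrets.compare_digest(expected, fields["response"])


# Constructed account and challenge values (not from the original document).
USER, REALM, PASSWORD = "alice", "corp.example", "correct horse"
NONCE, CNONCE, NC = "6f1b2d0a9c", "7e4a", "00000001"
STORED_HA1 = digest_ha1(USER, REALM, PASSWORD)   # what the directory would hold


def demo() -> dict:
    hdr = basic_header(USER, PASSWORD)
    good = client_digest(USER, REALM, PASSWORD, "GET", "/secure/", NONCE, NC, CNONCE)
    bad = client_digest(USER, REALM, "wrong", "GET", "/secure/", NONCE, NC, CNONCE)
    reused = dict(good, uri="/admin/")   # same response presented for a different URI
    return {
        "basic_recovered": basic_recover(hdr),
        "password_in_digest": PASSWORD in str(good),
        "digest_ok": server_verify(STORED_HA1, "GET", good),
        "digest_wrong_password": server_verify(STORED_HA1, "GET", bad),
        "digest_other_uri": server_verify(STORED_HA1, "GET", reused),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```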
Public Key Certificate Issuing and Management Service
The Windows Server 2003 Certificate Server issues and manages public key certificates for the following Windows XP/2003 TOE services: digital signatures, software code signing, TLS/SSL authentication for Web traffic, IPSec, smart card logon, EFS user and recovery certificates.

Credential Manager
This provides a secure store for user names/passwords and also stores links to certificates and keys. This enables a consistent single sign-on experience for users, including roaming users. Single sign-on makes it possible for users to access resources over the network without having to repeatedly supply their credentials.

Auto-enrollment
Public Key Certificate auto-enrollment and auto-renewal in Windows Server 2003 significantly reduce the resources needed to manage X.509 certificates. These features also make it easier to deploy smart cards faster, and to improve the security of the Windows PKI by automatically expiring and renewing certificates.

Delta Certificate Revocation Lists (CRLs)
The certificate server included in the Windows Server 2003 TOE supports Delta CRLs, which make publication of revoked X.509 certificates more efficient. A Delta CRL is a list containing only certificates whose status has changed since the last full (base) CRL was compiled. This is a much smaller object than a full CRL and can be published frequently with little or no impact on client machines or network infrastructure.
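A relying party must combine the delta with the right base CRL, and a delta may also un-revoke a certificate whose hold was lifted. The following is an added example, not code from the Security Target or from the Windows certificate server: a minimal base-plus-delta merge with the delta CRL indicator check from RFC 5280 and the removeFromCRL reason, over constructed serial numbers and CRL numbers.

```python
from dataclasses import dataclass, field

# RFC 5280 reason code a delta CRL uses to lift a certificateHold.
REMOVE_FROM_CRL = "removeFromCRL"


@dataclass
class BaseCRL:
    crl_number: int
    revoked: dict = field(default_factory=dict)   # serial -> reason


@dataclass
class DeltaCRL:
    crl_number: int
    base_crl_number: int                           # BaseCRLNumber (delta CRL indicator)
    entries: dict = field(default_factory=dict)    # serial -> reason, incl. removeFromCRL


def apply_delta(base: BaseCRL, delta: DeltaCRL) -> dict:
    """Combine a base CRL with a delta to obtain the current revocation set.

    A delta may be applied to any complete CRL whose number is at least the
    delta's BaseCRLNumber and less than the delta's own number; otherwise the
    combination is meaningless and the caller must fetch a suitable base.
    """
    if delta.base_crl_number > base.crl_number:
        raise ValueError("base CRL is older than the delta's BaseCRLNumber")
    if delta.crl_number <= base.crl_number:
        raise ValueError("delta is not newer than the base CRL")
    current = dict(base.revoked)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            current.pop(serial, None)    # hold released: certificate is good again
        else:
            current[serial] = reason     # newly revoked, or reason updated
    return current


def is_revoked(serial: str, base: BaseCRL, delta: DeltaCRL) -> bool:
    return serial in apply_delta(base, delta)


# Constructed data: a base CRL with 64 revoked serials, one of them on hold,
# and a small delta issued two CRL numbers later.
BASE = BaseCRL(10, {f"0x{n:04x}": "keyCompromise" for n in range(0x1001, 0x1041)})
BASE.revoked["0x1003"] = "certificateHold"

DELTA = DeltaCRL(crl_number=12, base_crl_number=10, entries={
    "0x2001": "cessationOfOperation",   # revoked after the base was published
    "0x1003": REMOVE_FROM_CRL,          # the hold on 0x1003 has been lifted
})

STALE_BASE = BaseCRL(8, {})   # predates the delta's BaseCRLNumber; must not be used


def summary() -> dict:
    current = apply_delta(BASE, DELTA)
    return {
        "base_entries": len(BASE.revoked),
        "delta_entries": len(DELTA.entries),
        "current_entries": len(current),
        "0x1001": "0x1001" in current,
        "0x1003": "0x1003" in current,
        "0x2001": "0x2001" in current,
    }


if __name__ == "__main__":
    print(summary())
```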
Cross-Certification Support
Also called qualified subordination(1), Cross-Certification allows constraints to be placed on subordinate Certificate Authorities (CAs) and on the certificates they issue, and allows trust to be established between CAs in separate hierarchies. Cross-Certification support improves the efficiency of administering PKI.

(1) Qualified subordination is different from "qualified certificates" defined in RFC 3739.

URL-Based Authorization
This authorization mechanism enables businesses to control access to applications exposed through the Web by restricting user access to URLs. For example, one user may be restricted from access to certain applications, whereas another user can be allowed to execute other applications.

EFS Multi-user Support
The Windows XP/2003 TOE supports file sharing between multiple users of an individual encrypted data file. Encrypted file sharing is a useful and easy way to enable collaboration without having to share private keys among users.

Globally Unique Identifier (GUID) Partition Table (GPT)
The 64-bit versions of Windows Server 2003 Enterprise Server and Datacenter support a new disk partitioning style, the GUID Partition Table (GPT). Unlike master boot record partitioned disks, GPT allows data critical to platform operation to be located in partitions rather than unpartitioned or hidden sectors. In addition, GPT partitioned disks provide improved data structure integrity by offering redundant primary and backup partition tables.

Password Backup and Restore Service
A new Password Backup and Restore Service makes it easy for users to create a backup disk that can be used to reset their password. The service provides users with a secure mechanism for resetting their password without administrative intervention. The password is not stored on the backup disk. The disk can be used only to reset the password for the associated user account.

Plug and Play
Plug and Play technology combines hardware and software support in such a way that the Windows XP/2003 TOE can recognize and adapt to hardware configuration changes automatically, without user intervention and/or restarting the computer.

COM Plus Component Service Infrastructure
COM Plus Component Service is an infrastructure running on the Windows XP/2003 TOE based on extensions of the. COM Plus Component Service provides threading and security, object pooling, queued components, and application administration and packaging.

Application Compatibility Support
Application Compatibility technology provides an environment for running programs that more closely reflects the behavior of previous Microsoft OS releases. Application compatibility technology consists of a user mode service and kernel mode cache support. The service defines an external interface to the application compatibility cache support. The cache resides in system space and is mapped into the address space of every process.

Kernel Debug Management
The Kernel Debugger subcomponent supports authorized users in debugging running processes in the Windows XP/2003 TOE by allowing them to attach a debugger to a running process via a new kernel object, the "Debug Object". The Kernel Debugger associates resources implemented by other kernel-mode subcomponents and wraps them in a debug object that can then be manipulated to provide information about the system that was previously unavailable without the aid of an external debugger.

Windows Security Center Service (WSC)
WSC is a service that monitors the status of Windows Firewall running on the Windows XP/2003 TOE. It also provides the logged-on interactive user certain visual notifications when it detects that the status of Windows Firewall has changed.

Web Site Permissions
Web Site permissions are not meant to be used in place of NTFS permissions. Instead, they are used with NTFS permissions to strengthen the security of specific Web site content maintained by the IIS 6 web server of the Windows Server 2003 TOE. An authorized user can configure web site access permissions for specific sites, directories, and files. Unlike NTFS permissions, Web site permissions affect everyone who tries to access the configured Web sites. If Web permissions conflict with NTFS permissions for a directory or file, the more restrictive settings are applied.

Windows Installer Service
The Windows Installer Service enables customers to better address corporate deployment and provides a standard format for component management. The installer supports advertisement of applications and features according to the operating system settings. It can install multiple patches with a single transaction that integrates installation progress, rollback, and reboots. It can apply patches in a constant order regardless of the order that the patches are provided to the system. Patches installed with the Windows Installer Service can be uninstalled in any order to leave the state of the product the same as if the patch was never installed. Patching using the Windows Installer Service only updates files affected by the patch and can be significantly faster than earlier installer versions. Accounts with administrator privileges can use Windows Installer Service functions to query and inventory product, feature, component and patch information and to read, edit and replace installer source lists for network, URL and media sources. Administrators can enumerate across user and install contexts and manage source lists from an external process.

Hardware Data Execution Prevention
64-bit hardware support adds a set of Data Execution Prevention (DEP) security checks to Windows. These checks, known as hardware-enforced DEP, are designed to block malicious code that takes advantage of exception-handling mechanisms by intercepting attempts to execute code in memory that is marked for data only. This hardware protection feature is present in IA64 and x64 hardware architectures.
2.4 Security Environment and TOE Boundary
The TOE includes both physical and logical boundaries. Its operational environment is that of a homogenous, networked environment.

2.4.1 Logical Boundaries
The diagram below depicts components and subcomponents of Windows 2003/XP that comprise the TOE. The components/subcomponents are large portions of the Windows 2003/XP OS, and generally fall along process boundaries and a few major subdivisions of the kernel mode OS.

The system components are:

Administrator Tools Module
  o Administrator Tools Component (aka GUI Component): This component represents the range of tools available to manage the security properties of the TSF.

Certificate Services Module
  o Certificate Server Component: This component provides services related to issuing and managing public key certificates (e.g. X.509 certificates).

Embedded Module
  o This component provides a variety of applications that facilitate the OS functioning in devices that require an embedded OS.

Firewall Module
  o Windows Firewall Component: This component provides services related to information flow control.

Hardware Module
  o Hardware Component: This component includes all hardware used by the TSF, to include the processor(s), motherboard and associated chipsets, controllers, and I/O devices.

Kernel Software Module
  o Executive Component: This is the kernel-mode software that provides core OS services, to include memory management, process management, and inter-process communication. This component implements all the non-I/O TSF interfaces for kernel mode.
  o I/O System: This is the kernel-mode software that implements all I/O related services, as well as all driver-related services. The I/O System is further divided into:
      I/O Core Component
      I/O File Component
      I/O Network Component
      I/O Devices Component

Miscellaneous OS Support Module
  o OS Support Component: This component is a set of processes that provide various other OS support functions and services.

Remote Procedure Call (RPC) and Network Support Module
  o Network Support Component: This component contains various support services for RPC, COM, and other network services.

Security Module
  o Security Component: This component includes all security management services and functions.

Services Module
  o Services Component: This is the component that provides many system services as well as the service controller.

Internet Information Services Module
  o IIS Component: This component provides services related to Web/HTTP requests.

Win32 Module
  o Win32 Component: This component provides various support services for Win32 applications and the command console application.

WinLogon Module
  o WinLogon Component: This component provides various interactive logon services, to include interactive authentication, trusted path, session management and locking.

These components are further refined in Appendix B, TOE Component Decomposition.

2.4.2 Physical Boundaries
Physically, each TOE workstation or server consists of an x86, x64, or IA64 machine or equivalent processor (including AMD Opteron and Athlon 64; and Intel Xeon and Pentium families) with up to four (4) CPUs for a standard Server product, up to eight (8) CPUs for the Enterprise Server product, and up to 32 CPUs for the DataCenter product. A set of devices may be attached and they are listed as follows: Display Monitor, Keyboard, Mouse, Floppy Disk Drive, CD-ROM Drive, Fixed Disk Drives, Printer, Audio Adaptor, Network Adaptor, and Smart Card Reader. The TOE does not include any physical network components between network adaptors of a connection. The ST assumes that any network connections, equipment, and cables are appropriately protected in the TOE security environment.
2.5 TOE Security Services
The security services provided by the TOE are summarized below:

Security Audit – Windows 2003/XP has the ability to collect audit data, review audit logs, protect audit logs from overflow, and restrict access to audit logs. Audit information generated by the system includes date and time of the event, user who caused the event to be generated, computer where the event occurred, and other event-specific data. Authorized administrators can review audit logs. In addition to audit data, the Windows Server Update Services creates extensive logging information. This information is stored and protected in the TOE file system.

Identification and Authentication – Windows 2003/XP requires each user to be identified and authenticated (using password or smart card) prior to performing any functions. An interactive user invokes a trusted path in order to protect his I&A information. Windows 2003/XP maintains a database of accounts including their identities, authentication information, group associations, and privilege and logon rights associations. Windows 2003/XP includes a set of account policy functions that include the ability to define minimum password length, number of failed logon attempts, duration of lockout, and password age.

Security Management – Windows 2003/XP includes a number of functions to manage policy implementation. Policy management is controlled through a combination of access control, membership in administrator groups, and privileges.

User Data Protection – Windows 2003/XP protects user data by enforcing several access control policies (DAC, WEBUSER, web content provider access control, and Indexing Service access control) and several information flow policies (IPSec filter information flow control, Connection Firewall, UPnP filtering, and RPC over HTTP); and object and subject residual information protection. Windows 2003/XP uses access control methods to allow or deny access to objects, such as files, directory entries, printers, and web content. Windows 2003/XP uses information flow control methods to control the flow of IP traffic, UPnP traffic, and RPC over HTTP traffic. It authorizes access to these resource objects through the use of SDs (which are sets of information identifying users and their specific access to resource objects), web permissions, IP filters, and port mapping rules. Windows 2003/XP also protects user data by ensuring that resources exported to user-mode processes do not have any residual information.

Cryptographic Protection – Windows 2003/XP provides additional protection of data through the use of data encryption mechanisms. These mechanisms only allow authorized users access to encrypted data.

Protection of TOE Security Functions – Windows 2003/XP provides a number of features to ensure the protection of TOE security functions. Windows 2003/XP protects against unauthorized data disclosure and modification by using a suite of Internet standard protocols including IPSec and ISAKMP. The XP portion of the TSF provides the ability to restore some previously archived TSF data. Windows 2003/XP provides a Windows Server Update Services that allows authorized administrators the ability to manage software updates and control the propagation of updates to individual machines of the TOE. Windows 2003/XP ensures process isolation security for all processes through private virtual address spaces, execution context and security context. The Windows 2003/XP data structures defining process address space, execution context, memory protection, and security context are stored in protected kernel-mode memory.

Resource Utilization – Windows 2003/XP can limit the amount of disk space that can be used by an identified user or group on a specific disk volume. Each volume has a set of properties that can be changed only by a member of the administrator group. These properties allow an authorized administrator to enable quota management, specify quota thresholds, and select actions when quotas are exceeded.

TOE Access – Windows 2003/XP provides the ability for a user to lock their session immediately or after a defined interval. It constantly monitors the mouse and keyboard for activity and locks the
Version3.
0,11/19/07workstationafterasetperiodofinactivity.
Windows2003/XPallowsanauthorizedadministratortoconfigurethesystemtodisplayalogonbannerbeforethelogondialogue.
3. Security Environment

The TOE security environment consists of the threats to security, organizational security policies, and usage assumptions as they relate to Windows 2003/XP. The assumptions and policies are primarily derived from the CAPP, while the threats have been introduced to better represent specific threats addressed by Windows 2003/XP.

3.1 Threats to Security

Table 3-1 presents known or presumed threats to protected resources that are addressed by Windows 2003/XP.

Table 3-1 Threats Addressed by Windows 2003/XP

Threat | Description
T.AUDIT_CORRUPT | Unauthorized users may tamper with audit data or unauthorized users may cause audit data to be lost due to failure of the system to protect the audit data.
T.CONFIG_CORRUPT | Configuration data or other trusted data may be tampered with by unauthorized users due to failure of the system to protect this data.
T.OBJECTS_NOT_CLEAN | Users may request access to resources and gain unauthorized access to information because the system may not adequately remove the data from objects between uses by different users, thereby releasing information to the subsequent user.
T.SPOOF | A hostile entity masquerading as the IT system may receive unauthorized access to authentication data from authorized users who incorrectly believe they are communicating with the IT system during attempts by a user to initially logon.
T.SYSACC | An unauthorized user may gain unauthorized access to the system and act as the administrator or other trusted personnel due to failure of the system to restrict access.
T.UNAUTH_ACCESS | An unauthorized user may gain access to system data due to failure of the system to restrict access.
T.UNAUTH_MODIFICATION | An unauthorized user may cause the modification of the security enforcing functions in the system, and thereby gain unauthorized access to system and user resources due to failure of the system to protect its security enforcing functions.
T.UNDETECTED_ACTIONS | An unauthorized user may perform unauthorized actions that go undetected because of the failure of the system to record actions.
T.USER_CORRUPT | User data may be tampered with by unauthorized users due to failure of the system to enforce the restrictions to data specified by authorized users.
T.ADMIN_ERROR | An administrator may incorrectly install or configure the TOE resulting in ineffective security mechanisms.
T.AUDIT_COMPROMISE | A malicious process or user may cause audit data to be inappropriately accessed (viewed, modified or deleted), or prevent future records from being recorded, thus masking an attacker's actions.
T.EAVESDROP | A malicious process or user may intercept data transmitted within the enclave.
T.MASQUERADE | An unauthorized user, process, or external IT entity may masquerade as an authorized entity to gain access to data or TOE resources.
T.POOR_DESIGN | Unintentional or intentional errors in requirement specification, design or development of the TOE may occur.
T.POOR_IMPLEMENTATION | Unintentional or intentional errors in implementing the design of the TOE may occur.
T.REPLAY | A user may gain inappropriate access to the TOE by replaying authentication information, or may cause the TOE to be inappropriately configured by replaying TSF data or security attributes.
T.UNATTENDED_SESSION | A user may gain unauthorized access to an unattended session.
T.UNIDENTIFIED_ACTIONS | Failure of the administrator to identify and act upon unauthorized actions may occur.
T.ADDRESS_MASQUERADE | A user on one interface may masquerade as a user on another interface to circumvent the TOE policy.
T.TCPIP_ATTACK | A threat agent may take advantage of a published vulnerability against protocol layers below HTTP (e.g. TCP or IP), resulting in the TOE being unable to respond properly to valid requests.
T.MALICIOUS_CODE_EXEC | A malicious user may attempt to insert and execute code in the context of a vulnerable application.
T.LOST_DATA | The TSF may have an unexpected failure and lose TSF data.
T.OLD_SW | Portions of the TSF may be running older versions of software that are vulnerable to attack from malicious users.
3.2 Organizational Security Policies

Table 3-2 describes organizational security policies that are addressed by Windows 2003/XP.

Table 3-2 Organizational Security Policies

Security Policy | Description | PP Source
P.ACCOUNTABILITY | The users of the system shall be held accountable for their actions within the system. | CAPP
P.AUTHORIZED_USERS | Only those users who have been authorized access to information within the system may access the system. | CAPP
P.NEED_TO_KNOW | The system must limit the access to, modification of, and destruction of the information in protected resources to those authorized users which have a "need to know" for that information. | CAPP
P.AUTHORIZATION | The system must have the ability to limit the extent of each user's authorizations. |
P.ADD_IPSEC | The system must have the ability to protect system data in transmission between distributed parts of the protected system. |
P.WARN | The system must have the ability to warn users regarding the unauthorized use of the system. |
3.3 Secure Usage Assumptions

This section describes the security aspects of the environment in which Windows 2003/XP is intended to be used. This includes assumptions about the connectivity, personnel, and physical aspects of the environment. Windows 2003/XP is assured to provide effective security measures in the defined environment only if it is installed, managed, and used correctly. The operational environment must be managed in accordance with the user and administrator guidance.

3.3.1 Connectivity Assumptions

Windows 2003/XP is a distributed system connected via network media. It is assumed that the connectivity conditions described in Table 3-3 will exist.

Table 3-3 Connectivity Assumptions

Assumption | Description | PP Source
A.CONNECT | All connections to peripheral devices reside within the controlled access facilities. The TOE only addresses security concerns related to the manipulation of the TOE through its authorized access points. Internal communication paths to access points such as terminals are assumed to be adequately protected. | CAPP
A.PEER | Any other systems with which the TOE communicates are assumed to be under the same management control and operate under the same security policy constraints. The TOE is applicable to networked or distributed environments only if the entire network operates under the same constraints and resides within a single management domain. There are no security requirements that address the need to trust external systems or the communications links to such systems. | CAPP

3.3.2 Personnel Assumptions

It is assumed that the personnel conditions described in Table 3-4 will exist.

Table 3-4 Personnel Assumptions

Assumption | Description | PP Source
A.COOP | Authorized users possess the necessary authorization to access at least some of the information managed by the TOE and are expected to act in a cooperating manner in a benign environment. | CAPP
A.MANAGE | There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains. | CAPP
A.NO_EVIL_ADM | The system administrative personnel are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the administrator documentation. | CAPP

3.3.3 Physical Assumptions

Windows 2003/XP is intended for application in user areas that have physical control and monitoring. It is assumed that the physical conditions described in Table 3-5 will exist.

Table 3-5 Physical Assumptions

Assumption | Description | PP Source
A.LOCATE | The processing resources of the TOE will be located within controlled access facilities that will prevent unauthorized physical access. | CAPP
A.PROTECT | The TOE hardware and software critical to security policy enforcement will be protected from unauthorized physical modification. | CAPP
4. Security Objectives

This section defines the security objectives of Windows 2003/XP and its supporting environment. Security objectives, categorized as either IT security objectives or non-IT security objectives, reflect the stated intent to counter identified threats and/or comply with any organizational security policies identified. All of the identified threats and organizational policies are addressed under one of the categories below.

4.1 TOE IT Security Objectives

Table 4-1 describes the Windows 2003/XP IT security objectives.

Table 4-1 IT Security Objectives

Security Objective | Description | PP Source
O.AUTHORIZATION | The TSF must ensure that only authorized users gain access to the TOE and its resources. | CAPP
O.DISCRETIONARY_ACCESS | The TSF must control access to resources based on the identity of users. The TSF must allow authorized users to specify which resources may be accessed by which users. | CAPP
O.AUDITING | The TSF must record the security relevant actions of users of the TOE. The TSF must present this information to authorized administrators. | CAPP
O.RESIDUAL_INFORMATION | The TSF must ensure that any information contained in a protected resource is not released when the resource is recycled. | CAPP
O.MANAGE | The TSF must provide all the functions and facilities necessary to support the authorized administrators that are responsible for the management of TOE security. | CAPP
O.ENFORCEMENT | The TSF must be designed and implemented in a manner which ensures that the organizational policies are enforced in the target environment. | CAPP
O.AUDIT_PROTECTION | The TSF must provide the capability to protect audit information associated with individual users. |
O.PROTECT | The TSF must protect its own data and resources and must maintain a domain for its own execution that protects it from external interference or tampering. |
O.TRUSTED_PATH | The TSF must provide the capability to allow users to ensure they are not communicating with some other entity pretending to be the TSF during initial user authentication. |
O.LEGAL_WARNING | The TSF must provide a mechanism to advise users of legal issues involving use of the TOE prior to allowing the user to access resources controlled by the TSF. |
O.LIMIT_AUTHORIZATION | The TSF must provide the capability to limit the extent of each user's authorizations. |
O.IPSEC | The TSF must have the capability to protect data in transmission between distributed parts of the TOE and control the flow of traffic between distributed parts of the TOE. |
O.ENCRYPTED_DATA | The TSF must ensure that only the users that encrypted data may receive that data decrypted. |
O.ASSURANCE | Assurance in the TOE's security functionality will be supported by the following activities: configuration management of the TOE and its development evidence during its development; use of sound design principles and techniques; functional testing; demonstration that the guidance documentation is sufficient and not misleading; vulnerability analysis; penetration testing demonstrating the TOE is sufficiently robust to protect itself against the casual attacker using published exploits. |
O.MEDIATE | The TOE must mediate the flow of information between sets of TOE network interfaces or between a network interface and the TOE itself in accordance with its security policy. |
O.SOFTWARE_PROTECT | The TSF must provide the capability to protect the memory used by user applications. |
O.PARTIAL_RECOVERY | The TSF must provide the capability to recover some of the TSF data to a known state. |
O.UPDATED_SW | The TSF must provide the capability to download and install software updates from a trusted source. |
4.2 Non-IT Security Objectives for the Environment

The TOE is assumed to be complete and self-contained and, as such, is not dependent upon any other products to perform properly. However, certain objectives with respect to the general operating environment must be met. Table 4-2 describes the Non-IT Security Objectives for the Environment.

Table 4-2 Non-IT Security Objectives

Security Objective | Description | PP Source
O.INSTALL | Those responsible for the TOE must ensure that the TOE is delivered, installed, managed, and operated in a manner which maintains IT security objectives. | CAPP
O.PHYSICAL | Those responsible for the TOE must ensure that those parts of the TOE critical to security policy are protected from physical attack which might compromise IT security objectives. | CAPP
O.CREDEN | Those responsible for the TOE must ensure that all access credentials, such as passwords or other authentication information, are protected by the users in a manner which maintains IT security objectives. | CAPP
5. IT Security Requirements

5.1 TOE Security Functional Requirements

This section specifies the SFRs for the TOE. This section organizes the SFRs by CC class.

Requirement Operations: Within the text of each SFR taken from the CAPP, assignment, refinement, and selection operations completed in the CAPP are underlined. Within the text of each SFR taken from the CAPP, additional operations performed in this ST are identified as follows. Within the text of each SFR taken directly from the CC, operations performed in this ST are identified as follows: Additional selection and assignment operations completed in this ST are bracketed in this ST (e.g., [ ]). Additional refinement operations completed in this ST are indicated using bold, for additions, and strike-through, for deletions (e.g., "…all objects…" or "…some big things…"). Additional iterations completed in this ST are italicized. Iterated requirements are indicated by a letter in parenthesis placed at the end of the component short name and element name(s) (e.g., FMT_MTD.1(a)).

Interpreted Requirements: Requirements that have been modified based upon an International Interpretation are identified by an italicized parenthetic comment following the requirement element that has been modified (e.g., (per International Interpretation #51)).

SOF: This ST includes the SOF assurance requirement (AVA_SOF.1). The minimum strength level for the SFRs realized by a probabilistic or permutational mechanism (with the exception of encryption mechanisms) is SOF-Medium.

SFR Summary: Table 5-1, CAPP Components and Operations, summarizes the SFRs that are included in the ST from the CAPP as follows: requirements included in the ST verbatim from the CAPP, requirements operated upon in the CAPP, requirements included in the ST with resolved operations from the CAPP, and requirements supported by functions with associated SOF claims, which are identified with a "SOF" subscript in the column "CAPP Component." Table 5-2, CC Components and Operations, summarizes the SFRs that are not included in the CAPP as follows: additional requirements from part 2 of the CC, additional requirements from part 2 of the CC with resolved operations, and requirements supported by functions with associated SOF claims, which are identified with a "SOF" subscript in the column "CC Component."

Explicitly Stated Requirements: The CC envisioned that some PP/ST authors may have security needs not yet covered by the SFR components in the CC and allows PP/ST authors to consider requirements not taken from the CC, referred to as extensibility. This ST includes several requirements that are not derived from the CC. Some are inherited from the CAPP and others are not. Tables 5-1 and 5-2 identify those requirements that are not from the CC as those that have "Extension" in the CAPP Operation or ST Operation columns of those tables. These requirements are also denoted by their names ending with the phrase "_EX". All SFRs are fully stated in the sections below.
Table 5-1 CAPP Components and Operations

CAPP Component | Component Name | CAPP Operation | Additional ST Operations
FAU_GEN.1 | Audit Data Generation | Assignment, Refinement | Refinement
FAU_GEN.2 | User Identity Association | None | None
FAU_SAR.1 | Audit Review | Assignment | Refinement
FAU_SAR.2 | Restricted Audit Review | None | None
FAU_SAR.3(a) | Selectable Audit Review by Searching and Sorting | Assignment, Selection | Assignment, Selection, Iteration
FAU_SEL.1 | Selective Audit | Selection | Assignment
FAU_STG.1 | Protected Audit Trail Storage [2] | Selection | Refinement
FAU_STG.3 | Action in Case of Possible Audit Data Loss | Assignment | Assignment
FAU_STG.4 | Prevention of Audit Data Loss | Selection | Assignment, Refinement
FDP_ACF.1(a) | Discretionary Access Control Functions | Assignment, Refinement | Assignment, Refinement, Iteration
FDP_RIP.2 | Object Residual Information Protection | Selection | None
Note1_EX [3] | Subject Residual Information Protection | Extension | None
FIA_ATD.1 | User Attribute Definition | Assignment | Assignment
FIA_SOS.1 (SOF) [4] | Verification of Secrets [5] | Assignment | Refinement
FIA_UAU.1 | Timing of Authentication | None | Assignment
FIA_UID.1 | Timing of Identification | None | Assignment
FIA_UAU.7 | Protected Authentication Feedback | Assignment | None
FIA_USB.1_EX [6] | User-Subject Binding | Extension | Assignment, Refinement
FMT_MSA.1(a) | Management of Object Security Attributes | Assignment, Selection | Assignment, Iteration
FMT_MSA.3(a) | Static Attribute Initialization | Assignment, Selection | Assignment, Iteration
FMT_MTD.1(a) | Management of the Audit Trail (1a) | Assignment, Selection, Iteration | None
FMT_MTD.1(b) | Management of Audited Events (1b) | Assignment, Selection, Iteration | None
FMT_MTD.1(c) | Management of User Attributes (1c) | Assignment, Selection, Iteration | Assignment
FMT_MTD.1(d) | Management of Authentication Data (1d) | Assignment, Selection, Iteration | None
FMT_REV.1(a) | Revocation of User Attributes (1a) | Assignment, Selection, Iteration | Assignment
FMT_REV.1(b) | Revocation of Object Attributes (1b) | Assignment, Selection, Iteration | Assignment, Refinement
FMT_SMR.1 | Security Roles | Assignment | Assignment
FPT_AMT.1 | Abstract Machine Testing | Selection | Refinement
FPT_RVM.1 | Non-bypassability of the TSP [7] | None | None
FPT_SEP.1 | TSF Domain Separation | Assignment | None
FPT_STM.1 | Reliable Time Stamps | None | None

Footnotes to Table 5-1:
[2] This title is consistent with the CC. The CAPP title for this requirement is "Guarantees of Audit Data Availability", which is inconsistent with the CC.
[3] This title is inconsistent with the CAPP in order to use this ST's convention of denoting explicit requirements by ending the name with the phrase "_EX". The CAPP titles this requirement as "FDP_RIP.2.Note1."
[4] The SOF claim associated with this requirement is a metric as defined in the FIA_SOS.1 requirement.
[5] This title is consistent with the CC. The CAPP title for this requirement is "Strength of Authentication Data", which is inconsistent with the CC.
[6] This title is inconsistent with the CAPP in order to use this ST's convention of denoting explicit requirements by ending the name with the phrase "_EX". The CAPP titles this requirement as "FIA_USB.1".
[7] This title is consistent with the CC. The CAPP title for this requirement is "Reference Mediation", which is inconsistent with the CC.

Table 5-2 CC Components and Operations

CC Component | Component Name | ST Operations
FAU_LOG_EX.1 | Update Server Logging | Extension
FAU_SAR.3(b) | Selectable Audit Review by Searching | Assignment, Selection
FCS_COP.1(a) thru FCS_COP.1(j) | Cryptographic Operation | Assignment, Iteration
FCS_CKM.1(a) thru FCS_CKM.1(e) | Cryptographic Key Generation | Assignment, Iteration, Refinement
FCS_CKM.2 | Cryptographic Key Distribution | Assignment, Refinement
FCS_CKM.4 | Cryptographic Key Zeroization | Refinement, Assignment
FCS_CKM_EX.1 | Cryptographic Key Validation and Packaging | Extension
FCS_CKM_EX.2 | Cryptographic Key Handling and Storage | Extension
FDP_ACC.2(a) | Discretionary Access Control Policy | Assignment, Refinement, Iteration
FDP_ACC.2(b) | WEBUSER Complete Access Control | Assignment, Refinement, Iteration
FDP_ACC.2(c) | Content-Provider Complete Access Control | Assignment, Refinement, Iteration
FDP_ACC.2(d) | Indexing Complete Access Control | Assignment, Refinement, Iteration
FDP_ACF.1(b) | WEBUSER Access Control Functions | Assignment, Refinement, Iteration
FDP_ACF.1(c) | Content-Provider Access Control Functions | Assignment, Refinement, Iteration
FDP_ACF.1(d) | Indexing Access Control Functions | Assignment, Refinement, Iteration
FDP_IFC.1(a) | IPSec Subset Information Flow Control | Assignment, Iteration
FDP_IFC.1(b) | Windows Firewall Connection Subset Information Flow Control | Assignment, Iteration
FDP_IFC.1(c) | RPC over HTTP Subset Information Flow Control | Assignment, Iteration
FDP_IFF.1(a) | IPSec Simple Security Attributes | Assignment, Refinement, Iteration
FDP_IFF.1(b) | Windows Firewall Connection Simple Security Attributes | Assignment, Refinement, Iteration
FDP_IFF.1(c) | RPC over HTTP Simple Security Attributes | Assignment, Refinement, Iteration
FDP_ITT.1 | Basic Internal Protection | Assignment, Selection
FDP_UCT.1 | WEBUSER SFP Basic Data Exchange Confidentiality | Assignment, Selection, Refinement
FDP_UIT.1 | WEBUSER SFP Data Exchange Integrity | Assignment, Selection, Refinement
FIA_AFL.1 | Authentication Failure Handling | Assignment
FIA_UAU.6 | Re-authenticating | Refinement
FMT_MOF.1(a) | Management of Audit | Assignment, Selection, Iteration
FMT_MOF.1(b) | Management of TOE TSF Data in Transmission | Assignment, Selection, Iteration
FMT_MOF.1(c) | Management of Unlocking Sessions | Assignment, Selection, Iteration
FMT_MOF.1(d) | Management of Web Server | Assignment, Selection, Iteration, Refinement
FMT_MOF.1(e) | Management of Group Policy Calculations | Assignment, Selection, Iteration
FMT_MSA.1(b) | Management of DAC Object Security Attributes | Assignment, Selection, Iteration
FMT_MSA.1(c) | Management of IPSec Object Security Attributes | Assignment, Selection, Iteration
FMT_MSA.1(d) | Management of Windows Firewall Connection Object Security Attributes | Assignment, Selection, Iteration
FMT_MSA.1(e) | Management of WEBUSER Object Security Attributes | Assignment, Selection, Iteration
FMT_MSA.1(f) | Management of Content-Provider Object Security Attributes | Assignment, Selection, Iteration
FMT_MSA.1(g) | Management of Indexing Object Security Attributes | Assignment, Selection, Iteration
FMT_MSA.1(h) | Management of RPC over HTTP Object Security Attributes | Assignment, Selection, Iteration
FMT_MSA_EX.2 | Valid Password Security Attributes | Extension
FMT_MSA.3(b) | IPSec Static Attribute Initialization | Assignment, Selection, Iteration
FMT_MSA.3(c) | Windows Firewall Connection Static Attribute Initialization | Assignment, Selection, Iteration
FMT_MSA.3(d) | WEBUSER Static Attribute Initialization | Assignment, Selection, Iteration, Refinement
FMT_MSA.3(e) | Content-Provider Static Attribute Initialization | Assignment, Selection, Iteration, Refinement
FMT_MSA.3(f) | Indexing Static Attribute Initialization | Assignment, Selection, Iteration
FMT_MSA.3(g) | RPC over HTTP Static Attribute Initialization | Assignment, Selection, Iteration
FMT_MTD.1(e) | Management of Account Lockout Duration | Assignment, Selection, Iteration
FMT_MTD.1(f) | Management of Minimum Password Length | Assignment, Selection, Iteration
FMT_MTD.1(g) | Management of TSF Time | Assignment, Selection, Iteration
FMT_MTD.1(h) | Management of NTFS Volume Quota Settings | Assignment, Selection, Iteration
FMT_MTD.1(i) | Management of Advisory Warning Message | Assignment, Selection, Iteration
FMT_MTD.1(j) | Management of Audit Log Size | Assignment, Selection, Iteration
FMT_MTD.1(k) | Management of User Inactivity Threshold | Assignment, Selection, Iteration
FMT_MTD.1(l) | Management of General TSF Data | Assignment, Selection, Iteration
FMT_MTD.1(m) | Management of Reading Authentication TSF Data | Assignment, Iteration, Refinement
FMT_MTD.1(n) | Management of Password Complexity Requirement | Assignment, Selection, Iteration
FMT_MTD.1(o) | Management of User Private/Public Key Pair | Assignment, Selection, Iteration
FMT_MTD.1(p) | Management of WSUS Configuration Settings | Assignment, Selection, Iteration
FMT_MTD.2 | Management of Unsuccessful Authentication Attempts Threshold | Assignment
FMT_SAE.1 | Time-limited Authorization | Assignment
FMT_SMF.1 | Specification of Management Functions | Assignment
FMT_SMR.3 | Assuming Roles | Assignment, Refinement
TRANSFER_PROT_EX.1 | Internal TSF Data Transfer Protection | Extension
FPT_RST_EX.1 | Partial System Restore | Extension
FPT_SEP_EX.1 | TSF Hardware Protection | Extension
FPT_SUS_EX.1 | WSUS Update Restrictions | Extension
FPT_SUS_EX.2 | WSUS Update Advertisement | Extension
FPT_SUS_EX.3 | WSUS Update Import | Extension
FPT_SUS_EX.4 | WSUS Update Distribution Approval | Extension
FPT_SUS_EX.5 | Application of WSUS Updates | Extension
FPT_SUS_EX.6 | WSUS Update Deadlines | Extension
FPT_TRC_EX | Internal TSF Data Consistency | Extension
TRANSFER_PROT_EX.3 | Internal TSF Data Integrity Monitoring | Extension
FPT_RPL_EX.1 | Replay Detection | Extension
FRU_RSA.1 | Maximum Quotas | Assignment, Selection
FTA_LSA_EX.1 | Limitation on Scope of Selectable Attributes | Extension
FTA_MCS_EX.1 | Basic Limitation on Multiple Concurrent Sessions | Extension
FTA_SSL.1 | TSF-initiated Session Locking | Assignment
FTA_SSL.2 | User-initiated Session Locking | Assignment
FTA_SSL.3 | WEBUSER TSF-Initiated Termination | Assignment, Refinement
FTA_TAB.1 | Default TOE Access Banners | Refinement
FTA_TSE.1 | TOE Session Establishment | Assignment
FTP_TRP.1 | Trusted Path | Assignment, Selection
5.1.1 Security Audit (FAU) Requirements

5.1.1.1 Audit Data Generation (FAU_GEN.1)

5.1.1.1.1 FAU_GEN.1.1 The TSF shall be able to generate an audit record of the auditable events listed in column "Event" of Table 5-3 (CAPP Compliant Auditable Events) and the events listed in column "Event" of Table 5-4 (Other Auditable Events).

5.1.1.1.2 FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and b) The additional information specified in the "Details" column of Table 5-3, CAPP Compliant Auditable Events. This includes:
- The auditable events associated with the CAPP SFRs at the basic level of auditing, except FIA_UID's user identity during failures;
- The identified auditable events associated with SFRs in this ST, which are not included in the CAPP, at the not specified level of audit.

Table 5-3 CAPP Compliant Auditable Events

Component | Event | Details
FAU_GEN.1 | Start-up and shutdown of the audit functions |
FAU_GEN.2 | None |
FAU_SAR.1 | Reading of information from the audit records |
FAU_SAR.2 | Unsuccessful attempts to read information from the audit records |
FAU_SAR.3(a),(b) | None |
FAU_STG.1 | None |
FAU_STG.3 | Actions taken due to exceeding of a threshold |
FAU_STG.4 | Actions taken due to the audit storage failure |
FDP_ACC.1(a) [8] | None |
FDP_ACF.1(a) | All requests to perform an operation on an object covered by the SFP | The identity of the object.
FDP_RIP.2 | None |
FDP_RIP.2.Note1 | None |
FIA_ATD.1 | None |
FIA_SOS.1 | Rejection or acceptance by the TSF of any tested secret |
FIA_UAU.1 | The use of the authentication mechanism |
FIA_UAU.7 | None |
FIA_UID.1 | All use of the user identification mechanism, including the identity provided during successful attempts | The origin of the attempt (e.g. terminal identification).
FIA_USB.1_EX | Success and failure of binding user security attributes to a subject (e.g., success and failure to create a subject) |
FMT_MSA.1(a) | All modifications of the values of security attributes |
FMT_MSA.3(a) | Modifications of the default setting of permissive or restrictive rules. All modifications of the initial value of security attributes. |
FMT_MTD.1(a) (CAPP 5.4.3) | All modifications to the values of TSF data |
FMT_MTD.1(b) (CAPP 5.4.4) | All modifications to the values of TSF data | The new value of the TSF data.
FMT_MTD.1(c) (CAPP 5.4.5) | All modifications to the values of TSF data | The new value of the TSF data.
FMT_MTD.1(d) (CAPP 5.4.6) | All modifications to the values of TSF data |
FMT_REV.1(a) (CAPP 5.4.7) | All attempts to revoke security attributes |
FMT_REV.1(b) (CAPP 5.4.8) | All modifications to the values of TSF data |
FMT_SMR.1 | Modifications to the group of users that are part of a role |
FMT_SMR.1 | Every use of the rights of a role. (Additional/Detailed) | The role and the origin of the request.
FPT_RVM.1 | None |
FPT_SEP.1 | None |
FPT_STM.1 | Changes to the time |

Footnote to Table 5-3:
[8] This requirement is not included in this ST; however, FDP_ACC.2, which is hierarchical to FDP_ACC.1, is.

Table 5-4 Other Auditable Events

Component | Event
FIA_AFL.1 | Account locked out due to exceeding the maximum number of unsuccessful logon attempts
FMT_MOF.1(a) | Audit Policy Changes
FMT_MOF.1(d) | Management of Web Server
FMT_MTD.1(g) | Attempt to use an authorized administrator privilege to change the TSF Time
TRANSFER_PROT_EX.1 | IPSEC policy changes
FTA_SSL.1 | Attempt to unlock
FTA_SSL.2 | Attempt to unlock
FTA_TSE.1 | Logon failure due to password expiration
FTP_TRP.1 | Authentication and unlocking attempts
FMT_MTD.1(e) | Lockout Duration changes
FMT_MTD.1(f) | Modification of minimum password length
FMT_MTD.1(n) | Modification of password complexity policy
FMT_MTD.2 | Modification of unsuccessful logon attempt threshold
FMT_SAE.1 | Setting of password expiration time
TRANSFER_PROT_EX.3 | Detection of a data integrity violation
FPT_RPL.1 | Replay of TSF data
FPT_TRC_EX.1 | Directory Replication
5.1.1.2 User Identity Association (FAU_GEN.2)

5.1.1.2.1 FAU_GEN.2.1 The TSF shall be able to associate each auditable event with the identity of the user that caused the event.

5.1.1.3 Update Server Logging (FAU_LOG_EX.1)

5.1.1.3.1 FAU_LOG_EX.1.1 The TSF shall be able to generate a log entry of the following events: a) Update downloads; b) WSUS configuration settings.

5.1.1.3.2 FAU_LOG_EX.1.2 The TSF shall record within each log entry at least the following information: Update status, Computer status, and Synchronization status.

5.1.1.4 Audit Review (FAU_SAR.1)

5.1.1.4.1 FAU_SAR.1.1 The TSF shall provide authorized administrators with the capability to read all audit information from the audit records.

5.1.1.4.2 FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the authorized administrator to interpret the information using a tool to access the audit trail.

5.1.1.5 Restricted Audit Review (FAU_SAR.2)

5.1.1.4.1 FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access.

5.1.1.6 Selectable Audit Review by Searching and Sorting (FAU_SAR.3(a))

5.1.1.5.1 FAU_SAR.3.1(a) The TSF shall provide the ability to perform [searches and sorting] of audit data based on the following attributes: a) User identity; b) [Type (success and/or failure), date, time, category, event identifier, and computer].

5.1.1.7 Selectable Audit Review by Searching (FAU_SAR.3(b))

5.1.1.6.1 FAU_SAR.3.1(b) The TSF shall provide the ability to perform [searches] of audit data based on [free form text substring within audit records].

5.1.1.8 Selective Audit (FAU_SEL.1)

5.1.1.8.1 FAU_SEL.1.1 The TSF shall be able to include or exclude auditable events from the set of audited events based on the following attributes: a) User identity; b) [Object identity, Host identity, Event type, Success of auditable security events, and Failure of auditable security events].

5.1.1.9 Protected Audit Trail Storage (FAU_STG.1)

5.1.1.9.1 FAU_STG.1.1 The TSF shall protect the stored audit records from unauthorized deletion.

5.1.1.9.2 FAU_STG.1.2 The TSF shall be able to prevent unauthorized modifications to the audit records in the audit trail. (per International Interpretation #141)

5.1.1.10 Action in Case of Possible Audit Data Loss (FAU_STG.3)

5.1.1.10.1 FAU_STG.3.1 The TSF shall generate an alarm to the authorized administrator if the audit trail exceeds [the authorized administrator specified log size].

5.1.1.11 Prevention of Audit Data Loss (FAU_STG.4)

5.1.1.11.1 FAU_STG.4.1 When the audit trail becomes full, the TSF shall be able to provide the authorized administrator the capability to prevent auditable events, except those taken by the authorized administrator (in the context of performing TOE maintenance) and [generate an alarm to the authorized administrator] if the audit trail is full. (In this refinement the CC's trailing phrase "if the audit trail is full" is struck through, its condition having been moved to the start of the element.)
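The audit SFRs of section 5.1.1 fit together as one small state machine: record content per FAU_GEN.1.2, inclusion/exclusion per FAU_SEL.1, attribute search and sorting per FAU_SAR.3(a), substring search per FAU_SAR.3(b), the size alarm of FAU_STG.3 and the full-trail behaviour of FAU_STG.4. The model below is an added example written for this page, not Microsoft's implementation; the record layout, the trail sizes, the administrator set and the sample events are all constructed for illustration.

```python
"""Model of the audit SFRs in section 5.1.1 (FAU_GEN.1.2, FAU_SEL.1,
FAU_SAR.3(a)/(b), FAU_STG.3 and FAU_STG.4). Added example, not Microsoft
code; record layout, sizes and sample events are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class AuditRecord:
    # FAU_GEN.1.2(a): date/time, type of event, subject identity, outcome;
    # category/event_id/computer are the FAU_SAR.3(a) search attributes.
    when: datetime
    event_id: int
    category: str
    user: str
    computer: str
    success: bool
    details: str = ""   # FAU_GEN.1.2(b) "Details" column, e.g. object identity


@dataclass
class AuditPolicy:
    """FAU_SEL.1: include/exclude by user identity, event type, success, failure."""
    excluded_users: set = field(default_factory=set)
    excluded_categories: set = field(default_factory=set)
    audit_success: bool = True
    audit_failure: bool = True

    def selected(self, rec: AuditRecord) -> bool:
        if rec.user in self.excluded_users or rec.category in self.excluded_categories:
            return False
        return self.audit_success if rec.success else self.audit_failure


class AuditTrail:
    """Bounded trail with the FAU_STG.3 alarm threshold and FAU_STG.4 full behaviour."""

    def __init__(self, max_records, alarm_threshold, admins, policy):
        assert alarm_threshold <= max_records
        self.max_records = max_records          # physical capacity of the trail
        self.alarm_threshold = alarm_threshold  # administrator-specified log size (FAU_STG.3)
        self.admins = set(admins)               # authorized administrators (FAU_STG.4 exception)
        self.policy = policy
        self.records = []
        self.alarms = []

    def is_full(self) -> bool:
        return len(self.records) >= self.max_records

    def log(self, rec: AuditRecord) -> bool:
        """Submit an auditable event; returns False when the event must be prevented."""
        if not self.policy.selected(rec):
            return True                         # not audited, action proceeds
        if self.is_full():
            self.alarms.append("audit trail full")     # FAU_STG.4 alarm
            return rec.user in self.admins      # only administrator actions may continue
        self.records.append(rec)
        if len(self.records) > self.alarm_threshold:
            self.alarms.append("audit trail exceeds configured size")  # FAU_STG.3
        return True

    @staticmethod
    def render(r: AuditRecord) -> str:
        outcome = "Success" if r.success else "Failure"
        return f"{r.when:%Y-%m-%d %H:%M:%S} {r.event_id} {r.category} {r.user}@{r.computer} {outcome} {r.details}"

    def search(self, text=None, date=None, **attrs):
        """FAU_SAR.3(a): match on user/success/category/event_id/computer/date;
        FAU_SAR.3(b): free-form substring over the rendered record."""
        out = []
        for r in self.records:
            if any(getattr(r, k) != v for k, v in attrs.items()):
                continue
            if date is not None and r.when.date() != date:
                continue
            if text is not None and text not in self.render(r):
                continue
            out.append(r)
        return out

    @staticmethod
    def sort(records, key, reverse=False):
        """FAU_SAR.3(a) sorting by one of the searchable attributes."""
        return sorted(records, key=lambda r: getattr(r, key), reverse=reverse)


def demo():
    """Constructed events exercising selection, the size alarm and full-trail prevention."""
    policy = AuditPolicy(excluded_categories={"Detailed Tracking"})
    trail = AuditTrail(max_records=4, alarm_threshold=3, admins={"Administrator"}, policy=policy)
    t0 = datetime(2007, 11, 19, 9, 0, 0)   # constructed timestamps, hosts and event ids
    events = [
        AuditRecord(t0, 528, "Logon/Logoff", "alice", "WS01", True),
        AuditRecord(t0.replace(minute=1), 529, "Logon/Logoff", "bob", "WS02", False, "bad password"),
        AuditRecord(t0.replace(minute=2), 592, "Detailed Tracking", "alice", "WS01", True),  # excluded
        AuditRecord(t0.replace(minute=3), 560, "Object Access", "alice", "WS01", True, "C:\\data\\secret.txt"),
        AuditRecord(t0.replace(minute=4), 612, "Policy Change", "Administrator", "DC01", True),  # crosses threshold
        AuditRecord(t0.replace(minute=5), 528, "Logon/Logoff", "bob", "WS02", True),  # trail full: prevented
        AuditRecord(t0.replace(minute=6), 612, "Policy Change", "Administrator", "DC01", True),  # full: admin allowed
    ]
    outcomes = [trail.log(e) for e in events]
    return trail, outcomes


if __name__ == "__main__":
    trail, outcomes = demo()
    print("allowed:", outcomes, "alarms:", trail.alarms)
    for r in AuditTrail.sort(trail.search(user="alice"), "event_id"):
        print(AuditTrail.render(r))
```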
5.1.2 Cryptographic Support (FCS)

5.1.2.1 Cryptographic Operation (DES Encryption and Decryption) (FCS_COP.1(a))

5.1.2.1.1 FCS_COP.1.1(a) The TSF shall perform [the TOE CryptProtectData, CryptEncrypt, FipsDes, and Fips3Des3Key encryption function and the CryptUnprotectData, CryptDecrypt, FipsDes, and Fips3Des3Key decryption function] in accordance with a specified cryptographic algorithm [FIPS-46-3 DES or Triple DES ECB and CBC modes] and cryptographic key sizes [56-bits or 168-bits respectively] that meet the following [FIPS 46-3].

5.1.2.2 Cryptographic Operation (RSA Hash) (FCS_COP.1(b))

5.1.2.2.1 FCS_COP.1.1(b) The TSF shall perform [the TOE CryptSignHash signing function] in accordance with a specified cryptographic algorithm [FIPS-186-2 RSA using PKCS-1 (RSASSA-PKCS1-v1_5)] and cryptographic key size [default 1024 bits and maximum 16384 bits] that meets the following [none].

5.1.2.3 Cryptographic Operation (DSA Hash) (FCS_COP.1(c))

5.1.2.3.1 FCS_COP.1.1(c) The TSF shall perform [the TOE CryptSignHash signing function] in accordance with a specified cryptographic algorithm [FIPS-186-2 DSA] and cryptographic key size [default 1024 bits] that meets the following [none].

5.1.2.4 Cryptographic Operation (XP SHA Hash) (FCS_COP.1(d))

5.1.2.4.1 FCS_COP.1.1(d) The TSF shall perform [the TOE CryptCreateHash, CryptHashData, and CryptGetHashParam hashing functions with the Algid parameter CALG_SHA1] in accordance with a specified cryptographic algorithm [FIPS-180-2 SHA-1] and cryptographic key size [not applicable] that meet the following [FIPS 180-2].

5.1.2.5 Cryptographic Operation (Server SHA Hash) (FCS_COP.1(e))

5.1.2.5.1 FCS_COP.1.1(e) The TSF shall perform [the TOE CryptCreateHash, CryptHashData, and CryptGetHashParam hashing functions with the Algid parameter CALG_SHA1, CALG_SHA_256, CALG_SHA_384, or CALG_SHA_512 hashing] in accordance with a specified cryptographic algorithm [FIPS-180-2 SHA-1, SHA-256, SHA-384, and SHA-512 respectively] and cryptographic key size [not applicable] that meet the following [FIPS-180-2, SHA-1, SHA-256, SHA-384, and SHA-512].

5.1.2.6 Cryptographic Operation (Random Number Generator) (FCS_COP.1(f))

5.1.2.6.1 FCS_COP.1.1(f) The TSF shall perform [the TOE CryptGenRandom and FIPSGenRandom pseudorandom number generation functions] in accordance with a specified cryptographic algorithm [SHA-1] and cryptographic key size [not applicable] that meet the following [none].

5.1.2.7 Cryptographic Operation (RSA Encryption and Decryption) (FCS_COP.1(g))

5.1.2.7.1 FCS_COP.1.1(g) The TSF shall perform [the TOE CryptEncrypt and CryptDecrypt public key encryption services] in accordance with a specified cryptographic algorithm [RSA] and cryptographic key size [default 1024 bits and maximum 16384 bits] that meet the following [PKCS#1 (RSAES-PKCS1-v1_5)].
5.
1.
2.
8CryptographicOperation(Diffie-Hellman)(FCS_COP.
1(h))5.
1.
2.
8.
1FCS_COP.
1.
1(h)TheTSFshallperform[theTOECryptExportKey,CryptImportKeyandCryptGetKeyParam,CryptGenKeycryptographickeyestablishmentservices]inaccordancewithaspecifiedcryptographicalgorithm[Diffie-Hellman(Ephemeral-Ephemeral)]andcryptographickeysize[default1024bitsandmaximum2048bits]thatmeetthefollowing[none].
5.
1.
2.
9CryptographicOperation(AESEncryptionandDecryption)(FCS_COP.
1(i))5.
1.
2.
9.
1FCS_COP.
1.
1(i)TheTSFshallperform[theTOECryptEncryptencryptionfunctionandtheCryptDecryptdecryptionfunction]inaccordancewithaspecifiedcryptographicalgorithm[AESECBandCBCmodes]andcryptographickeysizes[128bits,192bits,or256bits]thatmeetthefollowing[FIPS-197].
5.
1.
2.
10CryptographicOperation(HMAC)(FCS_COP.
1(j))5.
1.
2.
10.
1FCS_COP.
1.
1(j)TheTSFshallperform[theTOECryptCreateHash,CryptHashData,andCryptGetHashParamhashingfunctions]inaccordancewithaspecifiedcryptographicalgorithm[HMAC]andcryptographickeysizes[128]thatmeetthefollowing[FIPS-198(SHA-1)].
5.
1.
2.
11CryptographicKeyManagement(FCS_CKM)CryptographicKeyGeneration(forsymmetrickeys)(FCS_CKM.
1(a)5.
1.
2.
11.
1FCS_CKM.
1.
1(a)TheTSFshallgenerateFIPS-46-3DESorTripleDESsymmetriccryptographickeysinaccordancewithaspecifiedcryptographickeygenerationalgorithmasfollows:[(1)asoftwarerandomnumbergenerator(RNG)asspecifiedinFCS_COP.
1.
1(f),or(2)akeyestablishmentschemeasspecifiedinFCS_COP.
1.
1(h)basedonpublickeycryptographyusingasoftwarerandomnumbergenerator(RNG)asspecifiedinFCS_COP.
1.
1(f),whenusingtheTOECryptGenKeyfunction,orwheninsidetheTOEEFSService,DPAPIService,SchannelSecurityPackage,orIPSECService,]andspecifiedcryptographickeysizes[56bitsor168bitsrespectively]thatmeetthefollowing[FIPS140-1or140-2Level1].
MicrosoftCorporation,2008AllRightsReserved.
42Version3.
0,11/19/075.
1.
2.
12CryptographicKeyManagement(FCS_CKM)CryptographicKeyGeneration(forasymmetrickeys)(FCS_CKM.
1(b))5.
1.
2.
12.
1FCS_CKM.
1.
1(b)TheTSFshallgenerateFIPS-186-2/PKCS#1asymmetriccryptographickeysinaccordancewithaspecifiedcryptographickeygenerationalgorithmasfollows:[(1)aprimenumbergenerator,whenusingtheTOECryptGenKeyfunction,]andspecifiedcryptographickeysizes[default1024bitsandmaximum16384]thatmeetsthefollowing[none].
5.
1.
2.
13CryptographicKeyManagement(FCS_CKM)CryptographicKeyGeneration(forasymmetrickeys)(FCS_CKM.
1(c))5.
1.
2.
13.
1FCS_CKM.
1.
1(c)TheTSFshallgenerateFIPS-186-2DSAasymmetriccryptographickeysinaccordancewithaspecifiedcryptographickeygenerationalgorithmasfollows:[(1)arandomnumbergenerator(SHA-1basedRNG),whenusingtheTOECryptGenKeyfunction,]andspecifiedcryptographickeysizes[1024bits]thatmeetsthefollowing[FIPS186-2].
5.
1.
2.
14CryptographicKeyManagement(FCS_CKM)CryptographicKeyGeneration(forsymmetrickeys)(FCS_CKM.
1(d)5.
1.
2.
14.
1FCS_CKM.
1.
1(d)TheTSFshallgenerateFIPS-197AESsymmetriccryptographickeysinaccordancewithaspecifiedcryptographickeygenerationalgorithmasfollows:[(1)asoftwarerandomnumbergenerator(RNG)asspecifiedinFCS_COP.
1.
1(f),or(2)akeyestablishmentschemeasspecifiedinFCS_COP.
1.
1(h)basedonpublickeycryptographyusingasoftwarerandomnumbergenerator(RNG)asspecifiedinFCS_COP.
1.
1(f),whenusingtheTOECryptGenKeyfunction,]andspecifiedcryptographickeysizes[128bits,192bits,or256bits]thatmeetthefollowing[FIPS-197AESsymmetric].
5.
1.
2.
15CryptographicKeyManagement(FCS_CKM)CryptographicKeyGeneration(forasymmetrickeys)(FCS_CKM.
1(e))5.
1.
2.
15.
1FCS_CKM.
1.
1(e)TheTSFshallgenerateDiffie-Hellmanasymmetriccryptographickeysinaccordancewithaspecifiedcryptographickeygenerationalgorithmasfollows:[(1)arandomnumbergenerator(SHA-1basedRNG),whenusingtheTOECryptGenKeyfunction,]andspecifiedcryptographickeysizes[default1024bitsandmaximum2048bits]thatmeetsthefollowing[none].
MicrosoftCorporation,2008AllRightsReserved.
43Version3.
0,11/19/075.
1.
2.
16CryptographicKeyManagement(FCS_CKM)CryptographicKeyDistribution(FCS_CKM.
2)5.
1.
2.
16.
1FCS_CKM.
2.
1TheTSFshalldistributeFIPS-186-2DSAandFIPS-186-2/PKCS#1privateasymmetriccryptographickeysinaccordancewithaspecifiedcryptographickeydistributionmethodasfollows:[(1)PKCS#5V2.
0(Password-BasedEncryptionStandard),insidetheTOEDPAPIserviceforhandlingthedistributionoftheaforementionedkeystophysically-separatedpartsoftheTOEthatthekeysownersarecurrentlyloggingontoandneedingtousethekeys,usingFIPS-180-2SHA-1andFIPS-46-3TripleDES,]thatmeetthefollowing[FIPS140-1or140-2Level1].
5.
1.
2.
17CryptographicKeyManagement(FCS_CKM)CryptographicKeyZeroization(FCS_CKM.
4)5.
1.
2.
17.
1FCS_CKM.
4.
1TheTSFshalldestroycryptographickeyswithintheFIPS-140validatedcryptographicmodulesinaccordancewithaspecifiedcryptographickeydestructionmethod[cryptographickeyzeroizationmethod]thatmeetsthefollowing[FIPS140-1or140-2Level1].
5.
1.
2.
18CryptographicKeyManagement(FCS_CKM)CryptographicKeyValidationandPackaging(FCS_CKM_EX.
1)5.
1.
2.
18.
1FCS_CKM_EX.
1.
1TheTSFshallapplyvalidationtechniques(e.
g.
hash)tovalidatetheCryptProtectData-encryptedFIPS-186-2DSAandFIPS-186-2/PKCS#1privateasymmetriccryptographickeyswhentheyareobtainedviathedistributionmethodascalledoutinFCS_CKM.
2.
1orviathestoragemethodascalledoutinFCS_CKM_EXP.
2.
2.
5.
1.
2.
19CryptographicKeyManagement(FCS_CKM)CryptographicKeyHandlingandStorage(FCS_CKM_EX.
2)5.
1.
2.
19.
1FCS_CKM_EX.
2.
1TheTSFshallprovideameanstoensurethatFIPS-186-2DSAandFIPS-186-2/PKCS#1privateasymmetriccryptographickeysareassociatedwiththecorrectentities(i.
e.
,person)towhichthekeysareassigned.
5.
1.
2.
19.
2FCS_CKM_EX.
2.
2TheTSFshallstoreFIPS-186-2DSAandFIPS-186-2/PKCS#1privateasymmetriccryptographickeysinaccordancewithaspecifiedcryptographickeystoragemethodasfollows:[(1)PKCS#5V2.
0(Password-BasedEncryptionStandard),usingFIPS-180-2SHA-1andFIPS-46-3TripleDES,]thatmeetthefollowing[FIPS140-1or140-2Level1].
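The following Python program is an added worked example and is not part of the Security Target or of the Windows implementation. It illustrates what FCS_CKM.2.1, FCS_CKM_EX.1.1 and FCS_CKM_EX.2.2 ask for together: a stored private key is protected under a key derived from the user's password with PKCS#5 v2.0 PBKDF2 using HMAC-SHA1, and the stored blob carries a keyed-hash tag that is validated before the key is ever released. The Python standard library has no Triple DES, so an HMAC-SHA1 counter-mode keystream stands in for the FIPS-46-3 Triple DES step named in the requirement; the blob layout (salt, nonce, ciphertext, tag), the iteration count and the key lengths are choices made for this example.

```python
"""Added worked example (not from the Security Target): protecting a stored
private key with a PKCS#5 v2.0 password-derived key (PBKDF2-HMAC-SHA1) and
validating the stored blob with a keyed hash before use (FCS_CKM_EX.1.1).

Assumptions: an HMAC-SHA1 counter-mode keystream stands in for Triple DES,
which the standard library lacks; blob layout and iteration count are
example choices.
"""
import hashlib
import hmac
import os
import struct
from typing import Tuple

PBKDF2_ITERATIONS = 4096          # example value, not the TOE's setting
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 8, 20


def derive_keys(password: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """PKCS#5 v2.0 PBKDF2 with HMAC-SHA1: 40 bytes of key material, split
    into an encryption key and an independent validation (MAC) key."""
    material = hashlib.pbkdf2_hmac("sha1", password, salt,
                                   PBKDF2_ITERATIONS, dklen=40)
    return material[:20], material[20:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR data with an HMAC-SHA1(key, nonce || counter)
    keystream. Symmetric, so it both encrypts and decrypts."""
    out = bytearray()
    for i in range((len(data) + 19) // 20):
        block = hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha1).digest()
        chunk = data[i * 20:(i + 1) * 20]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def protect_private_key(private_key: bytes, password: bytes) -> bytes:
    """Produce salt | nonce | ciphertext | HMAC-SHA1 tag over the rest."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    ciphertext = keystream_xor(enc_key, nonce, private_key)
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha1).digest()
    return salt + nonce + ciphertext + tag


def unprotect_private_key(blob: bytes, password: bytes) -> bytes:
    """Validate the blob first (FCS_CKM_EX.1.1); only then recover the key."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("key blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, tag):
        # Wrong password or a tampered blob: the key material is never released.
        raise ValueError("stored key failed validation")
    return keystream_xor(enc_key, nonce, ciphertext)


def blob_is_valid(blob: bytes, password: bytes) -> bool:
    """True only when the stored blob passes validation under this password."""
    try:
        unprotect_private_key(blob, password)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample_key = bytes(range(48))                       # constructed key material
    stored = protect_private_key(sample_key, b"example passphrase")
    print("valid:", blob_is_valid(stored, b"example passphrase"))
    damaged = bytearray(stored)
    damaged[30] ^= 0x01                                 # flip one ciphertext bit
    print("tampered valid:", blob_is_valid(bytes(damaged), b"example passphrase"))
```

The validation key is derived separately from the encryption key so that a forged tag cannot be produced without the password, and the comparison uses a constant-time check so that tag verification does not leak timing information.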
5.1.3 User Data Protection (FDP) Requirements

5.1.3.1 Discretionary Access Control Policy (FDP_ACC.2(a))

5.1.3.1.1 FDP_ACC.2.1(a) The TSF shall enforce the [Discretionary Access Control Policy] on [subjects – processes acting on the behalf of users] and [Named objects – Desktop, Event, KeyedEvent, Event pair, I/O Completion Port, Job, Key, Mutant, Mailslot, Named pipe, NTFS directory, NTFS file, Object Directory, LPC Port, Printer, Process, Section, Semaphore, Symbolic Link, Scheduled Task, Thread, Timer, Tokens, Volume, WindowStation, Active Directory, Application Pool File, URL Reservation, debug, Filter Communication Port, and Filter Connection Port objects]; and all operations among them subjects and objects covered by the SFP.

5.1.3.1.2 FDP_ACC.2.2(a) The TSF shall ensure that all operations between any subject in the TSC and any named object within the TSC are covered by an access control SFP the Discretionary Access Control policy.

5.1.3.2 WEBUSER (WU) Complete Access Control (FDP_ACC.2(b))

5.1.3.2.1 FDP_ACC.2.1(b) The Web Server part of the TSF shall enforce the [WEBUSER SFP] on [Web Server subjects: web users – processes acting on behalf of users (which are users of the OS part of the TOE/TSF) requesting web access. Web Server objects: web server content (served by the Web Server part of TSF over http:// or https://)] and all operations among subjects and objects covered by the SFP.

5.1.3.2.2 FDP_ACC.2.2(b) The TSF shall ensure that all operations between any subject in the WEBUSER TSC and any object within the WEBUSER TSC are covered by an access control the WEBUSER SFP.

5.1.3.3 Content-Provider (CP) Complete Access Control (FDP_ACC.2(c))

5.1.3.3.1 FDP_ACC.2.1(c) The Web Server part of the TSF shall enforce the [CONTENT-PROVIDER (CP) SFP] on [subjects - Content-Providers - processes acting on behalf of users (which are users of the OS part of the TOE/TSF) (which are just Users of the OS part of the TOE/TSF); objects - Web Server Content (served by the Web Server part of TSF over http:// or https://)] and upon all operations among Web Server subjects and Web server objects covered by the CONTENT-PROVIDER SFP:

5.1.3.3.2 FDP_ACC.2.2(c) The Web Server part of the TSF shall ensure that all operations between any subject in the CONTENT-PROVIDER TSC and any object within the CONTENT-PROVIDER TSC are covered by an access control the CONTENT-PROVIDER SFP.

5.1.3.4 Indexing Complete Access Control (FDP_ACC.2(d))

5.1.3.4.1 FDP_ACC.2.1(d) The Indexing Service part of the TSF shall enforce the [INDEXING SFP] on [subjects - processes acting on behalf of users (which represent users of the OS part of the TOE/TSF); objects - Documents (files residing within a specific query scope that potentially may be returned by the query)] and upon all operations among Indexing Service subjects and Indexing Service objects covered by the INDEXING SFP:

5.1.3.4.2 FDP_ACC.2.2(d) The Indexing Service part of the TSF shall ensure that all operations between any subject in the INDEXING TSC and any object within the INDEXING TSC are covered by an access control the INDEXING SFP.

5.1.3.5 Discretionary Access Control Functions (FDP_ACF.1(a))

5.1.3.5.1 FDP_ACF.1.1(a) The TSF shall enforce the Discretionary Access Control Policy to objects based on the following:
a) The user identity, group membership(s), and privileges associated with a subject
b) The user private key (only applicable when requesting access to encrypted files or sign data hashes with the TOE CryptSignHash function) associated with a subject
c) The following access control attributes associated with an object: [
   Object Owner
   A Discretionary Access Control List (DACL) that can be either absent, empty, or consist of a list of one or more entries. Each DACL entry has a:
      o Type (allow or deny)
      o User or group identifier
      o Specific object access right bitmasks
      o For directory service (DS) object entries, a globally unique identifier (GUID) indicating a DS-specific object attribute.
   For encrypted file objects, File Encryption Keys (FEKs)
   The defaults for allowed or denied operations are: If a DACL is absent, the object is not protected and all access is granted. If a DACL is present but empty, no access is granted.]. (per International Interpretation #103)

5.1.3.5.2 FDP_ACF.1.2(a) The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [Object access is allowed if at least one of the following conditions is true:
   A DACL entry explicitly grants access to a user, and the access has not been denied by a previous entry in the DACL.
   A DACL entry explicitly grants access to a Group of which the subject is a member, and the access has not been denied by a previous entry in the DACL.
   A DACL is not present.
   The subject is the object owner and the operation is to view the object's DACL or to modify the object's DACL.]

5.1.3.5.3 FDP_ACF.1.3(a) The TSF shall explicitly authorize access of subjects to objects based in the following additional rules: [
   For the following operation, the authorized administrator can bypass the rules listed in FDP_ACF.1.2: Request to change the owner of an object
   For the following operations, only the authorized administrator can be granted access and the rules in FDP_ACF.1.2 do not apply: Request to change or modify the auditing of access attempts to an object
   For encrypted file objects, in addition to meeting FDP_ACF.1.2, the user must have a private key that can decrypt the FEK associated with the file.].

5.1.3.5.4 FDP_ACF.1.4(a) The TSF shall explicitly deny access of subjects to objects based on the following rules: [Object access is explicitly denied if at least one of the below conditions is true:
   A DACL entry explicitly denies access for a user, and the access has not been granted by a previous entry in the DACL.
   A DACL entry explicitly denies access for the group of which the user is a member, and the access has not been granted by a previous entry in the DACL.].
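The following Python program is an added worked example and is not part of the Security Target or of the Windows access check itself. It evaluates the rules of FDP_ACF.1.1(a) through FDP_ACF.1.4(a) over an ordered DACL: the absent/empty defaults, the owner's right to view or modify the DACL, the administrator's additional authorizations, and the ordered allow/deny evaluation in which a deny entry is final only if no earlier entry already granted the right. The object model, the rights bitmask constants and the privilege name "administrator" (standing for the authorized administrator) are assumptions made for the example.

```python
"""Added worked example (not from the Security Target): evaluating the
Discretionary Access Control rules of FDP_ACF.1(a) over an ordered DACL.

Assumptions (not the Windows implementation): an object has an owner and a
DACL that is None (absent), [] (empty) or an ordered list of entries; rights
are bit flags; the privilege "administrator" stands for the authorized
administrator role.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed rights bitmask values for the example.
READ = 0x01
WRITE = 0x02
READ_CONTROL = 0x04            # view the object's DACL
WRITE_DAC = 0x08               # modify the object's DACL
WRITE_OWNER = 0x10             # change the owner of the object
ACCESS_SYSTEM_SECURITY = 0x20  # change the auditing of access attempts


@dataclass
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group identifier
    rights: int    # specific object access right bitmask


@dataclass
class Obj:
    owner: str
    dacl: Optional[List[Ace]]   # None = absent, [] = empty


@dataclass
class Subject:
    user: str
    groups: Set[str] = field(default_factory=set)
    privileges: Set[str] = field(default_factory=set)


def check_access(subject: Subject, obj: Obj, requested: int) -> bool:
    """Return True if every bit of the requested rights mask is granted."""
    is_admin = "administrator" in subject.privileges
    # FDP_ACF.1.3(a): changing the auditing of an object is granted only to
    # the authorized administrator, and the administrator may bypass the DACL
    # rules to change the owner of an object.
    if requested & ACCESS_SYSTEM_SECURITY:
        return is_admin
    if requested & WRITE_OWNER and is_admin:
        return True
    # FDP_ACF.1.2(a): the owner may always view or modify the object's DACL.
    if (subject.user == obj.owner and requested
            and (requested & ~(READ_CONTROL | WRITE_DAC)) == 0):
        return True
    # FDP_ACF.1.1(a) defaults: an absent DACL grants all access, an empty
    # DACL grants none.
    if obj.dacl is None:
        return True
    if not obj.dacl:
        return False
    trustees = {subject.user} | subject.groups
    remaining = requested   # rights not yet granted by an earlier entry
    for ace in obj.dacl:
        if ace.trustee not in trustees:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            # FDP_ACF.1.4(a): a deny entry for a right that no previous
            # entry has granted is final.
            return False
        if ace.kind == "allow":
            remaining &= ~ace.rights
            if remaining == 0:
                # FDP_ACF.1.2(a): every requested right explicitly granted to
                # the user or to one of the user's groups, none denied earlier.
                return True
    # No entry granted the remaining rights: default deny.
    return False


if __name__ == "__main__":
    alice = Subject("alice", groups={"staff"})
    report = Obj(owner="bob", dacl=[Ace("deny", "staff", WRITE),
                                    Ace("allow", "alice", READ | WRITE)])
    print("alice read:", check_access(alice, report, READ))     # True
    print("alice write:", check_access(alice, report, WRITE))   # False
```

The order of entries matters: with the deny entry for "staff" first, Alice's write request is refused even though a later entry grants her READ | WRITE, while swapping the two entries would grant it. That ordering dependence is exactly the "has not been denied by a previous entry" wording of FDP_ACF.1.2(a) and FDP_ACF.1.4(a).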
5.1.3.6 WEBUSER Access Control Functions (FDP_ACF.1(b))

5.1.3.6.1 FDP_ACF.1.1(b) The Web Server part of the TSF shall enforce the [WEBUSER SFP] to controlled-access content objects based on the following types of subject and object security attributes: [
   subjects – Web Server Subjects – web users – process on behalf of users (which are users of the OS part of the TOE/TSF) requesting access:
      o the user identity and group membership(s) associated with a subject
   objects – Web Server objects – web server content (served by the Web Server part of the TSF over http:// or https://)
      o the DACL associated with the object
      o the web permissions associated with an object
      o the URL authorization associated with an object.]

5.1.3.6.2 FDP_ACF.1.2(b) The Web Server part of the TSF shall enforce the following WEBUSER SFP ordered rules to determine if an operation among controlled subjects and controlled objects is allowed: [
(a) For (Web Server) controlled-access content:
   1. If the requested access is denied by the file's DACL associated with the web content to that web user, deny access.
   2. If the requested access is something other than read access, deny access.
   3. If read-only access is permitted to that authorized web user by the file's DACL associated with the web content, grant access.
   4. Otherwise, deny access.
(b) For (Web Server) public content:
   1. If the requested access is something other than read access, deny access.
   2. Grant read-only access to web user.]

5.1.3.6.3 FDP_ACF.1.3(b) The Web Server part of the TSF shall explicitly authorize access of Web Server subjects to Web Server objects based on the following additional WEBUSER SFP rules: [
(a) a web user trying to access an object URL must be authorized to the operation AccessURL, if URL authorization is configured for the object.
(b) a web user may read web server content if the web permission associated with the object allows read access.
(c) a web user may change web server content if the web permission associated with the object allows write access.
(d) a web user may access the source of a web server content if the web permission associated with the object allows access to the source.
(e) a web user may view web server content file lists and collections if the web permission associated with the object allows browsing access.]

5.1.3.6.4 FDP_ACF.1.4(b) The Web Server part of the TSF shall explicitly deny access of Web Server subjects to Web Server objects based on the following additional WEBUSER SFP rules: [
(a) if a web user uses http:// instead of https:// and the web permission associated with the object requires SSL.
(b) if a web user does not use a client certificate and the web permission associated with the object requires SSL and a certificate.
(c) if the web user's certificate is revoked or is invalid and the web permission associated with the object requires SSL and a certificate.
(d) if the authorization setting of a web user determined by an authentication provider does not match the configured authorization setting associated with the object.
(e) if the client certificate mapping setting of a web user determined by an authentication provider does not match the configured client certificate mapping setting associated with the object.
(f) if the web permission requested is not supported (other than those permissions identified in FDP_ACF.1.3)]

5.1.3.7 Content Provider Access Control Functions (FDP_ACF.1(c))

5.1.3.7.1 FDP_ACF.1.1(c) The Web Server part of the TSF shall enforce the [CONTENT-PROVIDER SFP] to objects based on the following types of subject and object security attributes: [
   subjects – Content Providers – processes acting on behalf of users (which are users of the OS part of the TOE/TSF) (which are just users of the OS part of the TOE/TSF)
      o the user identity and group membership(s) associated with a subject
   objects: Web Server Content (served by the Web Server part of the TSF over http:// or https://)
      o the web permissions associated with an object
      o the DACL associated with the object
      o the URL authorization.]

5.1.3.7.2 FDP_ACF.1.2(c) The Web Server part of the TSF shall enforce the following CONTENT-PROVIDER SFP rules to determine if an operation among controlled subjects and controlled objects is allowed: [
(a) The Web Server part of the TOE shall restrict the ability to create or modify content to only those content providers authorized by an authorized administrator.
(b) For (Web Server) controlled-access content:
   1. If the requested access is denied by the file's DACL associated with the web content to that web user, deny access.
   2. If the requested access is something other than read access, deny access.
   3. If read-only access is permitted to that authorized web user by the file's DACL associated with the web content, grant access.
   4. Otherwise, deny access.
(c) For (Web Server) public content:
   1. If the requested access is something other than read access, deny access.
   2. Grant read-only access to web user.]

5.1.3.7.3 FDP_ACF.1.3(c) The Web Server part of the TSF shall explicitly authorize access of subjects to objects based on the following additional CONTENT-PROVIDER SFP rules: [
(a) a content provider trying to access an object URL must be authorized to the operation AccessURL if the URL Authorization is configured for the object.
(b) a content provider may read web server content if the web permission associated with the object allows read access.
(c) a content provider may change web server content if the web permission associated with the object allows write access.
(d) a content provider may access the source of web server content if the web permission associated with the object allows access to the source.
(e) a content provider may view web server content file lists and collections if the web permission associated with the object allows browsing access.]

5.1.3.7.4 FDP_ACF.1.4(c) The Web Server part of the TSF shall explicitly deny access of subjects to objects based on the following additional CONTENT-PROVIDER SFP rules: [
(a) if a content provider uses http:// instead of https:// and the web permission associated with the object requires SSL.
(b) if a content provider does not use a client certificate and the web permission associated with the object requires SSL and a certificate.
(c) if the content provider's certificate is revoked or is invalid and the web permission associated with the object requires SSL and that a certificate be negotiated, or requires SSL and a certificate.
(d) if the authorization setting of a content provider determined by an authentication provider does not match the configured authorization setting associated with the object.
(e) if the client certificate mapping setting of a content provider determined by an authentication provider does not match the configured client certificate mapping setting associated with the object.
(f) if the web permission requested is not supported (other than those permissions identified in FDP_ACF.1.3(c))]
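The following Python program is an added worked example and is not part of the Security Target or of the IIS implementation. It serves both the WEBUSER rules (FDP_ACF.1(b)) and the CONTENT-PROVIDER rules (FDP_ACF.1(c)), whose ordered rules, additional authorizations and explicit denials are the same in substance: the explicit denials of FDP_ACF.1.4 (SSL required, client certificate required, revoked or invalid certificate, unsupported permission) are checked first, then the URL authorization and web permission of FDP_ACF.1.3, and finally the ordered rules of FDP_ACF.1.2 for controlled-access and public content. The request and content models, the operation names, the representation of the DACL decision as a mapping from user to allowed operations, and the certificate state strings are assumptions made for the example.

```python
"""Added worked example (not from the Security Target or IIS): a decision
procedure for the WEBUSER / CONTENT-PROVIDER rules of FDP_ACF.1.2(b)/(c),
FDP_ACF.1.3(b)/(c) and FDP_ACF.1.4(b)/(c).

Assumptions: the DACL decision is supplied as a mapping of user to allowed
operations; web permissions are a set of operation names; URL authorization
is None when not configured; the client certificate state is a string.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# The permissions identified in FDP_ACF.1.3: read, write, source, browse.
SUPPORTED = {"read", "write", "source", "browse"}


@dataclass
class Request:
    user: str
    operation: str
    scheme: str                        # "http" or "https"
    client_cert: Optional[str] = None  # None, "valid", "revoked" or "invalid"


@dataclass
class Content:
    public: bool
    requires_ssl: bool = False
    requires_cert: bool = False
    web_permissions: Set[str] = field(default_factory=set)
    url_authorization: Optional[Set[str]] = None   # users allowed AccessURL, or None
    dacl: Dict[str, Set[str]] = field(default_factory=dict)  # user -> allowed ops


def web_access(req: Request, content: Content) -> Tuple[bool, str]:
    """Return (granted, reason). Explicit denials first, then the additional
    authorization rules, then the ordered content rules."""
    # FDP_ACF.1.4 (a)-(c), (f): explicit denials.
    if content.requires_ssl and req.scheme != "https":
        return False, "SSL required"
    if content.requires_cert:
        if req.client_cert is None:
            return False, "client certificate required"
        if req.client_cert != "valid":
            return False, "client certificate revoked or invalid"
    if req.operation not in SUPPORTED:
        return False, "web permission not supported"
    # FDP_ACF.1.3 (a): URL authorization, when configured for the object.
    if content.url_authorization is not None and req.user not in content.url_authorization:
        return False, "not authorized for AccessURL"
    # FDP_ACF.1.3 (b)-(e): the object's web permission must allow the operation.
    if req.operation not in content.web_permissions:
        return False, "web permission does not allow " + req.operation
    # FDP_ACF.1.2: ordered rules.
    if content.public:
        if req.operation != "read":
            return False, "public content: only read access"        # rule (b)1
        return True, "public content: read-only access granted"     # rule (b)2
    allowed_by_dacl = content.dacl.get(req.user, set())
    if req.operation not in allowed_by_dacl:
        return False, "denied by the file's DACL"                   # rule (a)1 / (a)4
    if req.operation != "read":
        return False, "controlled content: only read access"        # rule (a)2
    return True, "read permitted by the file's DACL"                # rule (a)3


if __name__ == "__main__":
    secure = Content(public=False, requires_ssl=True,
                     web_permissions={"read"}, dacl={"alice": {"read"}})
    print(web_access(Request("alice", "read", "http"), secure))   # (False, 'SSL required')
    print(web_access(Request("alice", "read", "https"), secure))  # (True, ...)
```

Returning the reason alongside the decision is a deliberate choice: a deny decision that names the rule it came from is what an administrator needs in the web server log to tell a misconfigured web permission from a DACL denial or a certificate problem.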
5.1.3.8 Indexing Access Control Functions (FDP_ACF.1(d))

5.1.3.8.1 FDP_ACF.1.1(d) The Indexing Service part of the TSF shall enforce the [INDEXING SFP] to objects based on the following types of subject and object security attributes: [
   subjects - processes acting on behalf of users (which represent users of the OS part of the TOE/TSF)
      o the user identity and group membership(s) associated with a subject
   objects: Documents (residing within a specific query scope that potentially may be returned by the query)
      o the DACL associated with the object.]

5.1.3.8.2 FDP_ACF.1.2(d) The Indexing Service part of the TSF shall enforce the following INDEXING SFP rules to determine if an operation among controlled subjects and controlled objects is allowed: [a) If the DACL grants the requesting user identity read access, the requested access is allowed and the document full path name is added to the document list returned to the user; or b) If the user identity is a member of a group and the DACL grants the group read access, the requested access is allowed and the document full path name is added to the document list returned to the user.]

5.1.3.8.3 FDP_ACF.1.3(d) The Indexing Service part of the TSF shall explicitly authorize access of subjects to objects based on the following additional INDEXING SFP rules: [there are no explicit access authorization rules].

5.1.3.8.4 FDP_ACF.1.4(d) The Indexing Service part of the TSF shall explicitly deny access of subjects to objects based on the following additional INDEXING SFP rules: [there are no explicit access denial rules].

5.1.3.9 IPSec Subset Information Flow Control (FDP_IFC.1(a))

5.1.3.9.1 FDP_IFC.1.1(a) The TSF shall enforce the [IPSec Filter Policy] on: [a) subjects: one TSF sending IP traffic to another TSF or receiving IP traffic from another TSF over the TOE network; (2) information: IP traffic; (3) operation: pass information.].

5.1.3.10 Windows Firewall Connection Subset Information Flow Control (FDP_IFC.1(b))

5.1.3.10.1 FDP_IFC.1.1(b) The TSF shall enforce the [Connection Firewall Policy] on: [a) subjects: one TSF receiving IP traffic from another TSF over the TOE network; b) information: IP traffic; c) operation: receive information.].

5.1.3.11 RPC over HTTP Subset Information Flow Control (FDP_IFC.1(c))

5.1.3.11.1 FDP_IFC.1.1(c) The TSF shall enforce the [RPC over HTTP Connection Policy] on: [a) subjects: one TSF sending RPC over HTTP traffic to a RPC over HTTP proxy subcomponent running on a server machine of the TOE; b) information: RPC over HTTP traffic; c) operation: forward information.].

5.1.3.12 IPSec Simple Security Attributes (FDP_IFF.1(a))

5.1.3.12.1 FDP_IFF.1.1(a) The TSF shall enforce the [IPSec Filter Policy] based on the following types of subject and information security attributes: [a) subject (one TSF sending IP traffic to another TSF or receiving IP traffic from another TSF over the TOE network) security attributes: presumed address; b) information (IP traffic) security attributes: presumed address of source subject; presumed address of destination subject; protocol; source port identification; destination port identification.].

5.1.3.12.2 FDP_IFF.1.2(a) The TSF shall permit an information flow between a controlled subject and another controlled information subject via a controlled operation if the following rules hold: [all the information security attribute values are unambiguously permitted by the IPSec policy filter rules, where such rules may be composed from all possible combinations of the values of the information flow security attributes, created by the authorized administrator]

5.1.3.12.3 FDP_IFF.1.3(a) The TSF shall enforce the [no additional information control SFP rules].

5.1.3.12.4 FDP_IFF.1.4(a) The TSF shall provide the following [no additional SFP capabilities].

5.1.3.12.5 FDP_IFF.1.5(a) The TSF shall explicitly authorize an information flow based on the following rules: [no explicit authorization rules].

5.1.3.12.6 FDP_IFF.1.6(a) The TSF shall explicitly deny an information flow based on the following rules: [no explicit deny rules].

5.1.3.13 Windows Firewall Connection Simple Security Attributes (FDP_IFF.1(b))

5.1.3.13.1 FDP_IFF.1.1(b) The TSF shall enforce the [Windows Firewall Connection Policy] based on the following types of subject and information security attributes: [a) subject (one TSF receiving IP traffic from another TSF over the TOE network) security attributes: Windows Firewall Connection Policy Port Mapping Rules; b) information (IP traffic) security attributes: destination port identification.].

5.1.3.13.2 FDP_IFF.1.2(b) The TSF shall permit an information flow between a controlled subject and another controlled information subject via a controlled operation if the following rules hold: [the incoming packet is a response to previous outgoing packet]

5.1.3.13.3 FDP_IFF.1.3(b) The TSF shall enforce the [no additional information control SFP rules].

5.1.3.13.4 FDP_IFF.1.4(b) The TSF shall provide the following [no additional SFP capabilities].

5.1.3.13.5 FDP_IFF.1.5(b) The TSF shall explicitly authorize an information flow based on the following rules: [the destination port is permitted by the Windows Firewall Connection Policy Port Mapping Rules].

5.1.3.13.6 FDP_IFF.1.6(b) The TSF shall explicitly deny an information flow based on the following rules: [no explicit deny rules].

5.1.3.14 RPC over HTTP Simple Security Attributes (FDP_IFF.1(c))

5.1.3.14.1 FDP_IFF.1.1(c) The TSF shall enforce the [RPC over HTTP Connection Policy] based on the following types of subject and information security attributes: [a) subject (one TSF sending RPC over HTTP traffic to a RPC over HTTP proxy subcomponent running on a server machine of the TOE) security attributes: Valid ports list; b) information (RPC over HTTP traffic) security attributes: Destination port identification; Destination RPC server name identification.].

5.1.3.14.2 FDP_IFF.1.2(c) The TSF shall permit an information flow between a controlled subject and another controlled information subject via a controlled operation if the following rules hold: [The receiving RPC server name and port are listed in the list of valid ports]

5.1.3.14.3 FDP_IFF.1.3(c) The TSF shall enforce the [no additional information control SFP rules].

5.1.3.14.4 FDP_IFF.1.4(c) The TSF shall provide the following [no additional SFP capabilities].

5.1.3.14.5 FDP_IFF.1.5(c) The TSF shall explicitly authorize an information flow based on the following rules: [no explicit permit rules].

5.1.3.14.6 FDP_IFF.1.6(c) The TSF shall explicitly deny an information flow based on the following rules: [no explicit deny rules]
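The following Python program is an added worked example and is not part of the Security Target or of Windows. It models the three information flow policies of FDP_IFF.1(a), (b) and (c) as small decision functions over the security attributes each requirement names: an IPSec filter match on presumed source and destination address, protocol and ports; a connection firewall that accepts inbound traffic only as a response to an earlier outbound packet (FDP_IFF.1.2(b)) or because the destination port is in the Port Mapping Rules (FDP_IFF.1.5(b)); and an RPC over HTTP proxy that forwards only to a server name and port on the valid ports list (FDP_IFF.1.2(c)). The reading of "unambiguously permitted" as "matches at least one permit rule and no block rule", the use of None as a filter wildcard, the five-tuple used to recognise responses, and all addresses and ports are assumptions made for the example.

```python
"""Added worked example (not from the Security Target or Windows): the
information flow policies of FDP_IFF.1(a)/(b)/(c) as decision functions.

Assumptions: an IPSec filter uses None as a wildcard and "unambiguously
permitted" means at least one permit rule and no block rule matches; the
firewall remembers outgoing five-tuples to recognise responses; the RPC
over HTTP valid ports list is a set of (server name, port) pairs.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str       # presumed address of the source subject
    dst: str       # presumed address of the destination subject
    proto: str     # protocol, e.g. "tcp" or "udp"
    sport: int     # source port identification
    dport: int     # destination port identification


@dataclass(frozen=True)
class IpsecFilter:
    action: str                  # "permit" or "block"
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every non-wildcard attribute of the filter must equal the packet's."""
        return all(want is None or want == getattr(pkt, name)
                   for name, want in vars(self).items() if name != "action")


def ipsec_permits(pkt: Packet, filters: Iterable[IpsecFilter]) -> bool:
    """FDP_IFF.1.2(a): pass only when the attribute values are unambiguously
    permitted by the administrator's filter rules; no match, or a mix of
    permit and block matches, does not pass."""
    decisions = {f.action for f in filters if f.matches(pkt)}
    return decisions == {"permit"}


class ConnectionFirewall:
    """FDP_IFF.1(b): inbound traffic is received if it answers an earlier
    outbound packet or its destination port is in the Port Mapping Rules."""

    def __init__(self, port_mapping_rules: Set[Tuple[str, int]]):
        # (proto, port) pairs opened by the authorized administrator.
        self.port_mapping_rules = port_mapping_rules
        self._outgoing: Set[Tuple[str, str, int, str, int]] = set()

    def record_outgoing(self, pkt: Packet) -> None:
        """Remember the five-tuple of a packet this host sent."""
        self._outgoing.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def permit_incoming(self, pkt: Packet) -> bool:
        # FDP_IFF.1.2(b): the incoming packet is a response to a previous
        # outgoing packet (addresses and ports mirrored).
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._outgoing:
            return True
        # FDP_IFF.1.5(b): destination port permitted by the Port Mapping Rules.
        return (pkt.proto, pkt.dport) in self.port_mapping_rules


def rpc_over_http_forwards(server_name: str, port: int,
                           valid_ports: Set[Tuple[str, int]]) -> bool:
    """FDP_IFF.1.2(c): forward only when the receiving RPC server name and
    port are listed in the valid ports list."""
    return (server_name, port) in valid_ports


if __name__ == "__main__":
    # Constructed sample traffic and rules.
    rules = [IpsecFilter("permit", dst="10.0.0.5", proto="tcp", dport=445),
             IpsecFilter("block", src="10.0.9.9")]
    print(ipsec_permits(Packet("10.0.0.7", "10.0.0.5", "tcp", 50000, 445), rules))  # True
    print(ipsec_permits(Packet("10.0.9.9", "10.0.0.5", "tcp", 50000, 445), rules))  # False
    fw = ConnectionFirewall({("tcp", 80)})
    fw.record_outgoing(Packet("10.0.0.5", "192.0.2.1", "tcp", 51000, 443))
    print(fw.permit_incoming(Packet("192.0.2.1", "10.0.0.5", "tcp", 443, 51000)))  # True
```

The IPSec function deliberately refuses a packet that matches both a permit and a block rule instead of picking one by position: that is the conservative reading of "unambiguously permitted", and it makes an overlapping rule set visible as dropped traffic rather than silently resolved.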
1.
3.
15BasicInternalTransferProtection(FDP_ITT.
1)5.
1.
3.
15.
1FDP_ITT.
1.
1TheTSFshallenforcethe[IPSecFilterPolicy]topreventthe[disclosureandmodification]ofuserdatawhenitistransmittedbetweenphysically-separatedpartsoftheTOE.
5.
1.
3.
16ObjectResidualInformationProtection(FDP_RIP.
2)5.
1.
3.
16.
1FDP_RIP.
2.
1TheTSFshallensurethatanypreviousinformationcontentofaresourceismadeunavailableupontheallocationoftheresourcetoallobjects.
MicrosoftCorporation,2008AllRightsReserved.
54Version3.
0,11/19/075.
1.
3.
17WEBUSERBasicDataExchangeConfidentiality(FDP_UCT.
1)5.
1.
3.
17.
1FDP_UCT.
1.
1TheWebServerpartoftheTSFshallenforcethe[WEBUSERSFP]tobeableto[transmitandreceive]WebServercontrolled-accesscontentobjectsinamannerprotectedfromunauthorizeddisclosure5.
1.
3.
18WEBUSERSFPDataExchangeIntegrity(FDP_UIT.
1)5.
1.
3.
18.
1FDP_UIT.
1.
1TheWebServerpartoftheTSFshallenforcethe[WEBUSERSFP]tobeableto[transmitandreceive]WebServercontrolled-accesscontentuserdatainamannerprotectedfrom[modification]errors.
5.
1.
3.
18.
2FDP_UIT.
1.
2TheWebServerpartoftheTSFshallbeabletodetermineonreceiptofWebServercontrolled-accesscontentuserdata,undertheWEBUSERSFP,whether[modification]hasoccurred.
5.
1.
3.
19SubjectResidualInformationProtection(Note1_EX)5.
1.
3.
19.
1Note1_EX.
1TheTSFshallensurethatanypreviousinformationcontentofaresourceismadeunavailableupontheallocationoftheresourcetoallsubjects.
5.
1.
4IdentificationandAuthentication(FIA)5.
1.
3.
1AuthenticationFailureHandling(FIA_AFL.
1)5.
1.
4.
1.
1FIA_AFL.
1.
1TheTSFshalldetectwhen[anadministratorconfigurablepositiveintegerwithinarangeofvaluesacceptabletotheadministrator]unsuccessfulauthenticationattemptsoccurrelatedto[userlogon].
5.
1.
4.
1.
2FIA_AFL.
1.
2Whenthedefinednumberofunsuccessfulauthenticationattemptshasbeenmetorsurpassed,theTSFshall[disabletheuseraccountforanauthorizedadministratorspecifiedduration].
5.
1.
4.
2UserAttributeDefinition(FIA_ATD.
1)5.
1.
4.
2.
1FIA_ATD.
1.
1TheTSFshallmaintainthefollowinglistofsecurityattributesbelongingtoindividualusers:a)UserIdentifier;b)GroupMemberships;c)AuthenticationData;d)Security-relevantRoles;ande)[Private/PublicKeys,Privileges,andLogonRightsonspecificphysicallyseparatedpartsoftheTOE;Allowabletimeanddaytologon;Policyrequiringsmartcardtologon].
MicrosoftCorporation,2008AllRightsReserved.
55Version3.
0,11/19/075.
1.
4.
3VerificationofSecrets(FIA_SOS.
1)5.
1.
4.
3.
1FIA_SOS.
1.
1TheTSFshallprovideamechanismtoverifythatsecretsmeetthefollowing:a)Foreachattempttousetheauthenticationmechanism,theprobabilitythatarandomattemptwillsucceedislessthanonein1,000,0002x1015;b)Formultipleattemptstousetheauthenticationmechanismduringaoneminuteperiod,theprobabilitythatarandomattemptduringthatminutewillsucceedislessthanonein100,00025,000,000,000,000;c)Anyfeedbackgivenduringanattempttousetheauthenticationmechanismwillnotreducetheprobabilitybelowtheabovemetrics;andd)Theauthenticationmechanismmustprovideadelaybetweenattempts,suchthattherecanbenomorethantenattemptsperminute.
5.
1.
4.
4TimingofAuthentication(FIA_UAU.
1)5.
1.
4.
4.
1FIA_UAU.
1.
1TheTSFshallallow[accesstothewebserver]onbehalfofthatusertobeperformedbeforetheuserisauthenticated.
5.
1.
4.
4.
2FIA_UAU.
1.
2TheTSFshallrequireeachusertobesuccessfullyauthenticatedbeforeallowinganyotherTSF-mediatedactionsonbehalfofthatuser.
5.
1.
4.
5Re-authenticating(FIA_UAU.
6)5.
1.
4.
5.
1FIA_UAU.
6.
1TheTSFshallre-authenticatetheuserundertheconditions[assignment:listofconditionsunderwhichre-authenticationisrequired]whenchangingauthenticationdata.
5.
1.
4.
6ProtectedAuthenticationFeedback(FIA_UAU.
7)5.
1.
4.
6.
1FIA_UAU.
7.
1TheTSFshallprovideonlyobscuredfeedbacktotheuserwhiletheauthenticationisinprogress.
5.
1.
4.
7TimingofIdentification(FIA_UID.
1)5.
1.
4.
7.
1FIA_UID.
1.
1TheTSFshallallow[accesstothewebserver]onbehalfofthatuser.
5.
1.
4.
7.
2FIA_UID.
1.
2TheTSFshallrequireeachusertobesuccessfullyidentifiedbeforeallowinganyotherTSF-mediatedactionsonbehalfofthatuser.
MicrosoftCorporation,2008AllRightsReserved.
56Version3.
0,11/19/075.
1.
4.
8UserSubjectBinding(FIA_USB.
1_EX)5.
1.
4.
8.
1FIA_USB.
1_EX.
1TheTSFshallassociatethefollowingusersecurityattributeswithsubjectsactingonthebehalfofthatuser:a)Theuseruniqueidentitywhichisassociatedwithauditableevents;b)TheuseridentityoridentitieswhichareusedtoenforcetheDiscretionaryAccessControlPolicy,andMaximumQuotas(FRU_RSA.
1);c)ThegroupmembershipormembershipsusedtoenforcetheDiscretionaryAccessControlPolicy;d)[Private/PublicKeys,Privileges.
]5.
1.
4.
8.
2FIA_USB.
1_EX.
2TheTSFshallenforcethefollowingrulesontheinitialassociationofusersecurityattributeswithsubjectsactingonthebehalfofauser:a)[Everysubjectwillbeassignedasubsetofsecurityattributesassociatedwiththeuseronwhosebehalfthesubjectwillact.
]5.
1.
4.
8.
3FIA_USB.
1_EX.
3TheTSFshallenforcethefollowingrulesgoverningchangestotheusersecurityattributesassociatedwithsubjectsactingonthebehalfofauser:a)[Subjectsactingonbehalfofuserscannotaddadditionalsecurityattributesbeyondthoseinitiallyassigned.
]5.
1.
5ManagementRequirements(FMT)5.
1.
5.
1ManagementofAudit(FMT_MOF.
1(a))5.
1.
5.
1.
1FMT_MOF.
1.
1(a)TheTSFshallrestricttheabilityto[enable,disable,modifythebehaviorof]thefunction[audit]to[authorizedadministrators].
5.
1.
5.
2ManagementofTOETSFDatainTransmission(FMT_MOF.
1(b))5.
1.
5.
2.
1FMT_MOF.
1.
1(b)TheTSFshallrestricttheabilityto[determinethebehaviorofandmodifythebehaviorof]thefunction[thatprotectTOEDataduringtransmissionbetweenseparatepartsoftheTOE]to[authorizedadministrators].
5.
1.
5.
3ManagementofUnlockingSessions(FMT_MOF.
1(c))5.
1.
5.
3.
1FMT_MOF.
1.
1(c)TheTSFshallrestricttheabilityto[modifythebehaviorof]thefunction[lockedusersession]to[authorizedadministratorsandauthorizeduseroflockedsession].
5.1.5.4 Management of the Web Server (FMT_MOF.1(d))

5.1.5.4.1 FMT_MOF.1.1(d) The Web Server part of the TSF shall restrict the ability to [modify the behaviour of] the function [WEBUSER SFP] to [authorized administrators].

5.1.5.5 Management of Group Policy Calculations (FMT_MOF.1(e))

5.1.5.5.1 FMT_MOF.1.1(e) The TSF shall restrict the ability to [enable] the function [calculation of multiple Group Policies] to [authorized administrators].

5.1.5.6 Management of Object Security Attributes (FMT_MSA.1(a))

5.1.5.6.1 FMT_MSA.1.1(a) The TSF shall enforce the Discretionary Access Control Policy to restrict the ability to modify the security attributes access control attributes associated with a named object to [the owner of the object, subjects with DAC permission to take ownership or to modify the DACL, and subjects with a specific privilege].

5.1.5.7 Management of DAC Object Security Attributes (FMT_MSA.1(b))

5.1.5.7.1 FMT_MSA.1.1(b) The TSF shall enforce the [Discretionary Access Control Policy] to restrict the ability to [delete] the security attributes [File Encryption Keys (FEKs)] to [users with access to one of the private keys used to protect the file encryption key associated with the file and subjects with a specific privilege].

5.1.5.8 Management of IPSec Object Security Attributes (FMT_MSA.1(c))

5.1.5.8.1 FMT_MSA.1.1(c) The TSF shall enforce the [IPSec Filter Policy] to restrict the ability to [modify] the security attributes [IPSec Filter Policy security attributes] to [the authorized administrator].

5.1.5.9 Management of Windows Firewall Connection Object Security Attributes (FMT_MSA.1(d))

5.1.5.9.1 FMT_MSA.1.1(d) The TSF shall enforce the [Windows Firewall Connection Policy] to restrict the ability to [modify] the security attributes [Windows Firewall Connection Policy security attributes] to [the authorized administrator].

5.1.5.10 Management of WEBUSER Object Security Attributes (FMT_MSA.1(e))

5.1.5.10.1 FMT_MSA.1.1(e) The TSF shall enforce the [WEBUSER Policy] to restrict the ability to [modify] the security attributes [WEBUSER Policy security attributes] to [the authorized administrator].
5.1.5.11 Management of CONTENT-PROVIDER Object Security Attributes (FMT_MSA.1(f))

5.1.5.11.1 FMT_MSA.1.1(f) The TSF shall enforce the [CONTENT-PROVIDER Policy] to restrict the ability to [modify] the security attributes [CONTENT-PROVIDER Policy security attributes] to [the authorized administrator].

5.1.5.12 Management of INDEXING Object Security Attributes (FMT_MSA.1(g))

5.1.5.12.1 FMT_MSA.1.1(g) The TSF shall enforce the [INDEXING Policy] to restrict the ability to [modify] the security attributes [INDEXING Policy security attributes] to [the authorized administrator, document owners, or a user who has been granted the WRITE_DAC access to the object].

5.1.5.13 Management of RPC over HTTP Object Security Attributes (FMT_MSA.1(h))

5.1.5.13.1 FMT_MSA.1.1(h) The TSF shall enforce the [RPC over HTTP Connection Policy] to restrict the ability to [modify] the security attributes [Valid ports list] to [the authorized administrator].

5.1.5.14 Valid Password Security Attributes (FMT_MSA_EX.2)

5.1.5.14.1 FMT_MSA_EX.2.1 The TSF shall ensure that only values meeting the password complexity restrictions, if defined by the authorized administrator, are accepted for password security attributes.

5.1.5.15 Static Attribute Initialization (FMT_MSA.3(a))

5.1.5.15.1 FMT_MSA.3.1(a) The TSF shall enforce the Discretionary Access Control Policy to provide restrictive default values for security attributes that are used to enforce the Discretionary Access Control Policy.

5.1.5.15.2 FMT_MSA.3.2(a) The TSF shall allow the [object creator or authorized administrator] to specify alternative initial values to override the default values when an object or information is created.

5.1.5.16 IPSec Static Attribute Initialization (FMT_MSA.3(b))

5.1.5.16.1 FMT_MSA.3.1(b) The TSF shall enforce the [IPSec Filter Policy] to provide [permissive] default values for security attributes that are used to enforce the SFP.

5.1.5.16.2 FMT_MSA.3.2(b) The TSF shall allow the [creator or authorized administrator] to specify alternative initial values to override the default values when an object or information is created.
5.1.5.17 Windows Firewall Connection Static Attribute Initialization (FMT_MSA.3(c))

5.1.5.17.1 FMT_MSA.3.1(c) The TSF shall enforce the [Windows Firewall Connection Policy] to provide [permissive] default values for security attributes that are used to enforce the SFP.

5.1.5.17.2 FMT_MSA.3.2(c) The TSF shall allow the [authorized administrator] to specify alternative initial values to override the default values when an object or information is created.

5.1.5.18 WEBUSER Static Attribute Initialization (FMT_MSA.3(d))

5.1.5.18.1 FMT_MSA.3.1(d) The Web Server part of the TSF shall enforce the [WEBUSER SFP] to provide [restrictive] default values for security attributes that are used to enforce the SFP.

5.1.5.18.2 FMT_MSA.3.2(d) The Web Server part of the TSF shall allow the [authorized administrator] to specify alternative initial values to override the default values when an object or information is created.

5.1.5.19 CONTENT-PROVIDER Static Attribute Initialization (FMT_MSA.3(e))

5.1.5.19.1 FMT_MSA.3.1(e) The Web Server part of the TSF shall enforce the [CONTENT-PROVIDER SFP] to provide [restrictive] default values for security attributes that are used to enforce the SFP.

5.1.5.19.2 FMT_MSA.3.2(e) The Web Server part of the TSF shall allow the [authorized administrator] to specify alternative initial values to override the default values when an object or information is created.

5.1.5.20 INDEXING Static Attribute Initialization (FMT_MSA.3(f))

5.1.5.20.1 FMT_MSA.3.1(f) The TSF shall enforce the [INDEXING SFP] to provide [restrictive] default values for security attributes that are used to enforce the SFP.

5.1.5.20.2 FMT_MSA.3.2(f) The TSF shall allow the [authorized administrator] to specify alternative initial values to override the default values when an object or information is created.

5.1.5.21 RPC over HTTP Static Attribute Initialization (FMT_MSA.3(g))

5.1.5.21.1 FMT_MSA.3.1(g) The TSF shall enforce the [RPC over HTTP Connection SFP] to provide [restrictive] default values for security attributes that are used to enforce the SFP.

5.1.5.21.2 FMT_MSA.3.2(g) The TSF shall allow the [authorized administrator] to specify alternative initial values to override the default values when an object or information is created.
5.1.5.22 Management of the Audit Trail (FMT_MTD.1(a))

5.1.5.22.1 FMT_MTD.1.1(a) The TSF shall restrict the ability to create, delete, and clear the audit trail to authorized administrators.

5.1.5.23 Management of Audited Events (FMT_MTD.1(b))

5.1.5.23.1 FMT_MTD.1.1(b) The TSF shall restrict the ability to modify or observe the set of audited events to authorized administrators.

5.1.5.24 Management of User Attributes (FMT_MTD.1(c))

5.1.5.24.1 FMT_MTD.1.1(c) The TSF shall restrict the ability to initialize and modify the user security attributes, other than authentication data [and private/public keys], to authorized administrators.

5.1.5.25 Management of Authentication Data (FMT_MTD.1(d))

5.1.5.25.1 FMT_MTD.1.1(d) The TSF shall restrict the ability to initialize the authentication data to authorized administrators.

5.1.5.25.2 FMT_MTD.1.2(d) The TSF shall restrict the ability to modify the authentication data to the following:
a) authorized administrators; and
b) users authorized to modify their own authentication data.

5.1.5.26 Management of Account Lock Out Duration (FMT_MTD.1(e))

5.1.5.26.1 FMT_MTD.1.1(e) The TSF shall restrict the ability to [modify] the [duration the user account is disabled after the unsuccessful authentication attempts threshold is exceeded] to [authorized administrators].

5.1.5.27 Management of Minimum Password Length (FMT_MTD.1(f))

5.1.5.27.1 FMT_MTD.1.1(f) The TSF shall restrict the ability to [modify] the [minimum allowable password length] to [authorized administrators].

5.1.5.28 Management of TSF Time (FMT_MTD.1(g))

5.1.5.28.1 FMT_MTD.1.1(g) The TSF shall restrict the ability to [modify] the [TSF representation of time] to [authorized administrators].
5.1.5.29 Management of NTFS Volume Quota Settings (FMT_MTD.1(h))

5.1.5.29.1 FMT_MTD.1.1(h) The TSF shall restrict the ability to [modify] the [quota settings on NTFS volumes] to [authorized administrators].

5.1.5.30 Management of Advisory Warning Message (FMT_MTD.1(i))

5.1.5.30.1 FMT_MTD.1.1(i) The TSF shall restrict the ability to [modify] the [advisory warning message displayed before establishing a user session] to [authorized administrators].

5.1.5.31 Management of Audit Log Size (FMT_MTD.1(j))

5.1.5.31.1 FMT_MTD.1.1(j) The TSF shall restrict the ability to [modify] the [audit log size] to [authorized administrators].

5.1.5.32 Management of User Inactivity Threshold (FMT_MTD.1(k))

5.1.5.32.1 FMT_MTD.1.1(k) The TSF shall restrict the ability to [change default, modify, delete, clear] the [user inactivity threshold for an authorized user during an interactive session] to [the authorized user].

5.1.5.33 Management of TSF Data (for general TSF data) (FMT_MTD.1(l))

5.1.5.33.1 FMT_MTD.1.1(l) The TSF shall restrict the ability to [create, change_default, query, modify, delete, and clear] the [security-relevant TSF data except for audit records, user security attributes, authentication data, and critical cryptographic security parameters] to [the authorized administrator].

5.1.5.34 Management of TSF Data (for reading of authentication data) (FMT_MTD.1(m))

5.1.5.34.1 FMT_MTD.1.1(m) The TSF shall prevent the restrict the ability to [reading] of [authentication data] to [the authorized identified roles].

5.1.5.35 Management of Password Complexity Requirement (FMT_MTD.1(n))

5.1.5.35.1 FMT_MTD.1.1(n) The TSF shall restrict the ability to [modify] the [password complexity requirement] to [authorized administrators].

5.1.5.36 Management of User Private/Public Key Pair (FMT_MTD.1(o))

5.1.5.36.1 FMT_MTD.1.1(o) The TSF shall restrict the ability to [initialize] the [user security attributes private/public key pair] to [authorized administrators and authorized users].
5.1.5.37 Management of WSUS Configuration Settings (FMT_MTD.1(p))

5.1.5.37.1 FMT_MTD.1.1(p) The TSF shall restrict the ability to [modify] the [WSUS configuration settings] to [authorized administrators].

5.1.5.38 Management of Unsuccessful Authentication Attempts Threshold (FMT_MTD.2)

5.1.5.38.1 FMT_MTD.2.1 The TSF shall restrict the specification of the limits for [the unsuccessful authentication attempts threshold] to [authorized administrators].

5.1.5.38.2 FMT_MTD.2.2 The TSF shall take the following action, if the TSF data are at, or exceed, the indicated limits: [the TSF shall disable the user account for an authorized administrator specified duration].

5.1.5.39 Revocation of User Attributes (FMT_REV.1(a))

5.1.5.39.1 FMT_REV.1.1(a) The TSF shall restrict the ability to revoke security attributes associated with the users within the TSC to authorized administrators.

5.1.5.39.2 FMT_REV.1.2(a) The TSF shall enforce the rules:
a) The immediate revocation of security-relevant authorizations; and,
b) [No additional rule].

5.1.5.40 Revocation of Object Attributes (FMT_REV.1(b))

5.1.5.40.1 FMT_REV.1.1(b) The TSF shall restrict the ability to revoke security attributes associated with named objects within the TSC to users authorized to modify the security attributes by the Discretionary Access Control policy.

5.1.5.40.2 FMT_REV.1.2(b) The TSF shall enforce the rules:
a) The access rights associated with an object shall be enforced when an access check is made; and
b) [No additional rule].

5.1.5.41 Time-limited Authorization (FMT_SAE.1)

5.1.5.41.1 FMT_SAE.1.1 The TSF shall restrict the capability to specify an expiration time for [authentication data] to [authorized administrators].

5.1.5.41.2 FMT_SAE.1.2 For each of these security attributes, the TSF shall be able to [lock out the associated user account] after the expiration time for the indicated security attribute has passed.
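FMT_MTD.1(e), FMT_MTD.2 and FMT_SAE.1 together describe one lockout policy: an administrator-set threshold of unsuccessful attempts, an administrator-set duration for which the account is disabled once the threshold is reached, and an administrator-set expiration time for authentication data after which the account is locked out. The following Python models that policy as a small state machine; it is an added illustration, not text from the Security Target and not the Windows implementation, and the class names, the role string and the sample accounts are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    # Constructed values; FMT_MTD.2.1 / FMT_SAE.1.1 let only administrators set them.
    threshold: int = 5                   # unsuccessful attempts before lockout
    lockout_seconds: int = 900           # FMT_MTD.1(e): duration the account is disabled
    password_max_age: int = 60 * 86400   # FMT_SAE.1.1: expiration time for authentication data


@dataclass
class Account:
    name: str
    password_set_at: int   # epoch seconds when the authentication data was last set
    failures: int = 0      # consecutive unsuccessful attempts
    locked_until: int = 0  # epoch seconds; 0 means the account is not locked


class Authenticator:
    """Models the FMT_MTD.2.2 and FMT_SAE.1.2 decisions only; it checks no real credentials."""

    ADMIN_ROLE = "authorized administrator"  # assumed role name

    def __init__(self, policy, accounts, audit=None):
        self.policy = policy
        self.accounts = {a.name: a for a in accounts}
        self.audit = audit if audit is not None else []

    def set_policy(self, role, **changes):
        # FMT_MTD.2.1 / FMT_SAE.1.1: only the administrator role may change the limits.
        if role != self.ADMIN_ROLE:
            self.audit.append(("policy_change_denied", role))
            return False
        for key, value in changes.items():
            if not hasattr(self.policy, key) or value <= 0:
                raise ValueError(key)
            setattr(self.policy, key, value)
        self.audit.append(("policy_changed", tuple(sorted(changes))))
        return True

    def attempt(self, name, credential_ok, now):
        acct = self.accounts.get(name)
        if acct is None:
            return "denied"
        # The administrator-specified lockout duration has elapsed: re-enable the account.
        if acct.locked_until and now >= acct.locked_until:
            acct.locked_until = 0
            acct.failures = 0
        if acct.locked_until:
            self.audit.append(("attempt_while_locked", name, now))
            return "locked"
        # FMT_SAE.1.2: authentication data past its expiration time locks the account out.
        if now - acct.password_set_at > self.policy.password_max_age:
            self.audit.append(("auth_data_expired", name, now))
            return "expired"
        if credential_ok:
            acct.failures = 0
            self.audit.append(("logon_success", name, now))
            return "ok"
        acct.failures += 1
        self.audit.append(("logon_failure", name, now, acct.failures))
        # FMT_MTD.2.2: at or above the threshold, disable the account for the set duration.
        if acct.failures >= self.policy.threshold:
            acct.locked_until = now + self.policy.lockout_seconds
            self.audit.append(("account_locked", name, acct.locked_until))
            return "locked"
        return "denied"


def demo():
    """Walks the constructed scenario and returns the decision for each step."""
    policy = LockoutPolicy(threshold=3, lockout_seconds=600, password_max_age=30 * 86400)
    auth = Authenticator(policy, [Account("alice", password_set_at=2_990_000),
                                  Account("bob", password_set_at=0)])
    t = 3_000_000
    results = [auth.set_policy("user", threshold=100)]          # non-admin: refused
    for i in range(3):                                           # three bad passwords
        results.append(auth.attempt("alice", False, t + i))      # denied, denied, locked
    results.append(auth.attempt("alice", True, t + 10))          # correct password, still locked
    results.append(auth.attempt("alice", True, t + 700))         # lockout elapsed: ok
    results.append(auth.attempt("bob", True, t))                 # authentication data expired
    return results


if __name__ == "__main__":
    print(demo())
```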
5.1.5.42 Specification of Management Functions (FMT_SMF.1)

5.1.5.42.1 FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions: [
a) modify access control attributes associated with an object
b) delete encryption policy attributes associated with a file
c) enable, disable, modify the behaviour of the audit function
d) determine and modify the behaviour of the function that protects data during transmission between parts of the TOE
e) modify the behaviour of the locked user session function
f) clear the audit trail
g) modify the set of events to be audited
h) read the audited events
i) initialize and modify user security attributes
j) modify the duration the user account is disabled after the unsuccessful authentication attempts threshold is exceeded
k) modify the minimum allowable password length
l) modify the quota settings on NTFS volumes
m) modify the advisory warning message displayed before establishment of a user session
n) modify the audit log size
o) modify the password complexity restriction
p) modify the unsuccessful authentication attempts threshold
q) modify the time
r) calculate the effect of multiple Group Policies on users and/or computers
s) modify information flow policy attributes
t) modify Windows Server Update Services configuration settings].

5.1.5.43 Security Roles (FMT_SMR.1)

5.1.5.43.1 FMT_SMR.1.1 The TSF shall maintain the roles:
a) Authorized administrator;
b) Users authorized by the Discretionary Access Control Policy to modify object security attributes;
c) Users authorized to modify their own authentication data and unlock the local user session; and
d) [object creator - Users that create objects].

5.1.5.43.2 FMT_SMR.1.2 The TSF shall be able to associate users with roles.

5.1.5.44 Assuming Roles (FMT_SMR.3)

5.1.5.44.1 FMT_SMR.3.1 The TSF shall require an explicit request to assume the following roles: [assignment: the roles] any role.
5.1.6 Protection of the TOE Security Functions (FPT)

5.1.6.1 Internal Data Transfer Protection (TRANSFER_PROT_EX.1)

5.1.6.1.1 TRANSFER_PROT_EX.1.1 The TSF shall be able to protect data from disclosure and modification when it is transmitted between separate parts of the TOE through the use of encryption.

5.1.6.2 Internal TSF Data Integrity Monitoring (TRANSFER_PROT_EX.3)

5.1.6.2.1 TRANSFER_PROT_EX.3.1 The TSF shall be able to detect [modification, insertion and replay of data] for data transmitted between separate parts of the TOE through the use of cryptographic means.

5.1.6.2.2 TRANSFER_PROT_EX.3.2 Upon detection of a data integrity error, the TSF shall take the following actions: [
a) reject data
b) audit event]

5.1.6.3 Abstract Machine Testing (FPT_AMT.1)

5.1.6.3.1 FPT_AMT.1.1 The TSF shall run a suite of tests during Windows Server 2003 Common Criteria evaluation to demonstrate the correct operation of the security assumptions provided by the abstract machine that underlies the TSF.

5.1.6.4 Replay Detection (FPT_RPL_EX.1)

5.1.6.4.1 FPT_RPL_EX.1.1 The TSF shall be able to detect replay of TSF data transmitted between separate parts of the TOE through the use of cryptographic means.

5.1.6.5 Partial System Restore (FPT_RST_EX.1)

5.1.6.5.1 FPT_RST_EX.1.1 The XP part of the TSF shall allow an authorized administrator to initiate a return of the following portions of the TSF data to a previous automatically archived state:
a) Registry
b) Profiles (local only; roaming user profiles are not impacted by restore)
c) COM+ database
d) Windows File Protection (WFP) cache
e) WMI database
f) Files with extensions listed in the portion of the Monitored File Extensions list
5.1.6.5.2 FPT_RST_EX.1.2 The XP part of the TSF shall return the TOE data to the previous automatically archived state upon an authorized administrator's initiation.

5.1.6.6 Non-bypassability of the TSP (FPT_RVM.1)

5.1.6.6.1 FPT_RVM.1.1 The TSF shall ensure that the TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed.

5.1.6.7 TSF Domain Separation (FPT_SEP.1)

5.1.6.7.1 FPT_SEP.1.1 The TSF shall maintain a security domain for its own execution that protects it from interference and tampering by untrusted subjects.

5.1.6.7.2 FPT_SEP.1.2 The TSF shall enforce separation between the security domains of subjects in the TSC.

5.1.6.8 TSF Hardware Protection (FPT_SEP_EX.1)

5.1.6.8.1 FPT_SEP_EX.1.1 The TSF in 64-bit architectures shall allow a subject to choose an option whereby the TSF shall prevent the subject from executing data on a memory page that is not marked for execution.

5.1.6.8.2 FPT_SEP_EX.1.2 The TSF shall prevent a subject from executing data on a memory page that is not marked for execution after the subject has selected such an option.

5.1.6.9 Reliable Time Stamp (FPT_STM.1)

5.1.6.9.1 FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its own use.

5.1.6.10 WSUS Update Installation (FPT_SUS_EX.1)

5.1.6.10.1 FPT_SUS_EX.1.1 The WSUS part of the TSF shall install administrator-specified updates from the list of available updates on administrator-specified TOE machines.
5.1.6.11 WSUS Update Advertisement (FPT_SUS_EX.2)

5.1.6.11.1 FPT_SUS_EX.2.1 The WSUS part of the TSF shall advertise the availability of software updates imported by the authorized administrator to TOE machines within the evaluated configurations.

5.1.6.12 WSUS Update Import (FPT_SUS_EX.3)

5.1.6.12.1 FPT_SUS_EX.3.1 The WSUS part of the TSF shall restrict the ability to import software updates for distribution within the TOE evaluated configurations to authorized administrators.

5.1.6.13 WSUS Update Distribution Approval (FPT_SUS_EX.4)

5.1.6.13.1 FPT_SUS_EX.4.1 The WSUS part of the TSF shall restrict the ability to approve software updates for distribution within the TOE evaluated configurations to authorized administrators.

5.1.6.14 Application of WSUS Updates (FPT_SUS_EX.5)

5.1.6.14.1 FPT_SUS_EX.5.1 The TSF shall poll the WSUS Server part of the TSF looking for new updates.

5.1.6.14.2 FPT_SUS_EX.5.2 The WSUS Server part of the TSF shall ensure only updates created by Microsoft are installed.

5.1.6.14.3 FPT_SUS_EX.5.3 The TSF shall download and install administrator approved updates from the WSUS Server part of the TSF.

5.1.6.15 WSUS Update Deadlines (FPT_SUS_EX.6)

5.1.6.15.1 FPT_SUS_EX.6.1 The TSF shall restrict the ability to enforce an update deadline for updates to be installed to authorized administrators.

5.1.6.15.2 FPT_SUS_EX.6.2 The TSF shall enforce the rule that update deadlines can be immediately applied.

5.1.6.16 Internal TSF Data Consistency (FPT_TRC_EX.1)

5.1.6.16.1 FPT_TRC_EX.1.1 The TSF shall ensure that TSF data is consistent between parts of the TOE by providing a mechanism to bring inconsistent TSF data into a consistent state upon replication between parts of the TOE.
5.1.7 Resource Utilization (FRU)

5.1.7.1 Maximum Quotas (FRU_RSA.1)

5.1.7.1.1 FRU_RSA.1.1 The TSF shall enforce maximum quotas of the following resources: [NTFS volumes] that [individual users] can use [simultaneously].

5.1.8 TOE Access (FTA)

5.1.8.1 Limitation on Scope of Selectable Attributes (FTA_LSA_EX.1)

5.1.8.1.1 FTA_LSA_EX.1.1 The TSF shall restrict the scope of session security attributes [roles and user privileges], based on [location, time, and day] if part of a domain.

5.1.8.2 Basic Limitation on Multiple Concurrent Sessions (FTA_MCS_EX.1)

5.1.8.2.1 FTA_MCS_EX.1.1 The TSF shall enforce a maximum number of concurrent interactive sessions per user, if part of a domain.

5.1.8.2.2 FTA_MCS_EX.1.2 The TSF shall allow an authorized administrator to set the maximum number of concurrent interactive sessions per user, if part of a domain.

5.1.8.3 TSF-Initiated Session Locking (FTA_SSL.1)

5.1.8.3.1 FTA_SSL.1.1 The TSF shall lock an interactive session after [a user-selected interval of inactivity or an administrator specified time interval of user inactivity] by:
a) Clearing or overwriting display devices, making the current contents unreadable;
b) Disabling any activity of the user's data access/display devices other than unlocking the session.

5.1.8.3.2 FTA_SSL.1.2 The TSF shall require the following events to occur prior to unlocking the session: [Re-authenticate the user.]

5.1.8.4 User-Initiated Session Locking (FTA_SSL.2)

5.1.8.4.1 FTA_SSL.2.1 The TSF shall allow user-initiated locking of the user's own interactive session by:
a) Clearing or overwriting display devices, making the current contents unreadable;
b) Disabling any activity of the user's data access/display devices other than unlocking the session.
5.1.8.4.2 FTA_SSL.2.2 The TSF shall require the following events to occur prior to unlocking the session: [Re-authenticate the user.]

5.1.8.5 WEBUSER TSF-Initiated Termination (FTA_SSL.3)

5.1.8.5.1 FTA_SSL.3.1 The Web Server part of the TSF shall terminate a remote interactive http:// or https:// session after [an administrator configurable time interval of session inactivity].

5.1.8.6 Default TOE Access Banners (FTA_TAB.1)

5.1.8.6.1 FTA_TAB.1.1 Before establishing a user session, the TSF shall display an authorized-administrator specified advisory notice and consent warning message regarding unauthorized use of the TOE.

5.1.8.7 TOE Session Establishment (FTA_TSE.1)

5.1.8.7.1 FTA_TSE.1.1 The TSF shall be able to deny session establishment based on [authentication data expiration, location, time, and day].

5.1.9 Trusted Path/Channels

5.1.9.1 Trusted Path (FTP_TRP.1)

5.1.9.1.1 FTP_TRP.1.1 The TSF shall provide a communication path between itself and [local] users that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from modification or disclosure.

5.1.9.1.2 FTP_TRP.1.2 The TSF shall permit [local and remote users] to initiate the communication via the trusted path.

5.1.9.1.3 FTP_TRP.1.3 The TSF shall require the use of the trusted path for [initial user authentication with password, initial user authentication with smart card, session unlocking, and changing user password when the TSF requests/notifies (via the trusted path) the user of the user account, to which the password belongs, to change password].

5.2 TOE SARs

The SARs for the TOE are the EAL4 components augmented with ALC_FLR.3 as specified in Part 3 of the CC. No operations are applied to the assurance components.

Interpreted Requirements

Requirements that have been modified based upon an International Interpretation are identified by an italicized parenthetic comment following the requirement element that has been modified (e.g. (per International Interpretation #51)).
Table 5-5 EAL4 Assurance Components

Assurance Class                  Assurance Components
Configuration Management (ACM)   ACM_AUT.1 Partial CM Automation
                                 ACM_CAP.4 Generation Support and Acceptance Procedures
                                 ACM_SCP.2 Problem Tracking CM Coverage
Delivery and Operation (ADO)     ADO_DEL.2 Detection of Modification
                                 ADO_IGS.1 Installation, Generation, and Start-up Procedures
Development (ADV)                ADV_FSP.2 Fully Defined External Interfaces
                                 ADV_HLD.2 Security Enforcing High-level Design
                                 ADV_IMP.1 Subset of the Implementation of the TSF
                                 ADV_LLD.1 Descriptive Low-level Design
                                 ADV_RCR.1 Informal Correspondence Demonstration
                                 ADV_SPM.1 Informal TOE Security Policy Model
Guidance Documents (AGD)         AGD_ADM.1 Administrator Guidance
                                 AGD_USR.1 User Guidance
Life cycle support (ALC)         ALC_DVS.1 Identification of Security Measures
                                 ALC_FLR.3 Systematic Flaw Remediation
                                 ALC_LCD.1 Developer Defined Life-cycle Model
                                 ALC_TAT.1 Well-defined Development Tools
Tests (ATE)                      ATE_COV.2 Analysis of Coverage
                                 ATE_DPT.1 Testing: High-level Design
                                 ATE_FUN.1 Functional Testing
                                 ATE_IND.2 Independent Testing - Sample
Vulnerability assessment (AVA)   AVA_MSU.2 Validation of Analysis
                                 AVA_SOF.1 Strength of TOE Security Function Evaluation
                                 AVA_VLA.2 Independent Vulnerability Analysis

5.2.1 Configuration Management (ACM)

5.2.1.1 Partial CM Automation (ACM_AUT.1)

5.2.1.1.1 ACM_AUT.1.1D The developer shall use a CM system.

5.2.1.1.2 ACM_AUT.1.2D The developer shall provide a CM plan.
5.2.1.1.3 ACM_AUT.1.1C The CM system shall provide an automated means by which only authorized changes are made to the TOE implementation representation.

5.2.1.1.4 ACM_AUT.1.2C The CM system shall provide an automated means to support the generation of the TOE.

5.2.1.1.5 ACM_AUT.1.3C The CM plan shall describe the automated tools used in the CM system.

5.2.1.1.6 ACM_AUT.1.4C The CM plan shall describe how the automated tools are used in the CM system.

5.2.1.1.7 ACM_AUT.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.1.2 Generation Support and Acceptance Procedures (ACM_CAP.4)

5.2.1.2.1 ACM_CAP.4.1D The developer shall provide a reference for the TOE.

5.2.1.2.2 ACM_CAP.4.2D The developer shall use a CM system.

5.2.1.2.3 ACM_CAP.4.3D The developer shall provide CM documentation.

5.2.1.2.4 ACM_CAP.4.1C The reference for the TOE shall be unique to each version of the TOE.

5.2.1.2.5 ACM_CAP.4.2C The TOE shall be labeled with its reference.

5.2.1.2.6 ACM_CAP.4.3C The CM documentation shall include a configuration list, a CM plan, and an acceptance plan.

5.2.1.2.7 ACM_CAP.4.NewC The configuration list shall uniquely identify all configuration items that comprise the TOE. (per International Interpretation #3)

5.2.1.2.8 ACM_CAP.4.4C The configuration list shall describe the configuration items that comprise the TOE.
5.2.1.2.9 ACM_CAP.4.5C The CM documentation shall describe the method used to uniquely identify the configuration items.

5.2.1.2.10 ACM_CAP.4.6C The CM system shall uniquely identify all configuration items.

5.2.1.2.11 ACM_CAP.4.7C The CM plan shall describe how the CM system is used.

5.2.1.2.12 ACM_CAP.4.8C The evidence shall demonstrate that the CM system is operating in accordance with the CM plan.

5.2.1.2.13 ACM_CAP.4.9C The CM documentation shall provide evidence that all configuration items have been and are being effectively maintained under the CM system.

5.2.1.2.14 ACM_CAP.4.10C The CM system shall provide measures such that only authorized changes are made to the configuration items.

5.2.1.2.15 ACM_CAP.4.11C The CM system shall support the generation of the TOE.

5.2.1.2.16 ACM_CAP.4.12C The acceptance plan shall describe the procedures used to accept modified or newly created configuration items as part of the TOE.

5.2.1.2.17 ACM_CAP.4.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.1.3 Problem Tracking CM Coverage (ACM_SCP.2)

5.2.1.3.1 ACM_SCP.2.1D The developer shall provide a list of configuration items for the TOE. (per International Interpretation #4)

5.2.1.3.2 ACM_SCP.2.1C The list of configuration items shall include the following: implementation representation; security flaws; and the evaluation evidence required by the assurance components in the ST. (per International Interpretation #4 and #38)

5.2.1.3.3 ACM_SCP.2.2C (this element has been deleted per International Interpretation #4)
5.2.1.3.4 ACM_SCP.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.2 Delivery and Operation (ADO)

5.2.2.1 Detection of Modification (ADO_DEL.2)

5.2.2.1.1 ADO_DEL.2.1D The developer shall document procedures for delivery of the TOE or parts of it to the user.

5.2.2.1.2 ADO_DEL.2.2D The developer shall use the delivery procedures.

5.2.2.1.3 ADO_DEL.2.1C The delivery documentation shall describe all procedures that are necessary to maintain security when distributing versions of the TOE to a user's site.

5.2.2.1.4 ADO_DEL.2.2C The delivery documentation shall describe how the various procedures and technical measures provide for the detection of modifications, or any discrepancy between the developer's master copy and the version received at the user site.

5.2.2.1.5 ADO_DEL.2.3C The delivery documentation shall describe how the various procedures allow detection of attempts to masquerade as the developer, even in cases in which the developer has sent nothing to the user's site.

5.2.2.1.6 ADO_DEL.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.2.2 Installation, Generation, and Start-up Procedures (ADO_IGS.1)

5.2.2.2.1 ADO_IGS.1.1D The developer shall document procedures necessary for the secure installation, generation, and start-up of the TOE.

5.2.2.2.2 ADO_IGS.1.1C The installation, generation and start-up documentation shall describe all the steps necessary for secure installation, generation and start-up of the TOE. (per International Interpretation #51)

5.2.2.2.3 ADO_IGS.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.2.2.4 ADO_IGS.1.2E The evaluator shall determine that the installation, generation, and start-up procedures result in a secure configuration.

5.2.3 Development (ADV)

5.2.3.1 Fully Defined External Interfaces (ADV_FSP.2)

5.2.3.1.1 ADV_FSP.2.1D The developer shall provide a functional specification.

5.2.3.1.2 ADV_FSP.2.1C The functional specification shall describe the TSF and its external interfaces using an informal style.

5.2.3.1.3 ADV_FSP.2.2C The functional specification shall be internally consistent.

5.2.3.1.4 ADV_FSP.2.3C The functional specification shall describe the purpose and method of use of all external TSF interfaces, providing complete details of all effects, exceptions and error messages.

5.2.3.1.5 ADV_FSP.2.4C The functional specification shall completely represent the TSF.

5.2.3.1.6 ADV_FSP.2.5C The functional specification shall include rationale that the TSF is completely represented.

5.2.3.1.7 ADV_FSP.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.3.1.8 ADV_FSP.2.2E The evaluator shall determine that the functional specification is an accurate and complete instantiation of the TOE security functional requirements.

5.2.3.2 Security Enforcing High-level Design (ADV_HLD.2)

5.2.3.2.1 ADV_HLD.2.1D The developer shall provide the high-level design of the TSF.

5.2.3.2.2 ADV_HLD.2.1C The presentation of the high-level design shall be informal.
5.2.3.2.3 ADV_HLD.2.2C The high-level design shall be internally consistent.

5.2.3.2.4 ADV_HLD.2.3C The high-level design shall describe the structure of the TSF in terms of subsystems.

5.2.3.2.5 ADV_HLD.2.4C The high-level design shall describe the security functionality provided by each subsystem of the TSF.

5.2.3.2.6 ADV_HLD.2.5C The high-level design shall identify any underlying hardware, firmware, and/or software required by the TSF with a presentation of the functions provided by the supporting protection mechanisms implemented in that hardware, firmware, or software.

5.2.3.2.7 ADV_HLD.2.6C The high-level design shall identify all interfaces to the subsystems of the TSF.

5.2.3.2.8 ADV_HLD.2.7C The high-level design shall identify which of the interfaces to the subsystems of the TSF are externally visible.

5.2.3.2.9 ADV_HLD.2.8C The high-level design shall describe the purpose and method of use of all interfaces to the subsystems of the TSF, providing details of effects, exceptions and error messages, as appropriate.

5.2.3.2.10 ADV_HLD.2.9C The high-level design shall describe the separation of the TOE into TSP-enforcing and other subsystems.

5.2.3.2.11 ADV_HLD.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.3.2.12 ADV_HLD.2.2E The evaluator shall determine that the high-level design is an accurate and complete instantiation of the TOE security functional requirements.

5.2.3.3 Subset of the Implementation of the TSF (ADV_IMP.1)

5.2.3.3.1 ADV_IMP.1.1D The developer shall provide the implementation representation for a selected subset of the TSF.

5.2.3.3.2 ADV_IMP.1.1C The implementation representation shall unambiguously define the TSF to a level of detail such that the TSF can be generated without further design decisions.
5.2.3.3.3 ADV_IMP.1.2C The implementation representation shall be internally consistent.

5.2.3.3.4 ADV_IMP.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.3.3.5 ADV_IMP.1.2E The evaluator shall determine that the least abstract TSF representation provided is an accurate and complete instantiation of the TOE security functional requirements.

5.2.3.4 Descriptive Low-level Design (ADV_LLD.1)

5.2.3.4.1 ADV_LLD.1.1D The developer shall provide the low-level design of the TSF.

5.2.3.4.2 ADV_LLD.1.1C The presentation of the low-level design shall be informal.

5.2.3.4.3 ADV_LLD.1.2C The low-level design shall be internally consistent.

5.2.3.4.4 ADV_LLD.1.3C The low-level design shall describe the TSF in terms of modules.

5.2.3.4.5 ADV_LLD.1.4C The low-level design shall describe the purpose of each module.

5.2.3.4.6 ADV_LLD.1.5C The low-level design shall define the interrelationships between the modules in terms of provided security functionality and dependencies on other modules.

5.2.3.4.7 ADV_LLD.1.6C The low-level design shall describe how each TSP-enforcing function is provided.

5.2.3.4.8 ADV_LLD.1.7C The low-level design shall identify all interfaces to the modules of the TSF.

5.2.3.4.9 ADV_LLD.1.8C The low-level design shall identify which of the interfaces to the modules of the TSF are externally visible.

5.2.3.4.10 ADV_LLD.1.9C The low-level design shall describe the purpose and method of use of all interfaces to the modules of the TSF, providing details of effects, exceptions and error messages, as appropriate.
MicrosoftCorporation,2008AllRightsReserved.
76Version3.
0,11/19/075.
2.
3.
4.
11ADV_LLD.
1.
10CThelow-leveldesignshalldescribetheseparationoftheTOEintoTSP-enforcingandothermodules.
5.
2.
3.
4.
12ADV_LLD.
1.
1ETheevaluatorshallconfirmthattheinformationprovidedmeetsallrequirementsforcontentandpresentationofevidence.
5.
2.
3.
4.
13ADV_LLD.
1.
2ETheevaluatorshalldeterminethatthelow-leveldesignisanaccurateandcompleteinstantiationoftheTOEsecurityfunctionalrequirements.
5.2.3.5 Informal Correspondence Demonstration (ADV_RCR.1)
5.2.3.5.1 ADV_RCR.1.1D The developer shall provide an analysis of correspondence between all adjacent pairs of TSF representations that are provided.
5.2.3.5.2 ADV_RCR.1.1C For each adjacent pair of provided TSF representations, the analysis shall demonstrate that all relevant security functionality of the more abstract TSF representation is correctly and completely refined in the less abstract TSF representation.
5.2.3.5.3 ADV_RCR.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.3.6 Informal TOE Security Policy Model (ADV_SPM.1)
5.2.3.6.1 ADV_SPM.1.1D The developer shall provide a TSP model.
5.2.3.6.2 ADV_SPM.1.2D The developer shall demonstrate correspondence between the functional specification and the TSP model.
5.2.3.6.3 ADV_SPM.1.1C The TSP model shall be informal.
5.2.3.6.4 ADV_SPM.1.2C The TSP model shall describe the rules and characteristics of all policies of the TSP that can be modeled.
5.2.3.6.5 ADV_SPM.1.3C The TSP model shall include a rationale that demonstrates that it is consistent and complete with respect to all policies of the TSP that can be modeled.
5.2.3.6.6 ADV_SPM.1.4C The demonstration of correspondence between the TSP model and the functional specification shall show that all of the security functions in the functional specification are consistent and complete with respect to the TSP model.
5.2.3.6.7 ADV_SPM.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.4 Guidance Documents (AGD)
5.2.4.1 Administrator Guidance (AGD_ADM.1)
5.2.4.1.1 AGD_ADM.1.1D The developer shall provide administrator guidance addressed to system administrative personnel.
5.2.4.1.2 AGD_ADM.1.1C The administrator guidance shall describe the administrative functions and interfaces available to the administrator of the TOE.
5.2.4.1.3 AGD_ADM.1.2C The administrator guidance shall describe how to administer the TOE in a secure manner.
5.2.4.1.4 AGD_ADM.1.3C The administrator guidance shall contain warnings about functions and privileges that should be controlled in a secure processing environment.
5.2.4.1.5 AGD_ADM.1.4C The administrator guidance shall describe all assumptions regarding user behavior that are relevant to secure operation of the TOE.
5.2.4.1.6 AGD_ADM.1.5C The administrator guidance shall describe all security parameters under the control of the administrator, indicating secure values as appropriate.
5.2.4.1.7 AGD_ADM.1.6C The administrator guidance shall describe each type of security-relevant event relative to the administrative functions that need to be performed, including changing the security characteristics of entities under the control of the TSF.
5.2.4.1.8 AGD_ADM.1.7C The administrator guidance shall be consistent with all other documentation supplied for evaluation.
5.2.4.1.9 AGD_ADM.1.8C The administrator guidance shall describe all security requirements on the IT environment that are relevant to the administrator.
5.2.4.1.10 AGD_ADM.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.4.2 User Guidance (AGD_USR.1)
5.2.4.2.1 AGD_USR.1.1D The developer shall provide user guidance.
5.2.4.2.2 AGD_USR.1.1C The user guidance shall describe the functions and interfaces available to the non-administrative users of the TOE.
5.2.4.2.3 AGD_USR.1.2C The user guidance shall describe the use of user-accessible security functions provided by the TOE.
5.2.4.2.4 AGD_USR.1.3C The user guidance shall contain warnings about user-accessible functions and privileges that should be controlled in a secure processing environment.
5.2.4.2.5 AGD_USR.1.4C The user guidance shall clearly present all user responsibilities necessary for secure operation of the TOE, including those related to assumptions regarding user behavior found in the statement of TOE security environment.
5.2.4.2.6 AGD_USR.1.5C The user guidance shall be consistent with all other documentation supplied for evaluation.
5.2.4.2.7 AGD_USR.1.6C The user guidance shall describe all security requirements on the IT environment that are relevant to the user.
5.2.4.2.8 AGD_USR.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.5 Life Cycle Support (ALC)
5.2.5.1 Identification of Security Measures (ALC_DVS.1)
5.2.5.1.1 ALC_DVS.1.1D The developer shall produce development security documentation.
5.2.5.1.2 ALC_DVS.1.1C The development security documentation shall describe all the physical, procedural, personnel, and other security measures that are necessary to protect the confidentiality and integrity of the TOE design and implementation in its development environment.
5.2.5.1.3 ALC_DVS.1.2C The development security documentation shall provide evidence that these security measures are followed during the development and maintenance of the TOE.
5.2.5.1.4 ALC_DVS.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.5.1.5 ALC_DVS.1.2E The evaluator shall confirm that the security measures are being applied.
5.2.5.2 Systematic Flaw Remediation (ALC_FLR.3)
5.2.5.2.1 ALC_FLR.3.1D The developer shall document the flaw remediation procedures.
5.2.5.2.2 ALC_FLR.3.2D The developer shall establish a procedure for accepting and acting upon user reports of security flaws and requests for corrections to those flaws.
5.2.5.2.3 ALC_FLR.3.3D The developer shall designate one or more specific points of contact for user reports and inquiries about security issues involving the TOE.
5.2.5.2.4 ALC_FLR.3.1C The flaw remediation procedures documentation shall describe the procedures used to track all reported security flaws in each release of the TOE.
5.2.5.2.5 ALC_FLR.3.2C The flaw remediation procedures shall require that a description of the nature and effect of each security flaw be provided, as well as the status of finding a correction to that flaw.
5.2.5.2.6 ALC_FLR.3.3C The flaw remediation procedures shall require that corrective actions be identified for each of the security flaws.
5.2.5.2.7 ALC_FLR.3.4C The flaw remediation procedures documentation shall describe the methods used to provide flaw information, corrections and guidance on corrective actions to TOE users.
5.2.5.2.8 ALC_FLR.3.5C The procedures for processing reported security flaws shall ensure that any reported flaws are corrected and the correction issued to TOE users.
5.2.5.2.9 ALC_FLR.3.6C The procedures for processing reported security flaws shall provide safeguards that any corrections to these security flaws do not introduce any new flaws.
5.2.5.2.10 ALC_FLR.3.7C The flaw remediation procedures shall include a procedure requiring timely responses for the automatic distribution of security flaw reports and the associated corrections to registered users who might be affected by the security flaw.
5.2.5.2.11 ALC_FLR.3.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.5.3 Developer Defined Life-cycle Model (ALC_LCD.1)
5.2.5.3.1 ALC_LCD.1.1D The developer shall establish a life-cycle model to be used in the development and maintenance of the TOE.
5.2.5.3.2 ALC_LCD.1.2D The developer shall provide life-cycle definition documentation.
5.2.5.3.3 ALC_LCD.1.1C The life-cycle definition documentation shall describe the model used to develop and maintain the TOE.
5.2.5.3.4 ALC_LCD.1.2C The life-cycle model shall provide for the necessary control over the development and maintenance of the TOE.
5.2.5.3.5 ALC_LCD.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.5.4 Well-defined Development Tools (ALC_TAT.1)
5.2.5.4.1 ALC_TAT.1.1D The developer shall identify the development tools being used for the TOE.
5.2.5.4.2 ALC_TAT.1.2D The developer shall document the selected implementation-dependent options of the development tools.
5.2.5.4.3 ALC_TAT.1.1C All development tools used for implementation shall be well defined.
5.2.5.4.4 ALC_TAT.1.2C The documentation of the development tools shall unambiguously define the meaning of all statements used in the implementation.
5.2.5.4.5 ALC_TAT.1.3C The documentation of the development tools shall unambiguously define the meaning of all implementation-dependent options.
5.2.5.4.6 ALC_TAT.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.6 Security Testing (ATE)
5.2.6.1 Analysis of Coverage (ATE_COV.2)
5.2.6.1.1 ATE_COV.2.1D The developer shall provide an analysis of the test coverage.
5.2.6.1.2 ATE_COV.2.1C The analysis of the test coverage shall demonstrate the correspondence between the tests identified in the test documentation and the TSF as described in the functional specification.
5.2.6.1.3 ATE_COV.2.2C The analysis of the test coverage shall demonstrate that the correspondence between the TSF as described in the functional specification and the tests identified in the test documentation is complete.
5.2.6.1.4 ATE_COV.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.6.2 Testing: High-level Design (ATE_DPT.1)
5.2.6.2.1 ATE_DPT.1.1D The developer shall provide the analysis of the depth of testing.
5.2.6.2.2 ATE_DPT.1.1C The depth analysis shall demonstrate that the tests identified in the test documentation are sufficient to demonstrate that the TSF operates in accordance with its high-level design.
5.2.6.2.3 ATE_DPT.1.1E [9] The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.6.3 Functional Testing (ATE_FUN.1)
5.2.6.3.1 ATE_FUN.1.1D The developer shall test the TSF and document the results.
5.2.6.3.2 ATE_FUN.1.2D The developer shall provide test documentation.
5.2.6.3.3 ATE_FUN.1.1C The test documentation shall consist of test plans, test procedure descriptions, expected test results and actual test results.
5.2.6.3.4 ATE_FUN.1.2C The test plans shall identify the security functions to be tested and describe the goal of the tests to be performed.
5.2.6.3.5 ATE_FUN.1.3C The test procedure descriptions shall identify the tests to be performed and describe the scenarios for testing each security function. These scenarios shall include any ordering dependencies on the results of other tests.
5.2.6.3.6 ATE_FUN.1.4C The expected test results shall show the anticipated outputs from a successful execution of the tests.
5.2.6.3.7 ATE_FUN.1.5C The test results from the developer execution of the tests shall demonstrate that each tested security function behaved as specified.
[9] This label is consistent with the CAPP. In the CC, this element is incorrectly labeled as "ATE_DPT.1.2E".
5.2.6.3.8 ATE_FUN.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.6.4 Independent Testing – Sample (ATE_IND.2)
5.2.6.4.1 ATE_IND.2.1D The developer shall provide the TOE for testing.
5.2.6.4.2 ATE_IND.2.1C The TOE shall be suitable for testing.
5.2.6.4.3 ATE_IND.2.2C The developer shall provide an equivalent set of resources to those that were used in the developer's functional testing of the TSF.
5.2.6.4.4 ATE_IND.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.6.4.5 ATE_IND.2.2E The evaluator shall test a subset of the TSF as appropriate to confirm that the TOE operates as specified.
5.2.6.4.6 ATE_IND.2.3E The evaluator shall execute a sample of tests in the test documentation to verify the developer test results.
5.2.7 Vulnerability Assessment (AVA)
5.2.7.1 Validation of Analysis (AVA_MSU.2)
5.2.7.1.1 AVA_MSU.2.1D The developer shall provide guidance documentation.
5.2.7.1.2 AVA_MSU.2.2D The developer shall document an analysis of the guidance documentation.
5.2.7.1.3 AVA_MSU.2.1C The guidance documentation shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences and implications for maintaining secure operation.
5.2.7.1.4 AVA_MSU.2.2C The guidance documentation shall be complete, clear, consistent and reasonable.
5.2.7.1.5 AVA_MSU.2.3C The guidance documentation shall list all assumptions about the intended environment.
5.2.7.1.6 AVA_MSU.2.4C The guidance documentation shall list all requirements for external security measures (including external procedural, physical and personnel controls).
5.2.7.1.7 AVA_MSU.2.5C The analysis documentation shall demonstrate that the guidance documentation is complete.
5.2.7.1.8 AVA_MSU.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.7.1.9 AVA_MSU.2.2E The evaluator shall repeat all configuration and installation procedures, and other procedures selectively, to confirm that the TOE can be configured and used securely using only the supplied guidance documentation.
5.2.7.1.10 AVA_MSU.2.3E The evaluator shall determine that the use of the guidance documentation allows all insecure states to be detected.
5.2.7.1.11 AVA_MSU.2.4E The evaluator shall confirm that the analysis documentation shows that guidance is provided for secure operation in all modes of operation of the TOE.
5.2.7.2 Strength of TOE Security Function Evaluation (AVA_SOF.1)
5.2.7.2.1 AVA_SOF.1.1D The developer shall perform a strength of TOE security function analysis for each mechanism identified in the ST as having a strength of TOE security function claim.
5.2.7.2.2 AVA_SOF.1.1C For each mechanism with a strength of TOE security function claim the strength of TOE security function analysis shall show that it meets or exceeds the minimum strength level defined in the PP/ST.
5.2.7.2.3 AVA_SOF.1.2C For each mechanism with a specific strength of TOE security function claim the strength of TOE security function analysis shall show that it meets or exceeds the specific strength of function metric defined in the PP/ST.
5.2.7.2.4 AVA_SOF.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.7.2.5 AVA_SOF.1.2E The evaluator shall confirm that the strength claims are correct.
5.2.7.3 Independent Vulnerability Analysis (AVA_VLA.2)
5.2.7.3.1 AVA_VLA.2.1D The developer shall perform a vulnerability analysis.
5.2.7.3.2 AVA_VLA.2.2D The developer shall provide vulnerability analysis documentation.
5.2.7.3.3 AVA_VLA.2.1C The vulnerability analysis documentation shall describe the analysis of the TOE deliverables performed to search for ways in which a user can violate the TSP.
5.2.7.3.4 AVA_VLA.2.2C The vulnerability analysis documentation shall describe the disposition of identified vulnerabilities.
5.2.7.3.5 AVA_VLA.2.3C The vulnerability analysis documentation shall show, for all identified vulnerabilities, that the vulnerability cannot be exploited in the intended environment for the TOE.
5.2.7.3.6 AVA_VLA.2.4C The vulnerability analysis documentation shall justify that the TOE, with the identified vulnerabilities, is resistant to obvious penetration attacks.
5.2.7.3.7 AVA_VLA.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.7.3.8 AVA_VLA.2.2E The evaluator shall conduct penetration testing, building on the developer vulnerability analysis, to ensure the identified vulnerabilities have been addressed.
5.2.7.3.9 AVA_VLA.2.3E The evaluator shall perform an independent vulnerability analysis.
5.2.7.3.10 AVA_VLA.2.4E The evaluator shall perform independent penetration testing, based on the independent vulnerability analysis, to determine the exploitability of additional identified vulnerabilities in the intended environment.
5.2.7.3.11 AVA_VLA.2.5E The evaluator shall determine that the TOE is resistant to penetration attacks performed by an attacker possessing a high attack potential.
5.3 Security Requirements for the IT Environment
The TOE has no security requirements allocated to its IT environment.

6 TOE Summary Specification (TSS)
This chapter describes the Windows 2003/XP security functions and associated assurance measures. The Windows 2003/XP Security Functions (SFs) and Security Assurance Measures (SAMs) satisfy the security functional and assurance requirements of the CAPP. The TOE also satisfies additional SFs and SAMs. The SFs and SAMs performed by Windows 2003/XP are described in the following sections, as well as a mapping to the security functional and assurance requirements satisfied by the TOE.

6.1 TOE Security Functions
This section presents the TSFs and a mapping of security functions to SFRs. The TOE performs the following security functions: Audit, User Data Protection, Cryptographic Protection, Identification and Authentication, Security Management, TSF Protection, Resource Utilization, and TOE Access.

6.1.1 Audit Function
The TOE Audit security function performs: Audit Collection, Audit Log Review, Selective Audit, Audit Log Overflow Protection, and Audit Log Restricted Access Protection.
6.1.1.1 Audit Collection
The Event Logger service creates the security event log, which contains the security relevant audit records collected on a system. There is one security log (audit log) per machine. The Local Security Authority (LSA) server collects audit events from all other parts of the TSF and forwards them to the Event Logger for storage in the security log. For each audit event, the Event Logger stores the following data in each audit record:
- Date: The date the event occurred.
- Time: The time the event occurred.
- User: The security identifier (SID) representing the user on whose behalf the event occurred. SIDs are described in more detail in Section 6 under Identification and Authentication.
- Event ID: A unique number identifying the particular event class.
- Source: This will be "Security."
- Type: Indicates whether the security audit event recorded is the result of a successful or failed attempt to perform the action.
- Category: A classification of the event defined by the event source. For the security log, the LSA service defines the following categories for security audit events: System, Logon, Object Access, Privilege Use, Detailed Process Tracking, Policy Change, Account Management, Directory Service Access, and Account Logon.
Each audit event may also contain category-specific data that is contained in the body of the event, as described below:
- For the System Category, the audit records additionally include information relating to the system, such as the time of clearing the audit trail.
- For the Object Access and the Directory Service Access Category, the audit records additionally include the object name and the desired access requested.
- For the Privilege Use Category, the audit records additionally identify the privilege.
- For the Detailed Process Tracking Category, the audit records additionally include the process identifier.
- For the Policy Change and Account Management Category, the audit records additionally include new values of the policy or account attributes.
- For the Logon and Account Logon Category, the audit records additionally include the reason for failure of attempted logons.
- For the Logon Category, the audit records additionally include the logon type, which indicates the source of the logon attempt by indicating one of the following types in the audit record:
  o Interactive (local logon)
  o Network (logon from the network)
  o Service (logon as a service)
  o Batch (logon as a batch job)
  o Unlock (for Unlock screen saver)
  o Network_ClearText (for anonymous authentication to IIS)
  Note: In the evaluated configuration IIS will only accept requests from authenticated clients; however, if configured for anonymous authentication IIS will not force the user to re-authenticate and a specified account (identified by the authorized administrator) will be associated with the user.

There are two places within the TSF where security audit events are collected. The Security Reference Monitor (SRM) is responsible for the generation of all audit records for the object access, privilege use, and detailed process tracking event categories. With one exception, audit events for the remainder of the event categories are generated by various services that co-exist in the security process with the LSA server or that call the AuthzReportAudit APIs provided by the LSA Policy subcomponent. The exception is that the Event Logger itself records an event record when the security log is cleared and when the security log exceeds the warning level configured by the authorized administrator.

The LSA server maintains an audit policy in its database that determines which categories of events are actually collected. Defining and modifying the audit policy is restricted to the authorized administrator. The authorized administrator can select events to be audited by selecting the category or categories to be audited. An authorized administrator can individually select each category. Those services in the security process can determine the current audit policy via direct local function calls. The only other TSF component that uses the audit policy is the SRM, in order to control object access, privilege use, and detailed tracking audit. LSA and the SRM share a private local connection port, which is used to pass the audit policy to the SRM. When an authorized administrator changes the audit policy, the LSA updates its database and notifies the SRM. The SRM receives a control flag indicating if auditing is enabled and a data structure indicating that the events in particular categories will be audited.

In addition to the system-wide audit policy configuration, it is possible to define a per-user audit policy. This allows individual audit categories (of success or failure) to be enabled or disabled on a per-user basis. The per-user audit policy refines the system-wide audit policy, allowing a more precise definition of the audit policy.

Within each category, auditing can be performed based on success, failure, or both. For object access events, auditing can be further controlled based on user/group identity and access rights using System Access Control Lists (SACLs). SACLs are associated with objects and indicate whether or not auditing for a specific object, or object attribute, is enabled.

The TSF is capable of generating the audit events associated with each audit category, as described in the Description column of Table 6-1 (Audit Event Categories). The auditable events associated with each category capture the events listed in Tables 5-3 and 5-4. For each category, the associated audit events (listed in Tables 5-3 and 5-4) for each of the requirements in the FAU_GEN Required Events column of Table 6-1 are captured.
Table 6-1 Audit Event Categories
Category | Description | FAU_GEN Required Events
System | Audit attempts that affect security of the entire system such as clearing the audit trail. | FAU_STG.3; FAU_STG.4; FMT_MTD.1(a)
Object Access | Audit attempts to access user objects, such as files. | FDP_ACF.1(a); FMT_MSA.1(a); FMT_MSA.3(a); FMT_REV(b);
Privilege Use | Audits attempts to use security relevant privileges. Security relevant privileges are those privileges that are related to the TSFs and can be assigned in the evaluated configuration. | FMT_SMR.1; FPT_STM.1; FMT_MTD.1(g); FMT_MOF.1(a); FMT_MTD.1(a); FAU_SAR.1; FAU_SAR.2
Detailed Process Tracking | Audit subject-tracking events, including program activation, handle duplication, indirect access to an object, and process exit. | FIA_USB.1_EX; FDP_ACF.1(a); FMT_MSA.1(d)
Policy Change | Audit attempts to change security policy settings such as the audit policy and privilege assignment. | FMT_MTD.1(b); FMT_MTD.1(c); FMT_REV.1(a); FMT_SMR.1; FMT_MOF.1(a); TRANSFER_PROT_EX.1; TRANSFER_PROT_EX.3; FAU_GEN.1
Account Management | Audit attempts to create, delete, or change user or group accounts and changes to their attributes. | FMT_MTD.1(c); FMT_MTD.1(d); FMT_REV.1(a); FMT_SMR.1; FIA_AFL.1; FMT_SAE.1; FMT_MTD.1(f); FMT_MTD.1(n); FMT_MTD.2; FMT_MTD.1(e)
Directory Service Access | Audit access to directory service objects and associated properties. | FDP_ACF.1(a); FPT_TRC_EX.1
Logon | Audit attempts to logon or logoff the system, attempts to make a network connection. | FIA_SOS.1; FIA_UAU.1; FIA_UID.1; FIA_AFL.1; FIA_USB.1; FTA_SSL.1; FTA_SSL.2; FTA_TSE.1; TRANSFER_PROT_EX; FTP_TRP.1
Account Logon | Audit when a DC receives a logon request. | FIA_SOS.1; FIA_UAU.1; FIA_UID.1;
6.1.1.2 Audit Log Review
The event viewer administrator tool provides a user interface to view, sort, and search the security log. The security log can be sorted and searched by user identity, event type, date, time, source, category, event ID, and computer. The security log can also be searched by free-form text occurring in the audit records.

6.1.1.3 Selective Audit
The authorized administrator is provided the ability to select events to be audited based upon object identity, user identity, workstation (host identity), event type, and success or failure of the event.
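The audit decision described in 6.1.1.1 and 6.1.1.3 (a system-wide per-category success/failure policy, a per-user refinement of it, and SACL filtering by SID and access right for Object Access events) can be modelled compactly. The Python block below is an added illustration written for this edit; it is not code from the Security Target, from the CAPP, or from Windows. The names AuditPolicy, SaclEntry, AuditEvent and should_audit, the access-mask constants and the sample SIDs are assumptions chosen for the example; the decision rules are the ones the text describes.

```python
"""Model of the Windows 2003/XP audit decision (added example, not ST or Windows code).

Assumed names/constants: AuditPolicy, SaclEntry, AuditEvent, should_audit, the
FILE_* masks and the sample SIDs are inventions for this illustration.
"""
from dataclasses import dataclass, field

SUCCESS, FAILURE = "success", "failure"
FILE_READ, FILE_WRITE = 0x1, 0x2          # assumed access-mask bits
EVERYONE = "S-1-1-0"                      # well-known SID
ALICE = "S-1-5-21-1-1-1-1001"             # constructed sample SIDs
BOB = "S-1-5-21-1-1-1-1002"


@dataclass
class AuditPolicy:
    # system-wide policy: category -> set of outcomes that are audited
    categories: dict
    # per-user refinement: user SID -> {category: {outcome: include(True)/exclude(False)}}
    per_user: dict = field(default_factory=dict)

    def category_enabled(self, category, outcome, user_sid):
        """System-wide setting, overridden by the per-user policy when one exists."""
        enabled = outcome in self.categories.get(category, set())
        override = self.per_user.get(user_sid, {}).get(category, {}).get(outcome)
        return enabled if override is None else override


@dataclass
class SaclEntry:
    sid: str            # user or group the entry applies to
    access_mask: int    # rights whose use is audited
    audit_success: bool
    audit_failure: bool


@dataclass
class AuditEvent:
    category: str
    outcome: str
    user_sid: str
    group_sids: frozenset = frozenset()
    desired_access: int = 0                    # Object Access only
    sacl: list = field(default_factory=list)   # the object's SACL, Object Access only


def should_audit(policy, ev):
    """True if the SRM/LSA would hand this event to the Event Logger."""
    if not policy.category_enabled(ev.category, ev.outcome, ev.user_sid):
        return False
    if ev.category != "ObjectAccess":
        return True
    # Object Access is filtered further by the object's SACL: an entry must name
    # the user or one of the user's groups, overlap the requested rights, and
    # ask for this outcome (success or failure).
    principals = {ev.user_sid} | set(ev.group_sids)
    for ace in ev.sacl:
        if ace.sid not in principals or not (ace.access_mask & ev.desired_access):
            continue
        if (ev.outcome == SUCCESS and ace.audit_success) or \
           (ev.outcome == FAILURE and ace.audit_failure):
            return True
    return False


def demo():
    """Six constructed cases; returns a dict of decisions."""
    policy = AuditPolicy(
        categories={"Logon": {SUCCESS, FAILURE}, "ObjectAccess": {SUCCESS, FAILURE}},
        per_user={BOB: {"ObjectAccess": {SUCCESS: False}}},   # exclude Bob's successes
    )
    sacl = [SaclEntry(EVERYONE, FILE_WRITE, audit_success=True, audit_failure=True)]
    groups = frozenset({EVERYONE})
    return {
        "alice_write_ok": should_audit(policy, AuditEvent("ObjectAccess", SUCCESS, ALICE, groups, FILE_WRITE, sacl)),
        "alice_read_ok": should_audit(policy, AuditEvent("ObjectAccess", SUCCESS, ALICE, groups, FILE_READ, sacl)),
        "bob_write_ok": should_audit(policy, AuditEvent("ObjectAccess", SUCCESS, BOB, groups, FILE_WRITE, sacl)),
        "bob_write_fail": should_audit(policy, AuditEvent("ObjectAccess", FAILURE, BOB, groups, FILE_WRITE, sacl)),
        "logon_fail": should_audit(policy, AuditEvent("Logon", FAILURE, ALICE)),
        "policy_change": should_audit(policy, AuditEvent("PolicyChange", SUCCESS, ALICE)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'audited' if decision else 'not audited'}")
```

The order of the checks mirrors the text: the category policy (as refined per user) is consulted first, and only Object Access events go on to the SACL. In the sample, Alice's successful write is audited, her read is not (the SACL entry covers only writes), Bob's successful write is suppressed by his per-user exclusion while his failed write is still recorded, and Policy Change events are dropped because that category is not enabled at all.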
6.1.1.4 Audit Log Overflow Protection
The TSF protects against the loss of events through a combination of controls associated with audit queuing and event logging. As configured in the TOE, audit data is appended to the audit log until it is full. The TOE protects against lost audit data by allowing the authorized administrator to configure the system to generate an audit event when the security log reaches a specified capacity percentage (e.g., 90%). Additionally, the authorized administrator can configure the system not to overwrite events and to shut down when the security log is full. When so configured, after the system has shut down due to audit overflow, only the authorized administrator can log on. When the security log is full, a message is written to the terminal display of the authorized administrator indicating the audit log has overflowed.

As described earlier, the TSF collects audit data in two ways, via the SRM and via the LSA server. Both components maintain audit event queues. The SRM puts audit records on an internal queue to be sent to the LSA server. The LSA maintains a second queue where it holds the audit data from the SRM and the other services in the security process. Both audit queues detect when an audit event loss has occurred. The SRM service maintains a high water mark and a low water mark on its audit queue to determine when it is full. The LSA also maintains marks in its queue to indicate when it is full. Audit events may be lost if the SRM or the LSA queues reach their high-water mark, or if the security log file is full. The TOE can be configured to crash when the audit trail is full. The security log file is limited in size by the resources available on the system.
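An added model of the queue and log-full behaviour just described (not code from the Security Target or from Windows): a bounded queue with a high-water mark at which new records are discarded and a low-water mark below which acceptance resumes (recording how many events were lost in between), and a fixed-capacity log with the capacity alarm, the optional shut-down-when-full setting, and the administrator-only clear. AuditQueue, SecurityLog, the method names and the numeric limits are assumptions chosen for the example.

```python
"""Model of audit-queue watermarks and security-log overflow handling.

Added example, not ST or Windows code. AuditQueue/SecurityLog and their
parameters are assumed names for this illustration.
"""
from collections import deque


class AuditQueue:
    """Producer queue (SRM -> LSA, or LSA -> Event Logger) with watermarks.

    At the high-water mark new records are discarded and counted; once the
    consumer has drained the queue below the low-water mark, acceptance
    resumes and one marker record states how many events were lost.
    """

    def __init__(self, high, low):
        assert 0 <= low < high
        self.high, self.low = high, low
        self.items = deque()
        self.discarding = False
        self.lost = 0

    def put(self, record):
        if self.discarding:
            if len(self.items) > self.low:       # still above the low-water mark
                self.lost += 1
                return False
            self.items.append({"event": "AUDIT_LOSS", "count": self.lost})
            self.discarding, self.lost = False, 0
        if len(self.items) >= self.high:         # high-water mark reached
            self.discarding, self.lost = True, 1
            return False
        self.items.append(record)
        return True

    def get(self):
        return self.items.popleft()


class SecurityLog:
    """Fixed-capacity log. warn_percent is the capacity alarm; crash_on_full
    mirrors 'do not overwrite events and shut down when the log is full'."""

    def __init__(self, capacity, warn_percent=90, crash_on_full=False):
        self.capacity, self.warn_percent = capacity, warn_percent
        self.crash_on_full = crash_on_full
        self.records = []
        self.warned = self.halted = False

    def append(self, record):
        if self.halted:
            return "halted"
        if len(self.records) >= self.capacity:
            if self.crash_on_full:
                self.halted = True               # system shuts down; admin logon only
                return "halted"
            return "dropped"                     # record lost, log is full
        self.records.append(record)
        if not self.warned and 100 * len(self.records) >= self.warn_percent * self.capacity:
            self.warned = True
            if len(self.records) < self.capacity:  # the Event Logger's own alarm record
                self.records.append({"event": "LOG_NEAR_FULL"})
            return "warned"
        return "ok"

    def clear(self):
        """Administrator-only clear; the Event Logger records the clearing itself."""
        self.records = [{"event": "LOG_CLEARED"}]
        self.warned = self.halted = False


def demo():
    """Constructed scenario: overfill a queue, drain it, then fill a log to shutdown."""
    q = AuditQueue(high=4, low=1)
    accepted = [q.put({"event": i}) for i in range(6)]   # 4 queued, 2 lost
    for _ in range(4):
        q.get()                                           # consumer drains the queue
    resumed = q.put({"event": 6})                         # loss marker, then the record
    log = SecurityLog(capacity=5, warn_percent=80, crash_on_full=True)
    statuses = [log.append({"event": i}) for i in range(7)]
    halted = log.halted
    log.clear()
    after_clear = log.append({"event": 7})
    return {"accepted": accepted, "queue_after": list(q.items), "resumed": resumed,
            "log_statuses": statuses, "halted": halted, "after_clear": after_clear}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the marker record is that loss is detectable from the log itself, which is what "both audit queues detect when an audit event loss has occurred" requires; a log that silently stops is indistinguishable from a quiet system. The shut-down setting trades availability for completeness, which is why the text restricts logon afterwards to the authorized administrator, who clears the log and returns the system to service.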
6.1.1.5 Audit Log Restricted Access Protection
The Event Logger controls and protects the security event log. To view the contents of the security log, the user must be an authorized administrator. The security event log is a system resource, created during system startup. No interfaces exist to create, destroy, or modify a security event within the security event log. The LSA subsystem is the only service registered to enter events into the security log. The TOE only offers user interfaces to read and clear the security event log, and these interfaces require the user to be an authorized administrator.
6.1.1.6 Server Update Server Logging
The Windows Server Update Server creates a log recording its activities. The log is a file residing in the TOE NTFS file system that is protected by NTFS access permissions (i.e. DAC) that restrict access to authorized administrators. The Windows Server Update Server log contains the following information:
- Download status – The log contains records of individual computers' activities with respect to particular downloads. Whenever a download is accessed by a computer, an entry is added to the log.
- Configuration settings – The log contains a record of the configuration settings for the Windows Server Update Server.
The authorized administrator can view the log file and correlate such information as:
- Computer status – Administrators can assess the status of client computers with respect to the status of updates on those computers, for example a summary of updates that have been installed or are needed for a particular computer.
- Update status – Administrators can view or print a summary of compliance information for a specific update, including the update properties and cumulative status for each computer group.
- Synchronization (or download) status – Administrators can monitor synchronization activity (i.e., client communications with the WSUS) and status for a given time period, and view the latest updates that have been downloaded.
SFR Mapping: The Audit function satisfies the following SFRs:
- FAU_GEN.1 – The TOE audit collection is capable of generating audit events for items identified in Table 6-1, TOE audit events. For each audit event the TSF records the date, time, user Security Identifier (SID) or name, logon type (for logon audit records), event ID, source, type, and category.
- FAU_GEN.2 – All audit records include the user SID, which uniquely represents each user.
- FAU_SAR.1 – The event viewer provides authorized administrators with the ability to review audit data in a readable format.
- FAU_SAR.2 and FMT_MTD.1(a) – Only authorized administrators have any access to the audit log.
- FAU_SAR.3(a), (b) – The audit function provides capabilities for selective auditing and review using the event viewer. The TOE provides the capability to select events to be audited based on success and/or failure at the category level. Additionally, for the object access category of events, events can be selected based on user identity. The TSF determines which audit events to record based on the current audit policy and the specific settings in the SACLs. The event viewer provides the capability to perform searches and sorting of audit data by date, time, user SID or name, computer, event ID, source, type, and category. Additionally, the event viewer provides the capability to perform searching based upon specified free-form text substrings within the audit records.
- FAU_SEL.1 – The TSF provides the ability for the authorized administrator to select the events to be audited based upon object identity, user identity, workstation (host identity), event type, and success or failure of the event.
- FAU_STG.1 – The interface to the security log is limited by the Event Logger. The interface to the security log only allows for viewing the audit data and for clearing all the audit data. The interface to the security log is restricted to authorized administrators and does not allow for the modification of audit data within the security log.
- FAU_STG.3 – The authorized administrator can configure the system such that an audit event (alarm) is generated if the audit data exceeds a specified percentage of the security log.
- FMT_MTD.1(j) – The TSF restricts the ability to specify the size of the security log to an authorized administrator.
- FAU_STG.4 – The TOE can be configured such that when the security log is full the system shuts down. At that point, only the authorized administrator can log on to the system to clear the security log and return the system to an operational state consistent with TOE guidance. Additionally, when the security log reaches a certain percentage, an audit event (alarm) is generated.
- FAU_LOG_EX.1 – The TSF generates a log for activities associated with the Windows Server Update Server. The log contains events for download status and configuration settings. Within the log is all the information specified in the SFR.
6.1.2 User Data Protection Function
The user data protection security services provided by the TOE are: Discretionary Access Control, WEBUSER Access Control, Content Provider Access Control, Information Flow Control and Protection, and Residual Data Protection.

6.1.2.1 Discretionary Access Control
The TSF mediates access between subjects and user data objects, also known as named objects. Subjects consist of processes with one or more threads running on behalf of users. Table 6-2 lists the specific user data objects under the control of the DAC policy for the TOE.
Table 6-2 Named Objects
Name | Description
Desktop | The primary object used for graphical displays. The interactive window station has three default desktops created by WinLogon.
Event | An object created for the interprocess communication mechanism.
KeyedEvent | An object created for the interprocess communication mechanism.
EventPair | An object created for the interprocess communication mechanism.
I/O Completion Port | An object that provides a means to synchronize I/O.
Job | An object that allows for the management of multiple processes as a unit.
Registry Key | Registry Keys are the objects that form the Registry.
Mutant | An object created for the interprocess communication mechanism (known as Mutex at the win32 interface).
Object Directory | A directory in the object namespace.
LPC Port | A connection-oriented local process communication mechanism object that supports client and server side communication endpoints, message queues, etc.
Mailslot | An I/O object that provides support for message passing IPC via the network.
Named Pipe | An I/O object used for IPC over the network.
NTFS Directory | NT file system file object.
NTFS File | A user data file object managed by NTFS.
Printer | Represents a particular print queue and its association with a print device.
Active Directory | Represents shared resources defined and maintained by Active Directory services.
Process | An execution context for threads that has associated address space and memory, token, handle table, etc.
Section | A memory region.
Semaphore | An object created for the interprocess communication mechanism.
Symbolic Link | A means for providing name aliasing in the object namespace.
Scheduled Task | A program that is executed at a predefined time or when a predefined event occurs.
Thread | An execution context (registers, stacks, etc.). All user-mode threads are associated with a process.
Timer | A means for a thread to wait for a specified amount of time to pass.
Tokens | These objects represent the security context of a process or thread.
Volume | A partition or collection of partitions that have been formatted for use by a file system.
Window Station | A container for desktop objects and related attributes.
Application Pool File | A group of web applications that share configuration settings.
URL Reservation | A URL.
Debug | A set of resources used for debugging a process.
Filter Connection Port | Represents a mini-filter driver.
Filter Communication Port | Represents a port to communicate with a mini-filter driver.
6.1.2.1.1 Subject DAC Attributes
Tokens contain the security attributes for a subject. Tokens are associated with processes and threads running on behalf of the user. The DAC related information in the token includes: the SID for the user, SIDs representing groups of which the user is a member, privileges assigned to the user, an owner SID identifying the SID to assign as owner for newly created objects, a default DACL (for newly created objects), token type (primary or impersonation), impersonation level (for impersonation tokens), an optional list of restricting SIDs, and a logon ID for the session. As described in the I&A function, a thread can be assigned an impersonation token that is used instead of the process' token when making access checks and generating audit data. Hence, that thread is impersonating the client that provided the impersonation token. Impersonation stops when the impersonation token is removed from the thread or when the thread terminates. A token may also include a list of restricting SIDs, which are used to limit access to objects. Restricting SIDs are contained in restricted tokens (a special form of thread impersonation token). Access decisions are made using the impersonation token of a thread if it exists, and otherwise the thread's process primary token (which always exists).

6.1.2.1.2 Object DAC Attributes
SDs contain all of the security attributes associated with an object. All objects in Table 6-2 have an associated SD. The security attributes from a SD used for access control are the object owner SID, the DACL present flag, and the DACL itself, if present.
DACLs contain a list of Access Control Entries (ACEs). Each ACE specifies an ACE type, a SID representing a user or group, and an access mask containing a set of access rights. Each ACE has inheritance attributes associated with it that specify if the ACE applies to the associated object only, to its children objects only, or to both its children objects and the associated object. There are two types of ACEs that apply to access control:
1. ALLOW ACEs
   a. ACCESS_ALLOWED_ACE - used to grant access to a user or group of users.
   b. ACCESS_ALLOWED_OBJECT_ACE - (for DS objects) used to grant access for a user or group to a property or property set on the directory service object, or to limit the ACE inheritance to a specified type of child object. This ACE type is only supported for directory service objects.
2. DENY ACEs
   a. ACCESS_DENIED_ACE - used to deny access to a user or group of users.
   b. ACCESS_DENIED_OBJECT_ACE - (for DS objects) used to deny access for a user or group to a property or property set on the directory service object, or to limit the ACE inheritance to a specified type of child object. This ACE type is only supported for directory service objects.
An access mask contains the object access rights granted (or denied) to the SID, representing a user or group, in the ACE. An access mask is also used to specify the desired access to an object when accessing the object and to identify the granted access associated with an opened object. Each bit in an access mask represents a particular access right. There are four categories of access rights: standard, specific, special, and generic. Standard access rights apply to all object types. Specific access rights have different semantic meanings depending on the type of object. Special access rights are used in desired access masks to request special access or to ask for all allowable rights. Generic access rights are convenient groupings of specific and standard access rights. Each object type provides its own mapping between generic access rights and the standard and specific access rights.
For most objects, a subject requests access to the object (e.g., opens it) and receives a pointer to a handle in return. The TSF associates a granted access mask with each opened handle. For kernel-mode objects, handles are maintained in a kernel-mode handle table. There is one handle table per process; each entry in the handle table identifies an opened object and the access rights granted to that object. For user-mode TSF servers, the handle is a server-controlled context pointer associated with the connection between the subject and the server. The server uses this context handle in the same manner as the kernel mode (i.e., to locate an opened object and its associated granted access mask). In both cases (user and kernel-mode objects), the SRM makes all access control decisions.
For some objects (in particular, DS objects), the TSF does not maintain an opened context (e.g., a handle) to the object. In these cases, access checks are performed on every reference to the object (in place of checking a handle's granted access mask). DS objects also differ from other objects in that they have additional attributes, known as properties and property sets (groups of properties). Properties reference specific portions of a DS object. Property sets reference a collection of properties. Every DS object, property set and property has an associated object type GUID. The TOE allows access control for DS objects to the level of GUIDs (i.e., the entire DS object, a given property set, and/or a specific property). Like all objects, DS objects still have a single security descriptor for the entire object; however the DACL for a DS object can contain ACEs that grant or deny access to any of the associated GUIDs.

6.1.2.1.3 DAC Enforcement Algorithm
The TSF enforces the DAC policy on objects based on the SIDs and privileges in the requestor's token, the desired access mask requested, and the object's security descriptor. Below is a summary of the algorithm used to determine whether a request to access a user data object is allowed. In order for access to be granted, all access rights specified in the desired access mask must be granted by one of the following steps. At the end of any step, if all of the requested access rights have been granted then access is allowed. At the end of the algorithm, if any requested access right has not been granted, then access is denied.
1. Privilege Check -
   a. Check for SeSecurity privilege - This is required if ACCESS_SYSTEM_SECURITY is in the desired access mask. If ACCESS_SYSTEM_SECURITY is requested and the requestor does not have this privilege, access is denied. Otherwise ACCESS_SYSTEM_SECURITY is granted.
   b. Check for SeTakeOwner privilege - If the desired mask has the WRITE_OWNER access right, and the privilege is found in the requestor's token, then WRITE_OWNER access is granted.
2. Owner Check -
   a. Check all SIDs in the token to determine if there is a match with the object owner. If so, the READ_CONTROL and WRITE_DAC rights are granted if requested.
3. DACL not present -
   a. All further access rights requested are granted.
4. DACL present but empty -
   a. If any additional access rights are requested, access is denied.
5. Iteratively process each ACE in the order that they appear in the DACL as described below:
   a. If the inheritance attributes of the ACE indicate the ACE is applicable only to children objects of the associated object, the ACE is skipped.
   b. If the SID in the ACE does not match any SID in the requestor's access token, the ACE is skipped.
   c. If a SID match is found, and the access mask in the ACE matches an access in the desired access mask:
      i) Access Allowed ACE Types - If the ACE is of type ACCESS_ALLOWED_OBJECT_ACE and the ACE includes a GUID representing a property set or property associated with the object, then the access is granted to the property set or specific property represented by the GUID (rather than to the entire object). Otherwise the ACE grants access to the entire object.
      ii) Access Denied ACE Types - If the ACE is of type ACCESS_DENIED_OBJECT_ACE and the ACE includes a GUID representing a property set or property associated with the object, then the access is denied to the property set or specific property represented by the GUID. Otherwise the ACE denies access to the entire object. If a requested access is specifically denied by an ACE, then the entire access request fails.
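The five steps above as an added Python simulation (not Microsoft's code and not the SRM's implementation): the token, ACE and security-descriptor structures and the access-right bit values are constructed stand-ins, each step is checked against the rights still outstanding, and object-ACE GUIDs are simplified to an exact match between the ACE's GUID and the property the caller targets.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed right bits for the demo; the real Win32 access-mask values differ.
READ_DATA = 1 << 0
WRITE_DATA = 1 << 1
READ_CONTROL = 1 << 2
WRITE_DAC = 1 << 3
WRITE_OWNER = 1 << 4
ACCESS_SYSTEM_SECURITY = 1 << 5


@dataclass
class Ace:
    kind: str                           # "allow" or "deny"
    sid: str                            # user or group SID the ACE applies to
    mask: int                           # access rights granted or denied
    inherit_only: bool = False          # applies to child objects only -> skipped
    object_guid: Optional[str] = None   # property / property-set GUID (DS objects)


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]           # None = DACL not present; [] = present but empty


@dataclass
class Token:
    sids: Set[str]                      # user SID plus group SIDs
    privileges: Set[str] = field(default_factory=set)


def access_check(token: Token, sd: SecurityDescriptor, desired: int,
                 target_guid: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Rights accumulate step by step; after any
    step, if every requested right has been granted the check succeeds."""
    granted = 0

    def remaining() -> int:
        return desired & ~granted

    # Step 1: privilege check.
    if desired & ACCESS_SYSTEM_SECURITY:
        if "SeSecurity" not in token.privileges:
            return False, "ACCESS_SYSTEM_SECURITY requested without SeSecurity privilege"
        granted |= ACCESS_SYSTEM_SECURITY
    if desired & WRITE_OWNER and "SeTakeOwner" in token.privileges:
        granted |= WRITE_OWNER
    if not remaining():
        return True, "granted by privilege check"

    # Step 2: owner check - any SID in the token matching the object owner.
    if sd.owner in token.sids:
        granted |= desired & (READ_CONTROL | WRITE_DAC)
    if not remaining():
        return True, "granted by owner check"

    # Step 3: DACL not present - all further rights are granted.
    if sd.dacl is None:
        return True, "DACL not present: all access granted"

    # Step 4: DACL present but empty - any outstanding right is denied.
    if not sd.dacl:
        return False, "DACL empty: remaining rights denied"

    # Step 5: walk the ACEs in DACL order.
    for ace in sd.dacl:
        if ace.inherit_only:                # 5a: applies to children only, skip
            continue
        if ace.sid not in token.sids:       # 5b: no SID match, skip
            continue
        overlap = ace.mask & remaining()    # 5c: ACE mask vs. rights still outstanding
        if not overlap:
            continue
        # An object ACE carrying a GUID scopes the decision to that property or
        # property set; simplified here to an exact match on the requested GUID.
        if ace.object_guid is not None and ace.object_guid != target_guid:
            continue
        if ace.kind == "deny":              # ii) a deny fails the whole request
            return False, "denied by ACE for " + ace.sid
        granted |= overlap                  # i) an allow grants these rights
        if not remaining():
            return True, "granted by DACL"

    return False, "requested rights not granted by any ACE"
```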

6.1.2.1.4 DAC Enforcement of Encrypted Files
The TOE provides the ability to encrypt NTFS file objects. Users may encrypt files at their discretion. If a file is encrypted, the TSF performs checks in addition to the checks presented in the DAC Enforcement Algorithm upon subsequent access requests to the encrypted file.
The first time a user encrypts a file the TSF assigns the user account a public/private key pair. Every time a user encrypts a file, the TSF creates a randomly generated file encryption key (FEK). The FEK is used to encrypt the file data using the Triple Data Encryption Standard (3DES) CBC algorithm. The TSF stores the FEK as an attribute of the file and encrypts the FEK using the RSA public-key based encryption algorithm with the user's public key. The TSF also allows a user who can decrypt the file to grant access to other users by adding additional encrypted FEKs (encrypted with the new users' public keys) to the file.
An authorized administrator can assign a public/private key pair to any number of accounts. These accounts are referred to as recovery agents and the private keys associated with the recovery agents are referred to as recovery keys. The TSF also encrypts the FEK with one or more recovery keys. The purpose of recovery keys is to let designated accounts, or Recovery Agents, decrypt a user's file when administrative authority must have access to the user's data.
Once a file is encrypted, upon subsequent access requests, the TSF checks that the user's private key or a recovery private key can decrypt the encrypted FEK. There may be more than one encrypted FEK associated with the file. In this case, the TSF attempts to decrypt each associated encrypted FEK until one is successfully decrypted or it reaches the end of the list of FEKs. If the FEK is decrypted successfully with the private key, the decrypted FEK is then used to decrypt the file contents and the access request is granted. If the TSF cannot decrypt any of the encrypted FEKs associated with the file using the user's private key or the recovery key, the access request is not granted.

6.1.2.1.5 Default DAC Protection
The TSF provides a process ensuring a DACL is applied to all new objects. When new objects are created, the appropriate DACL is determined. The default DAC protection for DS objects and that for non-DS objects are slightly different.
The TOE uses the following rules to set the DACL in the SDs for new non-DS securable objects:
- The object's DACL is the DACL from the SD specified by the creating process. The TOE merges any inheritable ACEs into the DACL unless SE_DACL_PROTECTED is set in the SD control flags. The TOE then sets the SE_DACL_PRESENT SD control flag.
- If the creating process does not specify a SD, the TOE builds the object's DACL from inheritable ACEs in the parent object's DACL. The TOE then sets the SE_DACL_PRESENT SD control flag.
- If the parent object has no inheritable ACEs, the TOE uses its object manager subcomponent to provide a default DACL. The TOE then sets the SE_DACL_PRESENT and SE_DACL_DEFAULTED SD control flags.
- If the object manager does not provide a default DACL, the TOE checks the subject's access token for a default DACL. The TOE then sets the SE_DACL_PRESENT and SE_DACL_DEFAULTED SD control flags. The subject's access token always has a default DACL, which is set by the LSA subcomponent when the token is created.
The method used to build a DACL for a new DS object is slightly different. There are two key differences, which are as follows:
- The rules for creating a DACL distinguish between generic inheritable ACEs and object-specific inheritable ACEs in the parent object's SD. Generic inheritable ACEs can be inherited by all types of child objects. Object-specific inheritable ACEs can be inherited only by the type of child object to which they apply.
- The AD schema can provide a SD. Each object class defined in the schema has a default Security Descriptor attribute. If neither the creating process nor inheritance from the parent object provides a DACL for a new AD object, the TOE uses the DACL in the default SD specified by the schema.
The TOE uses the following rules to set the DACL in the security descriptor for new DS objects:
- The object's DACL is the DACL from the SD specified by the creating process. The TOE merges any inheritable ACEs into the DACL unless SE_DACL_PROTECTED is set in the SD control flags. The TOE then sets the SE_DACL_PRESENT SD control flag.
- If the creating process does not specify a SD, the TOE checks the parent object's DACL for inheritable object-specific ACEs that apply to the type of object being created. If the parent object has inheritable object-specific ACEs for the object type, the TOE builds the object's DACL from inheritable ACEs, including both generic and object-specific ACEs. It then sets the SE_DACL_PRESENT SD control flag.
- If the parent object has no inheritable object-specific ACEs for the type of object being created, the TOE uses the default DACL from the AD schema for that object type. It then sets the SE_DACL_PRESENT and SE_DACL_DEFAULTED SD control flags.
- If the AD schema does not specify a default DACL for the object type, the TOE checks the subject's access token for a default DACL. It then sets the SE_DACL_PRESENT and SE_DACL_DEFAULTED SD control flags. The subject's access token always has a default DACL, which is set by the LSA subcomponent when the token is created.
All tokens are created with an appropriate default DACL, which can be applied to new objects as appropriate. The default DACL is restrictive in that it only allows the SYSTEM SID and the user SID that created the object to have access. The SYSTEM SID is a special SID representing TSF trusted processes.
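The non-DS and DS rule sets above, as an added Python illustration (not Microsoft's code): the ACE and SD structures and the SIDs are constructed stand-ins, the SE_DACL_* values are the Win32 SECURITY_DESCRIPTOR_CONTROL flags, and the DS rule that generic inheritable ACEs alone do not trigger inheritance follows the wording above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

SE_DACL_PRESENT = 0x0004
SE_DACL_DEFAULTED = 0x0008
SE_DACL_PROTECTED = 0x1000


@dataclass(frozen=True)
class Ace:
    sid: str
    mask: int
    inheritable: bool = False
    object_type: Optional[str] = None   # None = generic ACE; else DS object-specific ACE


@dataclass
class ExplicitSD:
    """Security descriptor supplied by the creating process."""
    dacl: List[Ace]
    control: int = 0                    # may carry SE_DACL_PROTECTED


def default_token_dacl(creator_sid: str, system_sid: str = "S-1-5-18") -> List[Ace]:
    """The restrictive default DACL the LSA places in every token: only SYSTEM
    and the creating user get access. 0xFFFF is a constructed 'all rights' mask."""
    return [Ace(system_sid, 0xFFFF), Ace(creator_sid, 0xFFFF)]


def _explicit_plus_inherited(sd: ExplicitSD, inheritable: List[Ace]) -> Tuple[List[Ace], int]:
    dacl = list(sd.dacl)
    if not sd.control & SE_DACL_PROTECTED:      # merge unless the SD is protected
        dacl.extend(inheritable)
    return dacl, SE_DACL_PRESENT


def new_non_ds_dacl(explicit: Optional[ExplicitSD], parent_dacl: List[Ace],
                    object_manager_default: Optional[List[Ace]],
                    token_default: List[Ace]) -> Tuple[List[Ace], int]:
    """Rules for a new non-DS securable object; returns (DACL, SD control flags)."""
    inheritable = [a for a in parent_dacl if a.inheritable]
    if explicit is not None:                              # rule 1: creator's SD
        return _explicit_plus_inherited(explicit, inheritable)
    if inheritable:                                       # rule 2: inherit from parent
        return inheritable, SE_DACL_PRESENT
    if object_manager_default is not None:                # rule 3: object manager default
        return list(object_manager_default), SE_DACL_PRESENT | SE_DACL_DEFAULTED
    return list(token_default), SE_DACL_PRESENT | SE_DACL_DEFAULTED   # rule 4: token


def new_ds_dacl(explicit: Optional[ExplicitSD], parent_dacl: List[Ace], object_type: str,
                schema_default: Optional[List[Ace]],
                token_default: List[Ace]) -> Tuple[List[Ace], int]:
    """Rules for a new DS object; returns (DACL, SD control flags)."""
    inheritable = [a for a in parent_dacl if a.inheritable]
    if explicit is not None:
        return _explicit_plus_inherited(explicit, inheritable)
    # Object-specific ACEs apply only to their own child type; generic ACEs to all.
    applicable = [a for a in inheritable if a.object_type in (None, object_type)]
    has_specific = any(a.object_type == object_type for a in inheritable)
    if has_specific:                                      # generic + object-specific ACEs
        return applicable, SE_DACL_PRESENT
    if schema_default is not None:                        # AD schema default SD
        return list(schema_default), SE_DACL_PRESENT | SE_DACL_DEFAULTED
    return list(token_default), SE_DACL_PRESENT | SE_DACL_DEFAULTED
```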

6.1.2.2 WEBUSER Access Control
The TOE includes a web server (IIS) on the Windows 2003 server product that mediates access requests to its web server content from clients accessing the web server through HTTP. IIS supports user authentication using either the anonymous, basic, digest, certificate, NT or passport authentication scheme. In an evaluated configuration, an IIS server accepts only the anonymous, digest, certificate, and NT authentication schemes. Thus, only HTTP requests from clients that authenticate using an acceptable scheme are processed by the web server. Note that IIS anonymous authentication allows a web server request to be serviced without prompting the client for I&A. However, that client has been authenticated prior to making a web server request in the evaluated configuration. The web server then assigns the connection to the user account that is specified for anonymous connections.
IIS ensures that the DAC policy of the files associated with the requested web server content is enforced. Therefore, the DACL of the file associated with the web content is compared against the user ID and group IDs associated with the web user requesting web content access. If a request to access web content from a web user is other than a request to read web content, the request is denied unless a certain configuration of web permissions is associated with that web content.
In addition to ensuring that the DAC policy is enforced, IIS enforces further restrictions on web content based upon web permissions that are associated with web content in the IIS configuration repository, referred to as the metabase. Web permissions do not violate the DAC policy; access can only be further restricted by IIS. IIS allows configuration settings to be associated with a URL that associate web permissions with URLs. These settings allow access control checks to be performed by IIS when access requests are made to these URLs, if configured. These web permissions control the ability to perform the following actions on web content:
- Access URL: access the URL,
- Read web permission: read web content,
- Write web permission: change web content,
- Source web permission: access the source of web content, and
- Browsing web permission: view the lists and collections in a directory.
If web content is configured with web permissions then IIS performs additional checking when an access request is made to that web content to ensure that the appropriate permission is configured for that web content (as described above). If the appropriate permission is configured, access will be granted. For example, if a write request is made to web content and that web content is not configured with the write web permission then the request will be denied. However, if a write request is made to web content and the DACL associated with the file allows write access to that web user and the write web permission is configured for that web content, then access is granted.
Under certain circumstances IIS denies access to web content based upon web permissions associated with the web content, as follows:
- If web content is configured to require SSL/TLS and the web user requests access via HTTP and not Secure HTTP (HTTPS), then access is denied.
- If web content is configured to require SSL/TLS and use a client certificate, and the web user requests access via HTTPS without a certificate or via HTTP, then access is denied.
- If web content is configured to require SSL/TLS and a negotiated certificate or requires a certificate, and the web user requests access via HTTP or via HTTPS with an invalid or revoked certificate, then access is denied.
- If the authorization setting of a web user requesting access does not match the configured authorization setting associated with the web content, then access is denied.
- If the client certificate mapping setting of the web user requesting access does not match the configured certificate mapping setting associated with the web content, then access is denied.
In the evaluated configuration, execute permission on web content is not allowed. Read access to web content is allowed by default; however, other access must be specifically assigned by the authorized administrator.
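The WEBUSER decision described above (file DACL and web permissions both required, SSL/TLS and client-certificate preconditions, execute never allowed), as an added Python illustration that is not IIS code: operation and setting names, and the `dacl_grants` field standing in for the result of the file's DAC check, are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Web permissions named in the text. Read is allowed by default; everything
# else must be assigned explicitly by the authorized administrator.
DEFAULT_WEB_PERMISSIONS = frozenset({"Access URL", "Read"})


@dataclass
class WebContent:
    web_permissions: Set[str] = field(default_factory=lambda: set(DEFAULT_WEB_PERMISSIONS))
    require_ssl: bool = False
    client_cert: str = "ignore"      # "ignore" | "accept" (negotiated) | "require"


@dataclass
class WebRequest:
    user_sid: str
    operation: str                    # "read" | "write" | "source" | "browse" | "execute"
    scheme: str                       # "http" | "https"
    client_cert: Optional[str] = None # None | "valid" | "invalid" | "revoked"
    dacl_grants: Set[str] = field(default_factory=set)  # operations the file DACL allows


# Map each operation to the web permission it needs (constructed mapping).
_NEEDED_PERMISSION = {"read": "Read", "write": "Write", "source": "Source", "browse": "Browsing"}


def iis_access(content: WebContent, req: WebRequest) -> Tuple[bool, str]:
    """Return (allowed, reason); web permissions can only restrict the DAC result."""
    if req.operation == "execute":                    # not allowed in the evaluated configuration
        return False, "execute permission is not allowed"
    if content.require_ssl and req.scheme != "https":
        return False, "SSL/TLS required but request used HTTP"
    if content.client_cert == "require" and (req.scheme != "https" or req.client_cert is None):
        return False, "client certificate required"
    if content.client_cert in ("accept", "require") and req.client_cert in ("invalid", "revoked"):
        return False, "client certificate invalid or revoked"
    if "Access URL" not in content.web_permissions:
        return False, "URL access not permitted"
    needed = _NEEDED_PERMISSION.get(req.operation)
    if needed is None:
        return False, "unknown operation"
    if needed not in content.web_permissions:         # web permission must be configured
        return False, needed + " web permission not configured"
    if req.operation not in req.dacl_grants:          # the file DACL must also allow it
        return False, "denied by file DACL"
    return True, "granted"
```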
ADFS is supported in the evaluated configurations. ADFS is provided to support single sign-on across realms (a realm represents a single unit of security administration or trust, such as a domain) in Web resource access scenarios. Authentication is performed when a client attempts to access a Web resource in a different realm from the realm that contains the user account. The first time the client's request to access the resource is received, the client does not possess a signed security token for accessing the Web server. The resource realm redirects the client request to the client's Federation Service to perform authentication. The account federation server performs the authentication using the Active Directory store and generates a signed security token. The signed security token is then embedded in a cookie that the client uses when requesting Web services from the resource realm. The ADFS extensions in the web server implement their own DACL mechanism. The extensions use the identity information in the signed token to determine access to the web content following the same rules as those defined for other controlled web content.

6.1.2.2.1 WEBUSER Data Integrity and Confidentiality
IIS protects data during transmission between the web user and the web server from unauthorized disclosure and modification by requiring that the web user use HTTPS instead of HTTP, with or without a client certificate, which is accomplished by configuring the web content object to require SSL/TLS. Additionally, by requiring SSL/TLS, IIS can determine upon receipt of data from the web user whether the data content has been modified.

6.1.2.3 Indexing Access Control
The Indexing Service is responsible for providing search results for web content. When the Indexing Service performs a search on behalf of a user, it performs an access check based on the DACL associated with each document (i.e., file) representing web content. A user must have read permission to the associated document before a reference to the web content (i.e., the file's full path name) is returned.

6.1.2.4 Content Provider Access Control
A web user that is allowed to install and modify web content is referred to as a content provider. The IIS configuration values that define the configuration of web permissions for web content objects are stored in what is referred to as a metabase file. This metabase can only be manipulated by authorized administrators. Access requests to modify web content are mediated based upon the same rules as described for web users.

6.1.2.5 IPSEC Information Flow Control and Protection
The TOE includes a homogenous set of Windows 2003/XP systems that can be connected via their network interfaces. Each Windows 2003/XP system within the TOE provides a subset of the TSFs. Therefore, the TSF for Windows 2003/XP can be a collection of SFs from an entire network of systems (in the case of domain configurations). Therefore, the TSF is considered to be the collection of the TSFs of each Windows 2003/XP system included in the TOE.
The TOE uses a suite of Internet standard protocols including IPSec and ISAKMP. IPSec can be used to secure traffic using IP addresses or port numbers between two computers or between two TSFs within the TOE. See Section 6.1.6.2, Internal TOE Protection, for further details of IPSec. Note that IPSEC and ISAKMP are not available when the TOE is configured to use IPv6 for sending or receiving network traffic.
IPSec policies specify the functions that IPSec must perform for a given outbound or inbound packet and include a list of filters to be applied to IP packet traffic. Filters can be specified to control traffic flow based upon source IP address, destination IP address, protocol, source port, or destination port. An action of permit or block can be specified within the filter for specific flows of traffic based upon source IP address, destination IP address, protocol, source port, or destination port. The TSF enforces these filters before sending any outbound packets and before allowing any inbound packets to proceed.
The TSF also prevents the disclosure and modification of user data using IPSec policies and filters. IPSEC policies and filters can be configured only by an authorized administrator and can be configured to apply actions such as encrypt or sign to specific traffic flows. IPSEC uses the Encapsulating Security Protocol (ESP) to provide data confidentiality for IP packets. ESP performs encryption using the Data Encryption Standard (DES) Cipher Block Chaining (CBC) algorithm and 3DES CBC. In addition to ESP, the TSF implements IP Authentication Header (AH). AH provides integrity, authentication and anti-replay. AH uses a hashing algorithm, such as Secure Hash Algorithm (SHA)-1, to compute a keyed message hash for each IP packet. See Section 6.1.5.2, Internal TOE Protection, for further details of IPSec.

6.1.2.6 Windows Firewall Information Flow Control
The TSF allows the authorized administrator to define a Connection Firewall policy that specifies on which ports the TSF will allow connections. This policy then enforces the blocking of all other incoming connections and allows in only traffic that is a reply to a previous outbound request. If the Windows Firewall feature is enabled by the authorized administrator, the TSF enforces the Connection Firewall policy, which blocks all unsolicited incoming packets except for packets destined for ports specified by the authorized administrator. To support this policy the TSF uses TCP/IP (IPv4 or IPv6).
When Windows Firewall is enabled, it opens and closes the communications ports that are used by authorized applications. Windows Firewall maintains a table of connections that are initiated on behalf of the other systems on the "protected" side of the local network, and inbound Internet traffic can reach the "protected" network only when the table holds a matching entry. The administrator configures which "services" will be permitted by Windows Firewall. The administrator also configures Internet Control Message Protocol (ICMP) message handling. Service settings and ICMP options are per interface. Windows Firewall supports Stateful Packet Filtering and Port Mapping.
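The two information-flow policies of Sections 6.1.2.5 and 6.1.2.6, as an added Python illustration that is not Windows code: a first-match IPSec permit/block filter list (the encrypt/sign actions are left out) and a stateful Connection Firewall whose administrator port list starts empty and which admits unsolicited inbound packets only on listed ports or as replies to recorded outbound flows. Packet fields, filter fields and the sample addresses are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" | "udp" | "icmp"
    sport: int
    dport: int


@dataclass
class IpsecFilter:
    """One IPSec filter; None in a field means 'any'."""
    action: str                  # "permit" | "block"
    src: Optional[str] = None    # CIDR
    dst: Optional[str] = None    # CIDR
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        return all(v is None or v == getattr(p, k)
                   for k, v in (("proto", self.proto), ("sport", self.sport), ("dport", self.dport)))


def ipsec_decision(filters: List[IpsecFilter], p: Packet) -> str:
    """First matching filter wins. With no filters assigned, traffic flows
    unrestricted (the default noted under FMT_MSA.3(b))."""
    for f in filters:
        if f.matches(p):
            return f.action
    return "permit"


class ConnectionFirewall:
    """Stateful Connection Firewall: the administrator's port list starts empty
    (FMT_MSA.3(c)); replies are matched against a table of outbound connections."""

    def __init__(self, allowed_ports: Set[int] = frozenset()):
        self.allowed_ports = set(allowed_ports)
        self.connections: Set[Tuple[str, str, int, int, str]] = set()

    def outbound(self, p: Packet) -> None:
        # Record the flow so its reply (addresses and ports swapped) is recognised.
        self.connections.add((p.src, p.dst, p.sport, p.dport, p.proto))

    def inbound(self, p: Packet) -> bool:
        if p.dport in self.allowed_ports:           # administrator-listed service port
            return True
        return (p.dst, p.src, p.dport, p.sport, p.proto) in self.connections


def admit_inbound(filters: List[IpsecFilter], fw: Optional[ConnectionFirewall], p: Packet) -> bool:
    """Both policies must allow the packet; a disabled firewall (None) imposes no restriction."""
    if ipsec_decision(filters, p) == "block":
        return False
    return fw is None or fw.inbound(p)
```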

6.1.2.7 RPC over HTTP Information Flow Control
The TSF permits the authorized administrator to define a RPC over HTTP Connection policy that designates the destination ports to which a RPC connection for a specific RPC server running on the TOE can connect over HTTP through the mediation of a RPC over HTTP proxy subcomponent. All requests to destination ports from RPC server machines other than those specified in the connection rules will be rejected. The enforcement is on the requesting machine. By default, a client that contacts a RPC over HTTP proxy subcomponent to tunnel RPC over HTTP calls cannot access any RPC server processes except the RPC server process running on the same machine as the RPC over HTTP proxy. To enable a client to tunnel to a RPC server process on another machine on the TOE, the authorized administrator must add a registry entry to the RPC over HTTP Proxy's list of valid ports.

6.1.2.8 Residual Data Protection Function
The TOE ensures that any previous information content is unavailable upon allocation to subjects and objects. The TSF ensures that resources exported to user-mode processes do not have residual information in the following ways:
- All objects are based on memory and disk storage. Memory allocated for objects is either overwritten with all zeros or overwritten with the provided data before being assigned to an object. [10] Objects stored on disk are restricted to only the disk space used for that object. Read/write pointers prevent reading beyond the space used by the object. Only the exact value of what is most recently written can be read and no more. For varying length objects, subsequent reads only return the exact value that was set, even though the actual allocated size of the object may be greater than this.
- Subjects have associated memory and an execution context. The TSF ensures that the memory associated with subjects is either overwritten with all zeros or overwritten with user data before allocation as described in the previous bullet for memory allocated to objects. In addition, the execution context (registers) is initialized when new threads within a process are created and restored when a thread context switch occurs.
SFR Mapping: The User Data Protection function satisfies the following SFRs:
- FDP_ACC.2(a) - The SRM mediates all access to objects, including kernel-based objects and user-mode TSF server-based objects. All access to objects is predicated on the SRM validating the access request. In the case of most objects, this DAC validation is performed on initial access (e.g., "open") and subsequent use of the object is via a handle that includes a granted access mask. For some objects (in particular DS objects), every reference to the object requires a complete DAC validation to be performed. The TSF mediates read access by subjects to encrypted files by protecting user and recovery private keys and using those keys to protect the FEK.
- FDP_ACF.1(a) - The TSF enforces access to user objects based on SIDs and privileges associated with subjects contained in tokens (the impersonation token, if one exists), and the security descriptors for objects. The rules governing the access are defined as part of the DAC algorithm described above. The TSF uses the FEKs associated with the file and protected using authorized users' private keys to protect the encrypted file contents.
- FDP_ACC.2(b), FDP_ACC.2(c), FDP_ACF.1(b), FDP_ACF.1(c) - The TSF enforces access to web server content based upon the web user's identity and group memberships, the DACL associated with the object, URL authorization, and web permissions. The WEBUSER policy rules govern access to read the web content and modify the web content if specifically authorized (FDP_ACC.2(b), FDP_ACF.2(b)). The CONTENTPROVIDER policy rules govern access primarily to control the ability to make web content available to web users and to modify web content (FDP_ACC.2(c), FDP_ACF.2(c)).
- FDP_ACC.1(d), FDP_ACF.1(d) - The Indexing Service part of the TSF restricts access to view the results of web content searches based on DACLs. Users must have read permission to the documents before a reference to the documents (i.e., file full path names) is returned.
[10] For APIs that create objects, the caller may provide data to initialize the object.
- FDP_IFC.1(a), FDP_IFF.1(a) - The TSF controls the flow of traffic from one Windows 2003/XP system's TSF to another using IPSec's capability to enforce filters that can be configured to restrict the flow of traffic based upon source IP address, destination IP address, source port, destination port, and protocol.
- FDP_IFC.1(b), FDP_IFF.1(b) - The TSF controls the flow of traffic into a Windows 2003/XP system's TSF by providing the capability to block all unsolicited traffic with the exception of traffic targeted to ports specified by the authorized administrator.
- FDP_IFC.1(c), FDP_IFF.1(c) - The TSF controls the flow of RPC over HTTP traffic between distributed portions of the TSP based on the destination port associated with a specific RPC server being specified in the RPC over HTTP Proxy's list of valid ports.
- FDP_UCT.1, FDP_UIT.1 - The TSF protects data during transmission between the web user and the web server from unauthorized disclosure and modification by requiring that SSL/TLS is used to support this communication.
- FDP_ITT.1 - The TSF prevents the disclosure and modification of user data using IPSec encryption and digital signature capabilities when user data is transmitted between different systems.
- FMT_MOF.1(d) - Only an authorized administrator can modify the values in the metabase, which include the IIS configuration. These values define permissions to web content.
- FMT_MSA.1(a) - The ability to change the DAC policy is controlled by the ability to change an object's DACL. The following are the four methods by which DACL changes are controlled:
  o Object owner - Has implicit WRITE_DAC access.
  o Explicit DACL change access - A user granted explicit WRITE_DAC access on the DACL can change the DACL.
  o Take owner access - A user granted explicit WRITE_OWNER access on the DACL can take ownership of the object and then use the owner's implicit WRITE_DAC access.
  o Take owner privilege - A user with the SeTakeOwner privilege can take ownership of the object and then use the owner's implicit WRITE_DAC access.
- FMT_MSA.1(c) - The ability to change the security attributes upon which the IPSec Filter Policy is based is restricted to the authorized administrator.
- FMT_MSA.1(d) - The ability to change the security attributes upon which the Connection Firewall Policy is based is restricted to the authorized administrator.
- FMT_MSA.1(e), FMT_MSA.1(f) - The ability to change the security attributes upon which the WEBUSER and CONTENTPROVIDER policies are based is restricted to the authorized administrator.
- FMT_MSA.1(g), FMT_MSA.1(h) - The ability to change the security attributes upon which the INDEXING and RPC over HTTP Connection policies are based is restricted to the authorized administrator.
- FMT_MSA.3(a) - The TSF provides restrictive default values for the security attributes used to provide access control via the process's default DACLs, which only allow access to SYSTEM and the user creating the object. Users who create objects can specify a SD with a DACL to override the default. The initial keys are cryptographically generated and cannot be modified.
- FMT_MSA.3(b) - Filters can be defined and assigned to restrict traffic flow from one TSF to another. However, by default, there are no filters assigned and traffic is allowed to flow in an unrestricted manner. Only the authorized administrator can define or modify the IPSec filters that specify the rules for traffic flow.
- FMT_MSA.3(c) - By default, the list of ports on which the TSF will allow unsolicited traffic into a Windows 2003/XP system's TSF is empty. Only the authorized administrator can specify ports for which unsolicited traffic will be accepted. However, the firewall feature is optional and can be disabled in the evaluated configuration, in which case no restriction on traffic flow is enforced.
- FMT_MSA.3(d), FMT_MSA.3(e) - By default, only read access to web content is allowed and only an authorized administrator can define the configuration of the web permissions associated with the web content in the metabase.
- FMT_MSA.3(f) - By default, only read access to documents is allowed and only an authorized administrator, document owner, or a user who has been granted WRITE_DAC access to the documents can define the permissions associated with the documents residing within a specific search scope maintained by the Index Service.
- FMT_MSA.3(g) - By default, the RPC server process can only be accessed through a RPC over HTTP proxy if the RPC server process runs on the same machine as the RPC over HTTP proxy. Authorized administrators can change the connection rules to permit connections to remote machines.
- FMT_REV.1(b) - The ability to revoke access to an object is controlled by the ability to change the DACL and is governed by the same conditions as FMT_MSA.1 above. The changed DACL is effective upon subsequent access checks against the object.
- FMT_MSA.1(b) - The TSF associates private keys with users. Only the owner of the private key used to protect the FEK associated with the file, or an administrator or subject with a specific privilege, can delete the FEK.
- FDP_RIP.2 - The TSF ensures that the previous information contents of resources used for new objects are not discernable in the new object via zeroing or overwriting of memory and tracking of read/write pointers for disk storage.
- Note1_EX - Every process is allocated new memory and an execution context. Memory is zeroed or overwritten before allocation. The execution context is initialized or restored when threads are created or when a context switch occurs.
6.
1.
3CryptographicProtectionTheTOECryptProtectDataandCryptUnprotectDatafunctionsencryptanddecryptdatablockspreventingthedatafrombeingdecryptedbyunauthorizedusers.
ThesefunctionsareusedinternallybytheTOEaswellasbyusers.
TheTSFusesthisfunctiontoencrypttheprivatekeysusedbytheRivest,ShamirandAdleman(RSA)public-key-basedencryptionalgorithmwhichareusedtodecrypttheFEKs(FEKaredescribedtheDACEnforcementofEncryptedFiles).
Userscanusethesefunctionstoencryptanddecryptrawdatablocksattheirdiscretion.
Uponarequesttoencryptdata,theTSFcreatesarandom,symmetrickey,knownastheuser'smasterkeytoencrypttheuserdata.
Theintegrityoftheuser'smasterkeyisensuredbytheTSFbasedonSHA-1Hash-BasedMessageAuthenticationCode(HMAC)whichusesahashoftheuser'smasterkey,andahashoftheuser'sSIDwiththeuser'slogonpassword(credential).
Abackupkeyoftheuser'smasterkeyisalsocalculatedbasedonabackup/restorekeyofaDC,ifpresent.
ThekeysizeisbasedontheDESor3DESalgorithmusedforencryption,andis56or168bits.
Usingtheuser'smasterkey,theTSFencryptsthedataandtheencrypteddataisreturnedtotheuser.
Uponarequesttodecryptdataprovidedbytheuser,theTSFusestheuser'smasterkeytodecryptthedata.
Ifthedecryptionfails,theuserdoesnotreceiveanydata.
Whendiscoveringtheuser'smasterkey,theTSFperformsaMessageAuthenticationCode(MAC)checktoverifyproperdecryptionoftheuser'smasterkey.
IftheMACchecksucceeds,themasterkeyisusedtodecrypttheuser'sdata.
IftheMACcheckfails,thentheTSFattemptstodecryptthedatausingthebackup/restoremasterkey.
Thismaybenecessaryiftheuser'spasswordhaschanged.
TheTSFverifiesthattheuserisauthorizedtothebackup/restoremasterkeybycomparingtheSIDextractedusingthebackup/restoremasterkeytotheSIDofthecaller.
Ifthecallerisauthorizedtothebackup/restoremasterMicrosoftCorporation,2008AllRightsReserved.
104Version3.
0,11/19/07key(e.
g.
,theSIDsmatch),thenthebackup/restoremasterkeyisusedtodecryptthedata.
Ifthisdecryptionfailsalso,theuserdoesnotreceiveanydata.
The encryption and decryption operations are performed by independent modules, known as Cryptographic Service Providers (CSPs). The CSPs are FIPS 140 Level 1 compliant. The FIPS 140 standard was developed by the National Institute of Standards and Technology (NIST). FIPS 140, titled "Security Requirements for Cryptographic Modules," specifies the U.S. government's requirements for proper design and implementation of hardware and software cryptographic modules that perform cryptographic operations for sensitive but unclassified information. FIPS 140 has been adopted by the Canadian Communication Security Establishment (CCSE) and the American National Standards Institute (ANSI). FIPS 140 is widely regarded as a de facto standard for cryptographic modules.

In addition to encryption and decryption services, the TSF provides other cryptographic operations such as hashing, key exchange, and digital signatures. The TSF also provides a pseudorandom number generation capability.
These cryptographic capabilities are designed to conform to published standards, and compliance with these cryptographic standards has been demonstrated as follows:

Table 6-3 Cryptographic Standards and Evaluation Method

Cryptographic Operation | Standard | Evaluation Method
Encryption/Decryption | FIPS 46-3 DES (ECB and CBC modes) | FIPS 140-2 Certified (382)
Encryption/Decryption | FIPS 46-3 3DES (ECB and CBC modes) | FIPS 140-2 Certified (382)
Encryption/Decryption | FIPS 197 (Advanced Encryption Standard (AES)) | FIPS 140-2 Certified (382)
Encryption/Decryption | PKCS #1 (RSAES-PKCS1-v1_5) | Vendor Assertion
HMAC | FIPS-198 HMAC (SHA-1) | FIPS 140-2 Certified (382)
Hash | FIPS-180-2 SHA-1, SHA-256 [11], SHA-384 [12], SHA-512 [13] | FIPS 140-2 Certified (382)
Random number generation | None | Vendor Assertion
Key exchange | DH (Ephemeral-Ephemeral) | Vendor Assertion
Key Generation | Software RNG (FIPS 46-3 3DES and DES) | Vendor Assertion
Key Generation | Software RNG (FIPS 197 AES) | Vendor Assertion
Key Generation | Prime RNG for RSA | Vendor Assertion
Key Generation | RNG (FIPS 186-2 DSA) | Vendor Assertion
Key Generation | RNG (DH) | Vendor Assertion
Key Distribution | PKCS #5 V2.0 (Password-Based Encryption Standard) | Vendor Assertion
Key Zeroization | FIPS 140-1 or FIPS 140-2 [14] | FIPS 140-2 Certified (382)
Key Storage | PKCS #5 V2.0 (Password-Based Encryption Standard), using FIPS-180-2 SHA-1 and FIPS-46-3 Triple DES | Vendor Assertion

[11] SHA-256 is available on the 2003 Server product only.
[12] SHA-384 is available on the 2003 Server product only.
[13] SHA-512 is available on the 2003 Server product only.

The TSF applies validation techniques (e.g., hash) to validate the CryptProtectData-encrypted FIPS-186-2 DSA and FIPS-186-2/PKCS #1 private asymmetric cryptographic keys when they are obtained via the distribution method or via the storage method.
The TSF checks the hash of the encrypted data (which is meant to be a CryptProtectData-encrypted private key). The TSF provides a means to ensure that FIPS-186-2 DSA and FIPS-186-2/PKCS #1 private asymmetric cryptographic keys are associated with the correct entities (i.e., person) to which the keys are assigned. The private keys are encrypted with a user master key. The TSF encrypts the user master key with a SHA-1 hash of the logon password of the key owner.

The TSF uses PKCS #5 V2.0 (Password-Based Encryption Standard), using FIPS-180-2 SHA-1 and FIPS-46-3 3DES, in the process to store FIPS-186-2 DSA and FIPS-186-2/PKCS #1 private asymmetric cryptographic keys. The TSF encrypts the private keys with a master key using 3DES, and the master key is encrypted using the PKCS #5 format with a SHA-1 hashing of the key owner's interactive logon password. The encrypted private keys and encrypted master keys are written to their persistent files. These files are stored in a subdirectory of the user profile so that they can be loaded when the profile owner logs on to a machine. The key storage effect is achieved because the encrypted private keys and encrypted master keys are stored in their persistent files in the user profile. User profiles can be centrally maintained by the TSF domain controllers. The key distribution effect is achieved because the user profile files can be downloaded from a TSF domain controller when the user logs on to a machine.
For RSA key generation, pseudo-random seeds are not put through the SHA-1 process before they are used in RSA key generation (as they are in the case of DSA or DH key generation). The details of the element types that contribute to a pseudo-random seed computation are documented in the NIST-approved security policy documents associated with the above FIPS-140 certificates on the NIST web site. A pseudo-random value is used as the starting point of an array representing consecutive odd integers. The length of the array depends upon the size of the prime sought. The array is then sieved by finding multiples of each small prime (about a thousand small primes). Surviving candidates (starting from the smallest) are then each put through four iterations of Miller-Rabin until one is found that passes. If no prime is found, a new random starting value is selected and the process is repeated until a prime is found. Resetting the starting value when a new sieve is required limits the bias introduced by the sieving method.
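The sieve-then-Miller-Rabin search just described, written out as an added example (not the crypto module's own code): a random odd start, a window of consecutive odd integers sieved against the first thousand small primes, survivors tested smallest first with four Miller-Rabin rounds, and a fresh random start whenever a window yields nothing. The window length (twice the bit size), the use of Python's `random` module as the seed source, and the function names are assumptions of this example; the DH/DSA path (one Miller-Rabin plus one Lucas test) is not modelled.

```python
"""Prime search by sieving a window of consecutive odd integers, then Miller-Rabin.

Added example following the text; window size, RNG and names are assumptions.
"""
import random
from typing import List, Optional


def first_primes(count: int) -> List[int]:
    """The first `count` primes by trial division ("about a thousand" in the text)."""
    primes: List[int] = []
    n = 2
    while len(primes) < count:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes


SMALL_PRIMES = first_primes(1000)


def miller_rabin(n: int, rounds: int, rng: random.Random) -> bool:
    """Probable-prime test with `rounds` random bases (after small-prime trial division)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness of compositeness
    return True


def sieve_window(start: int, length: int) -> List[bool]:
    """Slot i stands for start + 2*i (start odd); False once a small prime divides it."""
    alive = [True] * length
    for p in SMALL_PRIMES[1:]:  # skip 2: every candidate is odd
        # solve start + 2*i == 0 (mod p) for the first slot i, then step by p
        i = (-(start % p) * pow(2, -1, p)) % p
        for j in range(i, length, p):
            if start + 2 * j != p:  # never sieve out the small prime itself
                alive[j] = False
    return alive


def generate_prime(bits: int, rng: Optional[random.Random] = None,
                   window: Optional[int] = None, mr_rounds: int = 4) -> int:
    rng = rng or random.SystemRandom()
    window = window or 2 * bits  # assumed: the window grows with the prime size
    while True:
        # random odd starting point of the required bit length
        start = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        alive = sieve_window(start, window)
        for i, ok in enumerate(alive):  # survivors, smallest first
            if not ok:
                continue
            candidate = start + 2 * i
            if candidate.bit_length() != bits:
                break  # ran past the top of the range; resieve from a new start
            if miller_rabin(candidate, mr_rounds, rng):
                return candidate
        # no prime in this window: a fresh random start limits the sieve's bias
```

Note the two places where bias can creep in and how the text's procedure addresses them: choosing the smallest survivor favours primes that follow long gaps, and continuing the same window after a miss would compound that, so the start value is re-drawn instead of the window being extended.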
The primality test for DH/DSA primes goes through one Miller-Rabin and one Lucas test. The mechanism to generate a seed for a DSA key pair is the same mechanism for which the crypto module has received the FIPS-140-2 DSA Certificate. The details of the element types that contribute to a seed computation are documented in the NIST-approved security policy documents associated with the above FIPS-140 certificates on the NIST web site. Therefore, the entropy value for the mechanism is at least that of any FIPS-140 validated crypto module. DSA key generation requires a pseudo-random seed to go through the SHA-1 process with all the mandatory checks for receiving the FIPS-140 certificates. The DSA prime values p and q are generated using the algorithm of FIPS-186-2 Appendix 2.2. The G value is generated using FIPS-186-2 Appendix 4.
SFR Mapping: The Cryptographic Protection function satisfies the following SFRs:

FCS_COP.1(a) – The TSF uses the DES or 3DES (56-bit or 168-bit key sizes) algorithm to encrypt user data and only allows the user who encrypted the data to decrypt the data by ensuring that the SID of the subject requesting decryption is the same as the SID of the subject that requested encryption of the data.
FCS_COP.1(a)–(j) – See Table 6-3 Cryptographic Standards and Evaluation Method.
FCS_CKM.1(a)–(e) – See Table 6-3 Cryptographic Standards and Evaluation Method.
FCS_CKM.2, FCS_CKM.4 – See Table 6-3 Cryptographic Standards and Evaluation Method.
FCS_CKM_EX.1 – The TSF validates keys by checking the hash.
FCS_CKM_EX.2 – The TSF ensures the private keys are associated with the entities by encrypting the keys with a hash of the password of the key owner. The TSF stores private keys in PKCS #5 in a subdirectory within the user's profile.

[14] FIPS 140-1 and 140-2 certification includes specific key zeroization requirements.
6.1.4 Identification and Authentication Function

The TOE requires each user to be identified and authenticated prior to performing TSF-mediated functions on behalf of that user, with a few exceptions, regardless of whether the user is logging on interactively or is accessing the system via a network connection. One exception is the function allowing a user to shut the system down; however, an authorized administrator may disable even that function if it is not appropriate for a given environment. The other exception is access to the web server when anonymous authentication is allowed (as described in the WEBUSER Access Control section), during which a web server request is serviced without prompting the client for identification and authentication, even though that client has been authenticated prior to making a web server request in the evaluated configuration.
6.1.4.1 Logon Type

The TOE supports six types of user logon: interactive ("Log on locally"), network ("Access this computer from Network"), batch ("Log on as a batch job"), service ("Log on as a service"), unlock ("Unlock screen saver"), and Network_ClearText ("Anonymous authentication to IIS"). The interactive logon type is for users who will be interactively using the system, such as a user being logged on at a workstation console. The network logon type is used when a user logs on to a remote network server to access resources. The batch logon type is intended for batch servers, where processes may be executing on behalf of a user without their direct intervention (e.g., COM servers). The service logon type is used when a service process is started to provide a user context in which that service will operate. The unlock logon type is used when a user is forced to re-authenticate interactively after a specified time of inactivity. The Network_ClearText logon type is used when IIS is configured to not require a client requesting IIS services to re-authenticate, and assigns a specified account for users to be associated with the anonymous connection. In the evaluated configuration IIS will only accept requests from authenticated clients. Each of the logon types has a corresponding user logon right that can be assigned to user and group accounts to control the logon methods available to users associated with those accounts.
6.1.4.2 Trusted Path and Re-authentication

For initial interactive logon, a user must invoke a trusted path in order to ensure the protection of identification and authentication information. The trusted path is invoked by using the Ctrl+Alt+Del key sequence, which is always captured by the TSF (i.e., it cannot be intercepted by an untrusted process), and the result will be a logon dialog that is under the control of the TSF. Once the logon dialog is displayed, the user can enter their identity (user name and domain) and authentication (password). For remote logon, a user must first log on interactively, for which a trusted path is provided (as described above). Additionally, the TSF uses IPSec to provide a trusted path between TSFs to ensure the protection of the I&A information transferred between TSFs.

A user can change their password either during the initial interactive logon or while logged on. To change a user's password, the user must invoke the trusted path by using the Ctrl+Alt+Del key sequence. The logon dialog displayed allows the user to select an option to change their password. If selected, a change password dialog is displayed which requires the user to enter their current password and a new password. The TSF will change the password only if the TSF can successfully authenticate the user using the current password that is entered (see section Logon Process for a description of the authentication process). Other actions that require the user to invoke the trusted path by using the Ctrl+Alt+Del key sequence and re-authenticate themselves are: initial user authentication with a smart card, changing passwords, and session unlocking (see section TOE Access Function).
6.1.4.2.1 Logon Banner

An authorized administrator can configure the interactive logon screen to display a logon banner with a title and warning. This logon banner will be displayed immediately before the interactive logon dialog (see above) and the user must select "OK" to exit the banner and access the logon dialog.
6.1.4.3 User Attribute Database

6.1.4.3.1 User and Group Accounts Definitions

Each TSF maintains databases (collectively referred to as the user attribute database) that fully define user and group accounts. These definitions include:

- Account name – used to represent the account in human-readable form;
- SID – a User Identifier (UID) or group identifier used to represent the user or group account within the TOE;
- Password (only for user accounts) – used to authenticate a user account when it logs on (stored in hashed form and encrypted when not in use using the Rivest's Cipher (RC) 4 algorithm and an RC4 system-generated key);
- Private/Public Keys – used to encrypt and decrypt a user's FEK;
- Groups – used to associate group memberships with the account;
- Privileges – used to associate TSF privileges with the account;
- Logon rights – used to control the logon methods available to the account (e.g., the "log on locally" right allows a user to interactively log on to a given system);
- Smart Card Policy – used to require a smart card to log on;
- Miscellaneous control information – used to keep track of additional security-relevant account attributes such as allowable periods of usage, whether the account has been locked, whether the password has expired, password history, and time since the password was last changed; and,
- Other non-security relevant information – used to complete the definition with other useful information such as a user's real name and the purpose of the account.

The actual composition of the user attribute database depends upon the type of TSF (e.g., stand-alone, domain member, DC). Specifically, the TOE allows the establishment of domains. Domains are used to allow a collection of TSFs to share a common set of policies and accounts. This is accomplished by establishing DCs that instantiate AD services (every TSF with the AD service is a DC) that define policies and accounts to be shared by TSFs in the domain. Note that group policies (see Security Management) can also be defined in the AD that apply to selected TSFs (e.g., systems) and accounts within the domain.

If a TSF is not a domain member, it will have only its own user attribute database. If a TSF is a domain member, but not a DC, it will also have its own user attribute database. However, the policies and accounts of its DC will logically be included in that TSF's user attribute database. If a TSF is a DC, its user attribute database is defined within its AD and is generally shared with other TSFs in the domain.

In a domain, a user attribute database can be logically extended even further through trust relationships. Each DC can be configured to trust other domains. The result is that accounts from trusted domains can be used to access the trusting domain. A forest is a set of one or more trees that do not form a contiguous namespace. The TSF allows a forest to enforce constraints on which users it trusts the other forest to authenticate. This allows all domains in one forest to (transitively) trust all domains in another forest via a single trust link between the two forest root domains. This cross-forest authentication enables secure access to resources when the user account is in one forest and the computer account is in another forest. A computer account is a user account where the user identity of the account is a computer identity belonging to a Windows domain.
6.1.4.3.2 Account Policies

Complementary to the user account database is the account policy that is defined on each TSF and in each domain. The account policy is controlled by an authorized administrator and allows the definition of a password and account lockout policy with respect to interactive logons. The password policy includes:

- The number of historical passwords to maintain, to restrict changing passwords back to a previous value;
- The maximum password age before the user is forced to change their password;
- The minimum password age before the user is allowed to change their password; and,
- The minimum password length when changing to a new password (0-14).

The account lockout policy includes:

- Duration of the account lockout once it occurs;
- Number of failed logon attempts before the account will be locked out; and,
- The amount of time after which the failed logon count will be reset.

These policies allow the TSF to make appropriate decisions and change user attributes in the absence of an authorized administrator. For example, the TSF will "expire" a password automatically when the maximum password age has been reached. Similarly, it will lock an account once a predefined number of failed logon attempts have occurred and will subsequently only unlock the account as the policy dictates. These policies also serve to restrict features available to authorized users (e.g., frequency of password change, size of password, reuse of passwords).
6.1.4.4 Logon Process

All logons are treated essentially in the same manner regardless of their source (e.g., interactive logon dialog, network interface, internally initiated service logon). They begin with an account name, domain name (which may be NULL, indicating the local system), and password that must be provided to the TSF. The domain name indicates where the account is defined. If the local TSF (or NULL) is selected for the domain name, the local user account database is used. Otherwise the user account database on the target TSF's DC will be used. If the domain name provided does not match that of the DC, the DC will attempt to determine whether the target domain is a trusted domain. If it is, the trusted domain's user account database will be used. Otherwise, the logon attempt will fail.

At this point, two types of logon may occur: NTLM or Kerberos. Kerberos is the default logon method and will be used if a Kerberos KDC is available. Generally, each DC includes a KDC in addition to its AD. If no KDC is available, NTLM will be used. In the evaluated configuration a KDC is available to each DC.

There are two primary differences between NTLM and Kerberos logons. The first is that NTLM requires that the user name and a hashed version of the password be sent to the appropriate DC (or local TSF for a local account). The receiving TSF will compare the provided hashed password with the version stored in its database for the user identified by the user name. If the hashed passwords match, authentication is successful. Kerberos, on the other hand, requires that a time-stamped logon request be partially encrypted with the hashed password. The encrypted request is sent to the appropriate DC, which in turn looks up the user's hashed password in its database. The hashed password is used to decrypt the logon request. If the decrypt operation succeeds and the logon request has an appropriate timestamp (i.e., within a time period set by an authorized administrator), authentication is successful. In either case, a successful authentication yields the user's SID and the SIDs of the user's groups as defined on the authenticating DC (or local TSF for a local account). Note that a failed authentication attempt yields an increment in failed logon attempts for the user account and may result in the account being locked out (i.e., unable to log on).

The second primary difference between NTLM and Kerberos logon is in how subsequent requests for service (i.e., network logons) will occur. In the case of NTLM, the user must log on to every TSF in order to obtain a service (e.g., access to a file). These will be network logons and will essentially follow the same process as the initial interactive logon. A Kerberos logon yields a Ticket Granting Ticket that is used to subsequently request Service Tickets from the KDC each time the user process wants to access a network service. The Service Ticket, containing some of the user's security attributes, will serve to authenticate the user rather than effectively requiring re-authentication using a hashed password.

Once a successful authentication occurs, the TSF will query its AD (via its DC), if applicable, for group policies relevant to the user that is attempting to log on. The TSF will use its user attributes database (including domain properties, such as from a group policy) to derive additional security attributes for the user (e.g., privileges and user rights). The TSF will then ensure that any logon constraints defined in its user attributes database (including domain properties applicable to the user) are enforced prior to completing a successful logon. If there are no constraints that would prevent a successful logon, a process (or thread, when the logon server is going to impersonate the user) is created and assigned a token that defines a security context based on the attributes collected during the logon process (user and group SIDs, privileges, logon rights, as well as a default DACL created by the logon process).

When a Web site or another computer requests authentication through NTLM or Kerberos, an Update Default Credentials or Save Password check box appears in the NetUI dialog box. If the user selects the check box, the Credential Manager keeps track of the user's name, password, and related information for the authentication service in use. The next time that service is used, the Credential Manager automatically supplies the stored credential. If it is not accepted, the user is prompted for the correct access information. If access is granted, the Credential Manager overwrites the previous credential with the new one.
6.1.4.4.1 Smart Card Logon Processing

The TOE offers the ability to authenticate with a smart card in addition to authentication with a password. The smart card logon process begins when the user inserts a smart card into a smart card reader attached to the computer. When the TOE is configured for smart card logon, the insertion of the card signals the Secure Attention Sequence (SAS), just as the key combination Ctrl+Alt+Del signals the SAS on computers configured for password logon. In response, the TOE forces the display of a logon dialog box and the user is prompted to provide a PIN. Note that the PIN is required by the smart card, which is not part of the TOE. As such, it is assumed that users will physically protect their smart cards, and the smart card requirement to provide a PIN for access serves only as an extra, unevaluated mechanism offered by the TOE environment.

The user's logon information is sent to the LSA just as it is with a user name/password logon. The LSA Kerberos authentication package uses the PIN for access, via the Smart Card Helper RPC Interfaces, to the smart card. The smart card contains the user's private key along with an X.509 v3 certificate that contains the public half of the key pair. The cryptographic operations that use these keys take place on the smart card. After the initial private-key authentication, standard Kerberos protocols for obtaining session tickets are used to connect to network services. When the KDC is not available in the case of a smart card cached logon request, the verification information (e.g., supplemental credentials) is provided by the MSV1_0 authentication package. The behavior of the TOE with respect to smart card removal is governed by a registry value which dictates which of the following actions will occur as a reaction to the removal of the smart card: no action, the workstation is locked, or a logout is forced.
6.1.4.4.2 Network Logon Support

PK-certificate network logon is supported by the TLS/SSL Security Provider that implements the Microsoft Unified Security Protocol Provider security package. This package provides support for four network security protocols, namely SSL versions 2.0 and 3.0 and TLS version 1.0. In the TOE, security package APIs are not directly accessible; rather they are accessed via LSA Authentication APIs. The TLS/SSL Security Provider authenticates connections, and/or encrypts messages between clients and servers. When an application needs to use a network resource on an authenticated channel, the LSA accesses the TLS/SSL Security Service Provider (SSP) via the SSP interfaces.

Digest network logon is supported by the Microsoft Digest Access Authentication Package. Digest performs user authentication for LSA Authentication in support of network logon attempts. Interactive logons cannot be performed using Digest Access. Digest implements a network security protocol, in this case digest challenge/response authentication, that supports remote network logon user authentication and other network security services according to RFC 2617, "HTTP Authentication: Basic and Digest Access Authentication."
6.1.4.5 Impersonation

In some cases, specifically for server processes, it is necessary to impersonate another user in order to ensure that access control and accountability are performed in an appropriate context. To support this, the TSF includes the ability for a server to impersonate a client. As described above, each process has a token that primarily includes account SIDs, privileges, logon rights, and a default DACL. Normally, each thread within a process uses the process's token for its security context. However, a thread can be assigned an impersonation token that would be used instead of the process's token when making access checks and generating audit data. Hence, that thread is impersonating the client that provided the impersonation token. Impersonation stops when the impersonation token is removed from the thread or when the thread terminates.

When communicating with a server, the client can select an impersonation level that constrains whether and how a server may impersonate the client. The client can select one of four available impersonation levels: anonymous, identify, impersonate, and delegate. Anonymous allows the server to impersonate the client, but the impersonation token doesn't contain any client information. Identify allows the server to impersonate the client to perform access checks. Impersonate allows the server to impersonate the client's entire security context to access resources local to the server's TSF. Delegate allows the server to impersonate the client on local and remote TSFs.
6.1.4.6 Restricted Tokens

Whenever a process is created, or a thread is assigned an impersonation token, the TSF allows the caller to restrict the token that will be used in the new process or impersonation thread. Specifically, the caller can remove privileges from the token, assign a deny-only attribute to SIDs, and specify a list of restricting SIDs. The following pertains:

- Removed privileges are simply not present in the resulting token.
- SIDs with the deny-only attribute are used only to identify access-denied settings when checking for access, but ignore any access-allowed settings.
- When a list of restricting SIDs is assigned to a token, access is checked twice: once using the token's enabled SIDs and again using the restricting SIDs. Access is granted only if both checks allow the desired access.
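The three rules above, applied to a DACL, as an added example (a simplified model, not the TSF's access-check implementation): privileges removed from a restricted token are simply absent, deny-only SIDs can match deny ACEs but never allow ACEs, and a token with restricting SIDs must pass the check a second time with only those SIDs matching. The `Ace`/`Token` layout, the access-mask bits and the treatment of deny-only SIDs during the second pass are assumptions of this example.

```python
"""DACL access check for normal and restricted tokens (added example, not the TSF).

Token/ACE layout and names are simplified assumptions; the two-pass rule and
the deny-only behaviour follow the text.
"""
from dataclasses import dataclass, field
from typing import List, Set

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


@dataclass
class Ace:
    kind: str  # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class Token:
    user_sid: str
    enabled_sids: Set[str]  # user SID plus group SIDs
    privileges: Set[str] = field(default_factory=set)
    deny_only_sids: Set[str] = field(default_factory=set)
    restricting_sids: Set[str] = field(default_factory=set)


def restrict_token(token: Token, remove_privileges=(), deny_only=(), restricting=()) -> Token:
    """Build the restricted token a caller may request for a new process or thread."""
    deny_only = set(deny_only) & token.enabled_sids
    return Token(
        user_sid=token.user_sid,
        enabled_sids=token.enabled_sids - deny_only,
        privileges=token.privileges - set(remove_privileges),  # simply absent afterwards
        deny_only_sids=token.deny_only_sids | deny_only,
        restricting_sids=set(restricting),
    )


def _check_pass(dacl: List[Ace], desired: int, match: Set[str], deny_only: Set[str]) -> bool:
    """One ordered pass over the DACL: a matching deny ACE on any still-wanted
    bit denies outright; allow ACEs clear bits until nothing remains."""
    remaining = desired
    for ace in dacl:
        if ace.kind == "deny" and ace.sid in (match | deny_only):
            if ace.mask & remaining:
                return False
        elif ace.kind == "allow" and ace.sid in match:  # deny-only SIDs never grant
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def access_check(token: Token, dacl: List[Ace], desired: int) -> bool:
    if not _check_pass(dacl, desired, token.enabled_sids, token.deny_only_sids):
        return False
    if token.restricting_sids:
        # second pass: only restricting SIDs may grant (assumed: deny-only SIDs
        # still deny here); both passes must agree before access is granted
        return _check_pass(dacl, desired, token.restricting_sids, token.deny_only_sids)
    return True
```

Running the checks with a deny-only "Administrators" SID shows the practical effect: the token keeps its identity for auditing and for deny ACEs, but no allow ACE written for that group grants it anything, which is what makes the restricted token safe to hand to a less trusted process.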
6.1.4.7 Strength of Authentication

As indicated above, the TSF provides a set of functions that allow the account policy to be managed. These functions include the ability to define account policy parameters, including minimum password length. The minimum password length can be configured to require as many as 14 characters. However, the administrator guide recommends that the minimum password length be configured to no less than eight (8) characters (with at least 90 available characters, the password space is 4,304,672,100,000,000 available combinations). Therefore, in the evaluated configuration, the probability that a random attempt will succeed is less than one (1) in 5 x 10^15, and the probability that a random attempt will succeed, for multiple attempts within one minute, is less than one (1) in 25 x 10^12. During authentication, the TSF will not provide feedback that will reduce the probability below the metrics identified above. Furthermore, the TSF forces a delay between attempts, such that there can be no more than ten (10) attempts per minute. For each subsequent failed logon following five (5) consecutive failed logon occurrences in the last 60 seconds, the Winlogon/Graphical Identification and Authentication (GINA) subcomponent sleeps for 30 seconds before showing a new logon dialog. It therefore supports the I&A function that no more than ten (10) interactive logon attempts are possible in any 60 second (one minute) period.
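The account lockout policy from the Account Policies section (lockout duration, failure threshold, and the reset window for the failed-logon count) together with the GINA delay rule just stated, modelled as an added example so the "no more than ten attempts per minute" bound can be checked on a simulated clock. This is not Winlogon's code; class and function names, the simulated clock, and the assumption that a dialog is answered one second after it appears are all this example's own.

```python
"""Account lockout state machine and interactive logon throttle (added example).

The lockout follows the three policy values listed under Account Policies; the
throttle follows the GINA rule (after five consecutive failures within 60 s,
each further failure delays the next dialog by 30 s).  Times are seconds on a
simulated clock; names are assumptions, not the TSF's.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    threshold: int      # failed attempts before lockout (0 disables lockout)
    reset_after: float  # seconds without a failure after which the count resets
    duration: float     # seconds the account stays locked


@dataclass
class AccountState:
    failed: int = 0
    last_failure: Optional[float] = None
    locked_until: Optional[float] = None


class AccountLockout:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, sid: str) -> AccountState:
        return self.accounts.setdefault(sid, AccountState())

    def is_locked(self, sid: str, now: float) -> bool:
        st = self._state(sid)
        if st.locked_until is not None and now < st.locked_until:
            return True
        st.locked_until = None  # lockout duration elapsed: unlock as the policy dictates
        return False

    def attempt(self, sid: str, password_ok: bool, now: float) -> str:
        """Returns 'locked', 'ok' or 'failed'. A locked account rejects even the right password."""
        st = self._state(sid)
        if self.is_locked(sid, now):
            return "locked"
        if st.last_failure is not None and now - st.last_failure >= self.policy.reset_after:
            st.failed = 0  # reset window expired
        if password_ok:
            st.failed = 0
            return "ok"
        st.failed += 1
        st.last_failure = now
        if self.policy.threshold and st.failed >= self.policy.threshold:
            st.locked_until = now + self.policy.duration
        return "failed"


class LogonThrottle:
    """GINA-style delay between interactive attempts on one workstation."""
    def __init__(self) -> None:
        self.failure_times: List[float] = []
        self.dialog_available_at = 0.0

    def record_failure(self, t: float) -> None:
        self.failure_times = [x for x in self.failure_times if t - x < 60] + [t]
        if len(self.failure_times) > 5:        # a failure following five within 60 s
            self.dialog_available_at = t + 30  # sleep before showing a new dialog


def simulate_failures(horizon: float, typing_seconds: float = 1.0) -> List[float]:
    """Answer every dialog with a wrong password as soon as it appears; return submit times."""
    throttle = LogonThrottle()
    times: List[float] = []
    now = 0.0
    while True:
        shown = max(now, throttle.dialog_available_at)
        submit = shown + typing_seconds
        if submit > horizon:
            break
        throttle.record_failure(submit)
        times.append(submit)
        now = submit
    return times


def max_attempts_in_any_minute(times: List[float]) -> int:
    """Largest number of attempts falling in any 60 s window [t, t+60)."""
    return max((sum(1 for x in times if t <= x < t + 60) for t in times), default=0)
```

The simulation is the check a reviewer would want: whatever the typing speed, the sliding-window count never exceeds the ten-per-minute figure the text relies on for its multiple-attempt probability, while the lockout object shows the separate, per-account control that does not depend on the workstation's dialog at all.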
When Kerberos is used, the password requirements are the same as those described above. However, there are both Ticket Granting Tickets and Service Tickets that are used to store, protect, and represent user credentials and are effectively used in identifying and authenticating the user. Session keys are initially exchanged using a hash of the user's password as a key.
SFR Mapping: The Identification and Authentication function satisfies the following SFRs:

FIA_AFL.1 – The TSF locks the account after the administrator-defined threshold of unsuccessful logon attempts has occurred. The account will remain locked either until an authorized administrator unlocks it or until the duration defined by an authorized administrator has elapsed.
FIA_ATD.1 – Each TSF has a user attribute database. Each user attribute database describes accounts, including identity, group memberships, password (e.g., authentication data), privileges, logon rights, allowable time periods of usage, smart card policy, as well as other security-relevant control information. Security-relevant roles are associated with users via group memberships and privileges.
FIA_SOS.1 – The password and key spaces used by the TSF reduce the chance of guessing a password to less than one (1) in 2 x 10^15 for a single random attempt and one (1) in 25 x 10^12 for multiple attempts during a one minute period. The TSF can block a user from continuing to attempt to log on for a specified amount of time after a specified number of failed attempts, such that there can be no more than ten attempts per minute, and the TSF does not provide feedback during authentication that will reduce the probability of successfully guessing passwords.
FIA_UAU.1 – An authorized administrator can configure the TSF to allow no TSF-mediated functions prior to authentication, with the exception of access to the web server.
FIA_UAU.7 – During an interactive logon, the TSF echoes the user's password with "*" characters to prevent disclosure of the user's password.
FIA_UAU.6 – The TSF will only allow a password to be changed if the TSF can successfully authenticate the user using the current password, which must be entered with the new password.
FIA_UID.1 – An authorized administrator can configure the TSF to allow no TSF-mediated functions prior to identification, with the exception of access to the web server.
FIA_USB.1_EX – Each process and thread has an associated token that identifies the responsible user (used for audit and access), associated groups (used for access), privileges, and logon rights held by that process or thread on behalf of the user. Additionally, a public/private key pair is associated with a user's account when a user encrypts a file, and an authorized administrator can assign a public/private key pair to a user account.
FTA_LSA_EX.1 – On a DC, accounts can be restricted to a workstation during a specific time and day. If the account has these restrictions, the members of the domain will then restrict the ability to log on to a system based upon the Log on Locally right (which allows the user to interactively log on to a given system), the time, and the day. If, on a given system, the user can log on at a given time and day, then the user will be allowed to log on and will be included in the groups assigned to that account and will have the privileges assigned to that account.
FTA_MCS_EX.1 – Through local logon right enforcement, accounts can be restricted to specific workstations, thereby enforcing the maximum number of interactive concurrent sessions per user based upon those machines the authorized administrator has defined an account upon for any given user.
FTA_TAB.1, FMT_MTD.1(i) – An authorized administrator can define and modify a banner that will be displayed prior to allowing a user to log on.
FTA_TSE.1 – The TSF will not allow a user to log on if the user's password has expired. The TSF will restrict the location a user can log on from based upon the logon rights associated with a user's account (log on locally, log on as a batch job, access this computer from the network, and log on as a service). Additionally, the TSF restricts a user from logon based upon time or day, in that a user will not be able to log on if attempts are made after an account has been locked out but within the account lockout duration defined by the authorized administrator.
FTP_TRP.1 – The TSF provides an unspoofable key sequence, Ctrl+Alt+Del, that can be used to assure that the user is communicating directly with the TSF for purposes of initial interactive logon with password, session unlocking, and changing the user's password when the TSF requests/notifies (via the trusted path) the user to do so. When the TOE is configured for smart card logon, the insertion of the card signals the SAS, just as the key combination Ctrl+Alt+Del signals the SAS on computers configured for password logon. Additionally, IPSec is used to provide an additional trusted path for remote logons.
FMT_SMR.3 – In order to assume the authorized administrator role (see the Security Management Function), a user with one of the security-relevant administrative groups or security-relevant privileges must successfully log on. Furthermore, to switch between a user with privileges and an authorized administrator, a user must log off and log on again.
6.1.5 Security Management Function

The TOE supports the definition of roles as well as providing a number of functions to manage the various security policies and features provided by the TOE.

6.1.5.1 Roles

The notion of role within the TOE is generally realized by assigning group accounts and privileges to a given user account. Whenever that user account is used to log on, the user will be assuming the role that corresponds with the combination of groups and privileges that it holds. While additional roles could be defined, this ST defines two logical roles: the authorized administrator role and the authorized user role. The Administrator role is defined as any user account that is assigned one of the security-relevant privileges (e.g., Take Owner privilege) or is made a member of one of the several pre-defined administrative groups (e.g., the Administrators and Backup Operators local groups). The Administrator Guide fully identifies all security-related privileges and administrative groups, and provides advice on how and when to assign them to user accounts. A user assumes an administrator role by logging on using a user account assigned one of these privileges or group memberships. Any user that can successfully log on and is not in the administrator role (as defined above) is considered to be in an authorized user role.
6.1.5.2 Security Management Functions

The TOE supports a number of policies and features that require appropriate management. With few exceptions, the security management functions are restricted to an authorized administrator. This constraint is generally accomplished by privilege or access control (e.g., SD), and occasionally by a specific SID requirement (e.g., "Administrators"). The TOE supports security management functions for the following security policies and features:

- Audit Policy – The audit policy management functions allow an authorized administrator the ability to enable and disable auditing, to configure which categories of events will be audited for success and/or failure, and to manage (e.g., clear) and access the security event log. An authorized administrator can also define specifically which user and access mode combinations will be audited for specific objects in the TOE.
- Account Policy – The account policy management functions allow only an authorized administrator to define constraints for passwords (password complexity requirements), account lockout (due to failed logon attempts) parameters, and Kerberos key usage parameters. The constraints for passwords restrict changes by including minimum password length, password history, and the minimum and maximum allowable password age. If the maximum password age is exceeded, the corresponding user cannot log on until the password is changed. The account lockout parameters include the number of failed logon attempts (in a selected interval) before locking the account and the duration of the lockout. The Kerberos key usage parameters primarily specify how long various keys remain valid. While an authorized administrator can change passwords and a user can change their own password, the TSF does not allow any user (including the authorized administrator) to read passwords. Additionally, the authorized administrator can define the advisory warning message displayed before access to the TOE is granted.
- Account Database Policy – The account database management functions allow an authorized administrator to define, assign and remove security attributes to and from both user and group accounts, both locally and for a domain, if applicable. The set of attributes includes account names, SIDs, passwords, group memberships, and other security-relevant and non-security relevant information. Of the set of user information, only the password can be modified by a user that is not an authorized administrator. Specifically, an authorized administrator assigns an initial password when an account is created and may also change the password like any other account attribute. However, a user may change their own password. This is enforced by requiring the user to enter their old password in order to change the password to a new value.
- User Rights Policy – The user rights management functions allow an authorized administrator to assign or remove user and group accounts to and from specific logon rights and privileges.
- Domain Policy – The domain management functions allow an authorized administrator to add and remove machines to and from a domain as well as to establish trust relationships among domains. Changes to domains and domain relationships effectively change the definition and scope of other security databases and policies (e.g., the account database). For example, accounts in a domain are generally recognized by all members of the domain. Similarly, accounts in a trusted domain are recognized in the trusting domain.
- Group Policy – The group policy management functions allow an authorized administrator to define accounts, user right assignments, TOE machine/computer security settings, etc. for a group of TSFs or accounts within a domain. The group policies effectively modify the policies (e.g., machine security settings and user rights policy) defined for the corresponding TSFs or users. Administrators also have the ability to calculate the result of applying two policies and determine its effects before applying a policy.
- IPSec Policy – The IPSec management functions allow an authorized administrator to define whether and how (e.g., protocols and ports to be protected, outbound and/or inbound traffic, with what cryptographic algorithms) IPSec will be used to protect traffic among distributed TSFs.
- EFS Policy – The EFS management functions allow an authorized administrator to enable or disable EFS on an NTFS volume and generally control the recovery for EFS data.
- Disk Quota Policy – The disk quota management functions allow an authorized administrator to manage disk quotas for NTFS volumes. More specifically, the functions allow an authorized administrator to enable or disable disk quotas, define default disk quotas, and define actions to take when disk quotas are exceeded.
- DAC Policy – The DAC functions allow authorized users to modify access control attributes associated with a named object.
- FEK Policy – The first time a user encrypts a file, the TSF assigns the user account a public/private key pair which is used to protect the randomly generated FEK associated with the file. Only the owner of the private key used to protect the FEK associated with the file, or an administrator or subject with a specific privilege, can delete the FEK.
Other–TheTSFalsoallowstheadministratortheabilitytomodifythetimeandconfiguretheWindowsUpdateServersecuritysettings.
6.1.5.3 Valid Password Attributes

The TSF ensures that only valid values are accepted as security attributes for the password. Valid values are values that meet the password complexity restrictions as defined by the administrator. For example, if the administrator sets the minimum password length to 8 or greater, subsequent attempts to create passwords shorter than 8 characters will not be accepted by the TSF.
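The account policy constraints above (minimum length, complexity, history, old-password-required change, and lockout threshold within an observation window) can be modelled end to end. The following is an added example, not code from the Security Target or from Windows; the policy values, the account, and the use of SHA-256 as a stand-in for the stored password verifier are assumptions made for the illustration.

```python
# Added example (not from the Security Target or Windows source): a model of
# the account-policy checks described above. Policy values below are assumed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
import hashlib


@dataclass
class AccountPolicy:
    min_length: int = 8                 # minimum password length
    history_size: int = 5               # previous passwords that may not be reused
    require_complexity: bool = True     # 3 of 4 character classes, no account name
    lockout_threshold: int = 5          # failed logons before lockout ...
    lockout_window: timedelta = timedelta(minutes=30)   # ... within this interval
    lockout_duration: timedelta = timedelta(minutes=30)


def _digest(password: str) -> str:
    # Stand-in for the stored verifier; Windows keeps NT hashes, not SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def meets_complexity(password: str, account_name: str) -> bool:
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3 and account_name.lower() not in password.lower()


def validate_password(policy: AccountPolicy, account_name: str,
                      candidate: str, history: List[str]) -> Optional[str]:
    """Return the violated constraint, or None when the value is acceptable."""
    if len(candidate) < policy.min_length:
        return "too short"
    if policy.require_complexity and not meets_complexity(candidate, account_name):
        return "complexity"
    if _digest(candidate) in history[-policy.history_size:]:
        return "reused"
    return None


@dataclass
class Account:
    name: str
    verifier: str                                       # digest of current password
    history: List[str] = field(default_factory=list)    # digests of old passwords
    failures: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None


def change_password(policy: AccountPolicy, acct: Account,
                    old: str, new: str) -> Optional[str]:
    """The user path: the old password must be presented before a change."""
    if _digest(old) != acct.verifier:
        return "old password wrong"
    reason = validate_password(policy, acct.name, new, acct.history + [acct.verifier])
    if reason is not None:
        return reason
    acct.history.append(acct.verifier)
    acct.verifier = _digest(new)
    return None


def logon(policy: AccountPolicy, acct: Account, password: str, now: datetime) -> str:
    """Return "ok", "bad password" or "locked"; enforces threshold and duration."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        acct.locked_until = None          # lockout expired
        acct.failures = []
    if _digest(password) == acct.verifier:
        acct.failures = []                # success resets the counter
        return "ok"
    # Keep only failures inside the observation window, then count this one.
    acct.failures = [t for t in acct.failures if now - t <= policy.lockout_window]
    acct.failures.append(now)
    if len(acct.failures) >= policy.lockout_threshold:
        acct.locked_until = now + policy.lockout_duration
        return "locked"
    return "bad password"
```

Note that the lockout check runs before the verifier comparison, so a correct password presented during the lockout interval is still refused, and that the failure counter is windowed: stale failures outside the observation interval are discarded before the threshold is applied.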
SFR Mapping: The Security Management function satisfies the following SFRs:

FMT_MOF.1(a) – Only an authorized administrator can enable and disable the audit mechanism, select which audit event categories will be audited, and also select whether they will be audited for success and/or failure.

FMT_MOF.1(b) – The TSF provides IPSec management functions that allow only an authorized administrator the ability to define if and how IPSec will be used to protect traffic among distributed TSFs.

FMT_MOF.1(e) – The TSF allows only the authorized administrator to calculate the effect of multiple group policies on the TOE.

FMT_MSA_EX.2 – The TSF ensures that values for password security attributes meet the password complexity restrictions, if defined by the administrator.

FMT_MTD.1(a) – Only an authorized administrator can clear the security event log. There are no interfaces to create or delete security event log entries (see Audit Log Restricted Access Protection).

FMT_MTD.1(b) – Only an authorized administrator can view the security event log. There are no interfaces to modify a security event (audit record) in the security event log (see Audit Log Restricted Access Protection).

FMT_MTD.1(c) – Only an authorized administrator can define user accounts and group accounts, define user/group associations (e.g., group memberships), assign privileges and user rights to accounts, as well as define other security-relevant and non-security-relevant user attributes, with the exception of passwords (which are addressed below) and private/public key pairs.

FMT_MTD.1(d) – Only an authorized administrator can initially assign a password to a user account. Subsequently, both an authorized administrator and the user corresponding to the password can change a password.

FMT_MTD.1(e) – Only an authorized administrator can change the duration of lockouts.

FMT_MTD.1(f) – Only an authorized administrator can change the minimum password length.

FMT_MTD.1(h) – Only an authorized administrator can manage disk quotas and define actions to take when disk quotas are exceeded.

FMT_MTD.1(l) – Only an authorized administrator can create, change_default, query, modify, delete, and clear TSF data that is not considered audit records, user security attributes, authentication data, or critical cryptographic security parameters (such as IPSec and EFS policy).

FMT_MTD.1(m) – The TSF does not store passwords in clear text and does not provide any interfaces to read passwords.

FMT_MTD.1(n) – The TSF allows only the authorized administrator to change the password complexity requirements.

FMT_MTD.1(o) – The TSF allows a user to trigger the generation of a private/public key pair for their own account; an authorized administrator may trigger the generation of a private/public key pair for any account.

FMT_MTD.1(p) – The TSF allows only the authorized administrator to change the settings for the Windows Server Update Services.

FMT_MTD.2 – Only an authorized administrator can specify and modify the maximum number of failed logon attempts that may occur before the account is locked out.

FMT_REV.1(a) – Only an authorized administrator can remove security attributes from user and group accounts. A procedure is described in the Administrator Guide that instructs an authorized administrator on how to immediately remove security attributes from accounts.

FMT_SAE.1 – Only an authorized administrator can set account policy parameters, including the maximum allowable password age before the account will be unable to log on.

FMT_SMF.1 – The TSF provides the administrator with the capability to modify the time and the Windows Server Update Services settings, and to define the following policies: Audit Policy, Account Policy, Account Database Policy, User Rights Policy, Domain Policy, Group Policy, IPSec Policy, EFS Policy, Disk Quota Policy, DAC Policy, and the File Encryption Key Policy. Specifically, the TSF provides the administrator with the capability to perform the following:
o DAC Policy: modify access control attributes associated with a named object
o File Encryption Key Policy: delete encryption policy attributes associated with a file
o Audit Policy: enable, disable, and modify the behavior of the audit function and clear the audit trail; modify the set of events to be audited; read the audited events; modify the audit log size
o IPSec Policy: determine and modify the behavior of the function that protects data during transmission between parts of the TOE
o Account Policy: modify the behavior of the locked user session function; modify the duration the user account is disabled after the unsuccessful authentication attempts threshold is exceeded; modify the minimum allowable password length; modify the advisory warning message displayed before establishment of a user session; modify the password complexity restriction; modify the unsuccessful authentication attempts threshold
o Account Database Policy: initialize and modify user security attributes
o Disk Quota Policy: modify the quota settings on NTFS volumes

FMT_SMR.1 – The TOE supports the definition of an authorized administrator through the association of specific privileges and group memberships with user accounts. As described in the User Data Protection section, users are generally allowed to control the security attributes of objects depending upon the access that they have to those objects. Users can also modify their own authentication data (e.g., passwords) by providing their old password for authorization. Additionally, upon the creation of an object, the user creating the object (object creator) can define initial values for its security attributes that override the default values (e.g., the DACL).
6.1.6 TSF Protection Function

The TSF Protection function provides: System Integrity; Internal TSF Transfer Protection; TSF Data Replication Consistency; Partial System Restore; Windows Updates; Reference Mediation; Domain Separation; Abstract Machine Testing; and Time Service.

6.1.6.1 System Integrity

The hardware platform included in the TOE is tested to ensure the security functions are supported. The tests are directed at determining correct operation of the central hardware components, such as the motherboard, as well as the set of attached peripheral devices, such as memory, disks, video, I/O ports, etc. Specifically, these tests are designed to ensure that the features most directly relied upon to support the security functions are operating correctly (i.e., interrupt handling, memory management, task management, privileged instructions).
6.1.6.2 Internal TOE Protection

The TOE protects against unauthorized disclosure and modification of data when it is transferred between physically separated parts of the TOE using a suite of Internet standard protocols including IPSec and ISAKMP. IPSec can be used to secure traffic between two computers, selected by IP address or port number. IPSec does not apply to broadcast or multicast traffic. IPSec services are configurable on the system to allow for a variety of security services including data origin authentication, message integrity, and data confidentiality.

The TOE implements IPSec with a set of kernel subsystems and user-mode trusted servers. IPSec allows a set of security services to be applied to IP data based on predefined IPSec policies. The TOE stores IPSec and related key exchange protocol (ISAKMP/Oakley) policies in the DS. At system initialization, these policies are retrieved, stored in the system registry and passed to the IPSec network driver. The TSF monitors for policy updates and processes these as well, by updating the system registry and updating the policy entries in the network driver as appropriate (modify, add, and delete).

IPSec policies specify the functions that IPSec must perform for a given outbound or inbound packet. IPSec policies identify the local host algorithms and associated attributes, the mode of communication (transport is the only mode included in the evaluated configuration), and a list of filters to be applied to IP packet traffic. Filters are used to associate inbound and outbound packets with a specific IPSec policy. They specify the source and destination IP addresses, ports, and protocol.

IPSec uses ESP to provide data confidentiality for IP packets. ESP performs encryption using the DES-CBC or 3DES-CBC algorithm. In addition to ESP, the TSF implements IP AH. AH provides integrity, authentication and anti-replay. AH uses a hashing algorithm, such as SHA-1, to compute a keyed message hash for each IP packet.

Keys are exchanged between computers within the TOE before secured data can be exchanged, by the establishment of a security agreement between the two computers. In this security agreement, called a Security Association (SA), both agree on how to exchange and protect information. To build this agreement between the two computers, the Internet Engineering Task Force (IETF) has established a standard method of security association and key exchange resolution named IKE, which is applied in the TOE. An SA is the combination of a negotiated key, security protocol, and Security Parameters Index (SPI), which together define the security used to protect the communication from sender to receiver. The SPI is a unique identifying value in the SA that is used to distinguish among multiple SAs that exist at the receiving computer.

In order to ensure successful and secure communication, IKE performs a two-phase operation. Confidentiality and authentication are ensured during each phase by the use of encryption and authentication algorithms that are agreed upon by the two computers during security negotiations.

Phase I (Main Mode SA) Key Negotiation: During the first phase, the two computers establish a secure, authenticated channel. This is called the Phase I or main mode SA. IKE automatically provides necessary identity protection during this exchange.

Policy Negotiation: To negotiate a policy, the following four mandatory parameters are negotiated as part of the main mode SA:
o The encryption algorithm (DES or 3DES);
o The integrity algorithm (MD5 or SHA1);
o The DH group to be used for the base keying material: Group 1 (768 bits of keying material), Group 2 (1,024 bits), or Group 2048 (2,048 bits);
o The authentication method (Kerberos V5, certificate, or preshared key authentication).
If certificates or preshared keys are used for authentication, the computer identity is protected. If Kerberos V5 authentication is used, the computer identity is unencrypted until encryption of the entire identity payload takes place during authentication.

DH exchange (of public values): Only the base information required by the DH key determination algorithm to generate the shared secret key is exchanged. After this exchange, the IKE service on each computer generates the master key that is used to protect authentication.

Authentication: To prevent a successful man-in-the-middle attack, the computers attempt to authenticate the DH exchange. Without successful authentication, communication will not proceed.

Phase II (Quick Mode SA) Key Negotiation: In this phase, SAs are negotiated on behalf of the IPSec driver. The following are the steps that comprise a quick mode negotiation.

Policy negotiation occurs. The IPSec computers exchange the following requirements for securing the data transfer:
o The IPSec protocol (AH or ESP)
o The hash algorithm for integrity and authentication (MD5 or SHA1)
o The algorithm for encryption, if requested (3DES or DES)
A common agreement is reached, and two SAs are established. One SA is for inbound communication and the other is for outbound communication.
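The two-phase negotiation above can be modelled as a pair of proposal selections followed by key derivation: Phase I agrees on the four main mode parameters and runs DH to obtain a master key, Phase II agrees on AH/ESP parameters and produces one SA (with its own SPI and key) per direction. The following is an added example, not code from the Security Target or from Windows. The proposal lists, the toy 61-bit DH group (stand-in for the 768/1024/2048-bit MODP groups named in the text), the SPI selection and the key-derivation details are assumptions made for the illustration; the authentication of the DH exchange that the text requires is not modelled.

```python
# Added example (not from the Security Target or Windows source): a model of the
# two-phase IKE negotiation described above. The proposal lists, the toy DH
# group and the key-derivation details are assumptions made for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple
import hashlib
import hmac
import secrets

MM_ENC = {"DES", "3DES"}
MM_INTEG = {"MD5", "SHA1"}
DH_GROUP_BITS = {1: 768, 2: 1024, 2048: 2048}     # groups named in the text
AUTH_METHODS = {"kerberos", "certificate", "psk"}

# Toy DH parameters so the exchange runs instantly; real main mode uses the
# MODP groups above, not a 61-bit prime.
TOY_PRIME = 2 ** 61 - 1
TOY_GENERATOR = 2


@dataclass(frozen=True)
class MainModeProposal:
    enc: str
    integ: str
    dh_group: int
    auth: str

    def __post_init__(self):
        if (self.enc not in MM_ENC or self.integ not in MM_INTEG
                or self.dh_group not in DH_GROUP_BITS or self.auth not in AUTH_METHODS):
            raise ValueError("proposal outside the evaluated parameter set")


@dataclass(frozen=True)
class QuickModeProposal:
    protocol: str               # "AH" or "ESP"
    integ: str                  # "MD5" or "SHA1"
    enc: Optional[str] = None   # ESP only

    def __post_init__(self):
        if self.protocol == "AH" and self.enc is not None:
            raise ValueError("AH has no encryption")
        if self.protocol == "ESP" and self.enc is None:
            raise ValueError("ESP integrity and encryption are chosen together")


@dataclass
class SecurityAssociation:
    spi: int
    direction: str              # relative to the initiator
    proposal: QuickModeProposal
    key: bytes


def select_proposal(offered, acceptable):
    """The responder takes the first offered proposal it also accepts, so the
    initiator's ordering expresses its preference."""
    for proposal in offered:
        if proposal in acceptable:
            return proposal
    return None


class IkePeer:
    def __init__(self, name, mm_accept, qm_accept):
        self.name = name
        self.mm_accept = list(mm_accept)
        self.qm_accept = list(qm_accept)
        self._private = secrets.randbelow(TOY_PRIME - 2) + 1
        self.public = pow(TOY_GENERATOR, self._private, TOY_PRIME)
        self.skeyid: Optional[bytes] = None

    def derive_master_key(self, peer_public, nonce_i, nonce_r):
        shared = pow(peer_public, self._private, TOY_PRIME)
        self.skeyid = hmac.new(nonce_i + nonce_r, shared.to_bytes(8, "big"),
                               hashlib.sha1).digest()


def main_mode(initiator: IkePeer, responder: IkePeer) -> Optional[MainModeProposal]:
    """Phase I: agree on the four parameters, then run DH to get a master key."""
    chosen = select_proposal(initiator.mm_accept, responder.mm_accept)
    if chosen is None:
        return None
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    initiator.derive_master_key(responder.public, nonce_i, nonce_r)
    responder.derive_master_key(initiator.public, nonce_i, nonce_r)
    return chosen


def quick_mode(initiator: IkePeer, responder: IkePeer
               ) -> Optional[Tuple[SecurityAssociation, SecurityAssociation]]:
    """Phase II: negotiate AH/ESP parameters and build one SA per direction.
    Each side picks the SPI for the traffic it will receive; keys are derived
    from the Phase I master key and the SPI, so the directions never share a key."""
    if initiator.skeyid is None or initiator.skeyid != responder.skeyid:
        raise RuntimeError("no Phase I master key; quick mode cannot proceed")
    chosen = select_proposal(initiator.qm_accept, responder.qm_accept)
    if chosen is None:
        return None
    spi_to_initiator = secrets.randbelow(2 ** 32 - 256) + 256   # SPIs below 256 are reserved
    spi_to_responder = secrets.randbelow(2 ** 32 - 256) + 256
    while spi_to_responder == spi_to_initiator:
        spi_to_responder = secrets.randbelow(2 ** 32 - 256) + 256

    def sa_key(spi: int) -> bytes:
        return hmac.new(initiator.skeyid, spi.to_bytes(4, "big") + chosen.protocol.encode(),
                        hashlib.sha1).digest()

    inbound = SecurityAssociation(spi_to_initiator, "inbound", chosen, sa_key(spi_to_initiator))
    outbound = SecurityAssociation(spi_to_responder, "outbound", chosen, sa_key(spi_to_responder))
    return inbound, outbound
```

The point to take from the selection rule is that the initiator's list order, not algorithm strength, decides the outcome: an initiator that lists DES/MD5 first will get DES/MD5 from any responder that still accepts it, so a responder that should never negotiate down simply omits the weaker parameters from its acceptable list.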
The IPSec management functions allow an authorized administrator to define the IPSec Policy, including whether and how (i.e., protocols and ports to be protected, outbound and/or inbound traffic, with what cryptographic algorithms) IPSec will be used to protect traffic among distributed TSFs.

The evaluated configurations support the use of Kerberos and the use of public key certificates for machine authentication in the IKE processing. IKE processing includes the validation of the peer's certificate (including path validation) and signature payload verification. The IPSec policy MMC snap-in allows an administrator to select the authentication method based on public key certificate. To use a public key certificate for authentication services, the CA associated with the public key certificate and the associated root CA can be chosen. IKE processing maps a computer certificate to a computer account in an AD domain or forest, and then retrieves an access token, which includes the list of user rights assigned to the computer. An administrator can restrict access by configuring Group Policy security settings and assigning either the "Access this computer from the network" user right or the "Deny access to this computer from the network" user right to individual or multiple computers as needed. The IKE processing also processes ISAKMP payload messages so that each IKE peer can obtain the other's public key value.

For outbound IP traffic, the processing occurs as follows:
o The IP stack calls into the IPSec module to apply a security action (e.g., encrypt) to the packet based on filters defined in policy.
o If this is the first packet processed for the specified source/destination pair, a set of security parameters is retrieved and/or generated via the Internet standard key management protocol (ISAKMP). The parameters include the security context (used to establish common keys with the destination machine and enforce particular policy variations), generated keys, and others, such as the specific algorithm, which are mapped to a structure known as an SA.
o The IPSec action is performed (encrypt, AH, etc.).

For inbound IP traffic, the processing occurs as follows:
o The IP stack calls the IPSec module to perform the security action (decrypt, authenticate).
o The IPSec module processes the next header to determine what, if any, security service has been applied (e.g., ESP, AH).
o If a security service has been applied, then the IPSec module retrieves the appropriate parameters via the SA to process the packet.
o The packet is processed by obtaining the appropriate algorithm to perform the security action (decrypt, verify the integrity check value for ESP integrity and AH integrity) and removing the security-specific headers. Note that ESP integrity and encryption can only be chosen together.

IPSec policies and filters may be configured to reject the packet or audit the event if the results of a service applied to a packet challenge the integrity of the packet (modification, insertion of data, replay of data).
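The inbound path above has two decisions worth seeing in code: which filter (and therefore which action) a packet maps to, and whether an AH/ESP-protected packet is a replay. The following is an added example, not code from the Security Target or from Windows. The filter list, the packets, the "most specific filter wins" ordering, the 64-entry window and the packet fields (`spi`, `seq`, `icv_ok`) are constructed for the illustration; the window follows the RFC 2402 sliding-window scheme rather than any Windows driver internals.

```python
# Added example (not from the Security Target or Windows source): a model of
# the filter matching and anti-replay check in the inbound processing
# described above. Filter list, packets and window size are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Filter:
    src: str                        # CIDR, e.g. "10.0.0.0/8"
    dst: str
    protocol: Optional[str] = None  # None matches any protocol
    dst_port: Optional[int] = None  # None matches any port
    action: str = "negotiate"       # "permit", "block" or "negotiate" (apply IPSec)

    def matches(self, pkt: Dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.protocol in (None, pkt["protocol"])
                and self.dst_port in (None, pkt.get("dst_port")))

    def specificity(self) -> int:
        # More specific filters win (assumed ordering rule for this model).
        return (ip_network(self.src).prefixlen + ip_network(self.dst).prefixlen
                + (self.protocol is not None) + (self.dst_port is not None))


def select_filter(filters: List[Filter], pkt: Dict) -> Optional[Filter]:
    candidates = [f for f in filters if f.matches(pkt)]
    return max(candidates, key=Filter.specificity) if candidates else None


class ReplayWindow:
    """Sliding window over AH/ESP sequence numbers (RFC 2402 style): a packet is
    rejected if its sequence number was already seen or fell off the window."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was seen

    def accept(self, seq: int) -> bool:
        if seq <= 0:
            return False                       # 0 is never valid
        if seq > self.top:                     # advance the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                       # too old to judge: reject
        if self.bitmap & (1 << offset):
            return False                       # replay
        self.bitmap |= 1 << offset
        return True


@dataclass
class InboundSA:
    spi: int
    window: ReplayWindow


def process_inbound(filters: List[Filter], sas: Dict[int, InboundSA], pkt: Dict) -> str:
    """Return the disposition: "accept", "drop" or "reject+audit"."""
    flt = select_filter(filters, pkt)
    if flt is None or flt.action == "block":
        return "drop"
    if flt.action == "permit":
        return "accept"                        # policy allows this traffic in the clear
    # action == "negotiate": the packet must carry AH/ESP for a known SA
    spi = pkt.get("spi")
    if spi is None or spi not in sas:
        return "drop"
    if not pkt.get("icv_ok", False):           # integrity check value failed
        return "reject+audit"
    if not sas[spi].window.accept(pkt["seq"]):
        return "reject+audit"                  # replayed or stale sequence number
    return "accept"
```

Two details matter in practice: the integrity check must pass before the window is updated (otherwise a forged packet with a high sequence number could slide the window and cause genuine packets to be rejected), and clear-text packets that match a "negotiate" filter are dropped rather than accepted, which is what stops an attacker from simply omitting the AH/ESP header.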
6.1.6.3 TSF Data Replication Consistency

In general, directory data reside in more than one place on the network. They also need to be equally useful to all users. Through replication, the directory service maintains replicas of directory data on multiple DCs, ensuring directory availability and performance for all users. AD uses a multi-master replication model, allowing authorized users to make directory changes at any DC, not just at a designated primary DC. Any DC within a forest could potentially be a replication partner of another. Replication partners are determined by a replication topology. A replication topology is a set of AD connections by which DCs in a forest communicate over the network to synchronize the directory partition replicas that they have in common.

The replication topology determines the replication partnerships between source and destination DCs. As a replication source, the DC must determine the replication partners it must notify when changes occur. As a replication destination, the DC participates in replication either by responding to notification of changes from a source, or by requesting changes to initiate replication when it starts up or in response to a schedule.

The Knowledge Consistency Checker (KCC) is an element of AD that creates the replication topology. It creates connection objects on destination DCs that represent the inbound connection from the replication source DC. For each source DC that is represented by an inbound connection object, the KCC writes information to the "repsFrom" attribute of the directory partition object for each directory partition that the destination DC has in common with the source DC. This information is local to the destination DC and is not replicated.

A source DC keeps track of the replication partners that pull changes from it and uses the information to locate partners for change notification. This information is not provided by the KCC, but rather by the source DC itself during a replication cycle. The first time a DC receives a request for changes from a new destination, the source creates an entry for the destination in the "repsTo" attribute on the respective directory partition object. Whenever the source has changes, it sends a notification to all replication partners that are identified in the "repsTo" value for the respective directory partition. Like the "repsFrom" data, this information is stored locally on the DC and is not replicated. When updates occur, the source DC checks the "repsTo" attribute to determine the identities of its destination replication partners. The source DC notifies them one by one that changes are available.

The AD service allows for specific data to be replicated within the TOE. The AD namespace includes a domain tree structure and a forest structure to facilitate the management of large installations. Additionally, AD includes the Global Catalog (GC), which is a partial index of select objects in the domain tree, combined with a search engine. The GC returns the location of an object based on an object attribute provided by the user.

A forest is a set of one or more trees that do not form a contiguous namespace. All trees in a forest share a common schema, configuration, and GC. All trees in a forest trust each other through transitive, hierarchical Kerberos trust relationships. Unlike trees, a forest does not need a distinct name. A forest exists as a set of cross-reference objects and Kerberos trust relationships known to the member trees. Trees in a forest form a hierarchy for the purposes of Kerberos trust; the tree name at the root of the trust tree can be used to refer to a given forest.

A tree is a set of one or more Windows 2003/XP domains sharing a common schema, configuration, and GC, joined together to form a contiguous namespace. All domains in a given tree trust each other through transitive hierarchical Kerberos trust relationships. A larger tree can be constructed by joining additional domains as children to form a larger contiguous namespace.

A GC Server is a DC that stores specific information about all objects in the forest. The GC stores a replica of every directory partition in the forest: it stores full replicas of the schema and configuration directory partitions, a full replica of the domain directory partition for which the DC is authoritative, and partial replicas of all other domain directory partitions in the forest. When an "attributeSchema" object has the "isMemberOfPartialAttributeSet" attribute set to "TRUE", the attribute is replicated from the domain directory partition to the corresponding directory partition replicas on all authoritative DCs and also to all GC Servers. Enterprises can be single-tree or multi-tree. Naming within a given tree is always contiguous.
There are two types of TSF data replicated consistently throughout the TOE. They consist of Group Policy Objects (GPOs) and DS data. GPOs are used to define configurations for groups of users and computers. GPOs store Group Policy information in two locations: a Group Policy Container (GPC) and a Group Policy Template (GPT). A GPC is a DS container that stores GPO properties that have settings in the GPO. As a DS container, the Group Policy Container is replicated throughout the domain with the rest of the DS data. A GPT is a folder structure that stores Administrative Template-based policies, security settings, applications available for Software Installation, and script files. When you add, remove, or modify the contents of the SYSVOL folder on a DC, those changes are replicated to the SYSVOL folders on all other DCs in the domain. SYSVOL content uses the same replication schedule as the DS for inter-site replication.

Along with the GPO, all DCs contain three types of DS data: domain, schema, and configuration. In the case of the GC server a fourth category, consisting of a partial replica of domain data for all domains, is added. Each type of data is separated into distinct directory partitions that form the basic units of replication for the DS. These partitions are as follows:
o Domain partition: all objects in the directory for a given domain, replicated to every domain controller in that domain, but not beyond its domain.
o Schema partition: all object types (with attributes) that can be created in AD, common to all domains in the domain tree or enterprise, and replicated to all DCs in the enterprise.
o Configuration partition: replication topology and related metadata, common to all domains in the domain tree or enterprise, replicated to all DCs in the enterprise.
o A GC server also contains domain data (partial replica) for all forest domains: a read-only partial replica of the domain directory partition for all other domains in the enterprise, containing a subset of the properties for all objects in all domains in the enterprise.

The DS is a multi-master enabled database. This means that changes can occur at any DC in the enterprise. This introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. The DS addresses these potential conflicts in two ways. One way is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. For specific instances when conflicts are too difficult to resolve using the "last writer wins" approach, the DS updates certain objects in a single-master fashion. In a single-master model, only one DC in the entire directory is allowed to process updates. For management flexibility, this model is extended to include multiple roles, and the ability to transfer roles to any DC in the enterprise. This extended model is referred to as Flexible Single Master Operation (FSMO). Currently in Windows 2003/XP there are five FSMO roles:
o Schema master: the single DC responsible for performing updates to the directory schema.
o Domain naming master: the DC responsible for making changes to the forest-wide domain namespace of the directory. It can also add or remove cross-references to domains in external directories.
o Relative Identifier (RID) master: the single DC responsible for processing RID pool requests for certain unique security identifiers from all DCs within a given domain. Users, computers, and groups that are stored in AD are assigned SIDs, which are unique alphanumeric strings that map to a single object in the domain. SIDs consist of a domain-wide SID concatenated with a monotonically increasing RID that is allocated by each DC in the domain. Each DC is assigned a pool of RIDs.
o Primary DC (PDC) emulator: a Windows 2003/XP DC that advertises itself as the PDC to member servers and domain controllers.
o Infrastructure master: the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.
The first two FSMO roles must be unique within a forest. The last three must be unique within each domain within a forest.
DS replication is not based on time, but on Update Sequence Numbers (USNs). Each DC holds a table containing entries for its own USN and the USNs of its replication partners. During replication, the DC compares the last known USN of its replication partner (saved in the table) with the current USN that the replication partner provides. If there have been recent changes (that is, if the replication partner provides a higher USN), the data store requests all changes from the replication partner (this is known as pull replication). After receiving the data, the directory store sets the saved USN for that partner to the same value as the one the replication partner provided.

If properties on the same object are changed on different DCs, the DCs reconcile the data by property version number, by timestamp if the version numbers are the same, or by comparing the buffers of a binary memory copy of each property. If the two buffers are equal, the attributes are the same and one can be discarded. Note that all reconciliation operations are logged, and authorized administrators have the option of recovering and using the rejected values.
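The USN-driven pull and the version-then-timestamp reconciliation described above can be run as a small simulation. The following is an added example, not code from the Security Target or from Windows. DC names, object DNs, attribute values and timestamps are constructed; the final tie-break on originating DC name is an assumption (the text only says that equal buffers are discarded), and real AD avoids re-processing values that travel back to their origin with up-to-dateness vectors, which this model replaces by a plain equality check.

```python
# Added example (not from the Security Target or Windows source): a model of
# USN-driven pull replication and attribute conflict reconciliation as
# described above. DC names, objects, values and timestamps are constructed;
# the originating-DC tie-break is an assumption.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AttrValue:
    value: str
    version: int       # property version number, bumped on each originating write
    timestamp: int     # time of the originating write
    origin: str        # DC where the write originated


class DomainController:
    def __init__(self, name: str):
        self.name = name
        self.usn = 0                                    # local update sequence number
        self.objects: Dict[str, Dict[str, AttrValue]] = {}
        self.changes: List[Tuple[int, str, str, AttrValue]] = []   # (usn, dn, attr, value)
        self.high_watermark: Dict[str, int] = {}        # partner -> last USN pulled
        self.rejected: List[Tuple[str, str, AttrValue]] = []        # logged losers

    def _record(self, dn: str, attr: str, av: AttrValue) -> None:
        self.usn += 1
        self.objects.setdefault(dn, {})[attr] = av
        self.changes.append((self.usn, dn, attr, av))

    def write(self, dn: str, attr: str, value: str, timestamp: int) -> None:
        """An originating write: the version increases relative to the local copy."""
        current = self.objects.get(dn, {}).get(attr)
        version = current.version + 1 if current else 1
        self._record(dn, attr, AttrValue(value, version, timestamp, self.name))

    @staticmethod
    def wins(incoming: AttrValue, current: Optional[AttrValue]) -> bool:
        """Reconcile by version, then timestamp, then (assumed) originating DC."""
        if current is None:
            return True
        if incoming.version != current.version:
            return incoming.version > current.version
        if incoming.timestamp != current.timestamp:
            return incoming.timestamp > current.timestamp
        return incoming.origin > current.origin

    def pull_from(self, partner: "DomainController") -> int:
        """Pull replication: fetch every change above the partner's last known USN,
        apply the winners, log the losers, then move the watermark up."""
        last_seen = self.high_watermark.get(partner.name, 0)
        if partner.usn <= last_seen:
            return 0                    # partner reports no higher USN: nothing to do
        applied = 0
        for usn, dn, attr, av in partner.changes:
            if usn <= last_seen:
                continue
            current = self.objects.get(dn, {}).get(attr)
            if av == current:
                continue                # already hold this exact value (came back round)
            if self.wins(av, current):
                self._record(dn, attr, av)   # re-advertised locally so others can pull it
                applied += 1
            else:
                self.rejected.append((dn, attr, av))
        self.high_watermark[partner.name] = partner.usn
        return applied

    def get(self, dn: str, attr: str) -> Optional[str]:
        av = self.objects.get(dn, {}).get(attr)
        return av.value if av else None


def converge(dcs: List[DomainController], rounds: int = 3) -> None:
    """Every DC pulls from every other; a few rounds suffice for a small set."""
    for _ in range(rounds):
        for dst in dcs:
            for src in dcs:
                if src is not dst:
                    dst.pull_from(src)
```

The second scenario in the test is the one that surprises people: a value written twice on one DC (version 2) beats a single later write elsewhere (version 1), so "last writer wins" is only the tie-break within a version, and the losing value survives only in the rejected-values log.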
6.1.6.4 Partial System Restore

The System Restore Service of Windows XP enables authorized administrators to restore specifically selected archived data on machines in the event of a problem. System Restore monitors a core set of system and application files, recording and sometimes copying states of these files before changes are made. System Restore automatically creates restore points; no user intervention is required. To create a restore point, System Restore takes a full snapshot of the registry and some dynamic system files. The specific data included in the restore point is as follows:
a) Registry
b) Profiles (local only; roaming user profiles are not impacted by restore)
c) COM+ database
d) Windows File Protection (WFP) cache
e) WMI database
f) Files with extensions listed in the Monitored File Extensions list

To restore a system, System Restore reverts file changes done to monitored files, recapturing the file state at the time of the selected restore point. It then replaces the current registry with the "snapshotted" one, which coincides with the selected restore point. Some security and dynamic rights and authentication information from the current registry is then copied to the restored registry. Over time the archive collects multiple restore points, each of which represents the system state at a different point in time. These points in time are made visible to the user in the System Restore user interface. The restore point archive of System Restore resides in the System Volume Information directory, which is a hidden system directory. This archive is protected by the system ACLs in NTFS. Over time the files, registries, and logs associated with older restore points are purged on a first-in-first-out (FIFO) basis, limiting the amount of disk space used by System Restore and creating sufficient storage space for new restore points.
6.1.6.5 Windows Updates

The Windows Server Update Services consist of a server and a client portion. Clients are TOE machines residing within the TOE. The server portion is responsible for connecting to and storing the updates, as well as making the updates available to clients on the TOE. The client portion is responsible for downloading and installing updates onto itself. The server and the client communicate using a protected interface that ensures only privileged users can interact with either interface. Additionally, the TOE performs both a CRC check (integrity against corruption) and a certificate check (which is what establishes that the update is a Microsoft-created update). The server receives updates from a trusted source (either directly from the Microsoft web site or from an authorized administrator). The server stores its update information, event information about update actions on client machines, and server settings in a Microsoft SQL Server 2000 Desktop Engine (Windows) (WMSDE) database.

The authorized administrator then manages the updates received by the server. The administrator has the ability to determine if an update should be applied. If the administrator approves an update, the update can then be either pushed or pulled from the server. In a pull operation, the administrator can let client machines poll the server looking for new updates. In the push operation, the WSUS server downloads updates and pushes them to the Automatic Updates client on each system in the local network. The client then installs the updates. The administrator can configure the server to require all client machines to perform an immediate update. The administrator also has the ability to set a deadline by which time all clients must download an update (i.e., perform a pull operation) or the server will push the update.
6.1.6.6 Reference Mediation

Access to objects on the system is generally predicated on obtaining a handle to the object. Handles are usually obtained as the result of opening or creating an object. In these cases, the TSF ensures that access validation occurs before creating a new handle for a subject. Handles may also be inherited from a parent process or directly copied (with appropriate access) from another subject. In all cases, before creating a handle, the TSF ensures that the security policy allows the subject to have the handle (and thereby access) to the object. A handle always has a granted access mask associated with it. This mask indicates what access rights to the object the subject was granted according to the security policy. On every attempt to use a handle, the TSF ensures that the action requested is allowed according to the handle's granted access mask. In a few cases, such as with the DS, objects are directly accessed by name without the intermediate step of obtaining a handle first. In these cases, the TSF checks the request against the access policy directly (rather than checking for a granted access mask).
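The handle model above has a consequence worth demonstrating: because the policy decision is taken once at open time and later uses are checked only against the stored granted mask, a DACL tightened after a handle exists does not revoke what that handle already carries, whereas the name-based (DS-style) path re-evaluates the DACL on every request. The following is an added example, not code from the Security Target or from Windows. The access-mask bit values, SIDs, objects, the simplified DACL walk and the owner's implicit rights are constructed for the illustration and do not reproduce the real Windows constants or algorithm.

```python
# Added example (not from the Security Target or Windows source): a model of
# handle-based reference mediation as described above. Access-right values,
# SIDs, the object and its DACL are constructed for the illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed access-mask bits (not the real Windows values)
READ, WRITE, DELETE, READ_CONTROL, WRITE_DAC = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class SecuredObject:
    name: str
    owner_sid: str
    dacl: Optional[List[Ace]]   # None = no DACL at all = everyone gets everything


@dataclass
class Token:
    user_sid: str
    group_sids: Set[str] = field(default_factory=set)

    def sids(self) -> Set[str]:
        return {self.user_sid} | self.group_sids


def access_check(obj: SecuredObject, token: Token, desired: int) -> int:
    """Return the subset of `desired` the policy grants. ACEs are walked in
    order; a matching deny ACE removes its bits for good (later allows cannot
    restore them) and allow ACEs accumulate. The owner always gets
    READ_CONTROL and WRITE_DAC. An absent DACL grants everything; an empty
    DACL grants nothing (the classic NULL-versus-empty distinction)."""
    if obj.dacl is None:
        return desired
    granted, denied = 0, 0
    for ace in obj.dacl:
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny":
            denied |= ace.mask
        else:
            granted |= ace.mask & ~denied
    result = desired & granted & ~denied
    if token.user_sid == obj.owner_sid:
        result |= desired & (READ_CONTROL | WRITE_DAC)
    return result


class HandleTable:
    """Per-process handle table: the policy decision is made once at open time
    and the granted mask is stored; every later use is checked against the mask."""

    def __init__(self):
        self._handles: Dict[int, Tuple[SecuredObject, int]] = {}
        self._next = 4                    # handle values are small multiples of 4

    def _insert(self, obj: SecuredObject, granted: int) -> int:
        handle, self._next = self._next, self._next + 4
        self._handles[handle] = (obj, granted)
        return handle

    def open(self, obj: SecuredObject, token: Token, desired: int) -> int:
        if access_check(obj, token, desired) != desired:
            raise PermissionError(f"access denied opening {obj.name}")
        return self._insert(obj, desired)

    def use(self, handle: int, required: int) -> SecuredObject:
        obj, granted = self._handles[handle]
        if required & ~granted:
            raise PermissionError("handle does not carry the requested access")
        return obj

    def duplicate(self, handle: int, requested: int,
                  target_token: Token, target: "HandleTable") -> int:
        """Copy a handle to another subject: the policy is checked again for
        the receiving subject before the new handle is created."""
        obj, _ = self._handles[handle]
        if access_check(obj, target_token, requested) != requested:
            raise PermissionError("target subject may not receive this access")
        return target._insert(obj, requested)

    def granted_mask(self, handle: int) -> int:
        return self._handles[handle][1]


def access_by_name(obj: SecuredObject, token: Token, required: int) -> bool:
    """The DS-style path: no handle, so the DACL is consulted on every request."""
    return access_check(obj, token, required) == required
```

The practical lesson is that changing a DACL is not a revocation mechanism for subjects that already hold handles: to cut off a process that has an open handle, the handle has to be closed (or the process terminated), which is exactly why the FMT_REV requirements in this document point at administrator-guidance procedures rather than at the DACL alone.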
6.1.6.7 Domain Separation

The TSF provides a security domain for its own protection and provides process isolation. The security domains used within and by the TSF consist of the following: hardware; kernel-mode software; trusted user-mode processes; and user-mode administrative tool processes.

The TSF hardware is managed by the TSF kernel-mode software and is not modifiable by untrusted subjects. The TSF kernel-mode software is protected from modification by hardware execution state and memory protection. The TSF hardware provides a software interrupt instruction that causes a state change from user mode to kernel mode. The TSF kernel-mode software is responsible for processing all interrupts, and determines whether or not a valid kernel-mode call is being made. In addition, the TSF memory protection features ensure that attempts to access kernel-mode memory from user mode result in a hardware exception, ensuring that kernel-mode memory cannot be directly accessed by software not executing in kernel mode.

The TSF provides process isolation for all user-mode processes through private virtual address spaces (private per-process page tables), execution context (registers, program counters, etc.), and security context (handle table and token). The data structures defining process address space, execution context and security context are all stored in protected kernel-mode memory. All security-relevant privileges are considered to enforce TSF Protection. User-mode administrator tools execute with the security context of the process running on behalf of the authorized administrator. Administrator processes are protected like other user-mode processes, by process isolation. Like TSF processes, user processes also are provided a private address space and process context, and therefore are protected from each other.

Additionally, on 64-bit hardware platforms, the TSF has the added ability to protect memory pages using hardware DEP. Hardware-enforced DEP marks all memory locations in a process as non-executable unless the location explicitly contains executable code. Hardware-enforced DEP relies on processor hardware to mark memory with an attribute that indicates that code should not be executed from that memory. DEP functions on a per-virtual-memory-page basis, usually changing a bit in the page table entry (PTE) to mark the memory page. Processors that support hardware-enforced DEP are capable of raising an exception when code is executed from a page marked with the appropriate attribute set. The evaluated configuration is restricted to devices that do not allow for the loading of executable data.
6.1.6.8 Abstract Machine Testing

During the evaluation of the TOE, tests were executed to demonstrate that the hardware mechanisms included in the TOE perform correctly to support the SFs.

6.1.6.9 Time Service

Each hardware platform supported by the TOE includes a real-time clock. The real-time clock is a device that can only be accessed using functions provided by the TSF. Specifically, the TSF provides functions that allow users, including the TSF itself, to query and set the clock, as well as functions to synchronize clocks within a domain. The ability to query the clock is unrestricted, while the ability to set the clock requires a privilege dedicated to that purpose. This privilege is only granted to authorized administrators to protect the integrity of the time service. Each clock may be subject to some amount of error (e.g., "drift"), and management of that error is a topic in the administrator guidance. Additionally, since it may be important to have temporal correspondence across systems within a single domain, the TSF includes a domain clock synchronization function. One of the DCs is designated to provide the reference time. All clients (including other DCs) within the domain periodically contact the reference DC to adjust their local clock. The time between synchronization actions depends on the deviation between the local and reference clock (i.e., the more deviation, the sooner the next synchronization will be scheduled).
SFR Mapping: The TSF Protection function satisfies the following SFRs:

TRANSFER_PROT_EX.1 - The TSF provides internet-based standard protocols for IP security and key management. IPSec with AH and ESP implementations protect transferred TSF data from disclosure and modification. AH provides keyed-hash integrity protection (an integrity check value computed over the packet, not a digital signature) against modification; ESP provides encryption to protect against disclosure as well as modification.

FPT_TRC_EX.1 - The TSF provides consistency of replicated GPOs and DS data by implementing a well-defined TSF replication algorithm.

TRANSFER_PROT_EX.3 - The TSF implements IP AH. AH provides integrity, authentication and anti-replay. AH uses a hashing algorithm, such as SHA-1, to compute a keyed message hash for each IP packet. Additionally, IPSec policies and filters may be configured to reject the packet or audit the event if the results of a service applied to a packet challenge the integrity of the packet (modification, insertion of data, replay of data).

FPT_RPL_EX.1 - The TSF implements IP AH. AH provides integrity, authentication and anti-replay. AH uses a hashing algorithm, such as SHA-1, to compute a keyed message hash for each IP packet. The TSF may reject the packet or audit the event if the IPSec service results challenge the integrity of the packet.

FPT_RST_EX.1 - The XP portion of the TSF has the ability to create restore points whereby it can restore selected portions of the system to a known state. The authorized administrator has the ability to choose the following information for archival: Registry, Profiles (local only; roaming user profiles are not impacted by restore), COM+ database, WFP.dllcache, WMI database, and files with extensions listed in the Monitored File Extensions list.

FPT_RVM.1 - The TSF provides reference mediation of all the objects covered by the DAC policy. Reference mediation is primarily enforced through handle enforcement. Once an access policy decision is made by the TSF, this policy is enforced via the handle enforcement checks applied every time a handle is used. In this manner, access to objects is assured to be consistent with the security policy even though the security policy is not checked on all use of an object. Some objects are directly accessed by name without obtaining a handle first. In these cases, the TSF checks the request against the access policy directly.

FPT_SEP.1 - The TSF provides a security domain to protect itself through hardware, the processor kernel mode, controlled state transitions, process isolation, and memory protection. Processes are managed by the TSF kernel-mode software and have private address spaces and process context.

FPT_SEP_EX.1 - The TSF implements memory protection by not executing code on pages marked for data only. The owning process has the ability to set the flags associated with its memory pages.

FPT_STM.1, FMT_MTD.1(g) - The real-time clock in each Windows 2003/XP platform, in conjunction with periodic domain synchronization and restricting the ability to change the clock to authorized administrators, provides a reliable source of time stamps for the TSF.

FPT_SUS_EX.1, FPT_SUS_EX.2, FPT_SUS_EX.3, FPT_SUS_EX.4, FPT_SUS_EX.5, FPT_SUS_EX.6 - The TSF provides an update service whereby the TSF downloads updates from a trusted source into a TOE server and then client TOE machines can download and install the updates from the server. Administrators manage the updates by approving all updates, setting a time frame by which all updates must be installed, and forcing immediate updates if necessary.

FPT_AMT.1 - Tests were available during the evaluation that demonstrated the correct operation of the hardware mechanisms included in the TOE.
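The anti-replay service that TRANSFER_PROT_EX.3 and FPT_RPL_EX.1 attribute to AH is, concretely, a sliding window over the packet sequence number. The C code below is an added example, not part of the Security Target and not Microsoft's IPsec implementation: it is the 64-bit window algorithm from RFC 2401 Appendix C, split into a check phase and an update phase so that, as in AH, a packet only advances the window after its integrity check value has verified. The keyed-hash (ICV) verification itself is represented by a caller-supplied flag, and the packet stream, the verdict names and the demo function are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define AH_REPLAY_WINDOW 64   /* RFC 2401 minimum anti-replay window size */

struct ah_replay_state {
    uint32_t last_seq;  /* highest sequence number accepted so far */
    uint64_t bitmap;    /* bit i set => (last_seq - i) has already been received */
};

enum ah_verdict { AH_ACCEPT = 0, AH_REJECT_ZERO_SEQ, AH_REJECT_TOO_OLD,
                  AH_REJECT_REPLAY, AH_REJECT_BAD_ICV };

/* Phase 1: decide whether 'seq' is worth verifying. No state is changed. */
static enum ah_verdict ah_replay_check(const struct ah_replay_state *s, uint32_t seq) {
    if (seq == 0) return AH_REJECT_ZERO_SEQ;                 /* seq 0 is never valid */
    if (seq > s->last_seq) return AH_ACCEPT;                  /* right of the window: new */
    uint32_t diff = s->last_seq - seq;
    if (diff >= AH_REPLAY_WINDOW) return AH_REJECT_TOO_OLD;   /* left of the window */
    if (s->bitmap & ((uint64_t)1 << diff)) return AH_REJECT_REPLAY;
    return AH_ACCEPT;
}

/* Phase 2: record 'seq' once its ICV has verified. */
static void ah_replay_update(struct ah_replay_state *s, uint32_t seq) {
    if (seq > s->last_seq) {
        uint32_t shift = seq - s->last_seq;                   /* slide the window right */
        s->bitmap = (shift < AH_REPLAY_WINDOW) ? (s->bitmap << shift) | 1u : 1u;
        s->last_seq = seq;
    } else {
        s->bitmap |= (uint64_t)1 << (s->last_seq - seq);      /* late packet inside window */
    }
}

/* Inbound path for one AH packet: replay check, ICV check, then update. */
enum ah_verdict ah_inbound(struct ah_replay_state *s, uint32_t seq, bool icv_verified) {
    enum ah_verdict v = ah_replay_check(s, seq);
    if (v != AH_ACCEPT) return v;
    if (!icv_verified) return AH_REJECT_BAD_ICV;  /* a forged packet must not move the window */
    ah_replay_update(s, seq);
    return AH_ACCEPT;
}

/* Runs a constructed packet stream through the window; returns the number rejected. */
int ah_demo_rejections(void) {
    struct ah_replay_state s = { 0, 0 };
    struct { uint32_t seq; bool icv_ok; } pkts[] = {   /* constructed stream: {seq, icv_ok} */
        {1, true}, {2, true}, {3, true},
        {2, true},      /* replay of an accepted packet */
        {100, true},    /* jump forward: window slides, old bits fall off */
        {3, true},      /* now older than last_seq - 64: too old */
        {50, true},     /* late but inside the window: accepted once */
        {50, true},     /* replay */
        {0, true},      /* sequence number 0 */
        {101, false},   /* bad ICV: rejected, window does not advance */
        {101, true},    /* the genuine 101 is still accepted afterwards */
    };
    int rejected = 0;
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        enum ah_verdict v = ah_inbound(&s, pkts[i].seq, pkts[i].icv_ok);
        printf("seq=%3u icv=%d -> %s\n", pkts[i].seq, (int)pkts[i].icv_ok,
               v == AH_ACCEPT ? "accept" : "reject");
        if (v != AH_ACCEPT) rejected++;
    }
    return rejected;
}

int main(void) { printf("rejected: %d\n", ah_demo_rejections()); return 0; }
```

The ordering matters for the "reject the packet or audit the event" behaviour the text describes: a packet whose keyed hash fails is dropped before it can change the window, so an attacker cannot use forged sequence numbers to push legitimate in-flight packets out of the window.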
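The handle-enforcement model under FPT_RVM.1 is easy to misread, so here is an added example in C, not part of the Security Target and not Windows code, that models it: the access check against the object's DACL happens once at open time, and every later use is checked only against the access mask granted to the handle. The object, ACE and handle-table types, the principal names and the ACCESS_* masks are simplified stand-ins for the Windows structures, chosen for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACCESS_READ   0x1u
#define ACCESS_WRITE  0x2u
#define MAX_ACES      4
#define MAX_HANDLES   8

struct ace    { const char *principal; uint32_t allowed; };   /* allow-only ACE */
struct object { struct ace dacl[MAX_ACES]; int ace_count; };

/* A handle remembers only the granted mask, never the identity or the DACL. */
struct handle { const struct object *obj; uint32_t granted; bool open; };
static struct handle table[MAX_HANDLES];

/* Access check: the policy decision, performed exactly once per open. */
static uint32_t effective_access(const struct object *o, const char *principal) {
    uint32_t mask = 0;
    for (int i = 0; i < o->ace_count; i++)
        if (strcmp(o->dacl[i].principal, principal) == 0) mask |= o->dacl[i].allowed;
    return mask;
}

/* Returns a handle index, or -1 if the DACL does not grant all of 'desired'. */
int open_object(const struct object *o, const char *principal, uint32_t desired) {
    if ((effective_access(o, principal) & desired) != desired) return -1;
    for (int h = 0; h < MAX_HANDLES; h++)
        if (!table[h].open) { table[h] = (struct handle){ o, desired, true }; return h; }
    return -1;
}

/* Handle enforcement: on each use only the granted mask is consulted. */
bool use_handle(int h, uint32_t op) {
    if (h < 0 || h >= MAX_HANDLES || !table[h].open) return false;
    return (table[h].granted & op) == op;
}

void close_handle(int h) { if (h >= 0 && h < MAX_HANDLES) table[h].open = false; }

/* Scenario: alice opens for read, then an administrator removes her ACE.
 * Returns a bit field: 1 = the existing read handle still works,
 * 2 = write through the read-only handle is refused,
 * 4 = a fresh open after the DACL change is refused. */
int mediation_demo(void) {
    struct object file = { { {"alice", ACCESS_READ | ACCESS_WRITE} }, 1 };
    int h = open_object(&file, "alice", ACCESS_READ);
    if (h < 0) return 0;
    int result = 0;
    file.ace_count = 0;                                         /* DACL tightened after open */
    if (use_handle(h, ACCESS_READ))            result |= 1;     /* decision cached in the handle */
    if (!use_handle(h, ACCESS_WRITE))          result |= 2;     /* never granted at open time */
    if (open_object(&file, "alice", ACCESS_READ) < 0) result |= 4; /* new open re-checks the DACL */
    close_handle(h);
    return result;
}

int main(void) { printf("mediation_demo bits: %d\n", mediation_demo()); return 0; }
```

The practical consequence for administrators is the one the text hints at: tightening a DACL does not revoke access already granted to open handles, so a revocation is only complete once those handles are closed (or the holding process is terminated).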
6.1.7 Resource Utilization Function

The TSF provides a function that can limit the amount of disk space that can be used by an identified user on a specific NTFS-formatted disk volume. Each NTFS volume has a set of properties, including a description of applicable disk quotas that can be changed only by an authorized administrator. These properties allow an authorized administrator to enable or disable quota management on the selected volume, specify default and specific quota thresholds and warning levels, and select the action to take when quotas are exceeded. The disk space quota threshold and warning level properties can be specified per user account; each of the other properties applies to all users of the volume. Any disk space that is used is associated with the account that "owns" the object, based on the owner property of the object. When quota management is enabled, the first time that an object is created on a volume for a given account, a quota record will be created for that account (if it hasn't already been explicitly created). This quota record is initially assigned the default disk space and warning levels and is used subsequently to manage that account's use of disk space. Whenever a given account causes more disk space to be allocated, the quota record for that account is modified and the thresholds are checked. If the warning level or disk space quota is exceeded, the administrator-selected action is taken.

SFR Mapping: The Resource Utilization function satisfies the following SFR:

FRU_RSA.1 - The quota feature of NTFS provides an authorized administrator the ability to effectively limit the total amount of disk space that a specified user can use on a specific NTFS disk volume.
6.1.8 TOE Access Function

6.1.8.1 Session Locking

The TSF provides the ability for a user to lock their interactive logon session immediately or after a user-defined time interval. Additionally, the TSF provides the ability for the administrator to specify a defined interval of inactivity after which the session will be locked. Once a user is logged on, they can invoke the session locking function by using the same key sequence used to invoke the trusted path (Ctrl+Alt+Del). This key sequence is captured by the TSF and cannot be intercepted or altered by any user process. The result of that key sequence is a menu of functions, one of which is to lock the workstation. Alternatively, a user can invoke a function to set screen saver properties for their interactive logon session. The user can select a program to use as a screen saver, the amount of inactivity before the screen saver will start, and whether a password will be required to resume the user's session (effectively making the screen saver a session lock). The TSF constantly monitors the mouse and keyboard for activity and, if they are inactive for the user-specified time period, the TSF will lock the workstation (assuming the user configured it to lock the session) and execute the screen saver program (assuming the user selected a screen saver program). Note that if the workstation was not locked manually, the TSF will start the screen saver program if and when the inactivity period is exceeded. When the workstation is locked manually, or when there is mouse or keyboard activity after the screen saver program has started (assuming a password is required; otherwise the session immediately resumes), the TSF will display the user's default background and a dialog indicating that the user must use the Ctrl+Alt+Del sequence to re-authenticate. Regardless of how the workstation was locked, the user must use the Ctrl+Alt+Del function, which will result in an authentication dialog. The user must then re-enter their password, which has been cached by the local system from the initial logon, after which the user's display will be restored and the session will resume. Alternatively, an authorized administrator can enter their administrator identity and password in the authentication dialog. If the TSF can successfully authenticate the administrator, the user will be logged off, rather than returning to the user's session, leaving the workstation ready to authenticate a new user.

The web server (IIS) configuration values (in the metabase) include a value that defines the time in seconds that IIS waits before it disconnects an inactive session. Only an authorized administrator can define this value.

SFR Mapping: The TOE Access function satisfies the following SFRs:

FTA_SSL.1 - Windows 2003/XP allows users and the authorized administrator to define an inactivity interval, after which their session will be locked. The locked display has only the user's default background, instructions to unlock, and optionally the output from a user-selected screen saver program. The user must re-enter their password to unlock the workstation.

FTA_SSL.2 - Windows 2003/XP also allows a user to directly invoke the session lock as described above.

FTA_SSL.3 - IIS disconnects an inactive session after the time defined by the authorized administrator has elapsed.

FMT_MOF.1(c) - Only the authorized user and an authorized administrator can unlock a locked session.

FMT_MTD.1(k) - The TSF allows an authorized user to define and modify the time interval of inactivity before the session associated with that user will be locked.
6.2 TOE Security Assurance Measures

The following assurance measures are applied to Windows 2003/XP to satisfy the CC EAL4 assurance requirements: Process Assurance; Delivery and Guidance; Design Documentation; Tests; and, Vulnerability Assessment.

6.2.1 Process Assurance

6.2.1.1 Configuration Management

The Configuration Management (CM) measures applied by Microsoft ensure that Configuration Items (CIs) are uniquely identified, and that documented procedures are used to control and track changes that are made to the TOE. Microsoft ensures that changes to the implementation representation are controlled with the support of automated tools and that TOE-associated CI modifications are properly controlled. Microsoft performs CM on the TOE implementation representation, design, tests, user and administrator guidance, the CM documentation, life-cycle documentation, vulnerability analysis, and security flaws. Microsoft documents and follows an acceptance plan for how CIs are approved. Microsoft ensures that the TOE is uniquely referenced and labeled with its reference. Microsoft uses, and documents how they use, automated tools to support TOE generation. These activities are documented in the Windows Server 2003 SP2 and Windows XP SP2 With ADFS and WSUS Configuration Management Manual.

Microsoft applies procedures to accept and act upon reported security flaws and requests to correct security flaws. Microsoft designates specific points of contact for user reports and security-related inquiries. The procedures are documented and describe how security flaws are tracked, that for each security flaw a description and status of the correction of the security flaw is provided, that corrective actions are identified for each security flaw, and how flaw information is provided (corrective actions and guidance on corrective actions). The procedures ensure that all reported flaws are corrected, that corrections are issued to TOE users, and that the corrections do not introduce new flaws. The procedures also ensure a timely response to reported flaws and the automatic distribution of security flaw reports to the affected users. These activities are documented in the Windows Server 2003 SP2 and Windows XP SP2 With ADFS and WSUS Configuration Management Manual.

6.2.1.2 Life-Cycle Support

Microsoft ensures the adequacy of the procedures used during the development and maintenance of the TOE through the use of a comprehensive life-cycle management plan. Microsoft includes security controls on the development environment that are adequate to provide the confidentiality and integrity of the TOE design and implementation that is necessary to ensure the secure operation of the TOE. Microsoft achieves this through the use of a documented model of the TOE life cycle and well-defined development tools that yield consistent and predictable results. Additionally, Microsoft documents the implementation-dependent options and the meaning of all statements used in the implementation. This information and these procedures are documented in the Windows Server 2003 SP2 and Windows XP SP2 With ADFS and WSUS Assurance Lifecycle Manual and the Windows Server 2003 SP2 and Windows XP SP2 With ADFS and WSUS Configuration Management Manual.

SAM Mapping: The Process Assurance measure satisfies the following SARs: ACM_AUT.1; ACM_CAP.4; ACM_SCP.2; ALC_DVS.1; ALC_FLR.3; ALC_LCD.1; and, ALC_TAT.1.
6.2.2 Delivery and Guidance

Microsoft provides delivery documentation and procedures to identify the TOE, to allow detection of unauthorized modifications of the TOE, and to give installation and generation instructions at start-up. Microsoft's delivery procedures describe the electronic and non-electronic procedures to be used to detect modification to the TOE. The installation and generation procedures describe the steps necessary to place Windows 2003/XP into the evaluated configuration. These delivery procedures are documented in the Windows Server 2003 SP2 and Windows XP SP2 with ADFS and WSUS Delivery Procedures. The configuration guidance is found in the Windows XP Professional with SP2 Security Configuration Guide, Version 3.0 and the Windows Server 2003 with SP2 Security Configuration Guide, Version 3.0.

Microsoft provides administrator and user guidance on how to perform the TOE security functions and warnings to authorized administrators and users about actions that can compromise the security of the TOE. Administrator and User guidance is documented in the following:
Windows Server 2003 with SP2 Evaluated Configuration Administrator's Guide, Version 3.0
Windows XP Professional with SP2 Evaluated Configuration Administrator's Guide, Version 3.0
Windows XP Professional with SP2 Evaluated Configuration User's Guide, Version 3.0

SAM Mapping: The Delivery and Guidance assurance measure satisfies the following SARs: ADO_DEL.2; ADO_IGS.1; AGD_ADM.1; and, AGD_USR.1.
6.2.3 Design Documentation

The Windows 2003/XP "Security Design Documentation" is an extensive set of documents describing all aspects of the TOE security design, architecture, mechanisms, and interfaces. The Security Design Documentation consists of a large number of related documents. These documents are:

Introduction: Describes the form, content, and organization of the System Design documentation.
Security Policy: Provides an informal description and model of the access control policy for the system.
System Decomposition Summary: This document describes the decomposition of the system and identifies the subsystems in terms of components.
Component Descriptions (several): There are several of these documents; one each for the system components defined in the Decomposition Summary document. Each document describes the component and identifies the modules within the component in terms of subcomponents.
Subcomponent Designs (many): There are many of these documents; one each for the subcomponents defined in the several Component Description documents. Each subcomponent design document presents the following:
- A summary identifying the subcomponent's name, implementation location, and execution environment.
- A description of the design of the subcomponent and a summary of its security functions and mechanisms.
- A specification of each TSF interface implemented by the subcomponent. The following is provided for each TSF interface: purpose, parameters, security checks, and security effects.
- A correspondence matrix that identifies, for each TSF interface, which security functions the interface's checks and effects help implement. The matrix includes a rationale for this correspondence.
- A test family summary that describes the test cases implemented in the security tests for each API.

SAM Mapping: The Design Documentation assurance measure satisfies the following SARs:

ADV_FSP.2 - The sum of all TSF interface specifications from each of the Subcomponent Design documents fully describes all interfaces to the TSF.

ADV_HLD.2 - The system components satisfy the requirement for decomposing the TOE into subsystems. Each component corresponds to a subsystem. The Component Decomposition Summary document and all of the Component Description documents fully describe each component.

ADV_IMP.1 - The source code used to generate the TOE satisfies this requirement.

ADV_LLD.1 - The subcomponents, which are a further decomposition of the components, satisfy the requirement to decompose each subsystem into modules. Each subcomponent is a module. The design descriptions and TSF interface specifications from each of the Subcomponent Design documents fully describe each subcomponent.

ADV_SPM.1 - The Security Policy document fully presents an informal security model for the TOE.

ADV_RCR.1 - Most of the correspondence between the various design documents is implicit in the way in which the documentation is structured. The way that this correspondence is evident within the design documentation is:
o ST-TSS to FSP - This is the principal explicit correspondence provided within the Security Design documentation. This correspondence is captured in all the TSF interface correspondence matrices from each of the Subcomponent Design documents.
o FSP to HLD - Since the FSP is presented on a per-subcomponent basis, this correspondence is implicit, since each Component Description document explicitly identifies which subcomponents (and hence which TSF interfaces) are contained within each Component.
o HLD to LLD - As above, the Component Description documents explicitly identify the association between components and subcomponents.
o LLD to IMP - The summary information for each Subcomponent Design document identifies the location within the TOE source code tree where that subcomponent's implementation is contained.
6.2.4 Tests

The TOE test documentation has been created to demonstrate appropriate breadth and depth of coverage. The test documentation describes how all security-relevant APIs are tested, specifically describing all test cases and variations necessary to demonstrate that all security checks and effects related to the API are correctly implemented. The test documentation provides correspondence between the security-relevant APIs and the applicable tests and test variations. The test documentation describes the actual tests, procedures to successfully execute the tests, and expected results of the tests. The test documentation also includes results in the form of logs resulting from completely exercising all of the security test procedures.

The test documentation consists of four parts: a test plan ("Windows 2003/XP Security Test Plan"), test families, test suites, and test results. The test plan describes the form, content, and organization of the test documentation. It also summarizes each of the test suites and includes high-level procedures for exercising the tests. The test families describe the set of security-relevant test cases on a per-subcomponent basis. These descriptions include references to the corresponding test suites that implement those test cases. Note that every test case corresponds to at least one test suite. The test suites include both documentation and an actual implemented test (if applicable). Test suites are organized around tests that share a common theme, such as handle enforcement, privilege enforcement, auditing, etc. The test suite documentation describes the purpose and "theme" for the test suite, the set of test variations that are exercised for each of its corresponding test cases, procedures to successfully exercise the test suite, and the expected results. The test suite documentation also implicitly includes the actual tests, which provide specific details regarding test variations and expected results. The test results are essentially the set of logs resulting from completely exercising all of the security test procedures. These logs include summaries of the results in terms of total test variations, counts of variations that passed, failed, or were blocked (i.e., were unable to run), and detailed information about each variation that was attempted, including more detailed results and expected results.

SAM Mapping: The Tests assurance measure satisfies the following SARs:

ATE_COV.2 - The set of test families describes the test cases for each of the security-relevant interfaces of the TOE. The test families indicate which test suites (and therefore which tests) are used to satisfy the test cases identified for each interface.

ATE_DPT.1 - The test suites include test variation descriptions that demonstrate that all of the corresponding test cases (and therefore security checks and effects) are appropriately exercised.

ATE_FUN.1 - Together, the test documents describe the security functions to be tested, how to successfully test all of them, the expected results, and the actual test results after exercising all of the tests.

ATE_IND.2 - The TOE and test suites will be available for independent testing.
6.2.5 Vulnerability Assessment

6.2.5.1 Evaluation of Misuse

The administrator guidance documentation describes the operation of Windows 2003/XP and how to maintain a secure state. The administrator guide also describes all operating assumptions and security requirements outside the scope of control of the TOE. The administrator guidance documentation has been developed to serve as a complete, clear, consistent, and reasonable administrator reference. The misuse analysis shows that the administrative guidance completely addresses managing the TOE in a secure configuration. The misuse analysis is documented in the Windows Server 2003 SP2 and Windows XP SP2 with ADFS and WSUS Misuse Analysis.

6.2.5.2 Strength of TSFs and Vulnerability Analysis

The strength of TSF analysis demonstrates that the SOF claims made in the ST for all probabilistic or permutational mechanisms are correct. Microsoft performs a systematic vulnerability analysis of the TOE to identify weaknesses that can be exploited in the TOE. Microsoft documents the status of identified vulnerabilities and demonstrates that each vulnerability cannot be exploited in the intended environment and that the TOE is highly resistant to obvious penetration attacks. The SOF and vulnerability analysis are documented in:
Windows Server 2003 SP2 and Windows XP SP2 with ADFS and WSUS Strength of Function Analysis
Microsoft Windows Server 2003 with SP2 / XP Professional with SP2 Vulnerability Analysis, Version 3.0

SAM Mapping: The Vulnerability Assessment assurance measure satisfies the following SARs: AVA_MSU.2; AVA_SOF.1; and, AVA_VLA.2.
7. Protection Profile Claims

This section provides the PP conformance claim statements and supporting justifications of conformance with the CAPP.

7.1 CAPP Conformance Claim Reference

The TOE conforms to the Controlled Access Protection Profile (CAPP), Version 1.d, National Security Agency, 8 October 1999.

7.1.1 CAPP Requirements in ST

The CAPP requirements included in this ST are identified in Section 5. For each CAPP requirement included in this ST, Section 5 also indicates what operation, if any, has been performed. The specific operations that were performed are highlighted in Section 5 as part of the requirement statements.

7.1.2 CAPP Differences and Enhancements

The following list in Table 7-1 clearly identifies the delta between this ST and the CAPP with respect to threats, assumptions, policies, objectives, SFRs and assurance requirements. The ST has primarily added additional items, or, in the case of assurance requirements, enhanced requirements from EAL3, as required in the CAPP, to EAL4. This section categorizes the delta into differences and enhancements. Differences are considered changes to the PP content. Enhancements are considered the addition of new items or the replacement of an item in the CAPP with a higher hierarchical item. This section provides rationale that each difference and enhancement complies with the CAPP and does not introduce any inconsistencies. Table 7-1 also indicates when a requirement that is included in the CAPP has changed due to an International Interpretation, and is therefore different as presented in this ST. These requirements are identified in Table 7-1 by the word "Interpreted" in the Modification column. Note that these requirements are denoted in Section 5 by an italicized parenthetical following those changed requirement elements (e.g. (per International Interpretation #51)).

Table 7-1 CAPP Modifications

Category    Name                         Modification
Threat      T.AUDIT_CORRUPT              Addition
Threat      T.CONFIG_CORRUPT             Addition
Threat      T.OBJECTS_NOT_CLEAN          Addition
Threat      T.SPOOF                      Addition
Threat      T.SYSACC                     Addition
Threat      T.UNAUTH_ACCESS              Addition
Threat      T.UNAUTH_MODIFICATION        Addition
Threat      T.UNDETECTED_ACTIONS         Addition
Threat      T.USER_CORRUPT               Addition
Threat      T.ADMIN_ERROR                Addition
Threat      T.AUDIT_COMPROMISE           Addition
Threat      T.EAVESDROP                  Addition
Threat      T.MASQUERADE                 Addition
Threat      T.POOR_DESIGN                Addition
Threat      T.POOR_IMPLEMENTATION        Addition
Threat      T.REPLAY                     Addition
Threat      T.UNATTENDED_SESSION         Addition
Threat      T.UNIDENTIFIED_ACTIONS       Addition
Threat      T.ADDRESS_MASQUERADE         Addition
Threat      T.TCPIP_ATTACK               Addition
Threat      T.MALICIOUS_CODE_EXEC        Addition
Policy      P.AUTHORIZATION              Addition
Policy      P.ADD_IPSEC                  Addition
Policy      P.WARN                       Addition
Objective   O.AUDIT_PROTECTION           Addition
Objective   O.PROTECT                    Addition
Objective   O.TRUSTED_PATH               Addition
Objective   O.LEGAL_WARNING              Addition
Objective   O.LIMIT_AUTHORIZATION        Addition
Objective   O.ENCRYPTED_DATA             Addition
Objective   O.IPSEC                      Addition
Objective   O.ASSURANCE                  Addition
Objective   O.MEDIATE                    Addition
Objective   O.SOFTWARE_PROTECT           Addition
SFR         FAU_GEN.1                    Refinement
SFR         FAU_LOG_EX.1                 Addition
SFR         FAU_SAR.1                    Refinement
SFR         FAU_STG.1                    Interpreted, Refinement
SFR         FAU_STG.4                    Refinement
SFR         FCS_COP.1(a) thru (j)        Addition
SFR         FCS_CKM.1(a) thru (e)        Addition
SFR         FCS_CKM.2                    Addition
SFR         FCS_CKM.4                    Addition
SFR         FCS_CKM_EX.1                 Addition
SFR         FCS_CKM_EX.2                 Addition
SFR         FDP_ACC.2(a)                 Addition
SFR         FDP_ACC.2(b)                 Addition
SFR         FDP_ACC.2(c)                 Addition
SFR         FDP_ACC.2(d)                 Addition
SFR         FDP_ACF.1(a)                 Refinement
SFR         FDP_ACF.1(b)                 Addition
SFR         FDP_ACF.1(c)                 Addition
SFR         FDP_ACF.1(d)                 Addition
SFR         FDP_IFC.1(a)                 Addition
SFR         FDP_IFC.1(b)                 Addition
SFR         FDP_IFC.1(c)                 Addition
SFR         FDP_IFF.1(a)                 Addition
SFR         FDP_IFF.1(b)                 Addition
SFR         FDP_IFF.1(c)                 Addition
SFR         FDP_ITT.1                    Addition
SFR         FDP_UCT.1                    Addition
SFR         FDP_UIT.1                    Addition
SFR         FIA_AFL.1                    Addition
SFR         FIA_SOS.1                    Refinement
SFR         FIA_UAU.6                    Addition
SFR         FIA_USB.1_EX.1               Refinement
SFR         FMT_MOF.1(a)                 Addition
SFR         FMT_MOF.1(b)                 Addition
SFR         FMT_MOF.1(c)                 Addition
SFR         FMT_MOF.1(d)                 Addition
SFR         FMT_MOF.1(e)                 Addition
SFR         FMT_MSA.1(b) thru (h)        Addition
SFR         FMT_MSA_EX.2                 Addition
SFR         FMT_MSA.3(b) thru (g)        Addition
SFR         FMT_MTD.1(e) thru (p)        Addition
SFR         FMT_MTD.2                    Addition
SFR         FMT_SAE.1                    Addition
SFR         FMT_SMF.1                    Addition
SFR         FMT_SMR.3                    Addition
SFR         TRANSFER_PROT_EX             Addition
SFR         FPT_RST_EX.1                 Addition
SFR         FPT_SEP_EX.1                 Addition
SFR         FPT_SUS_EX.1                 Addition
SFR         FPT_SUS_EX.2                 Addition
SFR         FPT_SUS_EX.3                 Addition
SFR         FPT_SUS_EX.4                 Addition
SFR         FPT_SUS_EX.5                 Addition
SFR         FPT_SUS_EX.6                 Addition
SFR         FPT_TRC_EX.1                 Addition
SFR         TRANSFER_PROT_EX.3           Addition
SFR         FPT_RPL_EX.1                 Addition
SFR         FRU_RSA.1                    Addition
SFR         FTA_LSA_EX.1                 Addition
SFR         FTA_MSC_EX.1                 Addition
SFR         FTA_SSL.1                    Addition
SFR         FTA_SSL.2                    Addition
SFR         FTA_SSL.3                    Addition
SFR         FTA_TAB.1                    Addition
SFR         FTA_TSE.1                    Addition
SFR         FTA_TRP.1                    Addition
SAR         ACM_AUT.1                    Addition for EAL4
SAR         ACM_CAP.4                    Upgrade for EAL4
SAR         ACM_SCP.2                    Upgrade for EAL4
SAR         ADO_IGS.1                    Interpreted
SAR         ADO_DEL.2                    Upgrade for EAL4
SAR         ADV_FSP.2                    Upgrade for EAL4
SAR         ADV_IMP.1                    Upgrade for EAL4
SAR         ADV_LLD.1                    Addition for EAL4
SAR         ADV_SPM.1                    Addition for EAL4
SAR         ALC_FLR.3                    Augment to EAL4
SAR         ALC_LCD.1                    Addition for EAL4
SAR         ALC_TAT.1                    Addition for EAL4
SAR         ATE_COV.2                    Addition for EAL4
SAR         AVA_MSU.2                    Upgrade for EAL4
7.1.2.1 Threat Enhancements

The CAPP does not identify specific threats that are to be addressed by a compliant TOE. The ST includes specific threats to help readers understand the types of attacks that the TOE can address. These threats apply to aspects of the TOE that are included in the CAPP as well as to the additional TOE features presented in this ST.

7.1.2.2 Policy Enhancements

The ST includes three organizational policies in addition to those in the CAPP, which the TOE addresses. One of these policies is an optional policy, which the TOE can support depending upon configuration settings identified in the Guidance Documents. The optional policy reflects the TOE's ability to provide IPSec. Since IPSec may not be appropriate for all deployments of the TOE, it is included in the ST as an optional policy, P.ADD_IPSEC. The TSF implementation of IPSec is discussed in the TSS and corresponds to a functional security requirement, which in turn supports the P.ADD_IPSEC organizational policy. Including the IPSec policy in the ST complements the CAPP policies. The remaining policies reflect other areas where the TOE includes functionality that is beyond that specified in the CAPP. The additional functionality and corresponding supported policies are fully compatible with the CAPP.

7.1.2.3 Objective Enhancements

The additional objectives in the ST reflect additional functionality and detail that was not included in the CAPP. These objectives generally are a result of the additional material (e.g., threats and policies) used to characterize the environment. The Rationale, Section 8, provides traceability between objectives and requirements.

7.1.2.4 SFR Enhancements

The additional SFRs reflect additional functionality that the TOE provides to meet the security objectives for the environment that is characterized in the ST. The additional SFRs are compatible with the CAPP. FDP_ACC.2(a) is included in this ST and is hierarchical to the CAPP requirement FDP_ACC.1. As indicated in Table 7-1, six requirements in the CAPP were further refined. These requirements are FAU_GEN.1, FAU_SAR.1, FAU_STG.1, FAU_STG.4, FDP_ACF.1(a), and FIA_SOS.1. These refinements are described below, and these requirements remain compliant with the CAPP.

FAU_GEN.1 is refined further than the CAPP to specify the audit events that are related to SFRs that are not included in the CAPP. The CAPP FAU_GEN.1 requirement includes the statement that the events listed meet the basic level of audit, with the exception of FIA_UID.1's user identity during failures. The events listed in the FAU_GEN.1 requirement in this ST are a superset of the events listed in the CAPP FAU_GEN.1 requirement. The additional events are related to the additional SFRs included in this ST that are not in the CAPP; however, these additional events are not at the basic level of audit. The refinements made in the FAU_GEN.1 requirement in this ST are to clarify the distinction between the audit events that are included for CAPP compliance and those that are added beyond the CAPP, and to clarify that the additional audit events are not claimed to be at any specified level of audit.

FAU_SAR.1 is refined to restrict the ability to view the audit records to only the authorized administrator and to provide the authorized administrator with a tool to access the audit records.

FAU_STG.1 is refined to make a stronger claim of protection of the audit records by requiring that the audit records be protected from all modification, removing the ability to perform "authorized" modifications.

FAU_STG.4 is refined only to allow for a more readable requirement.

FDP_ACF.1(a) is refined further than the CAPP to add additional security attributes associated with a subject that the DAC policy is based upon.

FIA_SOS.1 is refined further than the CAPP to require a stronger secret than that specified in the CAPP and also to require a delay between authentication attempts.

FIA_USB.1_EX (which is labeled FIA_USB.1 in the CAPP but is an explicit requirement) is refined to ensure the user identity associated with auditable events is unique and to allow for the association of a maximum resource quota to subjects acting on behalf of users.

7.1.2.5 Security Assurance Requirement Enhancements

The ST has upgraded and added security assurance requirements to reflect that the assurance measures in place for the TOE are at EAL4, augmented with ALC_FLR.3 (Systematic Flaw Remediation). The ST's augmented EAL4 is an appropriate claim, as discussed in the rationale in Section 8.2.2. The CAPP requires EAL3. Since EAL4 augmented is hierarchical to EAL3, the SAR upgrades still fully comply with the assurance requirements in the CAPP.
8. Rationale

This section provides the rationale for completeness and consistency of the ST. The rationale addresses the following areas: Security Objectives; Security Functional Requirements; Security Assurance Requirements; TOE Summary Specification; Security Functional Requirement Dependencies; and, Internal Consistency.

8.1 Security Objectives Rationale

This section shows that all threats, secure usage assumptions, and organizational security policies are completely covered by security objectives. In addition, each objective counters or addresses at least one assumption, organizational security policy, or threat. Tables 8-1 and 8-2 present the mapping of objectives to the security environment.

8.1.1 TOE IT Security Objectives Rationale

This section provides evidence demonstrating the coverage of threats and organizational policies by the IT security objectives. The following table shows the threats and organizational policies that each IT security objective addresses.

Table 8-1 IT Security Objectives Rationale Mapping

IT Security Objective      Threats and Organizational Policies
O.AUTHORIZATION            T.SYSACC, T.MASQUERADE, T.UNATTENDED_SESSION, P.AUTHORIZED_USERS, T.UNAUTH_ACCESS
O.DISCRETIONARY_ACCESS     T.USER_CORRUPT, P.NEED_TO_KNOW
O.AUDITING                 T.UNDETECTED_ACTIONS, T.AUDIT_COMPROMISE, P.ACCOUNTABILITY, T.UNIDENTIFIED_ACTIONS
O.AUDIT_PROTECTION         T.AUDIT_CORRUPT, T.AUDIT_COMPROMISE
O.RESIDUAL_INFORMATION     P.NEED_TO_KNOW, T.OBJECTS_NOT_CLEAN
O.MANAGE                   P.ACCOUNTABILITY, P.AUTHORIZED_USERS, P.NEED_TO_KNOW, T.UNIDENTIFIED_ACTIONS
O.ENFORCEMENT              P.ACCOUNTABILITY, P.AUTHORIZED_USERS, P.NEED_TO_KNOW, P.ADD_IPSEC
O.PROTECT                  T.UNAUTH_MODIFICATION, T.CONFIG_CORRUPT, T.USER_CORRUPT, T.AUDIT_COMPROMISE, T.UNAUTH_ACCESS
O.TRUSTED_PATH             T.SPOOF, T.REPLAY
O.LEGAL_WARNING            P.WARN
O.LIMIT_AUTHORIZATION      P.AUTHORIZATION
O.IPSEC                    P.ADD_IPSEC, T.EAVESDROP, T.REPLAY
O.ENCRYPTED_DATA           T.USER_CORRUPT, T.UNAUTH_ACCESS
O.ASSURANCE                T.ADMIN_ERROR, T.POOR_DESIGN, T.POOR_IMPLEMENTATION, T.UNATTENDED_SESSION, T.UNIDENTIFIED_ACTIONS, T.TCPIP_ATTACK
O.MEDIATE                  T.ADDRESS_MASQUERADE
O.SOFTWARE_PROTECT         T.MALICIOUS_CODE_EXEC
O.PARTIAL_RECOVERY         T.LOST_DATA
O.OUTDATED_SW              T.OLD_SW

The following objectives are sufficient to address all of the threats and organizational policies in the ST.
O.AUTHORIZATION – Ensuring that the TOE and its resources are protected from unauthorized access counters the threats T.UNAUTH_ACCESS and T.SYSACC, since the execution of these threats relies upon unauthorized access to the TOE. T.MASQUERADE is also mitigated by this objective because it ensures that only authorized users are allowed access to a resource. Additionally, this objective implements the policy P.AUTHORIZED_USER by ensuring that only authorized users gain access to the TOE and its resources. T.UNATTENDED_SESSION is mitigated by ensuring the TOE does not allow unauthorized access to the TOE and its resources.

O.DISCRETIONARY_ACCESS – By ensuring that authorized users can define which users can access their resources, the threat T.USER_CORRUPT is countered because the TSF enforces the authorized users' restrictions, thus preventing users from accessing data not allowed by the user authorized to restrict access to that data. This objective ensures that the TSF enforces the restrictions to resources defined by the authorized users, thereby implementing the policy P.NEED_TO_KNOW.

O.AUDITING – By ensuring that the TSF records security-relevant actions of users and presents them to the authorized administrator, the threat T.UNDETECTED_ACTIONS is countered because the record of actions produced by the TSF will ensure that unauthorized actions will not go undetected. T.AUDIT_COMPROMISE is mitigated by this objective because the objective ensures that the generation of audit data cannot be prevented by unauthorized users. This objective ensures that a record of actions is produced and made available to the authorized administrator, thereby implementing the policy P.ACCOUNTABILITY by providing the ability to review actions of individuals on the TOE and to hold them accountable for their actions. T.UNIDENTIFIED_ACTIONS is mitigated by ensuring the TOE presents audit data to the authorized administrator.

O.AUDIT_PROTECTION – By ensuring that the audit information is protected, the threats T.AUDIT_CORRUPT and T.AUDIT_COMPROMISE are countered because unauthorized access will be prevented and audit information will not be lost or tampered with by unauthorized users.

O.RESIDUAL_INFORMATION – By ensuring that information in a protected resource is not released when the resource is recycled, the threat T.OBJECTS_NOT_CLEAN is countered because the TSF will always remove data from resources between uses by different users. This objective supports the policy P.NEED_TO_KNOW because it enforces the restrictions on resources defined by authorized users by ensuring that information is not left behind in a resource that may have different restrictions placed upon it.

O.MANAGE – By ensuring that all the functions and facilities necessary to support the authorized administrator in managing TOE security are provided, support is provided to implement the P.ACCOUNTABILITY, P.AUTHORIZED_USERS, and P.NEED_TO_KNOW policies because it requires the system to provide functionality to support the management of audit, resource protection, and system access protection. T.UNIDENTIFIED_ACTIONS is mitigated by ensuring the TOE offers the necessary management functions for the authorized administrator to securely manage the TOE.

O.ENFORCEMENT – By ensuring that organizational policies are enforced, the policies P.ACCOUNTABILITY, P.AUTHORIZED_USERS, P.ADD_IPSEC, and P.NEED_TO_KNOW are supported because the objective ensures that functions are invoked and operate correctly.

O.PROTECT – By ensuring that the TSF protects itself, including its data and resources, from external tampering, the threats T.UNAUTH_ACCESS and T.CONFIG_CORRUPT are countered. Additionally, countering the threats T.USER_CORRUPT, T.UNAUTH_MODIFICATION and T.AUDIT_COMPROMISE is supported. Ensuring that unauthorized access to the TSF data and resources is prevented disallows the above threats from being executed, since they rely upon unauthorized access to TSF data or the modification of the TSF to a state where the security functions are not enforced, thereby ensuring that the TSF is never bypassed.

O.TRUSTED_PATH – By ensuring that there is a capability to allow users to ensure they are communicating with the TSF during initial user authentication, the threat T.SPOOF is countered because the execution of the threat relies upon the ability to masquerade as the TSF. Countering T.REPLAY is supported in that authentication data cannot be captured by an unauthorized entity.
O.LEGAL_WARNING – By ensuring that users are aware of legal issues involving use of the TOE before access to resources is allowed, this objective implements the policy P.WARN because it provides the users with a warning of the ramifications of unauthorized use of the TOE.

O.LIMIT_AUTHORIZATION – By providing a capability to limit the extent of a user's authorizations, the policy P.AUTHORIZATION is implemented because each user's authorizations can be limited.

O.IPSEC – By ensuring that a capability is provided to protect system data in transmission between separate parts of the TOE, the policy P.ADD_IPSEC is implemented because it requires the system to provide this capability to protect system data in transmission between distributed parts of the TOE. By protecting data during transmission, data cannot be intercepted, allowing the TOE to mitigate T.EAVESDROP. The mitigation of T.REPLAY is assisted by ensuring data during transmission is protected from capture and resubmission.

O.ENCRYPTED_DATA – By ensuring that only users that encrypted data may receive that data decrypted, the threats T.USER_CORRUPT and T.UNAUTH_ACCESS are countered because access to decrypted data from a user other than the user that encrypted the data is prevented.

O.ASSURANCE – By ensuring that the guidance documentation is accurate and not misleading, the threat that the TOE is incorrectly installed or configured, T.ADMIN_ERROR, is countered. The application of sound design principles and techniques, functional testing, and penetration testing mitigate the threats T.POOR_DESIGN and T.POOR_IMPLEMENTATION, that errors exist in the TOE design and implementation. T.UNATTENDED_SESSION and T.UNIDENTIFIED_ACTIONS are mitigated by ensuring there is sufficient guidance to users and authorized administrators with respect to using the security functions. T.TCPIP_ATTACK is mitigated by ensuring the TOE has undergone a vulnerability analysis and penetration testing, which will ensure the TOE is sufficiently robust to protect itself against published exploits.

O.MEDIATE – By ensuring that all network packets that flow through the TOE are subject to the information flow policies, a user cannot modify the identification of the TOE interface associated with them, which mitigates the threat T.ADDRESS_MASQUERADE.

O.SOFTWARE_PROTECT – By ensuring that users have the ability to protect their associated memory, the threat T.MALICIOUS_CODE_EXEC is countered because malicious code cannot be inserted into a user's protected memory.

O.PARTIAL_RECOVERY – By ensuring the TSF has a means to recover from system failures, the threat T.LOST_DATA is addressed because the TSF provides the ability to restore some of the archived TOE data.

O.OUTDATED_SW – By ensuring the TSF has the ability to install updated software from a trusted source, the threat T.OLD_SW is addressed because newer software can be installed to prevent a malicious user from using known attacks.

All of the organizational policies and threats are addressed by the IT security objectives. For each policy and threat, the associated IT security objectives are appropriate to address each policy and threat associated with them in Table 8.1. Given that the IT Security Objectives are met, the organizational policies will be implemented and the threats will be countered.

8.1.2 Non-IT Security Objectives for the Environment Rationale

This section provides evidence demonstrating the coverage of environmental assumptions by the Non-IT security objectives. The following table shows the assumption that each Non-IT security objective addresses.

Table 8-2 Non-IT Security Objectives Rationale Mapping

Non-IT Security Objectives | Environmental Assumptions
O.INSTALL | A.MANAGE, A.NO_EVIL_ADM, A.PEER
O.PHYSICAL | A.LOCATE, A.PROTECT, A.CONNECT
O.CREDEN | A.COOP

O.INSTALL – By ensuring that the TOE is delivered, installed, managed, and operated in a secure manner, the assumptions A.MANAGE, A.NO_EVIL_ADM, and A.PEER are addressed. This objective ensures that the TOE is managed and administered in a secure manner by a competent and security-aware individual in accordance with the administrator documentation.

O.PHYSICAL – By ensuring that the responsible individuals ensure that the TOE is protected from physical attack, the assumptions A.LOCATE, A.PROTECT, and A.CONNECT are addressed because the objective ensures that the TOE is protected from unauthorized physical access.

O.CREDEN – By ensuring that access credentials are adequately protected, this objective addresses the assumption A.COOP because it ensures that only those users that are authorized are allowed to gain access to the TOE, which supports a benign environment and cooperative users.

Of the definition of the environment in this ST (assumptions, policies, and threats), the assumptions are the only aspects of the environment definition that are Non-IT related. All of the policies and threats are addressed by the IT security objectives. For each assumption, the associated Non-IT Security Objectives are appropriate to address the assumptions associated with them in Table 8.2. Given that the Non-IT Security Objectives are met, the assumptions will be achieved.

8.2 Security Requirements Rationale

This section provides evidence supporting the internal consistency and completeness of the requirements in the ST. Table 8.3 shows that the security objectives are completely met by the security functional requirements.

8.2.1 Security Functional Requirements Rationale

The following table provides the correspondence mapping between security objectives for the TOE and the requirements that satisfy them.
Table 8-3 Requirement to Security Objective Correspondence

Requirement | O.AUTHORIZATION | O.DISCRETIONARY_ACCESS | O.AUDITING | O.AUDIT_PROTECTION | O.RESIDUAL_INFORMATION | O.MANAGE | O.ENFORCEMENT | O.PROTECT | O.TRUSTED_PATH | O.LEGAL_WARNING | O.LIMIT_AUTHORIZATION | O.IPSEC | O.ENCRYPTED_DATA | O.ASSURANCE | O.MEDIATE | O.SOFTWARE_PROTECT | O.PARTIAL_RECOVERY | O.OUTDATED_SW | O.FRAMEWORK
FAU_GEN.1 | X
FAU_GEN.2 | X
FAU_LOG_EX.1 | X
FAU_SAR.1 | X X
FAU_SAR.2 | X
FAU_SAR.3(a),(b) | X X
FAU_SEL.1 | X
FAU_STG.1 | X X
FAU_STG.3 | X X
FAU_STG.4 | X X X
FCS_COP.1(a) thru (j) | X X
FCS_CKM.1(a) thru (e) | X X
FCS_CKM.2 | X X
FCS_CKM.4 | X X
FCS_CKM_EX.1 | X X
FCS_CKM_EX.2 | X X
FDP_ACC.2(a) | X
FDP_ACC.2(b) | X
FDP_ACC.2(c) | X
FDP_ACC.2(d) | X
FDP_ACF.1(a) | X
FDP_ACF.1(b) | X
FDP_ACF.1(c) | X
FDP_ACF.1(d) | X
FDP_IFC.1(a) | X X
FDP_IFC.1(b) | X X
FDP_IFC.1(c) | X
FDP_IFF.1(a) | X X
FDP_IFF.1(b) | X X
FDP_IFF.1(c) | X
FDP_ITT.1 | X
FDP_RIP.2 | X
FDP_UCT.1 | X
FDP_UIT.1 | X
Note1_EX | X
FIA_AFL.1 | X
FIA_ATD.1 | X X X
FIA_SOS.1 | X
FIA_UAU.1 | X
FIA_UAU.6 | X
FIA_UAU.7 | X
FIA_UID.1 | X
FIA_USB.1_EX | X X
FMT_MSA.1(a) | X X
FMT_MSA.1(b) | X X
FMT_MSA.1(c) | X X
FMT_MSA.1(d) | X X
FMT_MSA.1(e) | X X
FMT_MSA.1(f) | X X
FMT_MSA.1(g) | X X
FMT_MSA.1(h) | X
FMT_MSA.1(i) | X
FMT_MSA_EX.2 | X
FMT_MSA.3(a) | X X
FMT_MSA.3(b) | X X
FMT_MSA.3(c) | X X
FMT_MSA.3(d) | X X
FMT_MSA.3(e) | X X
FMT_MSA.3(f) | X X
FMT_MSA.3(g) | X
FMT_MSA.3(h) | X
FMT_MTD.1(a) | X X
FMT_MTD.1(b) | X X
FMT_MTD.1(c) | X X X
FMT_MTD.1(d) | X X
FMT_MTD.1(e) | X X
FMT_MTD.1(f) | X X
FMT_MTD.1(g) | X X
FMT_MTD.1(h) | X
FMT_MTD.1(i) | X X
FMT_MTD.1(j) | X X
FMT_MTD.1(k) | X
FMT_MTD.1(l) | X
FMT_MTD.1(m) | X X
FMT_MTD.1(n) | X
FMT_MTD.1(o) | X
FMT_MTD.1(p) | X
FMT_MTD.2 | X X
FMT_MOF.1(a) | X
FMT_MOF.1(b) | X X
FMT_MOF.1(c) | X X
FMT_MOF.1(d) | X
FMT_MOF.1(e) | X
FMT_REV.1(a) | X X
FMT_REV.1(b) | X
FMT_SAE.1 | X X
FMT_SMF.1 | X
FMT_SMR.1 | X X
FMT_SMR.3 | X
TRANSFER_PROT_EX.1 | X X
TRANSFER_PROT_EX.3 | X
FPT_AMT.1 | X
FPT_RPL_EX.1 | X
FPT_RVM.1 | X X
FPT_RST_EX.1 | X
FPT_SEP.1 | X X
FPT_SEP_EX.1 | X
FPT_STM.1 | X
FPT_SUS_EX.1 | X
FPT_SUS_EX.2 | X
FPT_SUS_EX.3 | X
FPT_SUS_EX.4 | X
FPT_SUS_EX.5 | X
FPT_SUS_EX.6 | X
FPT_TRC_EX | X
FRU_RSA.1 | X
FTA_LSA_EX.1 | X
FTA_MCS_EX.1 | X
FTA_SSL.1 | X
FTA_SSL.2 | X
FTA_SSL.3 | X
FTA_TAB.1 | X
FTA_TSE.1 | X
FTP_TRP.1 | X
ACM_AUT.1 | X
ACM_CAP.4 | X
ACM_SCP.2 | X
ADO_DEL.2 |
ADO_IGS.1 | X
ADV_FSP.2 |
ADV_HLD.2 |
ADV_IMP.1 |
ADV_LLD.1 |
ADV_RCR.1 |
ADV_SPM.1 |
AGD_ADM.1 | X
AGD_USR.1 |
ALC_DVS.1 | X
ALC_FLR.3 | X
ALC_LCD.1 | X
ALC_TAT.1 | X
ATE_COV.2 | X
ATE_DPT.1 | X
ATE_FUN.1 | X
ATE_IND.2 | X
AVA_MSU.2 | X
AVA_SOF.1 |
AVA_VLA.2 | X

O.AUTHORIZATION: FIA_ATD.1 and FMT_MTD.1(d) define data to be used for authentication per user and restrict the ability to initialize authentication data to only the authorized administrator, and the ability to modify authentication data to authorized administrators and authorized users. FTA_LSA_EX.1 restricts a user's capabilities based on the ability for them to log on, which can be restricted based upon the ability of a user to log on locally to a given system, the time, and the day. FIA_AFL.1, FMT_MTD.1(e) and FMT_MTD.2 allow the authorized administrator the ability to set thresholds on the number of logon attempts that can be made before a user is locked out and the duration the account is locked out. FIA_SOS.1 defines a metric the authentication mechanism must meet. FIA_UAU.1, FIA_UID.1 and FIA_UAU.7 require a user to be identified and authenticated before any other TSF-mediated action on their behalf, with the exception of web server access, is allowed, and prevent the user requesting access from receiving insightful authentication feedback during the authentication. FIA_UAU.6 requires a user to be authenticated prior to changing their password. FTA_SSL.1, FTA_SSL.2, FTA_SSL.3, FMT_MOF.1(c), and FMT_MTD.1(k) allow for the authorized user to define and modify a period of user inactivity before the session is locked, and for the authorized user or authorized administrator to unlock a locked session as well as initiate the locking of a session. Unlocking a session by an authorized user requires re-authentication. FMT_MTD.1(f), FTA_TSE.1, and FMT_SAE.1 provide the administrator with the ability to define authentication parameters that further restrict the authentication mechanism which provides access to the TOE. FTA_MCS_EX.1 allows the administrator to set, and the TSF to enforce, a maximum number of concurrent interactive sessions per user, which further restricts access to the TOE. They allow the authorized administrator the ability to modify the minimum password length and set an expiration limit on authentication data such that upon the expiration time the user is prevented from logging on. FRU_RSA.1 limits access to NTFS volume resources based on quotas, thereby supporting the ability of the TOE to restrict access to its resources and ensuring that only users that have not exceeded their quota can access NTFS volume resources. These requirements together restrict access to the TOE by enforcing authentication and identification of users based on the user accounts, including user attributes and limits defined by the authorized administrator.
O.DISCRETIONARY_ACCESS: FDP_ACC.2(a) and FDP_ACF.1(a); FDP_ACC.2(b) and FDP_ACF.1(b); FDP_ACC.2(c) and FDP_ACF.1(c); FDP_ACC.2(d) and FDP_ACF.1(d) define several discretionary Security Functional Policies (SFPs); each identifies the subjects and objects which the policy covers, the security attributes that access to objects is based upon, and the rules of access between subjects and objects. The discretionary SFPs allow for the control of access to resources based on the user identity. FIA_ATD.1 and FIA_USB.1_EX define the security attributes associated with users that are used to enforce the SFPs. FMT_MSA.1(a), FMT_MSA.1(b), FMT_MSA.1(e), FMT_MSA.1(f), FMT_MSA.1(g), FMT_MSA.3(a), FMT_MSA.3(d), FMT_MSA.3(e), FMT_MSA.3(f), and FMT_REV.1(b) restrict the ability to modify object security attributes to authorized users, ensure that the default values are known (permissive or restrictive) for the security attributes used to enforce the SFPs, and ensure that only authorized users can revoke the security attributes used to enforce the SFPs. These requirements together allow the users the ability to specify, modify, and revoke how objects they are authorized to control can be shared; ensure that the system enforces the sharing specified; and ensure that the security attributes of the users cannot be modified by other than the authorized administrator. Each of the above requirements together ensure that access to resources is controlled based on user identity and allow authorized users to specify which resources may be accessed by which users.

O.AUDITING: FAU_GEN.1, FAU_GEN.2, FIA_USB.1_EX, FPT_STM.1, and FMT_MTD.1(g) define the events that must be auditable and ensure that each event shall identify the user that caused the event and the time the event occurred. Similarly, the FAU_LOG_EX.1 SFR ensures the WSUS portion of the TOE logs events related to its security operations. FAU_SAR.1, FAU_SAR.2, FAU_SAR.3(a), FAU_SAR.3(b), FAU_STG.1, FAU_STG.3, FAU_STG.4, FMT_MTD.1(j), FMT_MTD.1(a), and FMT_MTD.1(b) ensure that the audit trail is complete, that audit events can be selected and reviewed by only the authorized administrator, and that the audit log (security log) can be managed appropriately by the authorized administrator. Additionally, FAU_SEL.1 provides the capability to the authorized administrator to select the events that will be audited based upon specific attributes (pre-selection of audit events). Each of the above requirements together ensure the generation of audit records, the adequacy of the content of audit records, and that the audit records are available to and managed by the authorized administrator.

O.AUDIT_PROTECTION: FAU_STG.1 and FAU_STG.4 require the TOE to restrict access to the audit trail and to prevent the loss of audit data. By restricting access to the audit trail and preventing the loss of audit data, the requirements together ensure the protection of audit records.

O.RESIDUAL_INFORMATION: FDP_RIP.2 and Note1_EX require the TSF to purge residual data associated with objects and subjects prior to reuse. Each of the above requirements together ensure that residual data associated with objects and subjects are purged, thereby ensuring that information contained in protected resources does not remain available when the resource is recycled.

O.MANAGE: FAU_SAR.1, FAU_SAR.3(a), FAU_SAR.3(b), FAU_STG.3, FAU_STG.4, FMT_MTD.1(a), FMT_MTD.1(b), and FMT_MTD.1(j) ensure the authorized administrator can manage audit records. FMT_MSA.1(a), FMT_MSA.1(b), FMT_MSA.1(e), FMT_MSA.1(f), FMT_MSA.1(g), FMT_MSA.1(c), FMT_MSA.1(d), FMT_MSA.3(a), FMT_MSA.3(b), FMT_MSA.3(c), FMT_MSA.3(d), FMT_MSA.3(e), FMT_MSA.3(f), FMT_MSA.3(g), FMT_MTD.1(c) and FMT_REV.1(a) ensure the authorized administrator can manage attributes used to enforce the SFPs. FMT_MTD.1(d), FMT_MTD.1(e), FMT_MTD.1(f), FMT_MTD.1(i), FMT_MTD.2, FMT_MOF.1(c), and FMT_SAE.1 ensure the authorized administrator can manage authentication-related data. FMT_MTD.1(l), FMT_MTD.1(g), FMT_MTD.1(h), FMT_MTD.1(n) restrict the ability to modify TSF data (including the password complexity requirements). FMT_MTD.1(m) prevents all users (including the authorized administrator) from reading passwords. FMT_MTD.1(o) restricts the initialization of the user security attribute private/public key pair to authorized users and the authorized administrator. FMT_MTD.1(p) limits the WSUS configuration options to the administrator. FMT_SMR.1 and FMT_SMR.3 ensure the role of the authorized administrator is enforced. FMT_SMF.1 ensures the authorized administrator is provided the capability to change and maintain security-relevant data (e.g. audit policy, account policy, etc.). FMT_MOF.1(a) and FMT_MOF.1(b) ensure the authorized administrator can manage the audit function and the function to protect TSF data during transmission. FMT_MOF.1(d) ensures the authorized administrator can manage the web server policy that controls the access to web server content. FMT_MOF.1(d) ensures the authorized administrator can manage the group policy calculation functions. FPT_TRC_EX ensures that TSF data can be replicated between parts of the TOE to enable TSFs to have the most recent TSF data. Together the above requirements ensure that the administrator can manage data (audit records, attributes used to enforce the SFPs, authentication data), manage functions (audit, protection of data in transmission, replication of TSF data), and ensure that the authorized user and administrator roles are enforced. Changes to specific TSF data are distributed throughout the TOE, assisting in the management of a distributed TOE. Each of the above requirements contributes to, and together they ensure, that the authorized administrator can manage the TOE securely.
O.ENFORCEMENT: FPT_RVM.1, FPT_SEP.1, and FPT_AMT.1 ensure the TOE makes and enforces the decisions of the TSPs and that the TSF is protected from interference that would prevent it from performing its functions. Together the above requirements ensure that the underlying abstract machine relied upon by the TSF is operating correctly, and that the TSF continues to operate effectively to uphold the TSPs. Each of the above requirements together ensures that the organizational policies are enforced.

O.PROTECT: FMT_MTD.1(c) ensures that user security attributes which the SFPs are based upon can only be initialized and modified by an authorized administrator. FMT_MSA_EX.2 ensures that only valid password values are accepted by the TOE as security attributes, supporting the ability for the TOE to protect itself. FMT_MTD.1(m) protects the TOE authentication data by preventing authentication data from being read by any user (including the administrator). TRANSFER_PROT_EX and FPT_SEP.1 ensure that the TOE provides TSF protection of system resources and maintains a separate domain for the TSF. FDP_UCT.1 and FDP_UIT.1 ensure that the data communication between web users and the web server is protected from unauthorized disclosure and modification. Together the requirements ensure that the TSF data is protected from modification, protected in transmission, and that the TSF cannot be modified in an unauthorized manner. Each of the above requirements contributes to, and together they ensure, that a separate domain is maintained for the TSF and the TSF protects its own data and resources.
O.TRUSTED_PATH: FTP_TRP.1 ensures the TOE includes a capability for the user to utilize a trusted path with the TSF for initial logon and session unlocking. The above requirement ensures there is a mechanism that allows the user to assuredly communicate with the TSF, and not another entity pretending to be the TSF, during initial user authentication.

O.LEGAL_WARNING: FTA_TAB.1 requires the TOE to provide the capability of displaying a banner before login. FMT_MTD.1(i) restricts the modification of the banner content to an authorized administrator. Each of the above requirements together ensure that a banner can be displayed before login containing a warning defined by an authorized administrator to advise users of legal issues involving the misuse of the TOE before access to resources is allowed.

O.LIMIT_AUTHORIZATION: FMT_SMR.1; FIA_ATD.1; FMT_MTD.1(c); and FMT_REV.1(a) require the TOE to provide the capability to limit user authorizations by the definition of roles, the user privileges, and the revocation of security-relevant authorizations. By ensuring that security attributes associated with users can only be assigned and revoked by the administrator and that the security attributes allow for specific roles to be enforced, these requirements ensure that the capabilities of users can be limited. Each of the above requirements together ensures the capability to limit the extent of each user's authorizations.

O.IPSEC: FDP_ITT.1, TRANSFER_PROT_EX.1, FMT_MOF.1(b) ensure the capability to protect TSF data from disclosure and modification when in transmission between distributed parts of the TOE and provide management support for these functions. FPT_RPL_EX.1 and TRANSFER_PROT_EX.3 ensure data in transmission is protected by rejecting or auditing TSF data for which a replay of TSF data is detected. FDP_IFC.1(a) and FDP_IFF.1(a) ensure that the IPSec filters can be used to control the flow of traffic amongst the different systems (or TSFs) within the TOE. FDP_IFC.1(b) and FDP_IFF.1(b) ensure that the TOE may be configured to prevent unsolicited traffic into the TSF. FMT_MSA.1(c), FMT_MSA.1(d), FMT_MSA.3(b), and FMT_MSA.3(c) restrict the ability to modify security attributes to authorized users and ensure that known default values are defined for the security attributes used to enforce the SFP. Additionally, all the cryptographic requirements (all FCS_COP and FCS_CKM related requirements) support IPSec in its application of security services that involve digital signatures, encryption, decryption, hashing, and other services. These services support the protection and control of traffic in transmission between physically separate parts of the TOE. The above requirements together provide the authorized administrator with the capability to configure the system to protect system data in transmission between distributed parts of the TOE.

O.ENCRYPTED_DATA: FCS_COP.1(a) thru (j), FCS_CKM.1(a) thru (e), FCS_CKM.2, FCS_CKM.4, FCS_CKM_EX.1 and FCS_CKM_EX.2 prevent the decryption of encrypted data if the user attempting decryption is not the user that encrypted the data, and support cryptographic operations that support the encryption and decryption of data, such as hashing, key generation, key validation, key handling and key storage. These requirements together prevent users from decrypting data they did not encrypt and ensure that only those users that encrypted data can decrypt that data.

O.ASSURANCE: AGD_ADM.1, AVA_MSU.2, ADO_IGS.1 support that the TOE is installed and configured properly. ACM_AUT.1, ACM_CAP.4, ACM_SCP.2, ALC_DVS.1, ALC_FLR.3, ALC_LCD.1, and ALC_TAT.1 support that the TOE is protected during its development. ATE_COV.2, ATE_DPT.1, ATE_FUN.1, ATE_IND.2, and AVA_VLA.2 support that the TOE is sufficiently protected and can protect itself against the casual attacker.

O.MEDIATE: FDP_IFC.1(a), FDP_IFC.1(b), FDP_IFC.1(c), FDP_IFF.1(a), FDP_IFF.1(b), and FDP_IFF.1(c) support that the TOE ensures all network packets that flow through the TOE are subject to information flow policies. FPT_RVM.1 ensures the policy cannot be bypassed.

O.SOFTWARE_PROTECT: FPT_SEP_EX.1 ensures the capability to protect data residing in memory and provides management support for this function.

O.PARTIAL_RECOVERY: FPT_RST_EX.1 ensures the capability to perform a partial backup of specific archived data upon request of the authorized administrator.

O.OUTDATED_SW: FPT_SUS_EX.1, FPT_SUS_EX.2, FPT_SUS_EX.3, FPT_SUS_EX.4, FPT_SUS_EX.5, and FPT_SUS_EX.6 ensure the capability to download software from a trusted source. These SFRs also ensure that the TSF installs the updates and that the authorized administrator can force a particular portion of the TSF to perform an update.
8.2.2 SAR Rationale

This ST contains the assurance requirements from the CC EAL4 assurance package augmented with ALC_FLR.3. The CC allows assurance packages to be augmented, which allows the addition of assurance components from the CC not already included in the EAL. Augmentation was chosen to provide the added assurance that is provided by defining flaw remediation procedures and correcting security flaws (ALC_FLR.3). This ST is based on good rigorous commercial development practices and has been developed for a generalized environment for a TOE that is generally available and does not require modification to meet the security needs of the environment specified in this ST. The EAL chosen is based on the statement of the security environment (threats, organizational policies, assumptions) and the security objectives defined in this ST. The sufficiency of the EAL chosen (EAL4 augmented) is justified based on those aspects of the environment that have impact upon the assurance needed in the TOE. Users will act in a cooperative manner in a benign environment (A.COOP, O.CREDEN); the administrative staff is conscientious and not hostile (A.NO_EVIL_ADM); the TOE is designed and implemented in a manner which ensures the security policies are enforced (O.ENFORCEMENT); and the TOE is physically protected (O.PHYSICAL) and properly and securely configured (O.INSTALL). Given these aspects, a TOE based on good commercial development practices is sufficient. The CC states that EAL4 permits a developer to gain the maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. Given the amount of assurance deemed necessary to meet the security environment and objectives of the TOE and the intent of EAL4, EAL4 is an appropriate level of assurance for the TOE described in this ST. Thereby, EAL4 augmented is an appropriate level of assurance for the TOE. While the EAL chosen is not the same as is specified in the CAPP, this ST remains CAPP conformant because the EAL chosen in this ST (EAL4 augmented) is hierarchical to the EAL specified in the CAPP (EAL3). EAL4 augmented was chosen instead of EAL3 because the ST authors chose to achieve the highest level of assurance feasible based on current development practices.
8.2.3 Requirement Dependency Rationale

Table 8-4 depicts the satisfaction of all functional requirement dependencies. For each functional requirement included in the ST, the CC dependencies are identified in the column "Dependencies." Additionally, all operations performed upon requirements were reviewed. None were found to add any dependencies in addition to those identified in the CC. For explicitly stated requirements (those ending with "_EX"), the CC dependencies identified for similar requirements were used as guidance to identify their dependencies, and additionally, all the explicitly included requirements in the ST were considered. The following pertains:

For FAU_LOG_EX.1, a dependency was added on the time stamp requirements so accurate accounting could be maintained. Protection of the log file is addressed through the DAC requirements.

For FIA_USB.1_EX and Note1_EX, there is no change in the dependencies from the CC-identified dependencies for the CC requirements these explicit requirements are based upon (FIA_USB.1 and FDP_RIP.2), considering the changes between the CC requirements and the explicit requirements.

For TRANSFER_PROT_EX.1, there are no CC-identified dependencies for the CC requirement this explicit requirement is based upon (FPT_ITT.1). Considering the changes between the CC requirements and the explicit requirements, the TRANSFER_PROT_EX explicit requirement is dependent upon the TOE providing the functionality to allow the administrator to enable or disable the functionality described in these explicit requirements and the TOE providing cryptographic functionality. Therefore, TRANSFER_PROT_EX is dependent upon FMT_MOF.1(b) and FCS_COP.1.

For TRANSFER_PROT_EX.3, the dependency is to an explicit requirement (TRANSFER_PROT_EX.1) which is similar to the CC-identified dependency and acceptable considering the difference between the explicit requirements and the similar CC requirements (TRANSFER_PROT_EX.1 and FPT_ITT.1; and TRANSFER_PROT_EX.3 and FPT_ITT.3). However, the explicit requirement requires that the TOE provides cryptographic functionality and is, therefore, dependent upon FCS_COP.1.

For FPT_TRC_EX, the dependency is to an explicit requirement (TRANSFER_PROT_EX) which is similar to the CC-identified dependency and acceptable considering the difference between the explicit requirements and the similar CC requirements (TRANSFER_PROT_EX.1 and FPT_ITT.1; and FPT_TRC_EX and FPT_TRC.1).

For FCS_CKM_EX.1 and FCS_CKM_EX.2, there are no CC requirements that address the nature of these requirements.

For FPT_RPL_EX.1, there are no CC-identified dependencies for the CC requirement this explicit requirement is based upon (FPT_RPL.1). However, the explicit requirement requires that the TOE provides cryptographic functionality and is, therefore, dependent upon FCS_COP.1.

FPT_RST_EX.1 has no dependencies since the management of the function is included in the SFR.

FPT_SUS_EX.1-3 are all dependent on FMT_MTD.1 to provide restrictions for their administrative functions.

For FMT_MSA_EX.2, the dependencies identified are the same dependencies as the CC-identified dependencies for the CC requirement, FMT_MSA.2, this explicit requirement is based upon.

For the FCS_COP.1 requirement, the CC identifies the following dependency: FDP_ITC.1 or FCS_CKM.1, FCS_CKM.4, and FMT_MSA.2. The following dependency for this requirement is not applicable and the rationale is as follows:

FDP_ITC.1: this requirement applies to user data that is imported from outside of the TSF Scope of Control (TSC) and is concerned with applying rules to the imported data (e.g. ignore security attributes associated with data when imported). There is no user data within the TOE that is imported from outside the TSC and, therefore, this requirement is not applicable.

FMT_MSA.2: this requirement is concerned with ensuring that only secure values are accepted for security attributes. There are no security attributes entered by users within the context of the operations specified by FCS_COP.1; therefore, FMT_MSA.2 is not applicable to FCS_COP.1.

The component number in column "Satisfied Component No." denotes the requirement(s) that is included in this ST to meet the dependencies of each functional requirement. The component number used in the column "Satisfied Component No." is the component number used to identify each ST Functional Requirement in column "Component No." With the exception of the requirement for which a rationale is provided above (FCS_COP.1), all the dependencies are satisfied by component numbers of requirements included in this ST. Therefore, all dependencies have been satisfied.
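The dependency argument made by hand in the preceding paragraphs is the kind of check an evaluator can also run mechanically over the rows of Table 8-4. The following Python is an added example, not code from the Security Target, from Microsoft or from the evaluation laboratory: it holds a constructed excerpt of the table (component numbers, dependency groups and cited satisfying components as the ST lists them for those rows, plus one hypothetical row with a deliberately broken rationale) and reports every dependency group that no cited component covers. The Component class, the function names and the small HIERARCHICAL map are the example's own assumptions; the map lists only the CC hierarchies the excerpt needs, not the full Part 2 hierarchy.

```python
"""Dependency-satisfaction check in the style of Table 8-4.

Added example, not from the Security Target: re-checks the claim that every
CC dependency of each functional requirement is met by a component that the
ST actually includes, over a constructed excerpt of the table's rows.
"""
import re
from dataclasses import dataclass

# Components accepted as standing in for a lower one of the same family
# (CC hierarchy). Assumption: only the cases needed by the excerpt below
# are listed; this is not the complete CC Part 2 hierarchy.
HIERARCHICAL = {
    "FDP_ACC.1": {"FDP_ACC.2"},
    "FAU_STG.3": {"FAU_STG.4"},
}


@dataclass
class Component:
    no: int             # "Component No." column
    name: str           # "ST Functional Requirement", e.g. "FDP_ACF.1(a)"
    deps: list          # "Dependencies": every group must be met; a group
                        # lists the alternatives any one of which suffices
    satisfied_by: list  # "Satisfied Component No." as cited by the ST


def base_name(name):
    """Drop iteration letters and the ST's '_EX' marker, so 'FIA_USB.1_EX'
    and 'FCS_COP.1(a)-(j)' compare as 'FIA_USB.1' and 'FCS_COP.1'."""
    return re.sub(r"\(.*\)$", "", name).replace("_EX", "")


def satisfies(candidate, required):
    """True when candidate is the required component or one hierarchical to it."""
    cand, req = base_name(candidate), base_name(required)
    return cand == req or cand in HIERARCHICAL.get(req, set())


def check_dependencies(st):
    """Return {component no: [problem, ...]} for rows whose cited components
    do not cover every dependency group; an empty dict means the table holds."""
    by_no = {c.no: c for c in st}
    problems = {}
    for comp in st:
        found, cited = [], []
        for n in comp.satisfied_by:
            if n in by_no:
                cited.append(by_no[n].name)
            else:
                found.append("cites component %d, which is not in the ST" % n)
        for group in comp.deps:
            if not any(satisfies(c, r) for c in cited for r in group):
                found.append("dependency %s not met by %s"
                             % (" or ".join(group), cited or "nothing"))
        if found:
            problems[comp.no] = found
    return problems


# Constructed excerpt of Table 8-4 (component numbers and citations as the
# ST lists them). Leaf rows have their own dependencies left out of the excerpt.
ST_EXCERPT = [
    Component(1, "FAU_GEN.1", [["FPT_STM.1"]], [77]),
    Component(2, "FAU_GEN.2", [["FAU_GEN.1"], ["FIA_UID.1"]], [1, 42]),
    Component(8, "FAU_STG.1", [["FAU_GEN.1"]], [1]),
    Component(9, "FAU_STG.3", [["FAU_STG.1"]], [8]),
    Component(11, "FCS_COP.1(a)-(j)",
              [["FDP_ITC.1", "FCS_CKM.1"], ["FCS_CKM.4"], ["FMT_MSA.2"]], [12, 14, 53]),
    Component(12, "FCS_CKM.1(a)-(e)",
              [["FCS_CKM.2", "FCS_COP.1"], ["FCS_CKM.4"], ["FMT_MSA.2"]], [11, 14, 53]),
    Component(14, "FCS_CKM.4", [["FDP_ITC.1", "FCS_CKM.1"], ["FMT_MSA.2"]], [12, 53]),
    Component(17, "FDP_ACC.2(a)", [["FDP_ACF.1"]], [21]),
    Component(21, "FDP_ACF.1(a)", [["FDP_ACC.1"], ["FMT_MSA.3"]], [17, 54]),
    Component(42, "FIA_UID.1", [], []),
    Component(53, "FMT_MSA_EX.2", [], []),
    Component(54, "FMT_MSA.3(a)", [], []),
    Component(77, "FPT_STM.1", [], []),
    # Hypothetical row, constructed to show what a failed rationale looks like:
    # it cites a component of the wrong family and one that does not exist.
    Component(99, "HYPOTHETICAL_EX.1", [["FPT_STM.1"]], [42, 500]),
]

if __name__ == "__main__":
    for no, issues in sorted(check_dependencies(ST_EXCERPT).items()):
        for issue in issues:
            print("component %d: %s" % (no, issue))
```

Run stand-alone it reports only the hypothetical row 99; the rows taken from the table pass, including FDP_ACF.1(a), whose FDP_ACC.1 dependency is met by the hierarchical FDP_ACC.2(a), and the FCS rows, whose FMT_MSA.2 dependency is met by the explicit FMT_MSA_EX.2 once the "_EX" marker is stripped.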
Notethattheletters"a"through"k"areusedtoenumerateiterationsoftherequirementsinthecolumn"STFunctionalRequirement.
Table 8-4 Dependency Rationale Mapping

| Component No. | ST Functional Requirement | Dependencies | Satisfied Component No. |
|---|---|---|---|
| 1 | FAU_GEN.1 | FPT_STM.1 | 77 |
| 2 | FAU_GEN.2 | FAU_GEN.1, FIA_UID.1 | 1, 42 |
| 3 | FAU_LOG_EX.1 | FPT_STM.1 | 77 |
| 4 | FAU_SAR.1 | FAU_GEN.1 | 1 |
| 5 | FAU_SAR.2 | FAU_SAR.1 | 4 |
| 6 | FAU_SAR.3 (a), (b) | FAU_SAR.1 | 4 |
| 7 | FAU_SEL.1 | FAU_GEN.1, FMT_MTD.1 | 1, 61 |
| 8 | FAU_STG.1 | FAU_GEN.1 | 1 |
| 9 | FAU_STG.3 | FAU_STG.1 | 8 |
| 10 | FAU_STG.4 | FAU_STG.1 | 8 |
| 11 | FCS_COP.1 (a)–(j) | FDP_ITC.1 or FCS_CKM.1, FCS_CKM.4, FMT_MSA.2 | 12, 14, 53 |
| 12 | FCS_CKM.1 (a)–(e) | FCS_CKM.2 or FCS_COP.1, FCS_CKM.4, FMT_MSA.2 | 11, 14, 53 |
| 13 | FCS_CKM.2 | FDP_ITC.1 or FCS_CKM.1, FCS_CKM.4, FMT_MSA.2 | 12, 14, 53 |
| 14 | FCS_CKM.4 | FDP_ITC.1 or FCS_CKM.1, FMT_MSA.2 | 12, 53 |
| 15 | FCS_CKM_EX.1 | None | |
| 16 | FCS_CKM_EX.2 | None | |
| 17 | FDP_ACC.2 (a) | FDP_ACF.1 | 21 |
| 18 | FDP_ACC.2 (b) | FDP_ACF.1 | 22 |
| 19 | FDP_ACC.2 (c) | FDP_ACF.1 | 23 |
| 20 | FDP_ACC.2 (d) | FDP_ACF.1 | 24 |
| 21 | FDP_ACF.1 (a) | FDP_ACC.1, FMT_MSA.3 | 17, 54 |
| 22 | FDP_ACF.1 (b) | FDP_ACC.1, FMT_MSA.3 | 18, 55 |
| 23 | FDP_ACF.1 (c) | FDP_ACC.1, FMT_MSA.3 | 19, 56 |
| 24 | FDP_ACF.1 (d) | FDP_ACC.1, FMT_MSA.3 | 20, 57 |
| 25 | FDP_IFC.1 (a) | FDP_IFF.1 | 28 |
| 26 | FDP_IFC.1 (b) | FDP_IFF.1 | 29 |
| 27 | FDP_IFC.1 (c) | FDP_IFF.1 | 30 |
| 28 | FDP_IFF.1 (a) | FDP_IFC.1, FMT_MSA.3 | 25, 54 |
| 29 | FDP_IFF.1 (b) | FDP_IFC.1, FMT_MSA.3 | 26, 55 |
| 30 | FDP_IFF.1 (c) | FDP_IFC.1, FMT_MSA.3 | 27, 59 |
| 31 | FDP_ITT.1 | FDP_ACC.1 or FDP_IFC.1 | 17 |
| 32 | FDP_RIP.2 | None | |
| 33 | FDP_UCT.1 | [FTP_ITC.1 Inter-TSF trusted channel, or FTP_TRP.1 Trusted path]; [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] | 92, 25 |
| 34 | FDP_UIT.1 | [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]; [FTP_ITC.1 Inter-TSF trusted channel, or FTP_TRP.1 Trusted path] | 92, 23 |
| 35 | Note 1_EX | None | |
| 36 | FIA_AFL.1 | FIA_UAU.1 | 39 |
| 37 | FIA_ATD.1 | None | |
| 38 | FIA_SOS.1 | None | |
| 39 | FIA_UAU.1 | FIA_UID.1 | 42 |
| 40 | FIA_UAU.6 | None | |
| 41 | FIA_UAU.7 | FIA_UAU.1 | 39 |
| 42 | FIA_UID.1 | None | |
| 43 | FIA_USB.1_EX | FIA_ATD.1 | 37 |
| 44 | FMT_MOF.1 (a)–(e) | FMT_SMR.1, FMT_SMF.1 | 66, 67 |
| 45 | FMT_MSA.1 (a) | FDP_ACC.1 or FDP_IFC.1, FMT_SMR.1, FMT_SMF.1 | 21, 66, 67 |
| 46 | FMT_MSA.1 (b) | FDP_ACC.1 or FDP_IFC.1, FMT_SMR.1, FMT_SMF.1 | 21, 66, 67 |
| 47 | FMT_MSA.1 (c) | FDP_ACC.1 or FDP_IFC.1, FMT_SMR.1, FMT_SMF.1 | 28, 66, 67 |
| 48 | FMT_MSA.1 (d) | FDP_ACC.1 or FDP_IFC.1, FMT_SMR.1, FMT_SMF.1 | 29, 66, 67 |
| 49 | FMT_MSA.1 (e) | FDP_ACC.1 or FDP_IFC.1, FMT_SMR.1, FMT_SMF.1 | 22, 66, 67 |
| 50 | FMT_MSA.1 (f) | FDP_ACC.1 or FDP_IFC.1, FMT_SMR.1, FMT_SMF.1 | 23, 66, 67 |
| 51 | FMT_MSA.1 (g) | FDP_ACC.1 or FDP_IFC.1, FMT_SMR.1, FMT_SMF.1 | 24, 66, 67 |
| 52 | FMT_MSA.1 (h) | FDP_ACC.1 or FDP_IFC.1, FMT_SMR.1, FMT_SMF.1 | 30, 66, 67 |
| 53 | FMT_MSA_EX.2 | ADV_SPM.1, FDP_ACC.1 or FDP_IFC.1, FMT_MSA.1, FMT_SMR.1 | EAL4, 21, 45, 67 |
| 54 | FMT_MSA.3 (a) | FMT_MSA.1 (a), FMT_SMR.1 | 46, 67 |
| 55 | FMT_MSA.3 (b) | FMT_MSA.1 (c), FMT_SMR.1 | 47, 67 |
| 56 | FMT_MSA.3 (c) | FMT_MSA.1 (d), FMT_SMR.1 | 48, 67 |
| 57 | FMT_MSA.3 (d) | FMT_MSA.1 (e), FMT_SMR.1 | 49, 67 |
| 58 | FMT_MSA.3 (e) | FMT_MSA.1 (f), FMT_SMR.1 | 50, 67 |
| 59 | FMT_MSA.3 (f) | FMT_MSA.1 (g), FMT_SMR.1 | 51, 67 |
| 60 | FMT_MSA.3 (g) | FMT_MSA.1 (h), FMT_SMR.1 | 52, 67 |
| 61 | FMT_MTD.1 (a)–(p) | FMT_SMR.1, FMT_SMF.1 | 66, 67 |
| 62 | FMT_MTD.2 | FMT_MTD.1 (e), FMT_SMR.1 | 61, 67 |
| 63 | FMT_REV.1 (a) | FMT_SMR.1 | 67 |
| 64 | FMT_REV.1 (b) | FMT_SMR.1 | 67 |
| 65 | FMT_SAE.1 | FMT_SMR.1, FPT_STM.1 | 67, 77 |
| 66 | FMT_SMF.1 | None | |
| 67 | FMT_SMR.1 | FIA_UID.1 | 42 |
| 68 | FMT_SMR.3 | FMT_SMR.1 | 67 |
| 69 | TRANSFER_PROT_EX.1 | FMT_MOF.1 (b), FCS_COP.1 | 44, 11 |
| 70 | TRANSFER_PROT_EX.3 | FPT_ITT.1 (equivalent to explicit requirement TRANSFER_PROT_EX.1), FCS_COP.1 | 69, 11 |
| 71 | FPT_RPL_EX.1 | FCS_COP.1 | 11 |
| 72 | FPT_RST_EX.1 | None | |
| 73 | FPT_TRC_EX.1 | TRANSFER_PROT_EX.1 | 69 |
| 74 | FPT_RVM.1 | None | |
| 75 | FPT_SEP.1 | None | |
| 76 | FPT_SEP_EX.1 | None | |
| 77 | FPT_STM.1 | None | |
| 78 | FPT_SUS_EX.1 | FMT_MTD.1 (q) | 61 |
| 79 | FPT_SUS_EX.2 | FMT_MTD.1 (q) | 61 |
| 80 | FPT_SUS_EX.3 | FMT_MTD.1 (q) | 61 |
| 81 | FPT_SUS_EX.4 | FMT_MTD.1 (q) | 61 |
| 82 | FPT_SUS_EX.5 | FMT_MTD.1 (q) | 61 |
| 83 | FPT_SUS_EX.6 | FMT_MTD.1 (q) | 61 |
| 84 | FRU_RSA.1 | None | |
| 85 | FTA_LSA_EX.1 | None | |
| 86 | FTA_MCS_EX.1 | FIA_UID.1, FMT_SMF.1 | 42, 66 |
| 87 | FTA_SSL.1 | FIA_UAU.1 | 39 |
| 88 | FTA_SSL.2 | FIA_UAU.1 | 39 |
| 89 | FTA_SSL.2 | FIA_UAU.1 | 39 |
| 90 | FTA_TAB.1 | FMT_MTD.1 (i) | 61 |
| 91 | FTA_TSE.1 | None | |
| 92 | FTP_TRP.1 | None | |

8.2.4 Explicitly Stated Requirements Rationale

The ST includes the following explicitly stated requirements: FAU_LOG_EX.1; FCS_CKM_EX.1; FCS_CKM_EX.2; FMT_MSA_EX.2; TRANSFER_PROT_EX.1; TRANSFER_PROT_EX.3; FPT_RPL_EX; FPT_RST_EX.1; FPT_SEP_EX.1; FPT_SUS_EX.1-6; FPT_TRC_EX.1; FTA_LSA_EX.1; FTA_MCS_EX.1; Note 1_EX; and FIA_USB.1_EX. Note 1_EX and FIA_USB.1_EX, referred to as FDP_RIP.2 Note 1 and FIA_USB.1 in the CAPP, are included in the CAPP along with a rationale for each requirement.
FAU_LOG_EX.1: This SFR was created to capture the logging ability of the Windows Server Update Services. As updates are downloaded and applied, the Windows Server Update Services logs information about the updates in a file separate from the standard audit trail.

FCS_CKM_EX.1: The CC cryptographic support section does not specifically address the concepts of key validation techniques. Although closely tied to generated keys, these concepts typically get implemented just after, not during, the actual generation of a key. In this ST, FCS_CKM_EX.1 allows for specifically addressing these key management-related concepts in support of O.IPSEC and O.ENCRYPTED_DATA.

FCS_CKM_EX.2: The CC does not provide components for key handling and storage. In this ST, FCS_CKM_EX.2 allows for specifically addressing these key management-related concepts in support of O.IPSEC and O.ENCRYPTED_DATA.

FMT_MSA_EX.2: To address the TOE functionality of the ability to enforce that passwords meet the password complexity requirements in support of the objective O.PROTECT, the FMT_MSA.2 CC requirement was considered. However, FMT_MSA.2 enforces that all security attributes are "secure", while the TOE functionality is more adequately expressed as ensuring that the password security attributes are "valid" in that they meet the password complexity requirements defined by the administrator.
TRANSFER_PROT_EX.1: To address the TOE functionality of the protection of data in transmission between different parts of the TOE to support the objective O.PROTECT, the FPT_ITT.1 CC requirement was considered. However, because FPT_ITT.1 prescribes functionality beyond what is required to meet O.PROTECT and O.IPSEC, the ST authors created the explicit requirement TRANSFER_PROT_EX.1. The functionality to "always" protect data in transmission between separate parts of the TOE is not necessary to meet the objective O.PROTECT (to protect TSF data) because of the physical protection of all parts of the TOE as required by the Non-IT security objective O.PHYSICAL. The ST authors added the words "be able to" to the requirement to provide the desired flexibility in the evaluated configuration to meet the objectives O.PROTECT and O.IPSEC; this change allows the authorized administrator to disable this functionality and remain within the evaluated configuration. The ST authors also qualified the requirement to apply to protecting all data instead of only TSF data.

TRANSFER_PROT_EX.3: To address the TOE functionality of the protection of data in transmission between different parts of the TOE to support the objective O.IPSEC, the FPT_ITT.3 CC requirement was considered. However, because FPT_ITT.3 prescribes functionality beyond what is required to meet O.IPSEC, the ST authors created the explicit requirement TRANSFER_PROT_EX.3. The ST authors qualified the requirement to apply to protecting all data instead of only TSF data.
FPT_RPL_EX: To address the TOE functionality to detect replay in support of O.IPSEC, the CC requirement FPT_RPL.1 was considered. However, FPT_RPL.1 prescribes functionality beyond what is needed to support O.IPSEC, in that the required functionality must always be enforced. The ST authors therefore created the explicit requirement FPT_RPL_EX, which mandates the ability to detect replays but does not require that this functionality always be configured to be enforced in the evaluated configuration (similar to FAU_GEN.1).

FPT_RST_EX.1: This SFR was added to address the specific functionality of the XP portion of the TSF being able to restore some of the TSF data. The CC SFR was considered, but the TOE does not perform an entire system restore as defined in the CC.

FPT_SEP_EX.1: FPT_SEP_EX.1 is based upon the FPT_SEP.1 CC requirement. It is written explicitly to address the specific functionality of protecting user memory to guard against software attacks.

FPT_SUS_EX.1-6: This set of SFRs was created to address the security features specific to the Windows Server Update Services. No existing CC SFRs could be used to capture this security functionality. The FMT_MTD.1 (q) SFR was added to address the management of these SFRs.
FPT_TRC_EX: To address the TOE functionality of TSF data replication to support the objective O.MANAGE, the FPT_TRC.1 CC requirement was considered. However, because FPT_TRC.1 prescribes functionality beyond what is required to meet O.MANAGE, which the TOE does not implement, the ST authors created the explicit requirement FPT_TRC_EX. Ensuring that data is "totally" consistent between separate TSFs in a distributed TOE appears to be the intent of FPT_TRC.1, which is not required by any TOE objective. The ST authors chose to create an explicit requirement, FPT_TRC_EX, to ensure that TSF data changed at one TSF is copied to other TSFs and that the target TSF will only accept the changed TSF data if it is more recent than the local copy of that TSF data. FPT_TRC_EX supports the TOE objective O.MANAGE by ensuring that changes to important TSF data are copied to support the accuracy and enforcement of TSF data at each TSF.
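The acceptance rule stated above ("accept only if more recent than the local copy") is easy to get wrong, so the following Python model shows what it buys and what it does not. This is an added illustration, not code from the Security Target or from the Windows replication implementation; the version stamp (a per-attribute counter plus originating replica name), the replica names "DC1"/"DC2" and the attribute names are assumptions of the model, and the TOE's actual replication metadata is not described on this page.

```python
"""Model of the FPT_TRC_EX acceptance rule: a target TSF applies a replicated
copy of TSF data only when it is more recent than its local copy.

Added example; not code from the Security Target or from Windows. The version
stamp (per-attribute counter plus originating replica name) and the replica
names "DC1"/"DC2" are assumptions of the model.
"""

from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class Stamp:
    """Recency of one attribute value. A higher version is newer; equal
    versions from different origins (a concurrent edit) are ordered by origin
    name so that every replica resolves the conflict the same way."""
    version: int
    origin: str


@dataclass
class Replica:
    name: str
    data: dict = field(default_factory=dict)  # attribute -> (value, Stamp)

    def value(self, attr):
        return self.data[attr][0]

    def local_change(self, attr, value):
        """An administrator changes TSF data at this replica; the new stamp is
        strictly newer than whatever this replica currently holds."""
        current = self.data.get(attr)
        version = (current[1].version if current else 0) + 1
        self.data[attr] = (value, Stamp(version, self.name))
        return self.data[attr][1]

    def accept(self, attr, value, stamp):
        """The FPT_TRC_EX rule: True if the copy was applied, False if it was
        rejected as not newer than the local copy (stale or replayed)."""
        current = self.data.get(attr)
        if current is not None and stamp <= current[1]:
            return False
        self.data[attr] = (value, stamp)
        return True

    def outbound(self):
        """Everything this replica would push to a peer."""
        return [(attr, val, stamp) for attr, (val, stamp) in self.data.items()]


def replicate(src, dst):
    """Push all of src's TSF data to dst; return how many copies dst applied."""
    return sum(dst.accept(attr, val, stamp) for attr, val, stamp in src.outbound())


def run_scenario():
    """Constructed scenario; returns the observations worth checking."""
    dc1, dc2 = Replica("DC1"), Replica("DC2")
    out = {}

    dc1.local_change("MinPwdLength", 8)    # version 1 at DC1
    dc1.local_change("MinPwdLength", 12)   # version 2 at DC1 supersedes it
    out["first_sync_accepted"] = replicate(dc1, dc2)
    out["dc2_minpwd_after_sync"] = dc2.value("MinPwdLength")

    # A lagging peer (or an attacker replaying captured traffic) re-sends the
    # superseded version-1 copy: it is not newer, so DC2 keeps 12.
    out["replay_accepted"] = dc2.accept("MinPwdLength", 8, Stamp(1, "DC1"))
    out["dc2_minpwd_after_replay"] = dc2.value("MinPwdLength")

    # Re-running replication with nothing newer applies nothing.
    out["second_sync_accepted"] = replicate(dc1, dc2)

    # Concurrent edits of a new attribute at both replicas: after exchanging
    # in both directions, both replicas hold the same winning value.
    dc1.local_change("LockoutThreshold", 3)
    dc2.local_change("LockoutThreshold", 5)
    replicate(dc1, dc2)
    replicate(dc2, dc1)
    out["lockout_dc1"] = dc1.value("LockoutThreshold")
    out["lockout_dc2"] = dc2.value("LockoutThreshold")
    return out


if __name__ == "__main__":
    for key, val in run_scenario().items():
        print(f"{key}: {val}")
```

Two points the model makes visible. First, the rule is what makes a re-sent or replayed older copy harmless: the target compares stamps, not arrival order, so a stale value can never overwrite a newer one. Second, the rule alone does not stop a peer that can forge a higher stamp; that is why Table 8-4 lists TRANSFER_PROT_EX.1 (protection of the data in transit between TSFs) as the dependency of FPT_TRC_EX.1, and why an implementation must take the stamp from a protected channel rather than from any unauthenticated message.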
FTA_MCS_EX: FTA_MCS_EX is based upon the FTA_MCS.1 CC requirement and is written explicitly because this functionality is enforced only on members of a domain. Additionally, FTA_MCS_EX replaces the assignment in FTA_MCS.1, which allows the ST author to enter a default number of concurrent sessions allowed, with the ability for the authorized administrator to set this limit. This change introduces a dependency upon FMT_SMF.1, which is addressed in item i (initialize and modify user security attributes).

FTA_LSA_EX: FTA_LSA_EX is based upon the FTA_LSA.1 CC requirement and is written explicitly because this requirement applies only to members of a domain.

The assurance requirements are still applicable and appropriate with the inclusion of these explicitly stated requirements. The explicitly stated requirements do not demand any additional documentary evidence other than what is required at EAL4.
8.2.5 Internal Consistency and Mutually Supportive Rationale

The selected requirements are internally consistent and fully compliant with the CAPP. The ST includes all of the functional requirements from the CAPP and additional requirements to reflect additional functionality, compatible with the CAPP requirements. All operations that have been performed on the additional requirements are in accordance with the CC. The ST includes no instance of a requirement that contradicts another requirement in the ST. In instances where different requirements apply to the same events or types of data, the requirements and the operations performed within the requirements do not contradict each other.

The selected requirements together form a mutually supportive whole by: the satisfaction of all dependencies as demonstrated in Table 8-4; the mapping and suitability of the requirements to security objectives as justified in Section 8.2.1; the inclusion of the architectural requirements FPT_RVM.1 and FPT_SEP.1 to protect the TSF; the inclusion of audit requirements to detect attacks on other security functional requirements; and the inclusion of security management requirements to ensure proper configuration and control of other security functional requirements.
8.2.6 SOF Rationale

The TOE minimum SOF of SOF-medium was chosen to be consistent with the CAPP. The explicit SOF claim for the authentication mechanism described in FIA_SOS.1 and FIA_UAU.1 against guessing a password is stronger than that specified in the CAPP and is in turn consistent with the security objectives described in Section 8.2.1. The SOF-medium strength level is sufficient to meet the objectives of the TOE given the security environment described in the ST, specifically given the assumption A.COOP (authorized users possess the necessary authorization to access at least some of the information managed by the TOE and are expected to act in a cooperating manner in a benign environment).

8.3 TSS Rationale

This section, in conjunction with Section 6, the TSS, provides evidence that the SFs are suitable to meet the TOE security requirements and that the assurance measures address the assurance requirements. Each subsection in Section 6.1, TSFs, describes a SF of the TOE. Each description is followed with rationale that indicates which requirements are satisfied by aspects of the corresponding SF. The set of SFs work together to satisfy all of the SFRs. Furthermore, all of the SFs are necessary in order for the TSF to provide the required security functionality.

The collection of SFs works together to provide all of the security requirements as indicated in Table 8-5. The collection of assurance measures works together to address all of the SARs as indicated in Table 8-6. The SFs and assurance measures described in the TSS and indicated in the tables below are all necessary for the required security functionality in the TSF.
Table 8-5 Requirement to Security Function Correspondence

Security functions: Audit, User Data Protection, Cryptographic Protection, I&A, Security Management, TSF Protection, Resource Utilization, TOE Access.

| Requirement | Security Function |
|---|---|
| FAU_GEN.1 | Audit |
| FAU_GEN.2 | Audit |
| FAU_LOG_EX.1 | Audit |
| FAU_SAR.1 | Audit |
| FAU_SAR.2 | Audit |
| FAU_SAR.3 (a), (b) | Audit |
| FAU_SEL.1 | Audit |
| FAU_STG.1 | Audit |
| FAU_STG.3 | Audit |
| FAU_STG.4 | Audit |
| FCS_COP.1 (a) thru (j) | Cryptographic Protection |
| FCS_CKM.1 (a) thru (e) | Cryptographic Protection |
| FCS_CKM.2 | Cryptographic Protection |
| FCS_CKM.4 | Cryptographic Protection |
| FCS_CKM_EX.1 | Cryptographic Protection |
| FCS_CKM_EX.2 | Cryptographic Protection |
| FDP_ACC.2 (a) | User Data Protection |
| FDP_ACC.2 (b) | User Data Protection |
| FDP_ACC.2 (c) | User Data Protection |
| FDP_ACC.2 (d) | User Data Protection |
| FDP_ACF.1 (a) | User Data Protection |
| FDP_ACF.1 (b) | User Data Protection |
| FDP_ACF.1 (c) | User Data Protection |
| FDP_ACF.1 (d) | User Data Protection |
| FDP_IFC.1 (a) | User Data Protection |
| FDP_IFC.1 (b) | User Data Protection |
| FDP_IFC.1 (c) | User Data Protection |
| FDP_IFF.1 (a) | User Data Protection |
| FDP_IFF.1 (b) | User Data Protection |
| FDP_IFF.1 (c) | User Data Protection |
| FDP_ITT.1 | User Data Protection |
| FDP_RIP.2 | User Data Protection |
| FDP_UCT.1 | User Data Protection |
| FDP_UIT.1 | User Data Protection |
| Note 1_EX | User Data Protection |
| FIA_AFL.1 | I&A |
| FIA_ATD.1 | I&A |
| FIA_SOS.1 | I&A |
| FIA_UAU.1 | I&A |
| FIA_UAU.6 | I&A |
| FIA_UAU.7 | I&A |
| FIA_UID.1 | I&A |
| FIA_USB.1_EX | I&A |
| FMT_MOF.1 (a) | Security Management |
| FMT_MOF.1 (b) | Security Management |
| FMT_MOF.1 (c) | Security Management |
| FMT_MOF.1 (d) | Security Management |
| FMT_MOF.1 (e) | Security Management |
| FMT_MSA.1 (a) | Security Management |
| FMT_MSA.1 (b) | Security Management |
| FMT_MSA.1 (c) | Security Management |
| FMT_MSA.1 (d) | Security Management |
| FMT_MSA.1 (e) | Security Management |
| FMT_MSA.1 (f) | Security Management |
| FMT_MSA.1 (g) | Security Management |
| FMT_MSA.1 (h) | Security Management |
| FMT_MSA_EX.2 | Security Management |
| FMT_MSA.3 (a) | Security Management |
| FMT_MSA.3 (b) | Security Management |
| FMT_MSA.3 (c) | Security Management |
| FMT_MSA.3 (d) | Security Management |
| FMT_MSA.3 (e) | Security Management |
| FMT_MSA.3 (f) | Security Management |
| FMT_MSA.3 (g) | Security Management |
| FMT_MTD.1 (a) | Audit; Security Management |
| FMT_MTD.1 (b) | Security Management |
| FMT_MTD.1 (c) | Security Management |
| FMT_MTD.1 (d) | Security Management |
| FMT_MTD.1 (e) | Security Management |
| FMT_MTD.1 (f) | Security Management |
| FMT_MTD.1 (g) | Security Management |
| FMT_MTD.1 (h) | Security Management |
| FMT_MTD.1 (i) | Security Management |
| FMT_MTD.1 (j) | Security Management |
| FMT_MTD.1 (k) | Security Management |
| FMT_MTD.1 (l) | Security Management |
| FMT_MTD.1 (m) | Security Management |
| FMT_MTD.1 (n) | Security Management |
| FMT_MTD.1 (o) | Security Management |
| FMT_MTD.1 (p) | Security Management |
| FMT_MTD.2 | Security Management |
| FMT_REV.1 (a) | Security Management |
| FMT_REV.1 (b) | Security Management |
| FMT_SAE.1 | Security Management |
| FMT_SMR.1 | Security Management |
| FMT_SMR.3 | Security Management |
| TRANSFER_PROT_EX.1 | TSF Protection |
| TRANSFER_PROT_EX.3 | TSF Protection |
| FPT_AMT.1 | TSF Protection |
| FPT_RPL_EX.1 | TSF Protection |
| FPT_RST_EX.1 | TSF Protection |
| FPT_RVM.1 | TSF Protection |
| FPT_SEP.1 | TSF Protection |
| FPT_SEP_EX.1 | TSF Protection |
| FPT_SUS_EX.1 | TSF Protection |
| FPT_SUS_EX.2 | TSF Protection |
| FPT_SUS_EX.3 | TSF Protection |
| FPT_SUS_EX.4 | TSF Protection |
| FPT_SUS_EX.5 | TSF Protection |
| FPT_SUS_EX.6 | TSF Protection |
| FPT_STM.1 | TSF Protection |
| FPT_TRC_EX | TSF Protection |
| FRU_RSA.1 | Resource Utilization |
| FTA_LSA_EX.1 | TOE Access |
| FTA_MCS_EX.1 | TOE Access |
| FTA_SSL.1 | TOE Access |
| FTA_SSL.2 | TOE Access |
| FTA_SSL.2 | TOE Access |
| FTA_TAB.1 | TOE Access |
| FTA_TSE.1 | TOE Access |
| FTP_TRP.1 | TOE Access |

Table 8-6 Assurance Requirements to Assurance Measures Mappings

Assurance measures: Process Assurance, Delivery and Guidance, Design Documentation, Test, Vulnerability Assessment.

| Requirement | Assurance Measure |
|---|---|
| ACM_AUT.1 | Process Assurance |
| ACM_CAP.4 | Process Assurance |
| ACM_SCP.2 | Process Assurance |
| ADO_DEL.2 | Delivery and Guidance |
| ADO_IGS.1 | Delivery and Guidance |
| ADV_FSP.2 | Design Documentation |
| ADV_HLD.2 | Design Documentation |
| ADV_IMP.1 | Design Documentation |
| ADV_LLD.1 | Design Documentation |
| ADV_RCR.1 | Design Documentation |
| ADV_SPM.1 | Design Documentation |
| AGD_ADM.1 | Delivery and Guidance |
| AGD_USR.1 | Delivery and Guidance |
| ALC_DVS.1 | Process Assurance |
| ALC_FLR.3 | Process Assurance |
| ALC_LCD.1 | Process Assurance |
| ALC_TAT.1 | Process Assurance |
| ATE_COV.2 | Test |
| ATE_DPT.1 | Test |
| ATE_FUN.1 | Test |
| ATE_IND.2 | Test |
| AVA_MSU.2 | Vulnerability Assessment |
| AVA_SOF.1 | Vulnerability Assessment |
| AVA_VLA.2 | Vulnerability Assessment |
9. Additional Protection Profile References

This section identifies additional PPs to which conformance is not claimed but which were used as a source to identify additional requirements applicable to the TOE. The additional PPs are the PP for Single-level OSs in Environments Requiring Medium Robustness (SLOSPP) and the U.S. Government Web Server Protection Profile (WEB Server PP) for Basic Robustness Environments. A subsection for each of these PPs is included in this section that provides further details regarding how this ST relates to each of the PPs referenced.

9.1 Protection Profile for Single-level Operating Systems (SLOSPP) Reference

This TOE is an OS and, while conforming with the CAPP, it does provide additional security functionality that meets specific requirements from the SLOSPP. These additional requirements mandate additional security functionality and do not conflict with any CAPP requirements, as demonstrated in 7.1.2 CAPP Differences and Enhancements. The requirements included in this ST that were based upon SLOSPP requirements are: FCS_COP.1 (a) thru (j) Cryptographic Operation, FCS_CKM.1 (a) thru FCS_CKM.1 (e) Cryptographic Key Generation, FCS_CKM.2 Cryptographic Key Distribution, FCS_CKM.4 Cryptographic Key Zeroization, FCS_CKM_EX.1 Cryptographic Key Validation and Packaging, FCS_CKM_EX.2 Cryptographic Key Handling and Storage, FDP_ITT.1 Basic Internal Protection, FIA_UAU.6 Re-authenticating, FMT_MSA_EX.2 Valid Password Security Attributes, TRANSFER_PROT_EX.1 Internal TSF Data Transfer Protection, FPT_TRC_EX Internal TSF Data Consistency, TRANSFER_PROT_EX.3 Internal TSF Data Integrity Monitoring, FPT_RPL_EX Replay Detection, FTA_LSA_EX.1 Limit on Scope of Selectable Attributes, and FTA_MCS_EX.1 Basic Limitation on Multiple Concurrent Sessions.

9.2 Web Server PP Reference

This TOE includes a web server which provides security functionality that meets several requirements of the U.S. Government WEB Server PP. These additional requirements mandate additional security functionality and do not conflict with any CAPP requirements, as demonstrated in 7.1.2 CAPP Differences and Enhancements. The requirements included in this ST that are based upon WEB Server PP requirements are: FDP_ACC.2 (b) WEBUSER Complete Access Control, FDP_ACC.2 (c) Content-Provider Complete Access Control, FDP_ACF.1 (b) WEBUSER Access Control Functions, FDP_ACF.1 (c) Content-Provider Access Control Functions, FDP_UCT.1 WEBUSER SFP Basic Data Exchange Confidentiality, FDP_UIT.1 WEBUSER SFP Data Exchange Integrity, FMT_MOF.1 (d) Management of Web Server, FMT_MSA.1 (e) Management of WEBUSER Object Security Attributes, FMT_MSA.1 (f) Management of Content-Provider Object Security Attributes, FMT_MSA.3 (d) WEBUSER Static Attribute Initialization, FMT_MSA.3 (e) Content-Provider Static Attribute Initialization, and FTA_SSL.3 WEBUSER TSF-Initiated Termination.
APPENDIX A — List of Acronyms

3DES  Triple DES
ACE  Access Control Entry
ACL  Access Control List
ACM  Access Control Management
ACP  Access Control Policy
AD  Active Directory
AES  Advanced Encryption Standard
AGD  Administrator Guidance Document
AH  Authentication Header
ANSI  American National Standards Institute
API  Application Programming Interface
CA  Certificate Authority
CALG  Confidentiality Algorithm
CAPP  Controlled Access Protection Profile
CBC  Cipher Block Chaining
CC  Common Criteria
CCSE  Canadian Communication Security Establishment
CD-ROM  Compact Disk Read Only Memory
CI  Configuration Item
CIFS  Common Internet File System
CM  Configuration Management; Control Management
COM  Component Object Model
CP  Content Provider
CPU  Central Processing Unit
CRL  Certificate Revocation List
CryptoAPI  Cryptographic API
CSP  Cryptographic Service Provider
DAC  Discretionary Access Control
DACL  Discretionary Access Control List
DPAPI  Data Protection API
DC  Domain Controller
DEP  Data Execution Prevention
DES  Data Encryption Standard
DFS  Distributed File System
DH  Diffie-Hellman
DHCP  Dynamic Host Configuration Protocol
DNS  Domain Name System
DoS  Denial of Service
DO  Delivery Operation
DS  Directory Service
DSA  Digital Signature Algorithm
EAL  Evaluation Assurance Level
ECB  Electronic Code Book
EFS  Encrypting File System
ESP  Encapsulating Security Payload
EWF  Enhanced Write Filter
FEK  File Encryption Key
FIPS  Federal Information Processing Standard
FRS  File Replication Service
FSMO  Flexible Single Master Operation
GB  Gigabyte
GC  Global Catalog
GHz  Gigahertz
GINA  Graphical Identification and Authentication
GPC  Group Policy Container
GPO  Group Policy Object
GPT  GUID Partition Table; Group Policy Template
GUI  Graphical User Interface
GUID  Globally Unique Identifier
HMAC  Hash-Based Message Authentication Code
HTTP  HyperText Transfer Protocol
HTTPS  Secure HTTP
I/O  Input/Output
I&A  Identification and Authentication
IA  Information Assurance
ICF  Internet Connection Firewall
ICMP  Internet Control Message Protocol
ICS  Internet Connection Sharing
ID  Identification
IEC  International Electrotechnical Commission
IETF  Internet Engineering Task Force
IFS  Installable File System
IIS  Internet Information Services
IIS6  IIS Version 6.0
IKE  Internet Key Exchange
IP  Internet Protocol
IPv4  IP Version 4
IPv6  IP Version 6
IPC  Inter-process Communication
IPSec  IP Security
ISAPI  Internet Server API
ISATAP  Intra-site Automatic Tunnel Addressing Protocol
ISO  International Organization for Standardization
IT  Information Technology
KDC  Key Distribution Center
LAN  Local Area Network
LDAP  Lightweight Directory Access Protocol
LPC  Local Procedure Call
LSA  Local Security Authority
LSASS  LSA Subsystem Service
MAC  Message Authentication Code
MB  Megabyte
MBR  Master Boot Record
MMC  Microsoft Management Console
NAT  Network Address Translation
NIST  National Institute of Standards and Technology
NTFS  New Technology File System
NSA  National Security Agency
NTLM  New Technology LAN Manager
OLE  Object Linking and Embedding
OS  Operating System
PAE  Physical Address Extension
PC/SC  Personal Computer/Smart Card
PDC  Primary DC
PIN  Personal Identification Number
PKCS  Public-Key Cryptography Standards
PKI  Public Key Infrastructure
PP  Protection Profile
RAID  Redundant Array of Independent Disks
RAM  Random Access Memory
RC4  Rivest's Cipher 4
RID  Relative Identifier
RNG  Random Number Generator
RPC  Remote Procedure Call
RSA  Rivest, Shamir and Adleman
RSASSA  RSA Signature Scheme with Appendix
SA  Security Association
SACL  System Access Control List
SAM  Security Assurance Measure; Security Accounts Manager
SAR  Security Assurance Requirement
SAS  Secure Attention Sequence
SD  Security Descriptor
SHA  Secure Hash Algorithm
SID  Security Identifier
SF  Security Function
SFP  Security Function Policy
SFR  Security Functional Requirement
SMB  Server Message Block
SOF  Strength of Function
SP  Service Pack
SPI  Security Parameters Index
SRM  Security Reference Monitor
SSL  Secure Sockets Layer
ST  Security Target
SYSVOL  System Volume
TCP  Transmission Control Protocol
TDI  Transport Driver Interface
TLS  Transport Layer Security
TOE  Target of Evaluation
TSC  TOE Scope of Control
TSF  TOE Security Functions
TSS  TOE Summary Specification
UI  User Interface
UID  User Identifier
UNC  Universal Naming Convention
U.S.  United States
URL  Uniform Resource Locator
USB  Universal Serial Bus
USN  Update Sequence Number
v5  Version 5
VDS  Virtual Disk Service
VPN  Virtual Private Network
VSS  Volume Shadow Copy Service
WAN  Wide Area Network
WebDAV  Web Distributed Authoring and Versioning
WU  WEBUSER
WDM  Windows Driver Model
WMI  Windows Management Instrumentation
WSC  Windows Security Center
WWW  World-Wide Web
X86  Intel Microprocessors
Appendix B — TOE Component Decomposition

Certificate Server Component
- Certificate Service
- Certificate Service Default Policy Module
- Certificate Service Default Exit Module

Executive Component
- Executive Object Services
- 64 bit Kernel Debug Support
- Application Compatibility Support
- Cache Manager
- Configuration Manager
- Graphics Device Interface
- Hardware Abstraction Layer (HAL)
- Kernel Debug Manager
- Kernel Mode Windows Management Instrumentation
- Kernel Runtime
- Local Process Communication
- Memory Manager
- Microkernel
- Object Manager
- Plug and Play Manager
- Power Manager
- Process Manager
- Security Reference Monitor
- Virtual DOS Machine
- Window Manager (User)

Hardware Component
- IA32 Hardware
- IA64 Hardware

Windows Firewall Component
- Application Layer Gateway Service
- Home Networking Configuration Manager
- IP Network Address Translator
- IPv6 Firewall Driver
- MAC Bridge Driver
- Network Address Translation Helper

Internet Information Server Component
- ADFS Web Agent ISAPI Extension
- ADFS Web Agent ISAPI Filter
- API Remoting Web Service
- ASP.NET ISAPI Extension
- ASP.NET ISAPI Filter
- BITS Server Extensions ISAPI
- Downstream Authorization Web Service
- Internet Information Services
- IIS CoAdmin
- IIS ISAPI Handler
- IIS Metadata DLL
- IIS Reset Control
- IIS Web Admin Service
- IIS Web Server Core
- IIS Worker Process
- ISAPI DLL for Web Printing
- Managed Code Single Sign On Library
- Managed Code SSO Claim Transforms Library
- Metadata and Admin Service
- ODBC HTTP Server Extension
- Simple Targeting Authorization Web Service
- URL Authorization ISAPI
- UrlScan Filter DLL
- Web Application Manager Registration
- WebDAV ISAPI Extension and File Handle Cache
- WinHTTP Web Proxy Auto Discovery Service
- WSUS Client Web Service
- WSUS Reporting Web Service
- WSUS Server Sync Web Service

IO: Core Component
- I/O Manager
- Kernel Security Device Driver
- File System Recognizer
- Mount Manager

IO: File Component
- CD-ROM File System
- Encrypting File System
- Fast FAT File System
- Mailslot Driver
- NPFS Driver
- NT File System Driver
- UDF File System Driver

IO: Net Component
- TCP/IP Protocol Driver
- Ancillary Function Driver for WinSock
- Browser
- Distributed File System Filter Driver
- General Packet Classifier Driver
- HTTP Driver
- IP Filter Driver
- IP in IP Encapsulation Driver
- IPSec Driver
- IPv6 Driver
- Loopback Network Driver
- NDIS 5.1 Wrapper Driver
- NDIS User Mode I/O Driver
- NetBT Transport Driver
- QoS Packet Scheduler Driver
- Redirected Drive Buffering Subsystem Driver
- Remote NDIS Miniport
- Server Driver
- SMB Mini Redirector
- SMB Transport Driver
- TDI Wrapper
- WebDav Mini Redirector
- Winsock2 IFS Layer Driver
- Multiple UNC Provider and DFS Client Driver

IO: Devices Component
- ACPI Driver
- Adaptec adpu160m SCSI/RAID Controller
- Adaptec ASC-48300 SAS-SATA Host Adapter
- AGP440 Bus Filter Driver
- ATI ATI2MPAD Miniport Driver
- ATI ATI2MTAG Miniport Driver
- Audio Port Class Driver
- BCM5703 Gigabit Ethernet
- Beep Driver
- Broadcom NetXtreme Gigabit Ethernet
- Compaq Smart Array Controller SCSI Miniport Driver
- Disk Manager I/O Driver
- File System Filter Manager
- FIPS Crypto Driver
- Floppy Disk Controller Driver
- Floppy Driver
- FTDisk Driver
- HID Class Library
- HID Keyboard Filter Driver
- HID Mouse Filter Driver
- HID Parsing Library
- i8042 Port Driver
- IBM ServeRAID Adapter Storport Miniport Driver
- IDE/ATAPI Port Driver
- IMAPI Kernel Driver
- Intel e1000645 NIC Miniport Driver
- Intel e100b645 NIC Miniport Driver
- Intel Pro Adapter Driver
- Intel Pro 1000 Adapter Driver
- Intel Pro 1000 MT Server Adapter
- Intelligent I/O Miniport Driver
- Intelligent I/O Utility Filter Driver
- Keyboard Class Driver
- LSI Logic PCI SCSI-FC MPI Miniport Driver
- LSI Logic Symbios Ultra3 SCSI Miniport Driver
- MegaRAID RAID Controller Driver
- Mouse Class Driver
- Null Driver
- Parallel Port Driver
- Partition Manager
- Plug and Play PCI Enumerator
- Plug and Play Software Device Enumerator Driver
- PnP Disk Driver
- PnP ISA Bus Driver
- Processor Device Driver
- Redbook Audio Filter Driver
- SCSI CD-ROM Driver
- SCSI Class System Driver
- SCSI Floppy Driver
- SCSI Port Driver
- SCSI Tape Class Driver
- Serial Device Driver
- Serial Port Enumerator
- Smart Card Driver Library
- Storage Port Driver
- Update Driver
- USB 1.1 & 2.0 Port Driver
- USB CC Generic Parent Driver
- USB CCID Driver
- USB Host Controller Interface Miniport Drivers
- USB Mass Storage Driver
- USB Miniport Driver for Input Devices
- USB Root Hub Driver
- VGA/Super VGA Video Driver
- Video Port Driver
- Volume Shadow Copy Driver
- Watchdog Driver
- Windows Management Interface for ACPI

Net Support Component
- Domain Name Service
- COM+ Configuration Catalog Server
- COM+ Event System Service
- COM+ Services
- DHCP Service
- Distributed COM Services
- Internet Extensions for Win32
- IPv6 over IPv4 Service
- Network Connections Manager
- Network Location Awareness
- Routing Information Protocol for Internet Protocol
- RPC Endpoint Mapper
- RPC Locator
- Simple TCP/IP Services Service DLL
- TCP/IP NetBios Transport Services DLL
- TCP/IP Services Application
- WebDAV Service DLL

OS Support Component
- Content Indexing Service
- Distributed File System Service
- Distributed Transaction Coordinator
- Help & Support
- HID Input Service
- Image Mastering API
- License Logging Server
- Logical Disk Manager Administrative Service
- Performance Logs and Alerts
- Print Spooler
- Removable Storage Manager
- RSOP Service Application
- Session Manager
- SSDP Service DLL
- System Restore Service
- Task Scheduler Engine
- UPnP Device Host
- UPS Service
- WMI Performance Adapter Service
- WMI Provider Host
- WMI Service

Security Component
- Active Directory Replication Management
- ADFS Security Package
- Core Directory Service
- Credential Manager
- Data Protection API
- Directory Services Role Management
- Encrypting File System Service
- Inter-Site Messaging
- IPSec SPD Server
- KDC Service
- Kerberos Security Package
- LDAP
- LSA Audit
- LSA Authentication
- LSA Policy
- MAPI Based Directory Request
- Microsoft Authentication Package v1.0
- Microsoft Digest Access
- NetLogon Service DLL
- NT Directory Service Backup & Restore
- Oakley Key Manager
- PKI Trust Installation and Setup
- Protected Storage Server
- SAM Server
- Secondary Logon Service
- TLS/SSL Security Provider
- TLS/SSL Service for HTTP
- Trust Signing APIs

Services Component
- Services and Controller App
- ADFS Web Agent Authentication Service
- Alerter Service
- Application Experience Lookup Service
- AutoUpdate Client
- BITS Optional Component Manager
- Computer Browser Service DLL
- Cryptographic Services
- Event Logging Service
- File Replication Service
- Generic Host Process for Win32 Services
- Logical Disk Manager Service
- Non-COM WMI Event Provision APIs
- NT Messenger Service
- Remote Registry Service
- Server Service DLL
- SIS Groveler Service
- Smart Card Resource Management Server
- System Event Notification Service (SENS)
- Update Services Catalog Sync Agent
- Update Services Content Sync Agent
- User-mode Plug-and-Play Service
- Virtual Disk Service
- Volume Shadow Copy Service
- Windows Installer Service
- Windows Security Center Service
- Windows Security Configuration Editor Engine
- Windows Shell Services Dll
- Windows Time Service
- Windows Update AutoUpdate Engine
- Windows Update AutoUpdate Service
- Workstation Service
- WSUS Service

WinLogon Component
- Windows Logon Application
- AutoEnrollment DLL
- Group Policy
- Group Policy Object Processing
- Infineon SICRYPT Smart Card CSP
- Profile Mapping
- Syskey
- Trust Verification APIs
- User Environment
- Windows File Protection

Win32 Component
- Client Server Runtime Process
- Base Server
- Windows Server DLL

Administrator Tools Component
- ADFS_MMC_snap-in
- ADFS_Proxy_MMC_snap_in
- ADFS_Web_agent_MMC_snap_in
- AT.exe Command
- auditusr
- Auth_Mgr_GUI
- Automatic Updates (WSUS Client)
- Backup_and_Restore
- BITS Mgmt Ext in MMC
- BITSAdmin
- Certification Authority GUI
- Certreq Utility
- cipher.exe
- COM+ Applications
- Computer Management
- Configure Your Server Wizard
- Data Execution Prevention for Sysdm.cpl
- Data Execution Prevention for WMIC
- Date_and_Time
- DCOM Config
- Default_Group_Policy_Object_Restore_Utility
- Device Manager
- DFS Management
- Dfsradmin.exe Command
- DHCP Snap-in
- Disk Management
- Disk Quota GUI
- DNS Snap-in
- Domains and Trusts
- Driver_Verifier_Manager
- efsadu
- Error Reporting Service
- Event Viewer
- Explorer
- Group Policy Spec
- Group Policy Refresh
- Group Policy GUI Component
- Help and Support
- IIS_Manager_GUI
- IMAPI CD Burning
- Indexing Service
- IPSec Settings GUI Spec
- IPv6 Monitor DLL
- Keyring Manager
- License Logging
- Network
- Network ID
- OU Delegation
- Performance Logs & Alerts
- Printers GUI
- Registry_Editor
- RSoP
- SAM Lock Tool
- Scheduled Tasks
- SCWcmd.exe
- Security Config Editor
- Security Policy GUI
- Security_Config_Wizard
- Services
- Session_Locking
- Share_a_Folder_Wizard
- Sigverif Design Spec
- Sites and Services
- Task Scheduler (Schtasks.exe)
- Users and Groups
- Volume Shadow Copy Service Command Line
- Windows Mngt Infra (WMI)
- Windows_Firewall_GUI
- WSUS
- WSUSutil
