Certification Report
MINISTERIO DE LA PRESIDENCIA Y PARA LAS ADMINISTRACIONES TERRITORIALES

REF: 2017-49-INF-2218 v2
Created by: CERT10
Target: Expediente
Revised by: CALIDAD
Date: 21.06.2018
Approved by: TECNICO

CERTIFICATION REPORT

File: 2017-49 Windows 10: build 10.0.15063 (a.k.a. 1703) (Creators Update)
Applicant: Microsoft Corporation
References:
[EXT-3602] Certification request
[EXT-3752] Evaluation Technical Report v2.0.
The product documentation referenced in the above documents.

This is the Certification Report of the product:

Windows Operating Systems (OS):
Microsoft Windows 10 Home Edition (Creators Update) (32-bit version)
Microsoft Windows 10 Pro Edition (Creators Update) (64-bit versions)
Microsoft Windows 10 Enterprise Edition (Creators Update) (64-bit versions)
Microsoft Windows 10 S Edition (Creators Update) (64-bit versions)

TOE Versions:
Windows 10: build 10.0.15063 (also known as version 1703)

The following security updates must be applied for:
Windows 10, all critical updates as of August 9, 2017

The certification was requested on 26/09/2017, and evaluated by the laboratory Epoche & Espri S.L.U., as detailed in the Evaluation Technical Report [EXT-3752] received on 23/01/2018.

https://oc.ccn.cni.es
Email: [email protected]

TABLE OF CONTENTS

EXECUTIVE SUMMARY
TOE SUMMARY
SECURITY ASSURANCE REQUIREMENTS
SECURITY FUNCTIONAL REQUIREMENTS
IDENTIFICATION
SECURITY POLICIES
ASSUMPTIONS AND OPERATIONAL ENVIRONMENT
THREATS
OPERATIONAL ENVIRONMENT FUNCTIONALITY
ARCHITECTURE
LOGICAL ARCHITECTURE
PHYSICAL ARCHITECTURE
DOCUMENTS
PRODUCT TESTING
PENETRATION TESTING
EVALUATED CONFIGURATION
EVALUATION RESULTS
COMMENTS & RECOMMENDATIONS FROM THE EVALUATION TEAM
CERTIFIER RECOMMENDATIONS
GLOSSARY
BIBLIOGRAPHY
SECURITY TARGET
RECOGNITION AGREEMENTS
EUROPEAN RECOGNITION OF ITSEC/CC – CERTIFICATES (SOGIS-MRA)
INTERNATIONAL RECOGNITION OF CC – CERTIFICATES (CCRA)

EXECUTIVE SUMMARY

This document constitutes the Certification Report for the certification file of the product:

Windows Operating Systems (OS):
Microsoft Windows 10 Home Edition (Creators Update) (32-bit version)
Microsoft Windows 10 Pro Edition (Creators Update) (64-bit versions)
Microsoft Windows 10 Enterprise Edition (Creators Update) (64-bit versions)
Microsoft Windows 10 S Edition (Creators Update) (64-bit versions)

TOE Versions:
Windows 10: build 10.0.15063 (also known as version 1703)

The following security updates must be applied for:
Windows 10, all critical updates as of August 9, 2017

The TOE includes the Windows 10 operating system, and those applications necessary to manage, support and configure the operating system.
Windows 10 can be delivered preinstalled on a new computer or downloaded from the Microsoft website.

Developer/manufacturer: Microsoft Corporation.
Sponsor: Microsoft Corporation.
Certification Body: Centro Criptológico Nacional (CCN) del Centro Nacional de Inteligencia (CNI).
ITSEF: Epoche & Espri S.L.U.
Protection Profile: General Purpose Operating Systems Protection Profile, Version 4.1, March 9, 2016 (GP OS PP).
Evaluation Level: Common Criteria v3.1 R5 (assurance packages according to the [GPOSPP]).
Evaluation end date: 23/01/2018.

All the assurance components required by the evaluation level of the [GPOSPP] have been assigned a “PASS” verdict. Consequently, the laboratory Epoche & Espri S.L.U. assigns the “PASS” VERDICT to the whole evaluation, because all the evaluator actions are satisfied for the [GPOSPP] assurance level packages, as defined by the Common Criteria v3.1 R5, the [GPOSPP] and the CEM v3.1 R5.

Considering the evidence obtained during the instruction of the certification request of the product Windows 10: build 10.0.15063 (also known as version 1703), a positive resolution is proposed.

TOE SUMMARY

Windows 10 editions, collectively called “Windows”, are preemptive multitasking, multiprocessor, and multi-user operating systems. In general, operating systems provide users with a convenient interface to manage underlying hardware. They control the allocation and manage computing resources such as processors, memory, and Input/Output (I/O) devices. Windows expands these basic operating system capabilities to controlling the allocation and managing higher level IT resources such as security principals (user or machine accounts), files, printing objects, services, window station, desktops, cryptographic keys, network ports traffic, directory objects, and web content.
Multi-user operating systems such as Windows keep track of which user is using which resource, grant resource requests, account for resource usage, and mediate conflicting requests from different programs and users.

TOE major security features

The major security features implemented by the TOE and subject to evaluation (no assurance can be assumed for any other functionality) can be summarised as follows:

Security Audit: Windows has the ability to collect audit data, review audit logs, protect audit logs from overflow, and restrict access to audit logs. Audit information generated by the system includes the date and time of the event, the user identity that caused the event to be generated, and other event-specific data. Authorized administrators can review audit logs and have the ability to search and sort audit records. Authorized administrators can also configure the audit system to include or exclude potentially auditable events based on a wide range of characteristics. In the context of this evaluation, the protection profile requirements cover generating audit events, selecting which events should be audited, and providing secure storage for audit event entries.

Cryptographic Support: Windows provides CAVP-validated cryptographic functions that support encryption/decryption, cryptographic signatures, cryptographic hashing, cryptographic key agreement, and random number generation.