DOCSLIB.ORG

Windows 2000 Security Target

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Windows 2000 Security Target Windows 2000 Security Target ST Version 2.0 18 October 2002 Prepared For: Microsoft Corporation Corporate Headquarters One Microsoft Way Redmond, WA 98052-6399 Prepared By: Science Applications International Corporation 7125 Gateway Drive Columbia, MD 21046 Windows 2000 Security Target Rev 2.0 10/18/02 ST Master, 10/18/02, Rev 1.9 1. SECURITY TARGET INTRODUCTION......................................................................................... 1 1.1 SECURITY TARGET, TOE, AND CC IDENTIFICATION....................................................................... 1 1.2 CC CONFORMANCE CLAIMS ........................................................................................................... 1 1.3 STRENGTH OF ENVIRONMENT ......................................................................................................... 2 1.4 CONVENTIONS, TERMINOLOGY, ACRONYMS................................................................................... 2 1.4.1 Conventions ............................................................................................................................ 2 1.4.2 Terminology............................................................................................................................ 2 1.4.3 Acronyms ................................................................................................................................ 3 1.5 SECURITY TARGET OVERVIEW AND ORGANIZATION....................................................................... 3 2. TOE DESCRIPTION........................................................................................................................... 4 2.1 PRODUCT TYPE ............................................................................................................................... 4 2.2 PRODUCT DESCRIPTION................................................................................................................... 5 2.3 PRODUCT FEATURES ....................................................................................................................... 5 2.3.1 Windows 2000 Administration and Management Features.................................................... 5 2.3.2 Windows 2000 Network Security Features............................................................................. 7 2.3.3 Windows 2000 Scalability Features ....................................................................................... 7 2.4 SECURITY ENVIRONMENT AND TOE BOUNDARY............................................................................ 8 2.4.1 Logical Boundaries................................................................................................................. 8 2.4.2 Physical Boundaries.............................................................................................................10 2.5 TOE SECURITY SERVICES ............................................................................................................. 10 3. SECURITY ENVIRONMENT.......................................................................................................... 12 3.1 THREATS TO SECURITY ................................................................................................................. 12 3.2 ORGANIZATIONAL SECURITY POLICIES ......................................................................................... 12 3.3 SECURE USAGE ASSUMPTIONS ...................................................................................................... 13 3.3.1 Connectivity Assumptions..................................................................................................... 13 3.3.2 Personnel Assumptions......................................................................................................... 13 3.3.3 Physical Assumptions ........................................................................................................... 14 4. SECURITY OBJECTIVES ............................................................................................................... 15 4.1 IT SECURITY OBJECTIVES ............................................................................................................. 15 4.2 NON-IT SECURITY OBJECTIVES .................................................................................................... 16 5. IT SECURITY REQUIREMENTS................................................................................................... 17 5.1 TOE SECURITY FUNCTIONAL REQUIREMENTS.............................................................................. 17 5.1.1 Audit (FAU) Requirements ................................................................................................... 20 5.1.2 Cryptographic Support (FCS) .............................................................................................. 24 5.1.3 User Data Protection (FDP) Requirements ......................................................................... 24 5.1.4 Identification and Authentication (FIA)................................................................................ 26 5.1.5 Management Requirements (FMT)....................................................................................... 28 5.1.6 Protection of the TOE Security Functions (FPT) ................................................................. 32 5.1.7 Resource Utilization (FRU).................................................................................................. 33 5.1.8 TOE Access (FTA)................................................................................................................33 5.1.9 Trusted Path/Channels ......................................................................................................... 34 5.2 TOE SECURITY ASSURANCE REQUIREMENTS ............................................................................... 34 5.2.1 Configuration Management (ACM)...................................................................................... 35 5.2.2 Delivery and Operation (ADO) ............................................................................................ 37 5.2.3 Development (ADV).............................................................................................................. 38 5.2.4 Guidance Documents (AGD)................................................................................................ 43 5.2.5 Life Cycle Support (ALC) ..................................................................................................... 44 5.2.6 Security Testing (ATE)..........................................................................................................47 5.2.7 Vulnerability Assessment (AVA) ........................................................................................... 49 ©Microsoft Corporation, 2002 i Windows 2000 Security Target Rev 2.0 10/18/02 5.3 SECURITY REQUIREMENTS FOR THE IT ENVIRONMENT................................................................. 51 6. TOE SUMMARY SPECIFICATION............................................................................................... 52 6.1 TOE SECURITY FUNCTIONS .......................................................................................................... 52 6.1.1 Audit Function ...................................................................................................................... 52 6.1.2 User Data Protection Function ............................................................................................ 56 6.1.3 Identification and Authentication Function.......................................................................... 62 6.1.4 Security Management Function............................................................................................ 67 6.1.5 TSF Protection Function ...................................................................................................... 69 6.1.6 Resource Utilization Function.............................................................................................. 74 6.1.7 Session Locking Function..................................................................................................... 74 6.2 TOE SECURITY ASSURANCE MEASURES....................................................................................... 75 6.2.1 Process Assurance................................................................................................................ 75 6.2.2 Delivery and Guidance......................................................................................................... 76 6.2.3 Design Documentation ......................................................................................................... 76 6.2.4 Tests...................................................................................................................................... 78 6.2.5 Vulnerability Assessment...................................................................................................... 78 7. PROTECTION PROFILE CLAIMS................................................................................................ 80 7.1 PROTECTION PROFILE REFERENCE ................................................................................................ 80 7.2 PP REQUIREMENTS IN ST.............................................................................................................. 80 7.3 PROTECTION PROFILE DIFFERENCES AND ENHANCEMENTS .......................................................... 80 7.3.1 Protection Profile Differences.............................................................................................
Load more

Recommended publications
  • Open Directory & Openldap
    Open Directory & OpenLDAP David M. O’Rourke Engineering Manager Overview • Background on Apple’s Open Directory Technology (8 minutes) – What is it – What is Directory Services • How has Apple integrated OpenLDAP (20 minutes or less) – what has Apple added to OpenLDAP? • Questions and Answers (remaining time) Open Directory • Open Directory is a technology name – Covers both client access technologies and server technologies – Integrates and promotes industry standard technologies • Open Directory is built into Mac OS X & Mac OS X Server – Been there since 10.0 • Open Sourced as part of Darwin – http://developer.apple.com/darwin/projects/ opendirectory/ What Is Directory Services • Abstraction API for read/write access to system configuration and management data – Users, groups, mount records and others – Authentication abstraction Mac OS X Software Directory Services NetInfo LDAP BSD Files Other… Directory Services in 10.3 • Includes – LDAPv3 (read/write), Native Active Directory, NetInfo, NIS, BSD/etc files – Service Discovery: Rendezvous, SMB, AppleTalk, and SLP – LDAPv3 client support replication fail over • Documented Access API and plug-in API – SDK posted – Sample code, sample plug-in, notes – Directory Services Headers are installed in – /System/Library/Frameworks/DirectoryService.framework – Command line tool for directory editing ‘dscl’ 10.3 Usage of Directory Services • Login Window uses Directory Services for all user authentication – Managed Desktop • All Security Framework authentication uses Directory Services • Legacy Unix
    [Show full text]
  • AWS Directory Service Setup with Netapp Cloud Volumes Service for AWS Prabu Arjunan, Netapp August 2019
    AWS Directory service setup with NetApp Cloud Volumes Service for AWS Prabu Arjunan, NetApp August 2019 Abstract This document provides instructions to help users set up the AWS directory services environment for using NetApp® Cloud Volumes Service for Amazon Web Services (AWS). TABLE OF CONTENTS 1 Overview ................................................................................................................................................ 3 2 Requirements ........................................................................................................................................ 3 3 Creating the AWS Active Directory service ....................................................................................... 4 4 Adding the Active Directory server to Cloud Volumes Service ..................................................... 10 5 Creating a cloud volume that uses the Active Directory server .................................................... 12 Common errors messages....................................................................................................................... 14 References ................................................................................................................................................. 14 Version History ......................................................................................................................................... 14 2 AWS Directory service setup with NetApp Cloud Volume Service for AWS © 2019 NetApp, Inc. All rights reserved. 1 Overview
    [Show full text]
  • 11.7 the Windows 2000 File System
    830 CASE STUDY 2: WINDOWS 2000 CHAP. 11 11.7 THE WINDOWS 2000 FILE SYSTEM Windows 2000 supports several file systems, the most important of which are FAT-16, FAT-32, and NTFS (NT File System). FAT-16 is the old MS-DOS file system. It uses 16-bit disk addresses, which limits it to disk partitions no larger than 2 GB. FAT-32 uses 32-bit disk addresses and supports disk partitions up to 2 TB. NTFS is a new file system developed specifically for Windows NT and car- ried over to Windows 2000. It uses 64-bit disk addresses and can (theoretically) support disk partitions up to 264 bytes, although other considerations limit it to smaller sizes. Windows 2000 also supports read-only file systems for CD-ROMs and DVDs. It is possible (even common) to have the same running system have access to multiple file system types available at the same time. In this chapter we will treat the NTFS file system because it is a modern file system unencumbered by the need to be fully compatible with the MS-DOS file system, which was based on the CP/M file system designed for 8-inch floppy disks more than 20 years ago. Times have changed and 8-inch floppy disks are not quite state of the art any more. Neither are their file systems. Also, NTFS differs both in user interface and implementation in a number of ways from the UNIX file system, which makes it a good second example to study. NTFS is a large and complex system and space limitations prevent us from covering all of its features, but the material presented below should give a reasonable impression of it.
    [Show full text]
  • White Paper | September 2 0 1 7
    Oracle Directory Services Buyer’s Guide ORACLE WHITE PAPER | SEPTEMBER 2 0 1 7 Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. ORACLE DIRECTORY SERVICES – BUYER’S GUIDE Table of Contents Introduction 1 Business Drivers 2 Oracle Directory Services 3 Key Considerations for Some Popular Scenarios 4 Cloud 4 Mobile 4 Customer-Facing Internet 4 Employee-Facing Intranet 5 Directory Services Checklist 5 Conclusion 7 ORACLE DIRECTORY SERVICES – BUYER’S GUIDE Introduction In the late 1990s, directory servers were essentially designed as white-page applications for providing users with secure access to enterprise resources through authentication and authorization processes. Since then, their use has been extended to partners and customers, thus creating the need to support an increasing number of diverse users and communities. Today, directory services need to accommodate hundreds of millions of users and provide additional services to break identity silos. With the ubiquitous use of mobile devices as well as cloud deployments and the integration of social networks identities into the enterprise fabric, billions of objects are transacted everyday through directory services. Modern directory services now go beyond the initial capability to store objects in an identity repository. Directory solutions have evolved around three foundation services: » Storage: Persisting and maintaining entries representing identities.
    [Show full text]
  • The 12 Essential Tasks of Active Directory Domain Services
    WHITE PAPER ACTIVE DIRECTORY DOMAIN SERVICES The 12 Essential Tasks of Active Directory Domain Services Using the right tools and processes helps reduce administrative overhead and ensures directory service is always available By Nelson Ruest and Danielle Ruest Sponsored by WHITE PAPER ACTIVE DIRECTORY DOMAIN SERVICES ABSTRACT Active Directory Domain Services (AD DS) administration and management includes Sponsored by 12 major tasks. These tasks cover a wide breadth of business needs and are not all performed solely by AD DS administrators. In fact, administrators can and should delegate several tasks to other members of their technical community, technicians, help desk personnel, even users such as team managers and administrative assistants. While delegation is a way to reduce the amount of work administrators have to do when managing AD DS infrastructures, it really only addresses one or two of the 12 tasks, for example, user and group administration as well as end point device administration. The other ten tasks can be staggering in nature—security, networked service administration, OU-Specific Management, Group Policy Object management and many more—and because of this can take up inordinate amounts of time. You can rely on Microsoft’s built-in tools to reduce some of this workload, but are the native tools enough? Perhaps it’s time to reduce AD DS administration overhead by automating most tasks and tightening internal security. Address this by first, determining what the twelve essential labors of Active Directory are and then, see how you can reduce AD DS workloads through the implementation of proper management and administration tools.
    [Show full text]
  • Page 1 of 3 How to Enable NTLM 2 Authentication 2/8/2012 Http
    How to enable NTLM 2 authentication Page 1 of 3 Article ID: 239869 - Last Review: January 25, 2007 - Revision: 4.7 How to enable NTLM 2 authentication System Tip This article applies to a different version of Windows than the one you are using. Content in this article may not be relevant to you. Visit the Windows 7 Solution Center This article was previously published under Q239869 SUMMARY Historically, Windows NT supports two variants of challenge/response authentication for network logons: • LAN Manager (LM) challenge/response • Windows NT challenge/response (also known as NTLM version 1 challenge/response) The LM variant allows interoperability with the installed base of Windows 95, Windows 98, and Windows 98 Second Edition clients and servers. NTLM provides improved security for connections between Windows NT clients and servers. Windows NT also supports the NTLM session security mechanism that provides for message confidentiality (encryption) and integrity (signing). Recent improvements in computer hardware and software algorithms have made these protocols vulnerable to widely published attacks for obtaining user passwords. In its ongoing efforts to deliver more secure products to its customers, Microsoft has developed an enhancement, called NTLM version 2, that significantly improves both the authentication and session security mechanisms. NTLM 2 has been available for Windows NT 4.0 since Service Pack 4 (SP4) was released, and it is supported natively in Windows 2000. You can add NTLM 2 support to Windows 98 by installing the Active Directory Client Extensions. After you upgrade all computers that are based on Windows 95, Windows 98, Windows 98 Second Edition, and Windows NT 4.0, you can greatly improve your organization's security by configuring clients, servers, and domain controllers to use only NTLM 2 (not LM or NTLM).
    [Show full text]
  • [MS-DSSP]: Directory Services Setup Remote Protocol
    [MS-DSSP]: Directory Services Setup Remote Protocol Intellectual Property Rights Notice for Open Specifications Documentation . Technical Documentation. Microsoft publishes Open Specifications documentation (“this documentation”) for protocols, file formats, data portability, computer languages, and standards support. Additionally, overview documents cover inter-protocol relationships and interactions. Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you can make copies of it in order to develop implementations of the technologies that are described in this documentation and can distribute portions of it in your implementations that use these technologies or in your documentation as necessary to properly document the implementation. You can also distribute in your implementation, with or without modification, any schemas, IDLs, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications documentation. No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. Patents. Microsoft has patents that might cover your implementations of the technologies described in the Open Specifications documentation. Neither this notice nor Microsoft's delivery of this documentation grants any licenses under those patents or any other Microsoft patents. However, a given Open Specifications document might be covered by the Microsoft Open Specifications Promise or the Microsoft Community Promise. If you would prefer a written license, or if the technologies described in this documentation are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting [email protected].
    [Show full text]
  • Pingdirectory Administration Guide Version
    Release 7.3.0.3 Server Administration Guide PingDirectory | Contents | ii Contents PingDirectory™ Product Documentation................................................ 20 Overview of the Server............................................................................. 20 Server Features.................................................................................................................................20 Administration Framework.................................................................................................................21 Server Tools Location....................................................................................................................... 22 Preparing Your Environment....................................................................22 Before You Begin.............................................................................................................................. 22 System requirements..............................................................................................................22 Installing Java......................................................................................................................... 23 Preparing the Operating System (Linux).......................................................................................... 24 Configuring the File Descriptor Limits.................................................................................... 24 File System Tuning.................................................................................................................25
    [Show full text]
  • Oracle Internet Directory 11G R1
    2 3 Directory services are key building blocks for secure identity-enabled business applications and the underlying enterprise identity management (IdM) architecture. Well-structured and organized directory services are the foundation of efficient and effective security services. This is because all IDM applications and most commercial off the shelf (COTS) business applications that require a standard mechanism to access identity attributes, and the most common way to access identity attributes is using LDAP. Example identity attributes include user credentials, access privileges and profile information. Additionally the modern enterprise has different identity attribute needs than they did when LDAP servers first appeared on the market in the 1990s. This is because modern enterprises often have multiple LDAP storage-based servers as well as identity stored in non-LDAP repositories such as HR or CRM databases. Furthermore, new computing initiatives, such as mobile computing, cloud computing and social networking, require LDAP to manage extremely large number of objects, to deliver high performance to manage dynamic data like location and presence, and to be elastic to grow with the cloud. These requirements led to several challenges in deploying identity related applications within the enterprise: While Microsoft Active Directory is pervasive within enterprises, it does not provide the functionality to be a general purpose Enterprise Directory Service because of limitations imposed on it being the Network Operating System directory for Windows. To address Active Directory limitations, Microsoft provides Active Directory Lightweight Directory Services (AD LDS)1. However, due to AD LDS‟s application specific nature, the 1 AD LDS formerly known as Active Directory Application Mode (ADAM) 4 proliferation of AD LDS within enterprises is like weeds in a garden resulting in cost and manageability issues.
    [Show full text]
  • When Windows 2000 Or Windows Server 2003 Is Introduced
    IMPORTANT INFORMATION FOR PRIMERGY CUSTOMERS July 11th, 2007 FUJITSU, LTD. NOTICE: Any server using an Intel Xeon 7100 or higher model CPU and has either Windows 2000, Windows 2000 Server, or Windows 2003 Server installed may encounter a “blue screen.” The problem occurs when the operating system running on a computer with a fast processor and a large L3 cache encounters a timing problem with asynchronous hardware. Although Fujitsu has not received any reports of this problem to date, there is a possibility that PRIMERGY server products may be affected. Problem: Any computer running any edition of Windows 2000, Windows 2000 Server, or Windows 2003 with an Intel Xeon processor (model 7100 or higher) that utilizes a large L3 cache may generate a “blue screen.” An error similar to: STOP 0x0000008E(parameter1, parameter2, parameter3, parameter4) KERNEL_MODE_EXCEPTION_NOT_HANDLED or STOP 0x0000001E(parameter1, parameter2, parameter3, parameter4) KERNEL_MODE_EXCEPTION_NOT_HANDLED may be displayed with Windows 2003-based and Windows 2000-based computers, respectively. Affected Operating Systems: Microsoft® Windows® 2000 Server Microsoft® Windows® 2000 Advanced Server Microsoft® Windows Server® 2003, Standard Edition (*) Microsoft® Windows Server® 2003, Enterprise Edition (*) (*)This problem has been corrected in Service Pack 1 for Windows Server 2003. Therefore Windows 2003 Server SP1 is not affected by this problem. Affected Fujitsu PRIMERGY models: The following models use Intel Xeon 7100 or higher processors. PRIMERGY Models, Product Codes, and CPU z PRIMERGY RX600 S3 (SAS), Product codes PGR603D* and PGR603B* ¾ Dual Core Intel® Xeon® Processor 7140M (3.40GHz)/7120M (3GHz) z PRIMERGY RX600 S3, Product codes PGR6038* and PGR6036* ¾ Dual Core Intel® Xeon® Processor 7140M (3.40GHz)/7120M (3GHz) * Changes by type.
    [Show full text]
  • Qualifying Operating Systems
    Qualifying Operating Systems The following operating systems qualify for the Windows 10 Pro Upgrade and/or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing. New Enterprise Microsoft Products Agreement and Services Existing EA/ Microsoft Cloud Academic and Qualifying Operating Systems (EA)/Open Value Agreement OV-CW2 Agreement Charity Company-Wide (MPSA)/Select (OV-CW)1 Plus/Open3 Windows 10 4 Enterprise (N, KN) , Pro (N, KN) Education, Home Windows 8 and Windows 8.1 Enterprise (N, K, KN), Pro (N, K, KN, diskless) Windows 8 and Windows 8.1 (including Single Language) Windows 7 Enterprise (N, K, KN), Professional (N, K, KN, diskless), Ultimate Home Premium, Home Basic, or Starter Edition Windows Vista Enterprise (N, K, KN), Business (N, K, KN, Blade), Ultimate Home Premium, Home Basic, Starter Edition Windows XP Professional (N, K, KN, Blade), Tablet Edition (N, K, KN, Blade), XP Pro N, XP Pro Blade PC Home and Starter Edition Apple Apple Macintosh Windows Embedded Operating Systems Windows 10 IoT Enterprise Windows Vista Business for Embedded Systems, Ultimate for Embedded Systems Windows 2000 Professional for Embedded Systems Windows 7 Professional for Embedded Systems, Ultimate for Embedded Systems Windows XP Professional for Embedded Systems Windows Embedded 8 and 8.1 Pro, Industry Pro Windows 10 IoT Enterprise for Retail or Thin Clients5 5 Windows Embedded 8 and 8.1 Industry Retail Windows Embedded POSReady 7 Pro5 5 Windows Embedded for Point of Service Windows Embedded POSReady 20095 5 Windows Embedded POSReady 7 5 Windows XP Embedded Windows Embedded Standard 75 5 Windows Embedded 2009 5 Windows Embedded 8 Standard 1Also applicable to Qualified Devices acquired through merger or acquisition.
    [Show full text]
  • Windows 2000 Accessibility Options
    © 2004 Microsoft Corporation Step By Step Tutorials for Microsoft® Windows 2000 Accessibility Options Step by Step Tutorials for Microsoft Windows 2000 Accessibility Options Table of Contents Overview .................................................................................................................................. 4 Using the Accessibility Wizard ............................................................................................... 6 Opening Accessibility Wizard ............................................................................................... 7 Changing the Font Size of Text on the Screen ...................................................................... 9 Switching to a Lower Screen Resolution to Increase the Size of Items on the Screen ....... 10 Changing the Size of Items on the Screen ........................................................................... 11 Disabling Personalized Menus ............................................................................................ 13 Setting Options for People Who Are Blind or Have Difficulty Seeing Things on the Screen ............................................................................................................................................. 14 Setting Options for People Who Are Deaf or Have Difficulty Hearing Sounds from the Computer ............................................................................................................................. 16 Setting Options for People Who Have Difficulty Using the Keyboard
    [Show full text]