Certification Report

Certification Report

Reference: 2019-22-INF-2839-v2 Created by: CERT10 Target: Público Revised by: CALIDAD Date: 27.08.2019 Approved by: TECNICO CERTIFICATION REPORT Dossier # 2019-22 TOE Microsoft Windows 10 and Server version 1903 (May 2019 Update) Applicant 600413485 - Microsoft Corporation References [EXT-4964] Certification request [EXT-5229] Evaluation Technical Report v2.0 Certification report of the product Microsoft Windows 10 and Server version 1903 (May 2019 Update), as requested in [EXT-4964] dated 22/05/2019, and evaluated by Epoche & Espri S.L.U., as detailed in the Evaluation Technical Report [EXT-5229] received on 23/07/2019. https://oc.ccn.cni.es 1/17 [email protected] CONTENTS EXECUTIVE SUMMARY ........................................................................................................................... 3 TOE SUMMARY ................................................................................................................................... 4 SECURITY ASSURANCE REQUIREMENTS ............................................................................................ 6 SECURITY FUNCTIONAL REQUIREMENTS ........................................................................................... 6 IDENTIFICATION ..................................................................................................................................... 8 SECURITY POLICIES ................................................................................................................................. 9 ASSUMPTIONS AND OPERATIONAL ENVIRONMENT ......................................................................... 9 CLARIFICATIONS ON NON-COVERED THREATS ................................................................................ 10 OPERATIONAL ENVIRONMENT FUNCTIONALITY ............................................................................. 10 ARCHITECTURE ..................................................................................................................................... 10 LOGICAL ARCHITECTURE .................................................................................................................. 10 PHYSICAL ARCHITECTURE ................................................................................................................. 11 DOCUMENTS ........................................................................................................................................ 11 PRODUCT TESTING ............................................................................................................................... 11 PENETRATION TESTING .................................................................................................................... 12 EVALUATED CONFIGURATION ............................................................................................................. 12 EVALUATION RESULTS ......................................................................................................................... 14 COMMENTS & RECOMMENDATIONS FROM THE EVALUATION TEAM ............................................... 14 CERTIFIER RECOMMENDATIONS ......................................................................................................... 14 GLOSSARY ............................................................................................................................................. 14 BIBLIOGRAPHY ..................................................................................................................................... 14 SECURITY TARGET ................................................................................................................................ 15 RECOGNITION AGREEMENTS ............................................................................................................... 16 European Recognition of ITSEC/CC – Certificates (SOGIS-MRA) ...................................................... 16 International Recognition of CC – Certificates (CCRA) ..................................................................... 16 https://oc.ccn.cni.es 2/17 [email protected] EXECUTIVE SUMMARY This document constitutes the Certification Report for the certification file of the product: Windows Operating Systems (OS): Microsoft Windows 10 Home edition (May 2019 Update) (32-bit and 64-bit versions) Microsoft Windows 10 Pro edition (May 2019 Update) (64-bit version) Microsoft Windows 10 Enterprise edition (May 2019 Update) (64-bit version) Microsoft Windows Server Standard edition, version 1903 Microsoft Windows Server Datacenter edition, version 1903 TOE Versions: Windows 10: build 10.0.18362 (also known as version 1903) Windows Server: build 10.0 18362 (also known as version 1903) The following security updates must be applied for: Windows 10 and Windows Server: all critical updates as of May 30, 2019 Developer/manufacturer: Microsoft Corporation Sponsor: Microsoft Corporation. Certification Body: Centro Criptológico Nacional (CCN) del Centro Nacional de Inteligencia (CNI). ITSEF: Epoche & Espri S.L.U. Protection Profile: Windows 10 editions: General Purpose Operating Systems Protection Profile, Version 4.2.1, April 22, 2019 ([GPOSPP]). General Purpose Operating Systems Protection Profile/ Mobile Device Fundamentals Protection Profile Extended Package (EP) Wireless Local Area Network (WLAN) Clients, version 1.0, February 8, 2016 ([GPOSPP-WLAN-EP]). Windows Server editions: General Purpose Operating Systems Protection Profile, Version 4.2.1, April 22, 2019 ([GPOSPP]). Evaluation Level: Level: Common Criteria version 3.1 release 5 (assurance packages according to the [GPOSPP] and [GPOSPP-WLAN-EP]. Evaluation end date: 23/07/2019. https://oc.ccn.cni.es 3/17 [email protected] All the assurance components required by the evaluation level of the [GPOSPP] and [GPOSPP- WLAN-EP] have been assigned a “PASS” verdict. Consequently, the laboratory assigns the “PASS” VERDICT to the whole evaluation due all the evaluator actions are satisfied for the [GPOSPP] and [GPOSPP-WLAN-EP] assurance level packages, as defined by the Common Criteria version 3.1 release 5, the [GPOSPP], the [GPOSPP-WLAN-EP] and the Common Criteria Evaluation Methodology version 3.1 release 5. Considering the obtained evidences during the instruction of the certification request of the product Microsoft Windows 10 and Server version 1903 (May 2019 Update), a positive resolution is proposed. TOE SUMMARY All Windows 10 and Windows Server editions, collectively called “Windows”, are preemptive multitasking, multiprocessor, and multi-user operating systems. In general, operating systems provide users with a convenient interface to manage underlying hardware. They control the allocation and manage computing resources such as processors, memory, and Input/Output (I/O) devices. Windows expands these basic operating system capabilities to controlling the allocation and managing higher level IT resources such as security principals (user or machine accounts), files, printing objects, services, window station, desktops, cryptographic keys, network ports traffic, directory objects, and web content. Multi-user operating systems such as Windows keep track of which user is using which resource, grant resource requests, account for resource usage, and mediate conflicting requests from different programs and users. TOE major security features Security Audit: Windows has the ability to collect audit data, review audit logs, protect audit logs from overflow, and restrict access to audit logs. Audit information generated by the system includes the date and time of the event, the user identity that caused the event to be generated, and other event specific data. Authorized administrators can review audit logs and have the ability to search and sort audit records. Authorized Administrators can also configure the audit system to include or exclude potentially auditable events to be audited based on a wide range of characteristics. In the context of this evaluation, the protection profile requirements cover generating audit events, selecting which events should be audited, and providing secure storage for audit event entries. Cryptographic Support: Windows provides FIPS 140-2 CAVP validated cryptographic functions that support encryption/decryption, cryptographic signatures, cryptographic hashing, cryptographic key agreement, and random number generation. The TOE additionally provides support for public keys, credential management and certificate validation functions and provides support for the National Security Agency’s Suite B cryptographic algorithms. Windows also provides extensive auditing support of https://oc.ccn.cni.es 4/17 [email protected] cryptographic operations, the ability to replace cryptographic functions and random number generators with alternative implementations, and a key isolation service designed to limit the potential exposure of secret and private keys. In addition to using cryptography for its own security functions, Windows offers access to the cryptographic support functions for user-mode and kernel-mode programs. Public key certificates generated and used by Windows authenticate users and machines as well as protect both user and system data in transit. User Data Protection: In the context of this evaluation, Windows protects user data and provides virtual private networking capabilities. Identification and Authentication: Each Windows user must be identified and authenticated based on administrator-defined

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    17 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us