OpenText NetIQ® Group Policy Administrator™ 6.9.4 Security Target

Last Updated: November 13, 2024
Version: 0.10
Prepared By: OpenText
Prepared For: OpenText
275 Frank Tompa Drive
Waterloo ON N2L OA1
Canada

November 13, 2024 Group Policy Administrator 6.9.4.4

Table of Contents

1. Security Target Introduction (ASE_INT)
  1.1. Security Target Reference
  1.2. Target of Evaluation Reference
  1.3. Target of Evaluation (TOE) Overview
  1.4. Product Overview
  1.5. Security Target Conventions
  1.6. Acronyms
  1.7. Security Target Organization
2. CC Conformance Claims (ASE_CCL)
  2.1. PP Claim
  2.2. Package Claim
  2.3. Conformance Rationale
3. Security Problem (ASE_SPD)
  3.1. Introduction
  3.2. Threats to the TOE
  3.3. Assumptions
  3.4. Organizational Security Policies
4. Security Objectives (ASE_OBJ)
  4.1. Security Objectives for the Environment
  4.2. Rationale
  4.3. Security Objectives Rationale
  4.4. Security Objectives Rationale for the TOE
  4.5. Security Objectives Rationale for the Environment
5. Extended Components Definition (ASE_ECD)
  5.1. Class WMP: Windows Management Policy Proxy
  5.2. Administrator Management (WMP_ADM)
  5.3. Privilege Map (WMP_VLD)
6. IT Security Requirements (ASE_REQ)
  6.1. TOE Security Functional Requirements
    6.1.2 User Data Protection (FDP)
    6.1.3 Identification and authentication (FIA)
      6.1.3.2 User authentication before any action (FIA_UAU.2)
      6.1.3.3 User identification before any action (FIA_UID.2)
    6.1.4 Security management (FMT)
    6.1.5 Windows Management Policy Proxy (WMP)
  6.2. Security Assurance Requirements
  6.3. Security Assurance Requirements Rationale
  6.4. Requirement Dependency Rationale
  6.5. Security Requirements Rationale
  6.6. Explicitly Stated Requirements Rationale
7. TOE Summary Specification (ASE_TSS)
  7.1. TOE Security Functions
  7.2. Security Audit
  7.3. User Data Protection
  7.4. Identification and Authentication
  7.5. Security Management
  7.6. Windows Management Policy Proxy
8. Appendix A - Privileges

Figures:
Figure 1: GPA Configuration
Figure 2: GPA Functional Architecture
Figure 3: GPA
Figure 4: Evaluated Configuration

Tables:
Table 1: Threats on the TOE
Table 2: Assumptions
Table 3: Security Objectives for the Environment
Table 4: Threats to Objectives Correspondence
Table 5: Objectives on the TOE
Table 6: Rationale for TOE Objectives
Table 7: Complete Coverage – environmental assumptions
Table 8: Rationale for Environmental Objectives
Table 9: TOE Security Functional Requirements
Table 10: Security Assurance Requirements
Table 11: Requirements Dependencies
Table 12: Objectives to Requirements Correspondence
Table 13: SFR Sufficiency Rationale
Table 14: Security Functions vs. Requirements Mapping
Table 15: Tasks

1. Security Target Introduction (ASE_INT)

This section presents the following information:
• Security Target Reference
• Target of Evaluation Reference
• TOE Overview
• CC Conformance Claims
• Specifies the Security Target conventions
• Describes the Security Target Organization

1.1. Security Target Reference:

ST Title: NetIQ® Group Policy Administrator™ 6.9.4 Security Target
ST Version: 0.10
ST Date: November 13, 2024
ST Author: Dawn Adams

1.2. Target of Evaluation Reference:

TOE Reference: NetIQ® Group Policy Administrator™ 6.9.4
TOE Version #: 6.9.4
TOE Developer: OpenText
Evaluation Assurance Level (EAL): EAL2+
TOE Components: Console Subsystem; NetIQ Group Policy Administrator Server Subsystem

1.3. Target of Evaluation (TOE) Overview:

[Figure 1: GPA Configuration. Components shown: GPA Server Subsystem (TOE), Console Subsystem (TOE), SQL Server, DC.]

The NetIQ GPA 6.9.4 (Figure 1 above) consists of the following components:
• Console Subsystem (aka NetIQ Group Policy Administrator Console Subsystem)
• NetIQ Group Policy Administrator Server Subsystem
• Domain Controller (DC) (excluded from evaluation)
• Microsoft SQL Server 2019 Standard or Enterprise Edition (excluded from evaluation)

1.4.
Product Overview:

NetIQ® Group Policy Administrator (also referred to as GPA) provides the ability to securely model and predict the impact of Group Policy changes in an environment (both offline and online). Whether you are tasked with planning, executing, controlling, troubleshooting or reporting on Group Policies, GPA provides the controls necessary to help identify and prevent unplanned, unmanaged, or malicious change, improving the security and overall availability of your IT environment.

GPA provides the following capabilities:
• A secure offline repository for modeling and testing Group Policy Object (GPO) changes
• A robust workflow and delegation model to safely allow stakeholders to approve change
• Built-in tools that help you analyze, compare, troubleshoot, and test GPOs

In addition, GPA reduces downtime and operational risks to Group Policies that may be caused by malicious or accidental changes.

Key benefits of GPA include:
• Offers a secure offline repository – Reduces the number of privileged accounts by offering secure offline Group Policy management without having to grant permissions within Active Directory.
• Provides a robust workflow and delegation model – Allows administrators to push the administration of Active Directory lower in the organization to safely involve all Group Policy stakeholders.
• Reduces error risk when configuring GPOs – Enables you to configure settings once, and then replicate and apply those settings to GPOs in other domains and even other forests. This feature guarantees that your settings are configured correctly and reduces the risk of accidentally misconfiguring or losing a setting.
• Provides advanced analysis – Simulate the effect of modifying the Group Policy environment without having to first deploy the modified GPO, using online Resultant Set of Policy (RSoP) functionality. In addition, health checking, event logging, and the ability to compare GPOs help to quickly troubleshoot errors and take corrective action.
• Live and offline RSoP analysis – Determines the set of effective policies that apply to a user when logged on to a specific machine in the live environment; simulates the impact of making changes without affecting production; and even allows customers to troubleshoot issues by directly comparing two RSoP reports.
• Centralized GPO control and synchronization across trust boundaries – Enables GPOs to be centrally controlled and synchronized from domain to domain, both trusted and untrusted, and across forests, even disconnected forests.
• After-hours GPO deployment – Uses Windows Task Scheduler to schedule unattended GPO roll-outs from the NetIQ® Group Policy Administrator™ repository to AD.
• Check-out, check-in and approval – Allows GPOs to be checked out before editing and allows only the person checking them out to edit them. The objects can be checked back in after modification. Once complete, approval must be granted for the modification to be transferred to the live Active Directory environment.
• Tight integration with NetIQ® Change Guardian for Group Policy™ – Allows you to view NetIQ Change Guardian for Group Policy change activity from within GPA for a more complete GPO management experience.
• Point-in-time analysis reports – Captures what the Group Policy environment looked like at a particular point in time and reports on how many changes have been made and who made them.
• Rollback features – Provides administrators with a one-button rollback capability to allow a prior version of a GPO to be returned to production.
• Offline mirror – Provides a utility to automatically mirror production Active Directory Organizational Units and GPOs in an offline repository, making the offline environment look just like the online environment.
• Enterprise GPO consistency enforcement and comparison – Provides the ability to automatically synchronize GPO changes enterprise-wide with just one click; also provides a GPO comparison report to ensure master GPOs are consistent across domains.
• Administration delegation – Allows you to strategically limit the authority to create and change GPOs so that Group Policy administration can be delegated without any permissions being granted within Active Directory.
• Support for Group Policy Preferences – Allows the administrator to manage and assess Group Policy Preferences within GPA.

TOE Components:

For the purpose of this certification, the TOE includes the following:

The NetIQ Group Policy Administrator Console Subsystem includes the following functionality:
• Enables / disables group policies
• Allows you to edit Group Policy Objects (GPOs) offline
• Enables access to versions
• Provides notification of changes
• Enables workflows

The NetIQ Group Policy Administrator Server Subsystem enables the extension and management of Microsoft Group Policies. GPA extends GPA management capability to individuals while:
• protecting Group Policy Object (GPO) consistency
• providing improved audit capability

Communications:

The IT Environment will provide communication protections. Communications are protected as follows:
• GPA connects to the SQL DB with an ODBC connection string. GPA does not add any encryption and uses the "Microsoft ADO with MS ODBC driver" and "Microsoft ADO.NET with SqlClient data provider" to communicate with the SQL Server.
• The GPA console is an MMC snap-in that runs on an instance of MMC.exe. When Untrusted Access Account and Export Only Account credentials are set with the GPA console, advapi32.dll is loaded.
  The CryptEncrypt function is implemented in advapi32.dll, as documented by Microsoft at https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptencrypt
• GPA uses the ADSI functions to bind directly to an object. Currently this path is not encrypted.
• The path between the console and server uses .NET Remoting. The data exchanged between Server and Client will be encrypted; this is within the scope of the upcoming GPA release.

Major Security Features of the TOE:

The TOE provides the ability to:
• protect GPO consistency
• improve audit capability
• improve integrity by validating all administrative changes
• automate administrative functions

The TSF provides the following security functions:
• Security Audit
• User Data Protection
• Identification and Authentication
• Security Management
• Windows Management Policy Proxy

[Figure 2: GPA Functional Architecture (1). Components shown: GPA Server Subsystem (TOE), Console Subsystem (TOE), SQL Server, DC.]

(1) Objects that are in grey boxes are not part of the TOE.

Security Audit
The TOE can be set up to produce detailed audit reports for events and to aid in their analysis via the use of the Console Subsystem. The TOE reporting capabilities are completely configurable.

User Data Protection
The TOE implements multiple levels of access as well as functions to enforce them. In addition, transactions are authenticated and exportable. Data can be imported to and exported from the TOE, as well as moved across different components in the TOE. Residual data created by the TOE is cleaned up. Inter-TSF data confidentiality transfers are protected by use of the operating environment's native communications process.

Identification and Authentication
Users of the TOE depend on the IT Environment to handle initial access authentication; however, errors and transactions are logged by the TOE.
While the TOE depends on the IT Environment for protection of passwords and service credentials (via file protections and access controls), the subject binding is enabled at the SQL Server and the GPA Server. The subject binding allows the TOE to provide privileges (or groups of privileges) for individuals or groups of individuals.

Security Management
Security functions and attributes in the TOE are controlled, managed and specified at different levels or roles by the TSF and the IT Environment. The TOE and IT Environment can also be used to revoke individual access.

TOE Type:
For the purpose of this security target the TOE Type is a Windows Management Policy Proxy (WMP).

Non-TOE hardware/software/firmware required by the TOE:

[Figure 3: GPA. Components shown: GPA Server Subsystem (TOE), Console Subsystem (TOE), SQL Server, DC.]

Note: For the purpose of this evaluation all operating systems and the hardware (or emulations in a virtual machine) are excluded.

The Console Subsystem will be evaluated on the following operating systems:
• Windows Server 2019

The Console Subsystem requires the following minimum hardware:
• CPU: 1 Pentium III, 800 MHz
• RAM: 1 GB
• Disk space: 100 MB
Note: Or equivalent emulated in a virtual machine.

The GPA Server Subsystem will be evaluated on the following operating systems:
• Windows Server 2019

The GPA server requires the following minimum hardware:
• CPU: 1 GHz (x86 processor) or 1.4 GHz (x64 processor)
• RAM: 1 GB
• Disk space: 100 MB
Note: Or equivalent emulated in a virtual machine.

Excluded TOE Items:
These environments (components) are not part of the TOE, but are required to demonstrate TOE functionality.
• DC: The DC can run on the following operating systems:
  o Windows 2012 Server R2
• SQL Server: The SQL Server can be installed on the following operating systems:
  o Windows 2012, 2014 or 2016
• The SQL Server requires the following minimum hardware:
  o CPU: 1 GHz (x86 processor) or 1.4 GHz (x64 processor)
  o RAM: 1 GB
  o Disk space: 1 GB (able to expand to 5 GB)
  Note: Or equivalent emulated in a virtual machine.

In addition, the system requires a network, which may consist of routers, switches, hubs, and other technology used in a TCP/IP based network, all of which are also not part of the TOE.

[Figure 4: Evaluated Configuration. Components shown: GPA Server Subsystem (TOE), Console Subsystem (TOE), SQL Server, DC.]

Those elements labeled TOE in Figure 4 are covered by this ST.
• Console Subsystem:
  o While the Console Subsystem can run on multiple operating systems, it will be evaluated on the following operating system:
  o Windows 2019
• GPA Server Subsystem:
  o The GPA Server Subsystem will be evaluated on the following operating system:
  o Windows 2019

TOE Physical Scope:
The NetIQ Group Policy Administrator is a software-only TOE. The TOE physical boundary consists of the Console Subsystem and the GPA Server Subsystem running on their supporting operating systems and hardware. User installation and guidance documentation is supplied with the TOE. For the purpose of this evaluation the Domain Controller (DC) is not included in the TOE.

The components that make up the evaluated configuration are:
• Console Subsystem
• GPA Server Subsystem

1.5. Security Target Conventions:

This section specifies the formatting information used in the ST. The notation, conventions, and formatting in this security target are consistent with Version 3.1 R5 of the Common Criteria for Information Technology Security Evaluation. Clarifying information conventions, as well as font styles, were developed to aid the reader.
• Security Functional Requirements – Part 1, section C.2, of the CC defines the approved set of operations that may be applied to functional requirements: assignment, iteration, refinement, and selection.
  o Assignment: allows the specification of an identified parameter or parameters.
  o Iteration: allows a component to be used more than once with varying operations.
  o Selection: allows the specification of one or more elements from a list.
• Within section 6 of this ST the following conventions are used to signify how the requirements have been modified from the CC text.
  o Assignments are indicated using bold and are surrounded by brackets (e.g., [assignment]).
  o Iteration is indicated by a letter placed at the end of the component. For example, FDP_ACC.1a and FDP_ACC.1b indicate that the ST includes two iterations of the FDP_ACC.1 requirement, a and b.
  o Refinements are indicated using bold, for additions, and strike-through, for deletions (e.g., "… every object …" or "… all things …").
  o Selections are indicated using italics and are surrounded by brackets (e.g., [selection]).
• Other sections of the ST – Other sections of the ST use bolding to highlight text of special interest, such as acronyms, definitions, or captions.

1.6.
Acronyms:

AD: Active Directory
API: Application programming interface
CC: Common Criteria
CEM: Common Evaluation Methodology
CCEVS: Common Criteria Evaluation and Validation Scheme
DC: Domain Controller
GPA: Group Policy Administrator
GPO: Group Policy Objects
EAL: Evaluation Assurance Level
FIPS: Federal Information Processing Standards
GUI: Graphical User Interface
HLD: High-level Design
IA: Initial Assessment
IDS: Intrusion Detection Systems
NSS: Network Security System
NIAP: National Information Assurance Partnership
NIST: National Institute of Standards and Technology
NRC: NetIQ Reporting Center Console
NSA: National Security Agency
OS: Operating system
PP: Protection Profile
SMTP: Simple Mail Transport Protocol
SNMP: Simple Network Monitoring Protocol
SOF: Strength of Function
SSL: Secure Socket Layer
ST: Security Target
TOE: Target of Evaluation
TSF: TOE Security Functionality
TSP: TOE Security Policy
UI: User Interface
WMP: Windows Management Policy Proxy

1.7. Security Target Organization:

The Security Target (ST) contains the following sections:

Section 1 Security Target Introduction (ASE_INT): The ST introduction describes the Target of Evaluation (TOE) in a narrative with three levels of abstraction: a TOE reference, a TOE overview, and a TOE description (in terms of physical and logical boundaries) and scoping for the TOE.
Section 2 CC Conformance Claims (ASE_CCL): This section details any CC and PP conformance claims.
Section 3 Security Problem (ASE_SPD): This section summarizes the threats addressed by the TOE and assumptions about the intended environment.
Section 4 Security Objectives (ASE_OBJ): This section provides a concise statement in response to the security problem defined in Section 3.
Section 5 Extended Components Definition (ASE_ECD): This section provides information about security requirements outside of the components described in CC Part 2 or CC Part 3.
Section 6 IT Security Requirements (ASE_REQ): This section provides a description of the expected security behavior of the TOE.
Section 7 TOE Summary Specification (ASE_TSS): This section provides a general understanding of the TOE implementation.

2. CC Conformance Claims (ASE_CCL)

This TOE and ST are conformant to the following CC specifications:
• Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Requirements, Version 3.1 Revision 5, April 2017. Part 2 Conformant.
• Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance Requirements, Version 3.1 Revision 5, April 2017. Part 3 Conformant.
• The TOE is augmented with ALC_FLR.3 Systematic Flaw Remediation.
• The Evaluation Assurance Level (EAL) is 2+ (EAL2+).

2.1. PP Claim
The TOE does not claim conformance to any Protection Profiles (PPs).

2.2. Package Claim
The TOE claims conformance to the EAL2 assurance package defined in Part 3 of the Common Criteria Version 3.1 Revision 5 (April 2017). The TOE does not claim conformance to any functional package.

2.3. Conformance Rationale
No conformance rationale is necessary for this evaluation since this Security Target does not claim conformance to a Protection Profile.

3. Security Problem (ASE_SPD)

This section summarizes the threats addressed by the TOE and assumptions about the intended environment of the TOE. Note that while the identified threats are mitigated by the security functions implemented in the TOE, the overall assurance level (EAL2+) also serves as an indicator of whether the TOE would be suitable for a given environment.

3.1. Introduction:
In order to simplify the security problem, the TOE can be broken into 3 areas.
These areas are the:
• Assets: elements of the TOE that need protection
• Subjects: persons with legitimate access to the TOE
• Attackers: persons that are not legitimate users

Assets:
The assets can be broken down into two classes, Primary and Secondary. The main aim of this TOE is to protect the primary assets against unauthorized access, manipulation, and disclosure. The primary assets are:
• Data stored on the GPA Server and the SQL Server.
• Configuration information stored on the GPA Server Subsystem, SQL Server, and Console Subsystem.
• Data in transit to / from the GPA Server Subsystem, SQL Server, and the Console Subsystem.

The secondary assets are themselves of minimal value, but possession of these assets enables or eases access to the primary assets. Therefore these assets need to be protected as well. The secondary assets are:
• Credentials (i.e. account information and associated passwords) for access to the TOE
• Security attributes (i.e. file access permissions) on the TOE
• Explicit product privileges afforded to users of the TOE

Subjects:
Administrators: The Administrators can perform all tasks associated with Group Policy Objects (GPOs). These tasks are enumerated in Appendix A.
GPA Admin (2): The GPA Admin can perform all tasks associated with Group Policy Objects (GPOs). These tasks are enumerated in Appendix A.
GPA Users: GPA Users are delegated one or more task functions from the enumerated list in Appendix A, based on their responsibilities in the GPA. For ease of use, roles have been grouped into the following:
• GPO Importer
• GPO Exporter
• GPR Security Manager
• GPO Approver
• GPO Synchronizer
These default roles may be customized to include other privileges.

(2) A GPA Admin is a user who is in the GPA_REPOSITORY_MANAGEMENT group. By default, the user installing/configuring GPA is in this group, but others can be assigned to it as need be.

Attacker:
An Attacker is a person (or persons) who is not a user or administrator, and does not have physical access to any device in the infrastructure. This means that their only mode of access would be from outside the corporate environment (i.e. a machine on the Internet). A successful attacker would be able to gain access to TOE resources. Assuming successful access, that attacker would then attempt to:
• access the DC and subsequently Active Directory (AD) and create / modify / delete group policy objects (GPOs)
• access the GPA repository and create / modify / delete group policy objects (GPOs)
• delete all Group Policy entries in the AD
• view the contents of the AD and GPA repository

3.2. Threats to the TOE

Threat | Description
T.ADMIN_ERROR | An authorized administrator may incorrectly install or configure the TOE resulting in ineffective security mechanisms.
T.AUDIT | An unauthorized user may compromise the audit records so events are not associated with a user.
T.MASQUERADE | An unauthorized user, process, or external IT entity may masquerade as an authorized entity to gain access to TOE data or TOE resources.
T.NO_HALT | An unauthorized entity may attempt to compromise the continuity of the TOE by halting execution of the TOE or TOE Components.
T.PRIV | An unauthorized entity may gain access to the TOE and exploit functionality to gain access or privileges to TOE security functions and data.
T.MAL_INTENT | An authorized user could initiate changes that grant themselves additional unauthorized privileges.
T.TSF_COMPROMISE | A malicious user may cause configuration data to be inappropriately accessed (viewed, modified or deleted).
T.MAL_ACT | Malicious activity, such as the introduction of Trojan horses and viruses, may occur on an IT System the TOE monitors.
T.MIS_NORULE | Unauthorized accesses and activity, indicative of misuse, may occur on an IT System the TOE is installed on, and the TOE response may not occur if no event rules are specified in the TOE.
T.SC_MISCFG | Improper security configuration settings may exist in the IT System the TOE is on and could make the TOE audit ineffective.
T.SC_MALRUN | Users could execute malicious code on an IT System that the TOE is installed on which causes modification of the TOE protected data or undermines the IT System security functions.
T.SC_NVUL | Vulnerabilities may exist in the IT System the TOE is installed on which cause the TOE to be compromised.
Table 1: Threats on the TOE

3.3. Assumptions

Assumption | Description
A.LOCATE | The TOE will be located within controlled access facilities, which will prevent unauthorized physical access.
A.MANAGE | There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains.
A.NOEVIL | The authorized administrators are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the TOE documentation.
A.AVAIL | The systems, networks and all components will be available for use.
A.CONFIG | The systems will be configured to allow for proper usage of the application.
A.TIME | The environment will provide a reliable time source for the TOE.
A.DOMAIN | The environment will provide a secure domain for execution of the TOE.
Table 2: Assumptions

3.4. Organizational Security Policies
There are no organizational security policies for this evaluation.

4. Security Objectives (ASE_OBJ)

4.1. Security Objectives for the Environment

Objective | Description
OE.INSTAL | The TOE is installed according to the user manuals provided by the TOE vendor.
OE.CREDEN | Only authorized, non-malicious users manage the TOE.
OE.PERSON | Personnel working as authorized administrators shall be carefully selected and trained for proper operation of the System.
OE.PHYCAL | Those responsible for the TOE must ensure that those parts of the TOE critical to security policy are protected from any physical attack.
OE.INTROP | The TOE is interoperable with the Environment it manages.
OE.TIME | The IT environment will provide a time source that provides reliable time stamps.
OE.TOE_PROT | The IT environment will protect the TOE and its assets from external interference or tampering.
Table 3: Security Objectives for the Environment

4.2. Rationale
This section provides the rationale for completeness and consistency of the Security Target. The rationale addresses the following areas:
  o Security Objectives
  o Security Functional Requirements
  o Security Assurance Requirements
  o Requirement Dependencies
  o TOE Summary Specification

4.3. Security Objectives Rationale
This section shows that all secure usage assumptions and threats are covered by security objectives. In addition, each objective counters or addresses at least one threat.

4.4. Security Objectives Rationale for the TOE
This section provides evidence describing the coverage of threats by the security objectives.

Table 4: Threats to Objective Correspondence (matrix). Objectives (columns): O.ADMIN_ROLE, O.MANAGE, O.AUDIT, O.RESPONSE, O.GPA_AUTH, O.GPA_AUDIT, O.GPA_REP, O.GPA_ACPOL, O.TOE_PROTECTION. Threats (rows), with the number of objectives each threat is mapped to: T.ADMIN_ERROR (1), T.AUDIT (2), T.MASQUERADE (5), T.NO_HALT (2), T.PRIV (3), T.MAL_INTENT (4), T.TSF_COMPROMISE (1), T.MAL_ACT (3), T.MIS_NORULE (2), T.SC_MISCFG (2), T.SC_MALRUN (2), T.SC_NVUL (1).

4.5. Security Objectives for the TOE

Objective | Description
O.ADMIN_ROLE | The TOE will define authorizations that determine the actions authorized administrator roles may perform.
O.MANAGE | The TOE will allow administrators to effectively manage the TOE and its security functions.
O.AUDIT | The TOE audits events and associates events with users.
O.RESPONSE: The TOE must respond appropriately to trigger events.
O.GPA_AUTH: The TOE must ensure that only authorized users are able to access functionality.
O.GPA_AUDIT: The TOE must collect and store transactional information that can be used to audit changes to the AD and group policy objects.
O.GPA_REP: The TOE must provide identification for source and target objects.
O.GPA_ACPOL: The TOE must provide an access policy.
O.TOE_PROTECTION: The TOE must enable the detection of external interference or tampering and allow for mitigation.
Table 5: Objectives on the TOE

4.6. Security Objectives Rationale

T.ADMIN_ERROR: An authorized administrator may incorrectly install or configure the TOE, resulting in ineffective security mechanisms. This threat is countered by:
O.MANAGE: The TOE counters this threat by providing a user interface that allows assistant administrators to effectively manage the TOE and its security functions. In addition, the TOE ensures that only authorized entities are able to access such functionality.

T.AUDIT: An unauthorized user may access audit records and remove associations of users to events, so that the identity of the person who caused an event would be unknown. This threat is countered by:
O.AUDIT: This requires the TOE to produce audit records that are associated with a user.
O.MANAGE: The TOE counters this threat by providing a user interface that allows assistant administrators to effectively manage the TOE and its security functions. In addition, the TOE ensures that only authorized entities are able to access such functionality.

T.MASQUERADE: An unauthorized user, process, or external IT entity may masquerade as an authorized entity to gain access to data or TOE resources. This threat is countered by:
O.ADMIN_ROLE: The TOE counters this threat by defining authorizations that determine the actions / roles that authorized entities may perform.
O.GPA_AUTH: The TOE counters this threat by re-verifying the user credentials prior to execution of commands, as well as by mapping credentials to explicit sets of privileges.
O.GPA_AUDIT: The TOE counters this threat by providing transaction-based audit capabilities.
O.GPA_REP: The TOE counters this threat by providing identification for the source and target objects of all transactions.
O.GPA_ACPOL: The TOE counters this threat by use of an access policy that restricts authorized entities to specific activities.

T.NO_HALT: An unauthorized entity may attempt to compromise the continuity of the TOE by halting execution of the TOE or TOE components. This threat is countered by:
O.ADMIN_ROLE: The TOE counters this threat by defining authorizations that determine the actions authorized entities may perform.
O.RESPONSE: The TOE defines triggers that can be used to notify of events. This threat can be mitigated by configuring a trigger that fires when a shutdown is attempted.

T.PRIV: An unauthorized entity may gain access to the TOE and exploit functionality to gain access or privileges to TOE security functions and data. This threat is countered by:
O.ADMIN_ROLE: The TOE counters this threat by providing strict access controls which determine the actions / roles authorized assistant administrators may perform. Note: authorized assistant administrators are users with privileges specified in Appendix A.
O.GPA_AUTH: The TOE counters this threat by evaluating each request against the defined sets of privileges.
O.GPA_AUDIT: The TOE counters this threat by providing transaction-based audit capabilities.

T.MAL_INTENT: An authorized user could initiate changes that grant themselves additional, unauthorized privileges. This threat is countered by:
O.RESPONSE: The TOE counters this threat by responding appropriately to trigger events.
O.GPA_AUDIT: The TOE counters this threat by collecting and storing transactional information that can be used to audit changes to the AD.
O.GPA_ACPOL: The TOE counters this threat by providing an access policy.
O.TOE_PROTECTION: The TOE counters this threat by providing detailed audit logs as well as the ability to roll back changes.
OE.TIME: The IT environment counters this threat by providing a reliable time source for the audit records.
OE.TOE_PROTECTION: The IT environment counters this threat by protecting the TOE and its assets from external interference or tampering.

T.TSF_COMPROMISE: A malicious user may cause configuration data to be inappropriately accessed (viewed, modified or deleted). This threat is countered by:
OE.TOE_PROTECTION: The IT environment will protect the TOE and its assets from external interference or tampering.

T.MAL_ACT: Malicious activity, such as the introduction of Trojan horses and viruses, may occur on an IT System the TOE is installed on. This threat is countered by:
O.RESPONSE: The TOE counters this threat by responding to events that may indicate attempts to perform unauthorized activities.
O.GPA_AUDIT: The TOE counters this threat by collecting and storing transactional information that can be used to audit changes to the AD.
O.TOE_PROTECTION: The TOE counters this threat by providing detailed audit logs as well as the ability to roll back changes.

T.MIS_NORULE: Unauthorized accesses and activity, indicative of misuse, may occur on an IT System the TOE is installed on, and the TOE response may not occur if no rules are specified in the TOE. This threat is countered by:
O.GPA_AUDIT: The TOE collects and stores transactional information that can be used to audit changes to the AD.
O.GPA_ACPOL: The TOE protects against this threat by providing access policies.

T.SC_MISCFG: Improper security configuration settings may exist in the IT System the TOE is installed on and could make the TOE audit ineffective.
This threat is countered by:
O.GPA_AUTH: The TOE protects against this threat by ensuring that only authorized administrators are able to access functionality.
O.GPA_ACPOL: The TOE counters this threat by providing an access policy.

T.SC_MALRUN: Users could execute malicious code on an IT System that the TOE is installed on, causing modification of TOE-protected data or undermining the IT System security functions. This threat is countered by:
O.GPA_AUDIT: The TOE counters this threat by providing transaction-based audit capabilities.
O.GPA_REP: The TOE counters this threat by providing identification for the source and target objects of all transactions.

T.SC_NVUL: Vulnerabilities may exist in the IT System the TOE is installed on which could cause the TOE to be compromised. This threat is countered by:
OE.TOE_PROTECTION: The IT environment protects the TOE and its assets from external interference or tampering.
Table 6: Rationale for TOE Objectives

4.7. Security Objectives Rationale for the Environment

This section provides evidence demonstrating coverage of the environment security objectives by the environmental assumptions. The following table shows the assumption-to-objective mapping.

Assumption: Security Objectives
A.LOCATE: OE.PHYCAL
A.NOEVIL: OE.CREDEN, OE.PERSON
A.AVAIL: OE.INTROP
A.CONFIG: OE.INSTAL
A.MANAGE: OE.CREDEN, OE.PERSON
A.TIME: OE.TIME
A.DOMAIN: OE.TOE_PROTECTION
Table 7: Complete coverage – environmental assumptions

A.LOCATE: The TOE will be located within controlled access facilities, which will prevent unauthorized physical access. This assumption is satisfied by:
OE.PHYCAL: This objective provides for the physical protection of the TOE.

A.MANAGE: There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains. This assumption is satisfied by:
OE.CREDEN: This objective ensures that only authorized personnel administer the TOE.
OE.PERSON: This objective ensures all authorized administrators are qualified and trained to manage the TOE.

A.NOEVIL: The authorized administrators are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the TOE documentation. This assumption is satisfied by:
OE.PERSON: This objective ensures the managers of the TOE are not malicious.
OE.CREDEN: This objective ensures that the TOE is securely managed by trained administrators.

A.AVAIL: The IT environment will be available for use by the TOE. This assumption is satisfied by:
OE.INTROP: This objective ensures that the TOE can interoperate with the environment it is deployed in.

A.CONFIG: The IT environment is properly configured for use by the TOE. This assumption is satisfied by:
OE.INSTAL: This objective requires that the TOE is securely installed and managed according to the vendor documentation.

A.TIME: The environment will provide a reliable time source for the TOE. This assumption is satisfied by:
OE.TIME: This objective requires the environment to provide the TOE with reliable time stamps for audit entries.

A.DOMAIN: The environment provides a secure domain of execution for the TOE. This assumption is satisfied by:
OE.TOE_PROTECTION: This objective requires the IT environment to protect the TOE and its assets from external interference or tampering.
Table 8: Rationale for Environment Objectives

5. Extended Components Definition (ASE_ECD)

There are no extended components.

6. IT Security Requirements (ASE_REQ)

This section defines the security functional requirements for the TOE as well as the security assurance requirements against which the TOE has been evaluated.
All of the requirements have been copied from version 3.1 Revision 5 of the applicable Common Criteria documents (Part 2 for the functional requirements, Part 3 for the assurance requirements). No explicitly stated (extended) Security Functional Requirements are claimed (see Section 5).

6.1. TOE Security Functional Requirements

Class: Components
FAU: Security Audit: FAU_ARP.1 Security alarms; FAU_GEN.1 Audit data generation; FAU_GEN.2 User identity association; FAU_SAA.1 Potential violation analysis; FAU_SAR.1 Audit review; FAU_STG.1 Protected audit trail storage
FDP: User Data Protection: FDP_ACC.1 Subset access control; FDP_ACF.1 Security attribute based access control; FDP_ROL.1 Basic rollback
FIA: Identification and Authentication: FIA_ATD.1 User attribute definition; FIA_UAU.2 User authentication before any action; FIA_UID.2 User identification before any action
FMT: Security Management: FMT_MOF.1 Management of security functions behaviour; FMT_MSA.1 Management of security attributes (two iterations); FMT_MSA.3 Static attribute initialisation; FMT_MTD.1 Management of TSF data; FMT_SMF.1 Specification of management functions; FMT_SMR.1 Security roles
Table 9: TOE Security Functional Requirements

6.1.1 Security Audit (FAU)

6.1.1.1 Security alarms (FAU_ARP.1)
FAU_ARP.1.1 The TSF shall take [the following actions: post a message, block the transaction, and generate a log entry] upon detection of a potential security violation.

6.1.1.2 Audit data generation (FAU_GEN.1)
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [detailed] level of audit; and
c) [transactional events, written to the trace log; server-side auditing, written to the event log].
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [the server-side auditing information].
6.1.1.3 User identity association (FAU_GEN.2)
FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event.

6.1.1.4 Potential violation analysis (FAU_SAA.1)
FAU_SAA.1.1 The TSF shall be able to apply a set of rules in monitoring the audited events and based upon these rules indicate a potential violation of the enforcement of the SFRs.
FAU_SAA.1.2 The TSF shall enforce the following rules for monitoring audited events:
a) Accumulation or combination of [no such events specified] known to indicate a potential security violation;
b) [all transactions performed by authorized TOE users].

6.1.1.5 Audit review (FAU_SAR.1)
FAU_SAR.1.1 The TSF shall provide [Administrators, GPA Admins] with the capability to read [all audit information] from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

6.1.1.6 Protected audit trail storage (FAU_STG.1)
FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorised deletion.
FAU_STG.1.2 The TSF shall be able to [prevent] unauthorised modifications to the stored audit records in the audit trail.

6.1.2 User Data Protection (FDP)

6.1.2.1 Subset access control (FDP_ACC.1)
FDP_ACC.1.1 The TSF shall enforce the [access control SFP] on [authorized administrators (subjects), all GPA components (objects), and read, write, modify and execute access (operations)].

6.1.2.2 Security attribute based access control (FDP_ACF.1)
FDP_ACF.1.1 The TSF shall enforce the [access control SFP] to objects based on the following: [membership in the System Administrators group, or membership in the GPA Administrators group, or membership in the GPA Users group (see footnote 3), for read, write and execute access to all GPA objects].
FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [a user may execute functionality based on membership in the System Administrators group, or membership in the GPA Administrators group, or membership in the GPA Users group (see footnote 3)].
FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [none].
FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [users that are not in the System Administrators group, not in the GPA Administrators group, and not defined as GPA Users (see footnote 3) are denied access].

Footnotes 3, 4 and 5: GPA Users are users that have been granted privileges from the privilege table in Appendix A.

6.1.2.3 Basic rollback (FDP_ROL.1)
FDP_ROL.1.1 The TSF shall enforce the [access control SFP] to permit the rollback of [changes to a GPO] on [the GPOs managed by the GPA].
FDP_ROL.1.2 The TSF shall permit operations to be rolled back within [the previous version of the GPO].

6.1.3 Identification and Authentication (FIA)

6.1.3.1 User attribute definition (FIA_ATD.1)
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [role; authorizations].

6.1.3.2 User authentication before any action (FIA_UAU.2)
FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

6.1.3.3 User identification before any action (FIA_UID.2)
FIA_UID.2.1 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.
6.1.4 Security Management (FMT)

6.1.4.1 Management of security functions behaviour (FMT_MOF.1)
FMT_MOF.1.1 The TSF shall restrict the ability to [enable and disable] the functions [that enable changes to the Group Policy Objects (GPOs) and the audit capabilities] to [Administrators, members of the GPA Admins group].

6.1.4.2 Management of security attributes (FMT_MSA.1(1))
FMT_MSA.1.1(1) The TSF shall enforce the [access control SFP] to restrict the ability to [modify, delete, [add]] the security attributes [privileges and groups of privileges] to [Administrators and GPA Admins].

6.1.4.3 Management of security attributes (FMT_MSA.1(2))
FMT_MSA.1.1(2) The TSF shall enforce the [access control SFP] to restrict the ability to [modify, delete, [delegate to authorized users]] the security attributes [the authorization to issue administrative commands and make system changes based on privileges] to [Administrators and GPA Admins].

6.1.4.4 Static attribute initialisation (FMT_MSA.3)
FMT_MSA.3.1 The TSF shall enforce the [access control SFP] to provide [restrictive] default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the [Administrators, GPA Admins] to specify alternative initial values to override the default values when an object or information is created.

6.1.4.5 Management of TSF data (FMT_MTD.1)
FMT_MTD.1.1 The TSF shall restrict the ability to [modify] the [GPO privileges] (see footnote 6) to [Administrators, GPA Admins].

6.1.4.6 Specification of management functions (FMT_SMF.1)
FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions: [management of the GPA Admins and GPA Users roles and of their privileges; only Administrators can modify the behaviour of administrators or users].

6.1.4.7 Security roles (FMT_SMR.1)
FMT_SMR.1.1 The TSF shall maintain the roles [Administrators, GPA Admins, GPA Users].
FMT_SMR.1.2 The TSF shall be able to associate users with roles.

6.1.5 Security Assurance Requirements

This section defines the assurance requirements for the TOE. Assurance requirements are taken from CC v3.1 Revision 5, Part 3. The TOE claims the requirements specified for EAL2, augmented with Systematic Flaw Remediation (ALC_FLR.3). The following table summarizes the requirements.

Footnote 6: GPO privileges are defined in Appendix A.

Assurance Class: Assurance Components
ADV: Development: ADV_ARC.1 Security architecture description; ADV_FSP.2 Security-enforcing functional specification; ADV_TDS.1 Basic design
AGD: Guidance documents: AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures
ALC: Life-cycle support: ALC_CMC.2 Use of a CM system; ALC_CMS.2 Parts of the TOE CM coverage; ALC_DEL.1 Delivery procedures; ALC_FLR.3 Systematic flaw remediation
ASE: Security Target evaluation: ASE_CCL.1 Conformance claims; ASE_ECD.1 Extended components definition; ASE_INT.1 ST introduction; ASE_OBJ.2 Security objectives; ASE_REQ.2 Derived security requirements; ASE_SPD.1 Security problem definition; ASE_TSS.1 TOE summary specification
ATE: Tests: ATE_COV.1 Evidence of coverage; ATE_FUN.1 Functional testing; ATE_IND.2 Independent testing - sample
AVA: Vulnerability assessment: AVA_VAN.2 Vulnerability analysis
Table 10: Security Assurance Requirements

6.2 Security Assurance Requirements Rationale

EAL2 augmented with ALC_FLR.3 (EAL2+) was chosen to provide a low level of assurance that is consistent with good commercial practices. As such, minimal additional tasks are placed upon the vendor, assuming the vendor follows reasonable software engineering practices and can provide support to the evaluation for design and testing efforts. The chosen assurance level is appropriate for the threats defined for the environment.
While the System may monitor a hostile environment, it is expected to be in a non-hostile position and embedded in or protected by other products designed to address threats that correspond with the intended environment. At EAL2+, the System will have incurred a search for obvious flaws to support its introduction into the non-hostile environment. The ALC_FLR.3 augmentation was claimed because systematic flaw remediation is important to the customers of the product.

6.3 Requirement Dependency Rationale

The following table demonstrates that all dependencies among the claimed security requirements are satisfied and therefore the requirements work together to accomplish the overall objectives defined for the TOE. Dependencies on FIA_UID.1 are met by the claimed FIA_UID.2, which is hierarchical to FIA_UID.1; the dependency of FAU_GEN.1 on FPT_STM.1 (reliable time stamps) is met by the IT environment (OE.TIME).

SFR: Dependencies: Met By
FAU_ARP.1: FAU_SAA.1: Included
FAU_GEN.1: FPT_STM.1: Met by environment
FAU_GEN.2: FAU_GEN.1, FIA_UID.1: Met by FAU_GEN.1 and FIA_UID.2
FAU_SAA.1: FAU_GEN.1: Included
FAU_SAR.1: FAU_GEN.1: Included
FAU_STG.1: FAU_GEN.1: Included
FDP_ACC.1: FDP_ACF.1: Included
FDP_ACF.1: FDP_ACC.1, FMT_MSA.3: Included
FDP_ROL.1: FDP_ACC.1: Included
FIA_ATD.1: None: None
FIA_UAU.2: FIA_UID.1: Met by FIA_UID.2
FIA_UID.2: None: None
FMT_MOF.1: FMT_SMR.1, FMT_SMF.1: Included
FMT_MSA.1: FDP_ACC.1, FMT_SMR.1, FMT_SMF.1: Included
FMT_MSA.3: FMT_MSA.1, FMT_SMR.1: Included
FMT_MTD.1: FMT_SMR.1, FMT_SMF.1: Included
FMT_SMF.1: None: None
FMT_SMR.1: FIA_UID.1: Met by FIA_UID.2
Table 11: Requirement Dependency

6.4 Security Requirements Rationale

This section demonstrates that there is at least one functional component for each objective (and that all SFRs map to one or more objectives) by a discussion of the coverage for each objective.
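Returning briefly to the dependency rationale of Section 6.3: the closure check that Table 11 documents by hand can be automated, which is how an ST author catches a dependency left unmet when an SFR is dropped or iterated. The following Python script is an added worked example written for this page, not part of the Security Target and not OpenText code. The claimed set is Table 9, the dependency list is copied from Table 11, the two hierarchical pairs (FIA_UID.2 above FIA_UID.1, FIA_UAU.2 above FIA_UAU.1) are from CC Part 2, and FPT_STM.1 is the one dependency Table 11 assigns to the environment; the function and variable names are the example's own.

```python
"""Dependency-closure check for a claimed SFR set, as an ST author would run it
before writing the dependency rationale.  Added example for this page; the
dependency data is copied from Table 11 (CC v3.1 R5 Part 2)."""
import re

# Dependencies of each claimed component (Table 11).  Where Part 2 allows an
# alternative (FDP_ACC.1 or FDP_IFC.1), only the component this ST uses is kept.
DEPENDENCIES = {
    "FAU_ARP.1": ["FAU_SAA.1"],
    "FAU_GEN.1": ["FPT_STM.1"],
    "FAU_GEN.2": ["FAU_GEN.1", "FIA_UID.1"],
    "FAU_SAA.1": ["FAU_GEN.1"],
    "FAU_SAR.1": ["FAU_GEN.1"],
    "FAU_STG.1": ["FAU_GEN.1"],
    "FDP_ACC.1": ["FDP_ACF.1"],
    "FDP_ACF.1": ["FDP_ACC.1", "FMT_MSA.3"],
    "FDP_ROL.1": ["FDP_ACC.1"],
    "FIA_ATD.1": [],
    "FIA_UAU.2": ["FIA_UID.1"],
    "FIA_UID.2": [],
    "FMT_MOF.1": ["FMT_SMR.1", "FMT_SMF.1"],
    "FMT_MSA.1": ["FDP_ACC.1", "FMT_SMR.1", "FMT_SMF.1"],
    "FMT_MSA.3": ["FMT_MSA.1", "FMT_SMR.1"],
    "FMT_MTD.1": ["FMT_SMR.1", "FMT_SMF.1"],
    "FMT_SMF.1": [],
    "FMT_SMR.1": ["FIA_UID.1"],
}
# A hierarchically higher component satisfies a dependency on the lower one
# (CC Part 2).  Only the pairs relevant to this ST are listed.
HIERARCHY = {"FIA_UID.2": "FIA_UID.1", "FIA_UAU.2": "FIA_UAU.1"}
# Dependencies this ST meets in the IT environment (Table 11: "Met by environment").
ENVIRONMENT = {"FPT_STM.1"}
# The claimed set of Table 9, including both iterations of FMT_MSA.1.
CLAIMED = [
    "FAU_ARP.1", "FAU_GEN.1", "FAU_GEN.2", "FAU_SAA.1", "FAU_SAR.1", "FAU_STG.1",
    "FDP_ACC.1", "FDP_ACF.1", "FDP_ROL.1", "FIA_ATD.1", "FIA_UAU.2", "FIA_UID.2",
    "FMT_MOF.1", "FMT_MSA.1(1)", "FMT_MSA.1(2)", "FMT_MSA.3", "FMT_MTD.1",
    "FMT_SMF.1", "FMT_SMR.1",
]


def base_component(name):
    """Strip an iteration suffix: 'FMT_MSA.1(2)' -> 'FMT_MSA.1'."""
    return re.sub(r"\(\d+\)$", "", name.strip())


def check_dependencies(claimed, environment=ENVIRONMENT):
    """Return (report, unmet).  report maps (component, dependency) to how the
    dependency is met: the dependency itself, a hierarchical component, or
    'environment'; unmet lists the pairs that have no justification."""
    bases = sorted({base_component(c) for c in claimed})
    unknown = [c for c in bases if c not in DEPENDENCIES]
    if unknown:
        raise ValueError(f"no dependency data for {unknown}")
    satisfied_by = {c: c for c in bases}
    for c in bases:                       # hierarchical satisfaction
        lower = HIERARCHY.get(c)
        if lower and lower not in satisfied_by:
            satisfied_by[lower] = f"{c} (hierarchical)"
    for dep in environment:               # satisfied by the IT environment
        satisfied_by.setdefault(dep, "environment")
    report = {}
    for c in bases:
        for dep in DEPENDENCIES[c]:
            report[(c, dep)] = satisfied_by.get(dep)
    unmet = [pair for pair, how in report.items() if how is None]
    return report, unmet


if __name__ == "__main__":
    report, unmet = check_dependencies(CLAIMED)
    for (component, dependency), how in report.items():
        print(f"{component} -> {dependency}: {how or 'UNMET'}")
    print("all dependencies met" if not unmet else f"unmet: {unmet}")
```

Run against the claimed set the script reports every dependency as met, with the two FIA_UID.1 entries justified by FIA_UID.2 and FPT_STM.1 by the environment; removing FMT_SMF.1 from the claimed list shows the three SFRs (FMT_MOF.1, FMT_MSA.1, FMT_MTD.1) whose dependency on it would then need a rationale.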
The correspondence matrix is given below as one row per objective, listing the SFRs that meet it; the rationale for each entry follows in Table 13.

Objective: SFRs
O.ADMIN_ROLE: FDP_ROL.1, FIA_ATD.1, FMT_SMR.1
O.MANAGE: FMT_MOF.1, FMT_MSA.1(1), FMT_MSA.1(2), FMT_MSA.3, FMT_MTD.1, FMT_SMF.1
O.AUDIT: FAU_GEN.1, FAU_GEN.2
O.TOE_PROTECTION: FAU_GEN.1, FAU_STG.1, FDP_ACC.1
O.RESPONSE: FAU_ARP.1, FAU_SAA.1
O.GPA_AUTH: FDP_ACC.1, FMT_MSA.1(1), FMT_MSA.1(2), FMT_MSA.3
O.GPA_AUDIT: FAU_GEN.1, FAU_SAR.1, FAU_STG.1, FMT_MOF.1, FMT_MTD.1
O.GPA_REP: FDP_ACC.1
O.GPA_ACPOL: FDP_ACC.1, FDP_ACF.1
Table 12: Objective to Requirement Correspondence

FIA_UAU.2 and FIA_UID.2, although claimed in Table 9, are not mapped to any objective in Table 12 or Table 13.

Objective: Rationale
O.ADMIN_ROLE: This objective ensures that only authorized administrator roles can perform actions, based on authorizations. This is met by:
FDP_ROL.1, which ensures only administrators can perform a rollback of a GPO.
FIA_ATD.1, which ensures that the TOE allows access to functions based on explicit privileges (powers) provided to Administrators.
FMT_SMR.1, which ensures the TOE maintains roles for Administrators.
O.MANAGE: This objective allows the Administrator to manage the TOE and its security functions. This is met by:
FMT_MOF.1, which restricts the ability to manage settings to authorized Administrators and authorized GPA Admins.
FMT_MSA.1(1), which restricts the ability to modify, add or delete privileges to authorized Administrators.
FMT_MSA.1(2), which allows the Administrator to delegate certain commands to authorized users.
FMT_MSA.3, which allows the administrator to modify the TOE default privileges.
FMT_MTD.1, which restricts modification of the GPO privileges to the Administrator and GPA Admins.
FMT_SMF.1, which gives only authorized Administrators the ability to manage GPA Admins and Users.
O.AUDIT: This objective ensures the TOE audits events and associates them with users. This is met by:
FAU_GEN.1, which ensures that the TOE generates audit data for ALL transactions attempted and executed through the GUI/UI (Console Subsystem).
FAU_GEN.2, which associates audit events with the users causing the events.
O.RESPONSE: This objective ensures the TOE responds to trigger events.
This is met by:
FAU_ARP.1, which ensures that if a user attempts to make a change they are not authorized for, they receive a message, the transaction is blocked, and an entry is made in the audit log.
FAU_SAA.1, which ensures that the TOE provides functions to analyze audit events and trends as part of the GUI/UI (Console Subsystem) analysis reporting subsystem.
O.GPA_AUTH: This objective ensures that only authorized users can access TOE functionality. This is met by:
FDP_ACC.1, which ensures only authorized users are able to access TOE functionality.
FMT_MSA.1(1), which ensures only Administrators are able to add, modify or delete privileges.
FMT_MSA.1(2), which ensures that Administrators can delegate activities.
FMT_MSA.3, which ensures the Administrators and GPA Admins are allowed to change default privileges.
O.GPA_AUDIT: This objective ensures that the TOE collects and stores transactional information that can be used to audit changes to the AD and group policy objects. This is met by:
FAU_GEN.1, which ensures that the TOE generates audit data for ALL transactions attempted and executed through the GUI/UI (Console Subsystem).
FAU_SAR.1, which ensures the TOE provides audit event review as part of the GUI/UI (Console Subsystem).
FAU_STG.1, which ensures the TOE stores audit event information in a protected area on the GPA Server Subsystem.
FMT_MOF.1, which ensures that the TOE restricts the ability to manage settings to Administrators and GPA Admins.
FMT_MTD.1, which ensures that the TOE restricts the modification of GPO privileges to Administrators and GPA Admins.
O.GPA_REP: This objective ensures the TOE provides identification for source and target objects. This is met by:
FDP_ACC.1, under which the TOE allows access to information by enforcing user privileges as defined by being a GPA Administrator, by being a GPA User, or by being in the System Administrators group.
O.GPA_ACPOL: This objective ensures the TOE provides an access control policy. This is met by:
FDP_ACC.1, under which the TOE allows access to information by enforcing user privileges as defined by being a GPA Administrator, by being a GPA User, or by being in the System Administrators group.
FDP_ACF.1, under which the TOE enforces access to functions based on the user privileges as defined by being a GPA Administrator, by being a GPA User, or by being in the System Administrators group.
O.TOE_PROTECTION: This objective ensures that the TOE can detect external interference or tampering and allows for mitigation. This is met by:
FAU_GEN.1, which generates audit data for ALL transactions attempted and executed through the GUI/UI (Console Subsystem).
FAU_STG.1, which ensures the TOE stores audit event information in a protected area on the GPA Server Subsystem.
FDP_ACC.1, under which the TOE allows access to information by enforcing user privileges as defined by being a GPA Administrator, by being a GPA User, or by being in the System Administrators group.
Table 13: SFR Sufficiency Rationale

6.5 Security Functions Mapped to SFRs

This section, in conjunction with Section 7 (the TOE Summary Specification), provides evidence that the security functions are suitable to meet the TOE security requirements. The collection of security functions works together to provide all of the security requirements. The security functions described in the TOE Summary Specification are all necessary for the required security functionality in the TSF. The table below describes the relationship between security requirements and security functions.
Security Function: SFRs
Security Audit: FAU_ARP.1, FAU_GEN.1, FAU_GEN.2, FAU_SAA.1, FAU_SAR.1, FAU_STG.1
User Data Protection: FDP_ACC.1, FDP_ACF.1, FDP_ROL.1, FIA_ATD.1
Identification & Authentication: FIA_ATD.1, FIA_UAU.2, FIA_UID.2
Security Management: FIA_ATD.1, FMT_MOF.1, FMT_MSA.1(1), FMT_MSA.1(2), FMT_MSA.3, FMT_MTD.1, FMT_SMF.1, FMT_SMR.1
Table 14: Security Functions vs. Requirements Mapping

7 TOE Summary Specification (ASE_TSS)

This chapter describes the security functions associated with the TOE.

7.1 TOE Security Functions

The TOE is comprised of four security functions:
• Security Audit
• User Data Protection
• Identification and Authentication
• Security Management

7.2 Security Audit

The NetIQ Group Policy Administrator provides the ability to make changes to Group Policy Objects. When Administrators, GPA Admins, or GPA Users make a change using NetIQ GPA, the change is logged. GPA Users cannot delegate or alter their own privileges. All commands and changes are logged and can be rolled back. Access to the GPA audit trail is restricted to Administrators and GPA Admins.

The Security Audit function is designed to satisfy the following security functional requirements:
FAU_ARP.1: The TOE allows access to functions based on explicit privileges (powers) provided to Administrators, GPA Admins, or GPA Users. If a user attempts to make a change they are not authorized for, they receive a message, the transaction is blocked, and an entry is made in the audit log.
FAU_GEN.1: The TOE generates audit data for ALL transactions attempted and executed through the GUI/UI (Console Subsystem).
FAU_GEN.2: The TOE associates each auditable event with the user that caused the event to occur.
FAU_SAA.1: The TOE provides functions to analyze audit events and trends as part of the GUI/UI (Console Subsystem) analysis reporting subsystem.
FAU_SAR.1: The TOE provides audit event review as part of the GUI/UI (Console Subsystem).
FAU_STG.1: The TOE stores audit event information in a protected area on the GPA Server Subsystem.

7.3 User Data Protection

The GPA protects the group policy objects by enforcing the privileges associated with individual users. These privileges are associated in the following ways:
• by virtue of being an Administrator (i.e. membership in the Administrators group),
• or by being in the GPA Administrators group,
• or by having privileges specified in the privilege table (Appendix A).

The User Data Protection function is designed to satisfy the following security functional requirements:
FDP_ROL.1: The TOE can revert a GPO to a previous version in order to maintain data continuity, ensuring no data is lost between GPO versions.
FDP_ACC.1: The TOE allows access to information by enforcing user privileges as defined by being a GPA Administrator, by being a GPA User, or by being in the System Administrators group.
FDP_ACF.1: The TOE enforces access to functions based on the user privileges as defined by being a GPA Administrator, by being a GPA User, or by being in the System Administrators group.
FIA_ATD.1: The TOE maintains a list of security attributes belonging to individual roles (authorizations), i.e. for GPA Admins and GPA Users.

7.4 Identification and Authentication

GPA provides a Console Interface GUI/UI that administrators may use to define GPA Admins as well as delegate responsibilities to users (GPA Users). The GPA Console Interface GUI/UI application does not itself identify and authenticate individual administrators. When an Administrator, GPA Admin, or GPA User attempts to access the GPA Console Interface GUI/UI, the Console obtains the user's credentials from the operating system. These credentials are then forwarded to the IT environment, which performs the identification and authentication. If the credentials are insufficient to perform any tasks, the Console Subsystem exits.
If the user has been successfully identified and authenticated by the environment, and has been identified as an Administrator, GPA Admin, or GPA User, the GPA Console Interface GUI/UI provides access to the appropriate interfaces. Authorization data maintained by the TOE for each role that the TOE recognizes is used to determine the functions that a user possessing a given role may perform. The TOE recognizes the following operating system groups and users, which each correspond to TOE roles:
• Administrators
• GPA Admins
• GPA Users
Operating system groups and functions are described further in Section 3.1.2.

The Identification and Authentication function is designed to satisfy the following security functional requirements:
FIA_ATD.1: The TOE maintains authorization information that determines which TOE functions a role may perform.
FIA_UAU.2: The TOE does not allow any actions to be performed until a user has been authenticated (by the IT environment, as described above).
FIA_UID.2: The TOE does not allow any actions to be performed until a user has been identified.

7.5 Security Management

The GPA application includes the following components:
• Console Subsystem
• GPA Server Subsystem
• SQL Servers (not part of the TOE)
• Domain Controller (not part of the TOE)

To use the Console Subsystem, the authorized user must be a member of one of the following groups:
• Administrators
• GPA Admins
• GPA Users
In order for the program to function, the System Administrator (as defined by the IT environment) must access the AD and either assign users to the groups above or grant them privileges as specified in Appendix A.

The Security Management function is designed to satisfy the following security functional requirements:
FIA_ATD.1: The TOE maintains authorization information that determines which TOE functions an Administrator, GPA Admin or GPA User may perform.
FMT_MOF.1  The TOE restricts the ability to manage settings to authorized Administrators and authorized GPA Admins.
FMT_MSA.1(1)  The TOE restricts the ability to modify, add, or delete privileges to Administrators and GPA Admins.
FMT_MSA.1(2)  Authorized administrators can delegate the running of commands to authorized users.
FMT_MSA.3  The TOE provides a default set of privileges as well as the ability for Administrators and GPA Admins to modify the default.
FMT_MTD.1  The TOE restricts the ability to modify the GPO privileges [7] to Administrators and GPA Admins.
FMT_SMF.1  The TOE provides authorized Administrators with the ability to manage GPA Admins and GPA Users.
FMT_SMR.1  The TOE maintains roles for Administrators, GPA Admins, and GPA Users.

[7] GPO Privileges are defined in Appendix A.

8 Appendix A - Privileges

#  | Task | Notes
1  | Full Control | Sets permissions for all tasks at all levels
2  | Full GP Repository Server Control | Sets permissions for tasks 3-5
3  | Add GP Repository User | This privilege allows the addition of a GP Repository User
4  | Add Remote User | This privilege allows the addition of a Remote User
5  | Customize Deployment Options | This privilege allows the customization of Deployment Options
6  | Full Domain Control | Sets all domain-level permissions for tasks 8, 9, 10, 12, and 14
7  | Create New Domain | This privilege allows the creation of a New Domain
8  | Delete Domain | This privilege allows the deletion of a Domain
9  | Migrate GPO | This privilege allows the migration of a GPO
10 | Import GPO from Active Directory | This privilege allows the import of a GPO from an Active Directory
11 | Synchronize ADMX from the Central Store | This task is directly associated with the Import GPO from Active Directory task at the GP Repository and domain levels. You cannot set permissions for this task directly. When you enable the Import GPO from Active Directory task, you also set permissions for this task.
12 | Export GPO to Active Directory | This privilege allows the export of a GPO to an Active Directory
13 | Export ADMX to the Central Store | This task is directly associated with the Export GPO to Active Directory and Modify Export Status tasks at the GP Repository and domain levels. You cannot set permissions for this task directly. When you enable the Export GPO to Active Directory and Modify Export Status tasks, you also set permissions for this task.
14 | Edit Domain Maps | This privilege allows the editing of Domain Maps
15 | Full Category Control | Sets all category-level permissions for tasks 16-19
16 | Create Category | This privilege allows the creation of a Category
17 | Delete Category | This privilege allows the deletion of a Category
18 | Paste GPO Category Link | This privilege allows the pasting of a GPO Category Link
19 | Rename Category | This privilege allows a Category to be renamed
20 | Full GPO Control | Sets all permissions below this level except Manage GPR Security
21 | Create GPO | This privilege allows the creation of a GPO
22 | Add ADMX | This task is directly associated with the Create GPO task at the GP Repository and domain levels. You cannot set permissions for this task directly. When you enable the Create GPO task, you also set permissions for this task.
23 | Modify GPO | Sets permissions for tasks 24-27
24 | Modify GPO Settings | Allows the modification of GPO Settings
25 | Modify GPO Links | Allows the modification of GPO Links
26 | Modify GPO Security | Allows the modification of GPO Security
27 | Rename GPO | Allows a GPO to be renamed
28 | Delete GPO | Allows the deletion of a GPO
29 | Remove ADMX | This task is directly associated with the Delete GPO task at the GP Repository and domain levels. You cannot set permissions for this task directly. When you enable the Delete GPO task, you also set permissions for this task.
30 | Check Out GPO | Allows a GPO to be checked out
31 | Override Check Out | Allows the overriding of a checked-out GPO
32 | Rollback | Allows a GPO change to be rolled back
33 | Approve/Unapprove GPO | Allows a GPO to be approved or unapproved
34 | Approve/Unapprove ADMX Files | This task is directly associated with the Approve/Unapprove GPO task at the GP Repository and domain levels. You cannot set permissions for this task directly. When you enable the Approve/Unapprove GPO task, you also set permissions for this task.
35 | Modify Export Status | Allows the Export Status of a GPO to be modified
36 | Modify GPO Security Filters | Allows GPO Security Filters to be modified
37 | Modify GPO Enterprise Sync | Enables the user to designate master and controlled GPOs
38 | GPO Synchronizer | Enables the user to modify GPOs using Enterprise Synchronization
39 | Manage GPR Security | Enables the user to change all security settings

Table 2: Tasks
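The privilege model of section 7.3 and the aggregate and derived tasks in Table 2 can be checked with a small resolver. The following is an added illustration, not NetIQ/OpenText code: it takes a user's operating-system groups and privilege-table entries and returns the effective task set, expanding aggregate privileges (for example, Full Domain Control grants tasks 8, 9, 10, 12 and 14) and adding the tasks the table says cannot be set directly (11, 13, 22, 29 and 34). Assumptions not stated on the page: membership in Administrators or GPA Admins is treated as Full Control; for task 13, enabling either of its two source tasks is treated as sufficient; the names CONSOLE_GROUPS, FULL_CONTROL_GROUPS and all function names are hypothetical.

```python
"""Effective-privilege resolver for the Appendix A task table.

Added illustration (not NetIQ/OpenText code). Task numbers, aggregate
privileges and derived tasks are transcribed from Table 2; the mapping of
operating-system groups to privileges is an assumption, marked below.
"""
from __future__ import annotations

from typing import Iterable

TASK_NUMBERS = frozenset(range(1, 40))  # Table 2 lists tasks 1..39

# Aggregate privileges: granting the key also grants every task in the value
# (taken from the Notes column of Table 2).
AGGREGATES: dict[int, frozenset[int]] = {
    1: frozenset(range(2, 40)),        # Full Control: all tasks at all levels
    2: frozenset({3, 4, 5}),           # Full GP Repository Server Control: tasks 3-5
    6: frozenset({8, 9, 10, 12, 14}),  # Full Domain Control (7 Create New Domain is not included)
    15: frozenset({16, 17, 18, 19}),   # Full Category Control: tasks 16-19
    20: frozenset(range(21, 39)),      # Full GPO Control: all below it except 39 Manage GPR Security
    23: frozenset({24, 25, 26, 27}),   # Modify GPO: tasks 24-27
}

# Derived tasks: Table 2 says these cannot be granted directly; they follow from
# the tasks listed. Where the Notes name two source tasks (13), enabling either
# is treated as sufficient (assumption); this over-approximates, which is the
# safe direction when auditing what a user can do.
IMPLIED: dict[int, frozenset[int]] = {
    11: frozenset({10}),      # Synchronize ADMX         <- Import GPO from Active Directory
    13: frozenset({12, 35}),  # Export ADMX              <- Export GPO to AD / Modify Export Status
    22: frozenset({21}),      # Add ADMX                 <- Create GPO
    29: frozenset({28}),      # Remove ADMX              <- Delete GPO
    34: frozenset({33}),      # Approve/Unapprove ADMX   <- Approve/Unapprove GPO
}

CONSOLE_GROUPS = frozenset({"Administrators", "GPA Admins", "GPA Users"})  # section 7.5
FULL_CONTROL_GROUPS = frozenset({"Administrators", "GPA Admins"})          # assumption: these hold task 1


def validate_grants(direct: Iterable[int]) -> list[str]:
    """Return problems with a set of privilege-table entries (empty list if none)."""
    problems = []
    for task in sorted(set(direct)):
        if task not in TASK_NUMBERS:
            problems.append(f"task {task} does not exist in Table 2")
        elif task in IMPLIED:
            sources = "/".join(str(t) for t in sorted(IMPLIED[task]))
            problems.append(f"task {task} cannot be set directly; it follows from task {sources}")
    return problems


def expand(direct: Iterable[int]) -> set[int]:
    """Close a set of directly granted task numbers under aggregation and implication."""
    effective = set(direct) & TASK_NUMBERS
    changed = True
    while changed:  # fixed point: implications triggered by an aggregate expansion are picked up too
        changed = False
        for aggregate, members in AGGREGATES.items():
            if aggregate in effective and not members <= effective:
                effective |= members
                changed = True
        for derived, sources in IMPLIED.items():
            if derived not in effective and effective & sources:
                effective.add(derived)
                changed = True
    return effective


def effective_tasks(os_groups: Iterable[str], table_grants: Iterable[int]) -> set[int]:
    """Tasks a user can perform, given OS group membership and privilege-table entries."""
    groups = set(os_groups)
    if not groups & CONSOLE_GROUPS:
        return set()  # section 7.5: console use requires one of the three groups
    direct = set(table_grants)
    if groups & FULL_CONTROL_GROUPS:
        direct.add(1)
    return expand(direct)


def is_permitted(os_groups: Iterable[str], table_grants: Iterable[int], task: int) -> bool:
    """True if the task is in the user's effective task set."""
    return task in effective_tasks(os_groups, table_grants)


if __name__ == "__main__":
    # Constructed sample: a GPA User delegated Full Domain Control (task 6) only.
    print(sorted(effective_tasks({"GPA Users"}, {6})))   # [6, 8, 9, 10, 11, 12, 13, 14]
    print(validate_grants({11, 40}))                      # two problems reported
```

When reviewing delegations, the useful output is the difference between what was entered in the privilege table and what `expand` returns: a grant that looks narrow (Import GPO from Active Directory) also carries Synchronize ADMX from the Central Store, and Full GPO Control reaches every GPO-level task except Manage GPR Security.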