NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Microsoft Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client

Certificate Date:  2016.12.29

Validation Report Number:  CCEVS-VR-VID10753-2016

Product Type:    Virtual Private Network

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for IPsec Virtual Private Network (VPN) Clients Version 1.4

CC Testing Lab:  Leidos Common Criteria Testing Laboratory

Maintenance Release:
CC Certificate [PDF] Security Target [PDF] * Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

* This is the Security Target (ST) associated with the latest Maintenance Release.  To view previous STs for this TOE, click here.

Product Description

The evaluated version of the TOE includes the following editions of Windows 10 (Anniversary Update) with all critical updates as of September 14, 2016:

•  Microsoft Windows 10 (Anniversary Update) Enterprise Edition (64-bit version)
•  Microsoft Windows 10 (Anniversary Update) Pro Edition (64-bit version)
•  Microsoft Windows 10 (Anniversary Update) Home Edition (64-bit version)
•  Microsoft Windows Server 2016

Windows 10 is suited for business desktops, notebook, convertible, and tablet computers. It is the workstation product and while it can be used by itself, it is designed to serve as a client within Windows domains. 

Evaluated Configuration

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the PP VPN IPSEC CLIENT, version 1.4. The criteria against which the Windows 10 IPsec VPN Client was judged are described in the Protection Profile Assurance Activities.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 revision 4. The product, when delivered configured as identified in the guidance document, satisfies all of the security functional requirements stated in the Microsoft Windows 10 (Anniversary Update) IPsec VPN Client Security Target, Version 0.04. The project underwent CCEVS validation team review.  The evaluation was completed in December 2016.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

Security Audit
Windows has the ability to collect audit data, review audit logs, protect audit logs from overflow, and restrict access to audit logs.  Audit information generated by the system includes the date and time of the event, the user identity that caused the event to be generated, and other event specific data.  Authorized administrators can review audit logs and have the ability to search and sort audit records. Authorized Administrators can also configure the audit system to include or exclude potentially auditable events to be audited based on a wide range of characteristics. In the context of this evaluation, the protection profile requirements cover generating audit events and selecting which events should be audited.

Cryptographic Support
Windows provides FIPS validated cryptographic functions that support encryption/decryption, cryptographic signatures, cryptographic hashing, cryptographic key agreement (which is not studied in this evaluation), and random number generation. The TOE additionally provides support for public keys, credential management and certificate validation functions and provides support for the National Security Agency’s Suite B cryptographic algorithms. Windows also provides extensive auditing support of cryptographic operations, the ability to replace cryptographic functions and random number generators with alternative implementations, and a key isolation service designed to limit the potential exposure of secret and private keys. In addition to using cryptography for its own security functions, Windows offers access to the cryptographic support functions for user-mode and kernel-mode programs. Public key certificates generated and used by Windows authenticate users and machines as well as protect both user and system data in transit.
•  IPsec: Windows implements IPsec to provide protected, authenticated, confidential, and tamper-proof networking between two peer computers.

User Data Protection
In the context of this evaluation Windows protects user data by means of protected network tunnel based on IPsec and zeroizes memory before it is allocated to a subject process.

Identification and Authentication
In the context of this evaluation, Windows provides the ability to use, store, and protect X.509 certificates that are used for IPsec VPN sessions along with capability to use a pre-shared key.

Protection of the TOE Security Functions
Windows provides a number of features to ensure the protection of TOE security functions.   Windows protects against unauthorized data disclosure and modification by using a suite of Internet standard protocols including IPsec, IKE, and ISAKMP.  Windows ensures process isolation security for all processes through private virtual address spaces, execution context, and security context.  The Windows data structures defining process address space, execution context, memory protection, and security context are stored in protected kernel-mode memory. Windows includes self-testing features that ensure the integrity of executable program images and its cryptographic functions. Finally, Windows provides a trusted update mechanism to update Windows binaries itself.

Trusted Path for Communications
Windows uses the IPsec suite of protocols to provide a Virtual Private Network Connection (VPN) between itself, acting as a VPN client, and a VPN gateway.

Security Management
Windows includes several functions to manage security policies.  Policy management is controlled through a combination of access control, membership in administrator groups, and privileges.

Vendor Information

Microsoft Corporation
Mike Grimm
+1 (425) 703 5683
+1 (425) 936 7329
Site Map              Contact Us              Home