NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Thycotic Secret Server Government Edition v10.1

Certificate Date:  2018.12.21

Validation Report Number:  CCEVS-VR-VID10953-2018

Product Type:    Enterprise Security Management

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Enterprise Security Management - Identity and Credential Management Version 2.1

CC Testing Lab:  CygnaCom Solutions, Inc

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The TOE is an enterprise identity and credential management application. The TOE is used as an enterprise credential manager, where it extends the ability of enrolled enterprise users to access IT systems within the enterprise that are not capable of consuming enterprise user definitions directly.

The TOE is used in enterprise settings to manage user credentials within a large organization. The TOE is responsible for associating domain users with different sets of privileges with access to operational environment resources and services.

Evaluated Configuration

In the evaluated configuration the TOE consists of the software application running on Windows Server 2016 Standard (x64), with Internet Information Service (IIS) 10.0 enabled, and integrated with a local Microsoft SQL Server 2016 database. In the operational environment, the TOE integrates with external Audit, Domain Controller, and CRL Servers.

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. The TOE was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4.

The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4.

CygnaCom Solutions has determined that the product meets the security criteria in the Security Target, which specifies compliance with the Protection Profile for Enterprise Security Management - Identity and Credential Management Version 2.1.

A team of validators, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in December 2018.

Environmental Strengths

Enterprise Security Management

TOE users authenticate either locally using direct login, or remotely via a configured domain controller in the operational environment. The TOE requires each user to present a valid username and password to gain access to the TOE.

The TOE securely integrates with Active Directory (AD) using LDAPs. The TOE synchronizes with AD and can use both individual and group membership to grant access to specific IT resources. Additionally, the TOE is capable of creating and managing local user credentials independently from the domain controller.

Security Audit

The TOE is able to generate audit records of security relevant events as they occur. Audit data includes date, time, event type, subject identity, and other data as required. The TOE uses the Windows Event Log for storing local audit trail, and is capable of uploading logs to an external audit server over a secure channel.

Cryptographic Support

The TOE relies on the operating system to provide protocol and cryptographic functionality. Windows Server 2016 Standard (x64) implements a certified Cryptographic Primitives Library that is exclusively utilized to implement all cryptographic operations.

Identification and Authentication

The TOE associates all of user’s security attributes with the subjects acting on the behalf of that user. Users receive their privileges either directly or by way of membership in groups and/or roles.

Security Management

The TOE restricts management functions to authorized administrators. An administrator will authenticate to the TOE by providing their local or domain user credentials. The TOE maintains the following default roles: Read-only, User, Administrator. Each authenticated user is automatically associated by TSF with a role that determines the user’s authorization(s).

Protection of the TOE Security Function (TSF)

The TOE protects authentication data, such as stored passwords, so they are not directly accessible in plaintext. The TOE’s certificates and private keys are protected by the Windows Server 2016 Access Control List (ACL) and Data Protection API (DPAPI). The Operational Environment implements and manages both the Certificate Store and the DPAPI, which are accessed using the Microsoft CryptoAPI.

TOE Access

The TOE is capable of displaying a login banner to all users. The TOE also enforces inactivity timeouts.

Trusted Path/Channels

The TOE, in the evaluated configuration, exports audit records to an external audit server and synchronizes with an external authentication server over a secure channel. The TOE utilizes the Internet Information Services (IIS) web server to implement secure remote administration. The web server implements the TLS v1.1 or TLS v1.2 protocol and supports X.509v3 certificate-based server authentication.

Vendor Information

Jai Dargan
(202) 802-9399
Site Map              Contact Us              Home