6 TOE SUMMARY SPECIFICATION (TSS)
6.1 TOE SECURITY FUNCTIONS
6.1.2 USER DATA PROTECTION FUNCTION
6.1.2.6 Residual Data Protection Function
The TOE ensures that any previous information content is unavailable upon allocation to subjects and objects. The TSF ensures that resources exported to user-mode processes do not have residual information in the following ways:
o All objects are based on memory and disk storage. Memory allocated for objects is either overwritten with all zeros or overwritten with the provided data before being assigned to an object. Objects stored on disk are restricted to only the disk space used for that object. Read/write pointers prevent reading beyond the space used by the object. Only the exact value of what is most recently written can be read and no more. For varying length objects, subsequent reads only return the exact value that was set, even though the actual allocated size of the object may be greater than this.
o Subjects have associated memory and an execution context. The TSF ensures that the memory associated with subjects is either overwritten with all zeros or overwritten with user data before allocation as described in the previous bullet for memory allocated to objects. In addition, the execution context (registers) is initialized when new threads within a process are created and restored when a thread context switch occurs.
SFR Mapping:
The User Data Protection function satisfies the following SFRs:
FDP_ACC.2a: The SRM mediates all access to objects, including kernel-based objects and user-mode TSF server-based objects. All access to objects is predicated on the SRM validating the access request. In the case of most objects, this DAC validation is performed on initial access (e.g., “open”) and subsequent use of the object is via a handle that includes a granted access mask. For some objects (in particular DS objects), every reference to the object requires a complete DAC validation to be performed. The TSF mediates read access by subjects to encrypted files by protecting user and recovery private keys and using those keys to protect the FEK.
FDP_ACF.1a: The TSF enforces access to user objects based on SIDs and privileges associated with subjects contained in tokens (the impersonation token, if one exists), and the security descriptors for objects. The rules governing access are defined as part of the DAC algorithm described above. The TSF uses the FEKs associated with the file, protected using authorized users’ private keys, to protect the encrypted file contents.
FDP_ACC.2b, FDP_ACC.2c, FDP_ACF.1b, and FDP_ACF.1c: The TSF enforces access to web server content based upon the web user’s identity and group memberships, the DACL associated with the object, URL authorization, and web permissions. The WEBUSER policy rules govern access to read the web content and modify the web content if specifically authorized (FDP_ACC.2b, FDP_ACF.1b). The CONTENT PROVIDER policy rules govern access to primarily control the ability to make web content available to web users and to modify web content (FDP_ACC.2c, FDP_ACF.1c).
FDP_ACC.2d and FDP_ACF.1d: The TSF enforces a Mandatory Integrity Control policy for process access to most objects covered by the DAC policy. The rules are enforced to ensure that process accesses to objects conform to rules that involve applicable attributes on the processes and objects as summarized earlier.
FDP_IFC.1a, FDP_IFF.1a: The TSF controls the flow of traffic from one Windows 7 and Windows Server 2008 R2 system’s TSF to another using IPSec’s capability to enforce filters that can be configured to restrict the flow of traffic based upon source IP address, destination IP address, source port, destination port, and protocol.
FDP_IFC.1b, FDP_IFF.1b: The TSF controls the flow of traffic into a Windows 7 and Windows Server 2008 R2 system’s TSF by providing the capability to block all unsolicited traffic with the exceptions of traffic targeted to ports specified by the authorized administrator.
FDP_UCT.1, FDP_UIT.1: The TSF protects data during transmission between the web user and the web server from unauthorized disclosure and modification by requiring that SSL/TLS is used to support this communication.
FDP_ITT.1: The TSF prevents the disclosure and modification of user data using IPSec encryption and digital signature capabilities when user data is transmitted between different systems.
FDP_RIP.2: The TSF ensures that previous information contents of resources used for new objects are not discernible in the new object via zeroing or overwriting of memory and tracking read/write pointers for disk storage. Every process is allocated new memory and an execution context. Memory is zeroed or overwritten before allocation.
FMT_MSA.1a, FMT_MSA.1b: The ability to change the DAC policy is controlled by the ability to change an object’s DACL. DACL changes are controlled by the following four methods:
o Object owner: Has implicit WRITE_DAC access.
o Explicit DACL change access: A user granted explicit WRITE_DAC access on the DACL can change the DACL.
o Take owner access: A user granted explicit WRITE_OWNER access on the DACL can take ownership of the object and then use the owner’s implicit WRITE_DAC access.
o Take owner privilege: A user with SeTakeOwner privilege can take ownership of the object and then use the owner’s implicit WRITE_DAC access.
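As an added audit example (not part of the Security Target), the following PowerShell function reports which principals could change a file or directory's DACL through the four methods listed above. It assumes a path supplied by the caller, uses the Windows privilege name SeTakeOwnershipPrivilege for what the text calls the SeTakeOwner privilege, and inspects only the current token for that privilege rather than evaluating group membership.

```powershell
# Added audit example, not code from the Security Target.
# Lists the paths by which a principal could modify the DACL of $Path.
function Get-DaclChangePaths {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    $results = @()

    # Method 1: the object owner has implicit WRITE_DAC.
    $results += [pscustomobject]@{
        Principal = $acl.Owner
        Method    = 'Owner (implicit WRITE_DAC)'
        Inherited = $false
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.FileSystemRights

        # Method 2: explicit WRITE_DAC, exposed as ChangePermissions (FullControl includes it).
        if ($rights -band [System.Security.AccessControl.FileSystemRights]::ChangePermissions) {
            $results += [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Method    = 'Explicit WRITE_DAC'
                Inherited = $ace.IsInherited
            }
        }
        # Method 3: WRITE_OWNER (TakeOwnership) lets the principal become owner, then use method 1.
        if ($rights -band [System.Security.AccessControl.FileSystemRights]::TakeOwnership) {
            $results += [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Method    = 'WRITE_OWNER then implicit WRITE_DAC'
                Inherited = $ace.IsInherited
            }
        }
    }

    # Method 4: the take-ownership privilege lives in the token, not the DACL,
    # so check whether the current token holds it (whoami lists held privileges).
    $held = whoami /priv | Select-String 'SeTakeOwnershipPrivilege'
    $results += [pscustomobject]@{
        Principal = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Method    = if ($held) { 'SeTakeOwnershipPrivilege held by current token' } else { 'No SeTakeOwnershipPrivilege in current token' }
        Inherited = $false
    }
    $results
}

# Example run against a system file (assumed path for illustration).
Get-DaclChangePaths -Path "$env:SystemRoot\System32\drivers\etc\hosts" | Format-Table -AutoSize
```

Inherited ACEs are flagged separately because, per the DAC rules above, they are set on the parent and are the usual reason a principal unexpectedly holds WRITE_DAC on a child object.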
FMT_MSA.1b: The TSF associates private keys with users. Only the owner of the private key used to protect the FEK associated with the file or an administrator or subject with a specific privilege can delete the FEK.
FMT_MSA.1c: The ability to change the security attributes upon which the IPSec Filter Policy is based is restricted to the authorized administrator.
FMT_MSA.1d: The ability to change the security attributes upon which the Connection Firewall Policy is based is restricted to the authorized administrator.
FMT_MSA.1e, FMT_MSA.1f: The ability to change the security attributes upon which the WEBUSER and CONTENT PROVIDER policies are based is restricted to the authorized administrator.
FMT_MSA.1g: The ability to change Mandatory Integrity Control related security attributes is restricted to processes holding a specific privilege (i.e., SeRelabelPrivilege) allowing the modification of object labels.
FMT_MSA.3a: The TSF provides restrictive default values for security attributes used to provide access control via the process’s default DACLs, which only allow access to SYSTEM and the user creating the object. Users who create objects can specify a SD with a DACL to override the default. The initial keys are cryptographically generated and cannot be modified.
FMT_MSA.3b: Filters can be defined and assigned to restrict traffic flow from one TSF to another. However, by default, there are no filters assigned and traffic is allowed to flow in an unrestricted manner. Only the authorized administrator can define or modify the IPSec filters that specify the rules for traffic flow.
FMT_MSA.3c: By default, Windows 7 has a very restrictive default firewall policy while Server 2008 R2 has a permissive policy so that it can support client access to its services. Only the authorized administrator can specify ports for which unsolicited traffic will be accepted. However, the firewall feature is optional and can be disabled in the evaluated configuration, in which case no restriction on traffic flow is enforced.
FMT_MSA.3d, FMT_MSA.3e: By default, only read access to web content is allowed and only an authorized administrator can define the configuration or the web permissions associated with the web content in the metabase.
FMT_MSA.3f: By default, objects and processes are assigned Mandatory Integrity labels and policies that prevent writing to higher integrity labels and read access to processes and threads at higher integrity labels. The defaults cannot be changed during process or object creation, though some attributes can be changed later per FMT_MSA.1g.
FMT_MTD.1a: Only an authorized administrator can modify the values in the metabase which include the IIS configuration. These values define permissions to web content.
FMT_REV.1b: The ability to revoke access to an object is controlled by the ability to change the DACL and is governed by the same conditions for FMT_MSA.1a above. The changed DACL is effective upon subsequent access checks against the object.