NetIQ Corporation NetIQ ® Directory Resource Administrator ™ 9.0 Security Target Initial Draft Date: December 1, 2015 Last Updated: December 7, 2016 Version: 1.7 Prepared By: NetIQ Corporation Prepared For: NetIQ Corporation Suite 1200 515 South Post Oak Blvd Houston, TX 77027 December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 2 of 44 Table of Contents 1. Security Target Introduction (ASE_INT)..............................................................................................5 1.1. Security Target Reference:............................................................................................................5 1.2. Target of Evaluation Reference: ...................................................................................................5 1.3. Target of Evaluation Overview (TOE): ........................................................................................5 1.3.1. Product Overview: ................................................................................................................5 1.3.2. TOE Components:.................................................................................................................6 1.3.3. Logical TOE Boundary (Major Security Features of the TOE):...........................................7 1.3.4. TOE Type: ............................................................................................................................9 1.3.5. Non-TOE hardware/software/firmware required by the TOE ............................................10 1.3.6. Excluded TOE Items:..........................................................................................................10 1.3.7. Evaluated Configuration .....................................................................................................11 1.3.8. Physical Scope of TOE .......................................................................................................11 1.4. Security Target Conventions:......................................................................................................12 1.5. Acronyms:...................................................................................................................................13 1.6. Security Target Organization......................................................................................................14 2. CC Conformance Claims (ASE_CCL)................................................................................................15 2.1. PP Claim .....................................................................................................................................15 2.2. Package Claim ............................................................................................................................15 2.3. Conformance Rationale: .............................................................................................................15 3. Security Problem (ASE_SPD).............................................................................................................16 3.1. Introduction:................................................................................................................................16 3.1.1. Assets:.................................................................................................................................16 3.1.2. Subjects:..............................................................................................................................16 3.1.3. Attacker:..............................................................................................................................16 3.2. Assumptions................................................................................................................................17 3.2.1. Intended Usage Assumptions..............................................................................................17 3.2.2. Physical Assumptions .........................................................................................................17 3.2.3. Personnel Assumptions.......................................................................................................17 3.2.4. Connectivity Assumptions ..................................................................................................17 3.3. Threats.........................................................................................................................................17 4. Security Objectives (ASE_OBJ)..........................................................................................................19 4.1. Security Objectives for the TOE.................................................................................................19 4.2. Security Objectives for the Non-IT Environment.......................................................................19 4.3. Security Objectives for the IT Environment ...............................................................................19 4.4. Rationale .....................................................................................................................................20 4.4.1. Security Objectives Rationale.............................................................................................20 4.4.2. Security Objectives Rationale for the TOE and Environment ............................................20 4.5. Security Objectives Rationale for Environment Assumptions....................................................23 4.5.1. A.ACCESS..........................................................................................................................24 4.5.2. A.ASCOPE .........................................................................................................................24 4.5.3. A.DYNIMC ........................................................................................................................24 4.5.4. A.LOCATE.........................................................................................................................24 4.5.5. A.MANAGE .......................................................................................................................24 4.5.6. A.NOEVIL..........................................................................................................................24 4.5.7. A.AVAIL ............................................................................................................................25 4.5.8. A.CONFIG..........................................................................................................................25 4.5.9. A.NETCON ........................................................................................................................25 4.6. Security Requirements Rationale................................................................................................25 December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 3 of 44 4.6.1. O.ADMIN_ROLE...............................................................................................................26 4.6.2. O.DRA_ACPOL .................................................................................................................26 4.6.3. O.DRA_AUDIT..................................................................................................................26 4.6.4. O.DRA_AUTH ...................................................................................................................27 4.6.5. O.DRA_DATVAL..............................................................................................................27 4.6.6. O.DRA_REP.......................................................................................................................27 4.6.7. O.DRA_TDS:......................................................................................................................27 4.6.8. O.MANAGE .......................................................................................................................27 4.6.9. O. OFLOWS .......................................................................................................................28 4.6.10. O. RESPONSE....................................................................................................................28 4.6.11. O.TOE_PROTECTION ......................................................................................................28 4.7. Security Assurance Requirements Rationale ..............................................................................29 4.7.1. Requirement Dependency Rationale...................................................................................29 4.8. Explicitly Stated Requirements Rationale ..................................................................................29 4.9. TOE Summary Specification Rationale......................................................................................30 5. Extended Components Definition (ASE_ECD) ..................................................................................31 5.1. Definition for WMAP_ADM.1 (EX)..........................................................................................31 5.1.1. Data Review (WMAP _ADM.1 (EX))................................................................................31 5.1.2. Dependencies:.....................................................................................................................31 5.1.3. Management:.......................................................................................................................31 5.2. Definition for WMAP _ALR.1 (EX) ..........................................................................................31 5.2.1. Data Alarms (WMAP _ALR.1 (EX)) .................................................................................31 5.2.2. Dependencies:.....................................................................................................................32 5.2.3. Management:.......................................................................................................................32 5.3. Definition WMAP_STG.1 (EX) .................................................................................................32 5.3.1. Data Loss Prevention (WMAP_STG.1 (EX)).....................................................................32 5.3.2. Management:.......................................................................................................................32 6. IT Security Requirements (ASE_REQ)...............................................................................................33 6.1. TOE Security Functional Requirements .....................................................................................33 6.1.1. Security Audit (FAU)..........................................................................................................33 6.1.2. User Data Protection (FDP) ................................................................................................35 6.1.3. Identification and Authentication (FIA)..............................................................................36 6.1.4. Security Management (FMT)..............................................................................................36 6.1.5. Windows Management Administrative Proxy (WMAP)....................................................37 6.2. Security Assurance Requirements ..............................................................................................37 7. TOE Summary Specification (ASE_TSS)...........................................................................................38 7.1. Security Audit.............................................................................................................................38 7.2. User Data Protection...................................................................................................................38 7.3. Identification and Authentication................................................................................................39 7.4. Security Management .................................................................................................................39 7.5. Windows Management Administrative Proxy............................................................................40 Appendix A – DRA Privileges / Roles / Powers list...................................................................................41 Figures: Figure 1-1: Directory Resource Administrator 9.0 Configuration................................................................6 Figure 1-2: DRA Functional Architecture ....................................................................................................8 Figure 1-3: NetIQ Directory Resource Administrator ................................................................................10 Figure 1-4: Evaluated Configuration ..........................................................................................................11 Figure 5-1: WMAP_ADM Component Leveling .......................................................................................31 December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 4 of 44 Figure 5-2: WMAP_ALR Component Leveling ........................................................................................31 Figure 5-3: WMAP_STG Component Leveling.........................................................................................32 Tables: Table 1: FIPS Certificate Numbers............................................................. Error! Bookmark not defined. Table 2: Threats to Objectives correspondence ..........................................................................................20 Table 3: Complete coverage – environmental assumptions........................................................................24 Table 4: Objective to Requirement Correspondence ..................................................................................26 Table 5: Requirement Dependency.............................................................................................................29 Table 6: Security Functions vs. Requirements Mapping ............................................................................30 Table 7: Extended Functional Components................................................................................................31 Table 8: TOE Security Functional Requirements.......................................................................................33 Table 9: Auditable Events...........................................................................................................................35 Table 10: Security Assurance Requirements ..............................................................................................37 December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 5 of 44 Security Target Introduction (ASE_INT) This section presents the following information:  Security Target Reference  Target of Evaluation Reference  TOE Overview  Security Target conventions  Acronyms  Security Target Organization 1.1. Security Target Reference: 1.2. Target of Evaluation Reference: 1.3. Target of Evaluation Overview (TOE): 1.3.1. Product Overview: The NetIQ® Directory Resource Administrator™ 9.0.2 (DRA) product enables the extension and management of Microsoft Active Directory (AD). DRA extends AD management capability to individuals while:  protecting AD consistency  providing improved audit capability  improving the integrity by validating all administrative changes  enables the ability to automate administrative functions DRA does this by providing:  granular delegation of permissions  robust change management policies  simplified workflow automation In addition DRA reduces down time and operational risks to Active Directory that may be caused by malicious or accidental changes. 1 Note: The official name of the product is: NetIQ® Directory Resource Administrator ™ 9.0 . The released product can be uniquely identified as: NetIQ® Directory Resource Administrator ™ 9.0.2. 358 or NetIQ® Directory Resource Administrator ™ 9.0.2 . The product name may also be abbreviated as DRA 9.0 or simply DRA, or the TOE. For the purpose of this certification, and the associated documentation, all of the above references are equivalent. ST Title: NetIQ® Directory Resource Administrator™ 9.0 Security Target ST Version: 1.7 ST Date: December 7, 2016 ST Author: Michael F. Angelo 713-418-5396 angelom@netiq.com TOE Reference: NetIQ® Directory Resource Administrator™ 9.01 TOE Version #: 9.0.2.358 TOE Developer: NetIQ Corporation Evaluation Assurance Level (EAL): EAL2+ TOE Components: Console Subsystem DRA Server Subsystem December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 6 of 44 Key benefits of DRA include:  Policy and regulation compliance Provides for the assessment, operation, and control of systems and resources in accordance with security standards, best practices, and regulatory requirements and provides logging and auditing capabilities that help demonstrate compliance.  Operational integrity Prevents malicious or incorrect changes that affect the performance and availability of systems and services by providing granular access control for administrators and managing access to systems and resources.  Process enforcement Maintains the integrity of key change management processes that help you improve productivity, reduce errors, save time, and increase administration efficiency. DRA Server Subsystem(TOE) SQL Server ` Console Subsystem (TOE) ` DC ` NRC DRA Server(s) Excluded from TOE Included in TOE Figure 1-1: Directory Resource Administrator 9.0 Configuration The NetIQ DRA 9.0 (Figure 1-12 above) consists of the following components:  NetIQ Directory Resource Administrator Console Subsystem (which provides a Interface GUI / UI and is included in TOE)  NetIQ Directory Resource Administrator Primary Server (which provides a DRA Server Interface and is included in TOE) The TOE also provides the following roles  Administrator  Assistant Administrator  User In addition additional roles / powers can be defined or added to extend the user roles. A list of these can be found in Appendix A. 1.3.2. TOE Components: For the purpose of this certification we will include: 2 Components that are not part of the TOE are in grey boxes. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 7 of 44 The NetIQ Directory Resource Administrator Console Subsystem which includes the following functionality:  Account and Resource Management Console – Used to administer objects in any managed domain. The Account and Resource Management console, can view and modify accounts, resources, temporary group assignments, and Microsoft Exchange mailboxes.  Delegation and Configuration Console – Provides a mechanism to securely delegate administrative tasks in the managed domain, set policies and automation triggers, and configure the Administration server.  Directory and Resource Reporting – Provides a mechanism to view and print administration activity reports. This enables auditing of your enterprise security and track administration activities.  Command-Line Interface – Provides a mechanism to perform operations from the command line. The NetIQ Directory Resource Administrator Primary Server which provides audit, authentication, authorization, management and communications functionality. 1.3.3. Logical TOE Boundary (Major Security Features of the TOE): The TSF provides the following security functions:  Security Audit  User Data Protection  Identification and Authentication  Security Management  Windows Management Administrative Proxy Functions December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 8 of 44 DC AD NRC ACF Console Secondary DRA Server Secondary DRA Server ADLDS SQL Primary DRA Server Subsystem AD Collector DRA Collector Query Service Log Archive Service Primary DRA Server Web Service SQL Server Registry NT Events ADLDS DCOM TRACE Datastore ACF Threat Model SOAP over TCP/IP Auth: Windows SSL ACF Threat Model TCP/IP (1433) Auth: Windows Console Subsystem DRA GUI / UI (win 32) Regist ry LDAP (50000). .NET API: Windows Auth Either Thread creds, or override creds. .NET Remoting: TCP/IP (8989) TCP/IP (1433) Auth: Windows Setup +SSL Cfg: TCP/IP (1433) Auth: Windows DCOM (135) , Auth:Windows DCOM (135, 139, 445) Auth=Windows (Packet Privacy) TCP/IP (1433) Auth: Windows XmlCheckin TCP/IP (1433) Auth: Windows MSMQ (SM Threat Model) Windows Auth SM Threat Model C++ as well as C# API: LDAP (50000) : Windows Auth Either Threads creds/ override Creds, ADLDS Replication (135+ RPC Port) (Protocol = RPC, Auth=Windows) WCF: SOAP over TCP/ IP (50101) Auth: Windows DCOM (135) Auth:Windows .NET API. Protocol: LDAP (389) Auth: Windows Either Thread creds or override creds, LDAP (389) Windows Auth Either Thread creds, or Override creds Figure 1-2: DRA Functional Architecture3 1.3.3.1. Security Audit The TOE can be set up to produce audit reports for events. The TOE reporting capabilities are completely configurable and can even define rules to take automatic responses. 3 Objects that are in grey boxes are not part of the TOE. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 9 of 44 1.3.3.2. User Data Protection The TOE implements multiple levels of access as well as functions to enforce them. In addition the transactions are authenticated, and exportable. The TOE can also be configured to control where functionality can be accessed. Data can be imported and exported from the TOE as well as moved across different components in the TOE. Inter-TSF data confidentiality transfers are protected by use of the Operating Environments native communications process. 1.3.3.3. Identification and Authentication Users of the TOE depend on the IT Environment to handle access authentication, however all errors and transactions are logged by the TOE. In addition the TOE has multiple privileges for individuals or groups of individuals. The TOE depends on the IT Environment for protection of passwords and service credentials, as well as for user authentication, identification, subject binding4 . 1.3.3.4. Security Management Security functions and attributes in the TOE are controlled / managed and specified at different levels or roles by the TSF and the IT Environment . The TOE and IT Environment can also be used to revoke indivual access. 1.3.3.5. Windows Management Administrative Proxy Functions The NetIQ Directory Resource Administrator also provides additional functions. The TOE will provide authorized users with the ability to collect data, and generate reports in a manner suitable for the user to interpret. The TOE will generate alarms using various notification mechanisms. The TOE will react if the storage capacity has been reached. 1.3.4. TOE Type: For the purpose of this security target the TOE Type is a Windows Management Adminstrative Proxy (WMAP). The WMAP consists of the following functions: WMAP_ADM The TOE will provide authorized users with the ability to collect data, and generate reports in a manner suitable for the user to interpret. As part of this it provides the following management mechanisms:  a mechanism whereby administrators can delegate to authorized users the capability to issue administrative commands and changes.  a mechanism whereby administrators can delegate to authorized users a group or set of abilities. WMAP _ALR The TOE will generate an alarm for operations and events that are performed using one or more of the following notification mechanisms:  Display alarm information to the administrator console  Send alarm information to administrators using email  Execute a command  Execute a script WMAP _STG The TOE will react if the storage capacity has been reached. 4 (tying users to actions) December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 10 of 44 1.3.5. Non-TOE hardware/software/firmware required by the TOE DRA Server Subsystem (TOE) ` Console Subsystem (TOE) ` DC Excluded from TOE Included in TOE Figure 1-3: NetIQ Directory Resource Administrator Those elements labeled TOE in Figure 1-3 are covered by this ST. Note: For the purpose of this evaluation all operating system and the hardware (or emulations in a virtual machine) are excluded. The NetIQ DRA Server Subsystem requires a server that is capable of supporting:  Windows Server 2012 R2  The DRA server requires the following minimum hardware: CPU 1 GHz (x86 processor) or 1.4 GHz (x64 processor) RAM 1 GB Disk space 100 MB Note: Or equivalent emulated in a virtual machine. Console Subsystem:  Windows Server 2012 R2, Internet Explorer 11.0  The Console Subsystem requires the following minimum hardware: CPU 1 Pentium III, 800MHz RAM 1 GB Disk space 100 MB Note: Or equivalent emulated in a virtual machine. 1.3.6. Excluded TOE Items: These environments (components) are not part of the TOE, but are required to demonstrate TOE functionality. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 11 of 44 While the NetIQ DRA Server Subsystem is capable of running on the following 64-bit versions of Microsoft Windows: Microsoft Windows Server 2008, Microsoft Windows Server 2008 R2, and Microsoft Windows Server 2012 no testing was done on them. While the Console Subsystem is capable of running on Microsoft Internet Explorer 8.0 and 9.0 no testing was done on them. The NetIQ Agents (DC) can run on the Windows Server 2012 R2 operating system. These environments (components) are not part of the TOE.  NetIQ Agents (DC) In addition the system requires a network which may consist of routers, switches, hubs, and other technology used in a TCP/IP based network, which are also not part of the TOE. Finally the system may employMSMQ, DCOM, and .net Remoting for communications, which are provided by a third party and are not part of the TOE. 1.3.7. Evaluated Configuration DRA Server Subsystem (TOE) ` Console Subsystem (TOE) ` DC Excluded from TOE Included in TOE Figure 1-4: Evaluated Configuration 1.3.8. Physical Scope of TOE The NetIQ Directory Resource Administrator is a software only TOE; The TOE physical boundary consists of the Console Subsystem and the DRA Server Subsystem running on their supporting operating systems and hardware. User installation and guidance documentation is supplied with the TOE. For the purpose of this evaluation the Agent (DC), secondary or additional DRA server(s), and the SQL server are not included in the TOE. The Console Subsystem will be evaluated on the following operating systems:  Windows Server 2012 R2  The Console Subsystem will be evaluated with Internet Explorer 11. The DRA Server Subsystem will be evaluated in the consolidated configuration with the following operating systems: December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 12 of 44  Windows Server 2012 R2 Further details for installation, administrative, and user guidance can be found in the following documentation:  NetIQ® Directory and Resource Administrator™ NetIQ® Exchange Administrator™ Installation Guide February 2016  Directory and Resource Administrator and Exchange Administrator Administrator Guide July 2016  Directory and Resource Administrator and Exchange Administrator User Guide February 2016 1.4. Security Target Conventions: This section specifies the formatting information used in the ST. The notation, conventions, and formatting in this security target are consistent with Version 3.1 of the Common Criteria for Information Security Evaluation. Clarifying information conventions, as well as font styles were developed to aid the reader.  Security Functional Requirements – Part 1, section C.2, of the CC defines the approved set of operations that may be applied to functional requirements: assignment, iteration, refinement, and selection. o Assignment: allows the specification of an identified parameter or parameter(s). o Iteration: allows a component to be used more than once with varying operations. o Refinement: allows the addition of details. o Selection: allows the specification of one or more elements from a list.  Within section 6 of this ST the following conventions are used to signify how the requirements have been modified from the CC text. o Assignments are indicated using bold and are surrounded by brackets (e.g., [assignment]). o Iteration is indicated by a letter placed at the end of the component. For example FDP_ACC.1a and FDP_ACC.1b indicate that the ST includes two iterations of the FDP_ACC.1 requirement, a and b. o Refinements are indicated using bold, for additions, and strike-through, for deletions (e.g., “… every object …” or “… all things …”). o Selections are indicated using italics and are surrounded by brackets (e.g., [selection]).  Other sections of the ST – Other sections of the ST use bolding to highlight text of special interest, such as acronyms, definitions, or captions. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 13 of 44 1.5. Acronyms: ACF Analysis Center Framework AD Active Directory ADLDS Active Directory Lightweight Directory Services ARM DRA Account and Resource Management CC Common Criteria D&C DRA Delegation and Configuration DCOM Distributed Component Object Model DES Data Encryption Standard DRA Directory Resource Administrator DRA AG DRA Administrator Guide DRA IG DRA Installation Guide DRA UG DRA User Guide EAL Evaluation Assurance Level FIPS Federal Information Processing Standards GUI Graphical User Interface ILS Internet Location Server MSMQ Microsoft Message Queue NetIQ DRA NetIQ Directory Resource Administrator NIST National Institute of Standards and Technology NRC NetIQ Reporting Center OU Organizational Unit OS Operating system PP Protection Profile SMTP Simple Mail Transport Protocol SSL Secure Socket Layer ST Security Target TOE Target of Evaluation TRACE Security Manager Log Archive Hook TSF TOE Security Functions TSS TOE Summary Specification UI User Interface VA1 Virtual Attribute WMAP Windows Management Administrative Proxy WTS Windows Terminal Service (check) December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 14 of 44 1.6. Security Target Organization The Security Target (ST) contains the following sections: Section 1 Security Target Introduction (ASE_INT) The ST introduction describes the Target of Evaluation (TOE) in a narrative with three levels of abstraction: A TOE reference, TOE overview, a TOE description (in terms of physical and logical boundaries) and scoping for the TOE. Section 2 CC Conformance Claims (ASE_CCL) This section details any CC and PP conformance claims. Section 3 Security Problem (ASE_SPD) This section summarizes the threats addressed by the TOE and assumptions about the intended environment. Section 4 Security Objectives (ASE_OBJ) This section provides a concise statement in response to the security problem defined in definition. Section 5 Extended Components Definition (ASE_ECD) This section provides information about security requirements outside of components described in CC Part 2 or CC Part 3. Section 6 IT Security Requirements (ASE_REQ) This section provides a description of the expected security behavior of the TOE. Section 7 TOE Summary Specification (ASE_TSS) This section provides a general understanding of the TOE implementation. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 15 of 44 2. CC Conformance Claims (ASE_CCL) This TOE is conformant to the following CC specifications:  Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Requirements, Version 3.1 Release 4, September 2012. Part 2 Extended  Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance Requirements, Version 3.1 Release 4, September 2012. Part 3 Conformant  The Evaluation Assurance Level (EAL) is 2+ (EAL2+) the augmentation is ALC_FLR.1 Basic Flaw remediation. 2.1. PP Claim The ST does not claim conformance to any Protection Profiles (PPs). 2.2. Package Claim The ST claims conformance to the EAL2 assurance package defined in Part 3 of the Common Criteria Version 3.1 Revision 4 (September 2012). The ST does not claim conformance to any functional package. 2.3. Conformance Rationale: No conformance rationale is necessary for this evaluation since this Security Target does not claim conformance to a Protection Profile. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 16 of 44 3. Security Problem (ASE_SPD) This section summarizes the threats addressed by the TOE and assumptions about the intended environment of the TOE. Note that while the identified threats are mitigated by the security functions implemented in the TOE, the overall assurance level (EAL2+) also serves as an indicator of whether the TOE would be suitable for a given environment. 3.1. Introduction: In order to simplify the security problem, the TOE can be broken into 3 areas. These areas are the:  Assets elements of the TOE that need protections  Subjects persons with legitimate access to the TOE  Attackers persons who are not legitimate users 3.1.1. Assets: The assets can be broken down into two classes – Primary and Secondary. The main aim of this TOE is to protect the primary assets against unauthorized access, manipulation, and disclosure. The primary assets are:  Data stored on the DRA Server Subsystem in the local Trace Datastore.  Configuration information stored on the DRA Server Subsystem and Console Subsystem’s.  Data in transit from / to the DRA Server Subsystem, Console Subsystem  The Secondary assets are themselves of minimal value, the possession of these assets enables or eases access to primary assets. Therefore these assets need to be protected as well.  Credentials (i.e. account information and associated passwords) for access to the TOE  Security attributes (i.e. File access permissions) on the TOE.  Explicit Product privileges afforded to users of the TOE. 3.1.2. Subjects: 3.1.2.1. Administrator: Members of this group manage all objects, define the security model policy, as well as configure and start the Administration server. 3.1.2.2. Assistant Administrators: Assistant Administrators are users that are afforded a subset of privileges via the DRA Admin. 3.1.2.3. Administrators from Managed Domains: Members of this group manage accounts, groups, contacts, and resources in a domain where the Member is an Administrator. 3.1.3. Attacker: An Attacker is a person (or persons) who is not a user or administrator, and does not have physical access to any device in the infrastructure. This means that their only mode of access would be from outside the corporate environment (i.e. a machine on the Internet). A successful attacker would be able to gain access to TOE resources. Assuming successful access that attacker would then attempt to:  access the Active Directory (AD) and create / modify / delete accounts  delete the entire Data in the Primary Server’s Trace Datastore  view the contents of the AD December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 17 of 44 3.2. Assumptions 3.2.1. Intended Usage Assumptions A.ACCESS The TOE has access to all the IT System data it needs to perform its functions. A.DYNMIC The TOE will be managed in a manner that allows it to appropriately address changes in the IT System the TOE monitors. A.ASCOPE The TOE is appropriately scalable to the IT System the TOE monitors. 3.2.2. Physical Assumptions A.LOCATE The server components of the TOE will be located within controlled access facilities, which will prevent unauthorized physical access. 3.2.3. Personnel Assumptions A.MANAGE There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains. A.NOEVIL The authorized administrators are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the TOE documentation. 3.2.4. Connectivity Assumptions A.AVAIL The systems, networks and all components will be available for use. A.CONFIG The systems will be configured to allow for proper usage of the application. A.NETCON All networks will allow for communications between the components. 3.3. Threats T.ADMIN_ERROR An authorized administrator may incorrectly install or configure the TOE resulting in the exposure of data, applications, or capabilities. Improper installation can also affect the security mechanisms in the product for example access control and audit functions. T.MASQUERADE An unauthorized user, process, or external IT entity may masquerade as an authorized entity to gain access to TOE data or TOE resources. T.NO_HALT An unauthorized entity may attempt to compromise the integrity of the TOE or assets the TOE controls through denying services provided by the TOE by halting the execution of the entire TOE or one of its components. T.PRIV An unauthorized entity may gain access to the TOE and exploit functionality to gain access or privileges to TOE security functions and data. T.MAL_INTENT An authorized user could initiate changes via the TOE that enable additional privileges as specified in Appendix A. These privileges may not have been authorized via appropriate channels. T.TSF_COMPROMISE A malicious user may cause configuration data to be inappropriately accessed (viewed, modified or deleted). T.MAL_ACT A vulnerability in the IT system, on which the TOE is present, may allow for malicious activity, such as the introduction of malware (i.e. Trojan horses and viruses) by either an authorized entity or a vulnerability in the IT system. This may in turn lead to the compromise of the TOE. T.MIS_NORULE An unauthorized user, performing an unauthorized activity, indicative of misuse, may occur on an IT System the TOE is December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 18 of 44 installed on. If no event rules are specified in the TOE to cover the action, then the TOE may not issue an alert or log entry. T.SC_MISCFG An administrator may improperly define the security configuration settings in the IT System the TOE is operating within. The lack of proper IT system configuration could make the TOE security features, such as access control or audit features, ineffective. T.SC_MALRUN Users could execute malicious code on an IT System that the TOE is installed on which causes modification of the TOE protected data or undermines the IT System security functions. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 19 of 44 4. Security Objectives (ASE_OBJ) 4.1. Security Objectives for the TOE O.ADMIN_ROLE The TOE will define authorizations that determine the actions authorized administrator roles may perform. O.MANAGE The TOE will allow administrators to effectively manage the TOE and its security functions, O.OFLOWS The TOE must appropriately handle potential System data storage overflows. O.RESPONSE The TOE must respond appropriately to trigger events. O.TOE_PROTECTION The TOE must protect itself and its assets from external interference or tampering. O.DRA_AUTH The TOE must ensure that only authorized administrators are able to access functionality. O.DRA_AUDIT The TOE must collect and store transactional information that can be used to audit changes to the Active Directory. O.DRA_TDS The TOE must protect entries in the Log Archive Trace Datastore. O.DRA_REP The TOE must provide identification for source and target objects. O.DRA_ACPOL The TOE must provide an access policy. O.DRA_DATVAL The TOE must provide audit data that is tamper evident. 4.2. Security Objectives for the Non-IT Environment OE.ADMIN Those responsible for the TOE must ensure that the TOE is administered in a manner consistent with IT security administration. OE.CONFIG Those responsible for the TOE must ensure that the TOE is configured in a manner consistent with IT security and according to the MS Configuration Guidance Documentation. OE.INSTAL Those responsible for the TOE must ensure that the TOE is delivered, installed, managed, and operated in a manner which is consistent with IT security. OE.CREDEN Those responsible for the TOE must ensure that all access credentials are protected by the users in a manner which is consistent with IT security. OE.PERSON Personnel working as authorized administrators shall be carefully selected and trained for proper operation of the System. OE.PHYCAL Those responsible for the TOE must ensure that those parts of the TOE critical to security policy are protected from any physical attack. OE.INTROP The TOE is interoperable with the AD Environment it manages. 4.3. Security Objectives for the IT Environment OE.ADMIN_ROLE The IT environment will provide authorized administrator roles to isolate administrative actions. OE.AVAILABILITY The IT environment is responsible for providing protection against loss of systems or services. OE.CONNECT The IT environment will provide network connectivity between components OE.USER_AUTHENTICATION The IT environment will verify the claimed identity of users. OE.USER_IDENTIFICATION The IT environment will uniquely identify users. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 20 of 44 OE.TIME The IT environment will provide a time source that provides reliable time stamps. OE.TOE_PROTECTION The IT environment will protect the TOE and its assets from external interference or tampering. 4.4. Rationale This section provides the rationale for completeness and consistency of the Security Target. The rationale addresses the following areas:  Security Objectives;  Security Functional Requirements;  Security Assurance Requirements;  Requirement Dependencies;  TOE Summary Specification; and,  PP Claims. 4.4.1. Security Objectives Rationale This section shows that all secure usage assumptions, organizational security policies, and threats are completely covered by security objectives. In addition, each objective counters or addresses at least one assumption, organizational security policy, or threat. 4.4.2. Security Objectives Rationale for the TOE and Environment This section provides evidence demonstrating the coverage of threats by the security objectives. O.ADMIN_ROLE O.MANAGE O.OFLOWS O.RESPONSE O.DRA_AUTH O.DRA_AUDIT O.DRA_TDS O.DRA_REP O.DRA_ACPOL O.DRA_DATVAL O.TOE_PROTECTION OE.ADMIN_ROLE OE.USER_AUTHENTICATION OE.USER_IDENTIFICATION OE.TIME OE.TOE_PROTECTION Threats T.ADMIN_ERROR X T.MASQERADE X X X X X X X X X X T.NOHALT X X T.PRIV X X T.MAL_INTENT X X X X X X T.TSF_COMPROMISE X X T.MAL_ACT X X X X X T.MIS_NORULE X X T.SC_MISCFG X X X T.SC_MALRUN X X X X X Table 1: Threats to Objectives correspondence 4.4.2.1. T.ADMIN_ERROR An authorized administrator may incorrectly install or configure the TOE resulting in the exposure of data, applications, or capabilities. Improper installation can also affect the security mechanisms in the product for example access control and audit functions. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 21 of 44 This Threat is countered by ensuring that: O.MANAGE: The TOE counters this threat by providing a user interface that allows assistant administrators to effectively manage the TOE and its security functions. In addition the TOE ensures that only authorized entities are able to access such functionality. 4.4.2.2. T.MASQUERADE An unauthorized user, process, or external IT entity may masquerade as an authorized entity to gain access to data or TOE resources. This Threat is countered by ensuring that: O.DRA_AUTH: The TOE counters this threat by only allowing users to execute functions based on their credentials or group memberships. O.ADMIN_ROLE: The TOE counters this threat by defining authorizations that determine the actions / roles that authorized entities may perform. O.DRA_AUDIT: The TOE counters this threat by providing transactional based audit capabilities. O.DRA_TDS: The TOE protects entries in the log facility by using cascaded hashes and not enabling modification of existing records. O.DRA_REP: The TOE counters this threat by providing identification for all source and target objects transactions. O.DRA_ACPOL: The TOE counters this threat by use of an access policy that restricts authorized entities to specific activities. O.DRA_DATVAL: The TOE counters this threat by providing audit data that is tamper evident by applying cascaded hashes. OE.ADMIN_ROLE: The IT Environment counters this threat by providing authorized roles to isolate actions. OE.USER_AUTHENTICATION: The IT Environment counters this threat by verifying the claimed identity of users. OE.USER_IDENTIFICATION: The IT Environment counters this threat by uniquely identify users. 4.4.2.3. T.NOHALT: An unauthorized entity may attempt to compromise the integrity of the TOE or assets the TOE controls through denying services provided by the TOE by halting the execution of the entire TOE or one of its components. This Threat is countered by ensuring that: O.ADMIN_ROLE: The TOE counters this threat by defining authorizations that determine the actions authorized entities may perform. O.RESPONSE: The TOE defines triggers that can be used to notify of events. This threat can be mitigated by configuring a trigger when a shutdown is attempted. 4.4.2.4. T.PRIV: An unauthorized entity may gain access to the TOE and exploit functionality to gain access or privileges to TOE security functions and data. This Threat is countered by ensuring that: O.ADMIN_ROLE: The TOE counters this threat by providing strict access controls which determine the actions / roles authorized assistant administrators may perform. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 22 of 44 O.DRA_AUDIT: The TOE counters this threat by providing transactional based audit capabilities. 4.4.2.5. T.MAL_INTENT: An authorized user could initiate changes via the TOE that enable additional privileges as specified in Appendix A. These privileges may not have been authorized via appropriate channels. This Threat is countered by ensuring that: OE.TIME: The IT Environment counters this by providing timestamps that can be used in the audit. OE.TOE_PROTECTION: The IT Environment counters this threat by protecting assets from external interference or tampering. O.RESPONSE: The TOE counters this event by responding appropriately to trigger events. O.DRA_AUDIT: The TOE counters this event by collecting and storing transactional information that can be used to audit changes to the AD. O.DRA_TDS: The TOE protects entries in the log facility by using cascaded hashes. O.DRA_ACPOL: The TOE counters this threat by providing an access policy. 4.4.2.6. T.TSF_COMPROMISE A malicious user may cause configuration data to be inappropriately accessed (viewed, modified or deleted). This Threat is countered by ensuring that: O.TOE_PROTECTION: The TOE counters this threat by using event triggers to protect itself and its assets from external interference or tampering. OE.TOE_PROTECTION: The IT environment will protect the TOE and its assets from external interference or tampering. 4.4.2.7. T. MAL_ACT A vulnerability in the IT system, on which the TOE is present, may allow for malicious activity, such as the introduction of malware (i.e. Trojan horses and viruses) by either an authorized entity or a vulnerability in the IT system. This may in turn lead to the compromise of the TOE. This Threat is countered by ensuring that: O.RESPONSE: The TOE counters this threat by responding to events that may indicate attempts to perform unauthorized activities. O.DRA_AUDIT: The TOE counters this threat by collecting and storing transactional information that can be used to audit changes to the AD. O.DRA_DATVAL: The TOE counters this threat by providing audit data that is tamper evident. OE.TIME: The IT environment counters this threat by providing a reliable timestamp. OE.TOE_PROTECTION: The IT environment will protect the TOE and its assets from external malicious activity. 4.4.2.8. T. MIS_NORULE An unauthorized user, performing an unauthorized activity, indicative of misuse, may occur on an IT System the TOE is installed on. If no event rules are specified in the TOE to cover the action, then the TOE may not issue an alert or log entry. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 23 of 44 This Threat is countered by ensuring that: O.DRA_AUDIT: The TOE collects and stores transactional information that can be used to audit changes to the AD. O.DRA_ACPOL: The TOE protects against this threat by providing access policies. 4.4.2.9. T. SC_MISCFG An administrator may improperly define the security configuration settings in the IT System the TOE is operating within. The lack of proper IT system configuration could make the TOE security features, such as access control or audit features, ineffective. This Threat is countered by ensuring that: O.DRA_AUTH: The TOE protects against this threat by ensuring that only authorized administrators are able to access functionality. O.DRA_ACPOL: The TOE counters this threat by providing an access policy. O.OFLOWS: The TOE counters this threat by requiring the TOE handle data storage overflows. 4.4.2.10. T. SC_MALRUN Users could execute malicious code on an IT System that the TOE is installed on which causes modification of the TOE protected data or undermines the IT System security functions. This Threat is countered by ensuring that: O.ADMIN_ROLE: The TOE counters this threat by defining authorizations that determine the actions / roles that authorized entities may perform. O.DRA_AUDIT: The TOE counters this threat by providing transactional based audit capabilities. O.DRA_TDS: The TOE protect entries in the log facility by using cascaded hashes and not enabling modification of existing records. O.DRA_REP: The TOE counters this threat by providing identification for all source and target objects transactions. O.DRA_DATVAL: The TOE counters this threat by providing audit data that is tamper evident by applying cascaded hashes. 4.5. Security Objectives Rationale for Environment Assumptions This section provides evidence demonstrating coverage of the Non-IT security objectives by the environmental assumptions. The following table shows this assumption to objective mapping. OE.ADMIN OE.AVAILABILITY OE.CONFIG OE.CONNECT OE.INSTAL OE.CREDEN OE.PERSON OE.PHYCAL OE.INTROP Intended usage assumptions A.ACCESS x A.ASCOPE x A.DYNMIC x x Physical assumptions A.LOCATE x Personnel assumptions A.MANAGE x A.NOEVIL x x Connectivity Assumptions A.AVAIL x x A.CONFIG x December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 24 of 44 OE.ADMIN OE.AVAILABILITY OE.CONFIG OE.CONNECT OE.INSTAL OE.CREDEN OE.PERSON OE.PHYCAL OE.INTROP A.NETCON x Table 2: Complete coverage – environmental assumptions 4.5.1. A.ACCESS The TOE has access to all the IT System data it needs to perform its functions. This Assumption is satisfied by ensuring that: OE.INTROP: The OE.INTROP objective ensures the TOE has the needed access. 4.5.2. A.ASCOPE The TOE is appropriately scalable to the IT System the TOE monitors. This Assumption is satisfied by ensuring that: OE.INTROP: The OE.INTROP objective ensures the TOE has the necessary interactions with the IT System it monitors. 4.5.3. A.DYNIMC The TOE will be managed in a manner that allows it to appropriately address changes in the IT System the TOE monitors. This Assumption is satisfied by ensuring that: OE.PERSON: The OE.PERSON objective ensures that the TOE will be managed appropriately. OE.INTROP: The OE.INTROP objective ensures the TOE has the proper access to the IT System. 4.5.4. A.LOCATE The server components of the TOE will be located within controlled access facilities, which will prevent unauthorized physical access. This Assumption is satisfied by ensuring that: OE.PHYCAL: The OE.PHYCAL objective provides for the physical protection of the TOE. 4.5.5. A.MANAGE There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains. This Assumption is satisfied by ensuring that: OE.PERSON: The OE.PERSON objective ensures all authorized administrators are qualified and trained to manage the TOE. 4.5.6. A.NOEVIL The authorized administrators are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the TOE documentation. This Assumption is satisfied by ensuring that: December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 25 of 44 OE.INSTAL: The OE.INSTAL objective ensures that the TOE is properly installed and operated. OE.CREDEN: The OE.CREDEN objective supports this assumption by requiring protection of all authentication data 4.5.7. A.AVAIL The TOE will be installed in an IT environment that provides the systems, networks, and all components. . This Assumption is satisfied by ensuring that: OE.ADMIN: The OE.ADMIN objective ensures that only Administrators can access the management functions for the TOE. OE.AVAILABILITY: The OE.AVAILABILITY objective ensures that the system is fully available and fully redundant. 4.5.8. A.CONFIG The TOE environment will be properly configured to allow for proper usage of the application. This Assumption is satisfied by ensuring that: OE.CONFIG: The OE.CONFIG objective ensures that the system is configured in a manner consistent with IT security and according to the MS Configuration Guidance Documentation. 4.5.9. A.NETCON The TOE will be installed in an IT environment that allows for communications between the components. This Assumption is satisfied by ensuring that: OE.CONNECT: The OE.CONNECT objective addresses A.NETCON. 4.6. Security Requirements Rationale This section demonstrates how there is at least one functional component for each objective (and how all SFRs map to one or more objectives) by a discussion of the coverage for each objective. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 26 of 44 O.ADMIN_ROLE O.DRA_ACPOL O.DRA_AUDIT O.DRA_AUTH O.DRA_DATVAL O.DRA_REP O.DRA_TDS O.MANAGE O.OFLOWS O.RESPONSE O.TOE_PROTECTION FAU_ARP.1 X FAU_GEN.1 X X X FAU_SAA.1 X X FAU_SAR.1 X FAU_STG.1 X X X X FDP_ACC.1 X X X X FDP_ACF.1 X FIA_ATD.1 X FMT_MOF.1 X X FMT_MSA.1 X X FMT_MSA.3 X FMT_MTD.1 X X X FMT_SMF.1 X FMT_SMR.1 X WMAP_ADM.1(EX) X X WMAP_ALR.1(EX) X X X WMAP_STG.1(EX) X X Table 3: Objective to Requirement Correspondence 4.6.1. O.ADMIN_ROLE The TOE will define authorizations that determine the actions authorized administrator roles may perform. This TOE Security Objective is satisfied by ensuring that: FIA_ATD.1: The TOE maintains authorization information that determines which TOE functions a role may perform. FMT_SMR.1: The TOE recognizes any user account that is assigned in the IT environment to one or more system-defined operating system user groups as an “authorized administrator”. WMAP_ADM.1 (EX): The TOE provides authorized administrators with the ability to delegate to assistants the ability to interactively modify resources using the UI. 4.6.2. O.DRA_ACPOL The TOE must provide an access policy. This TOE Security Objective is satisfied by ensuring that: FDP_ACC.1: The TOE can be configured to limit access to Administrators, Assistant Administrators, or Domain Administrators. FDP_ACF.1: The TOE can be configured to enforce access control to objects. 4.6.3. O.DRA_AUDIT December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 27 of 44 The TOE must collect and store transactional information that can be used to audit changes to the Active Directory. This TOE Security Objective is satisfied by ensuring that: FAU_GEN.1: The TOE provides the ability to generate audit records. FAU_SAR.1: The TOE provides authorized users the capability to read all audit information. FAU_STG.1: The TOE provides the ability to protect the audit record outside of the system. FMT_MOF.1: The TOE restricts the ability to enable and disable audit functions to Administrators, Assistant Administrators, or Administrators from Managed Domains. FMT_MTD.1: The TOE restricts the ability to modify the audit configuration to Administrators, Assistant Administrators, or Administrators from Managed Domains. 4.6.4. O.DRA_AUTH The TOE must ensure that only authorized administrators are able to access functionality. This TOE Security Objective is satisfied by ensuring that: FDP_ACC.1: The TOE can be configured to limit access to Administrators, Assistant Administrators, or Domain Administrators. FMT_MSA.1: The TOE will enforce access controls that restrict the ability to alter security attributes powers or groups of powers to Administrators, Assistant Administrators, or Domain Administrators. 4.6.5. O.DRA_DATVAL This TOE Security Objective is satisfied by ensuring that: FAU_SAA.1: The TOE can provide Analysis of the Audit data to determine if the data was modified. 4.6.6. O.DRA_REP The TOE must provide identification for source and target objects. This TOE Security Objective is satisfied by ensuring that: FDP_ACC.1: The TOE can be configured to limit access to Administrators, Assistant Administrators, or Domain Administrators. FMT_MTD.1: The TOE can be configured to limit access to the audit configuration to Administrators, Assistant Administrators, or Administrators from Managed Domains 4.6.7. O.DRA_TDS: The TOE must protect entries in the Log Archive Trace Datastore. This TOE Security Objective is satisfied by ensuring that: FAU_GEN.1: The TOE provides the ability to generate an audit record. FAU_STG.1: The TOE provides the ability to protect the audit record outside of the system. WMAP_STG.1 (EX): The TOE provides the ability to abort an attempted command and display a message if the storage capacity has been reached. WMAP_ALR.1 (EX): The TOE provides the ability to define groups of rules as well as rules for the generation of events using one or more notification mechanisms. 4.6.8. O.MANAGE The TOE will allow administrators to effectively manage the TOE and its security functions December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 28 of 44 This TOE Security Objective is satisfied by ensuring that: FMT_MOF.1: The TOE restricts the ability to manage WMAP settings to authorized administrators. FMT_MSA.1 The TOE enforces the access control policy and restricts the ability to modify, add, or delete the security roles to Administrators, Assistant Administrators, or Administrators from Managed Domains. FMT_MSA.3 The TOE enforces the access control policy to provide restrictive default values for security attributes that are used to enforce the SFP. The TOE also allows Administrators, Assistant admin groups, and Administrators from Managed Domains to specify alternative initial values that override the default values when an object or information is created. FMT_MTD.1: The TOE restricts the ability to query collected data and generated reports to authorized users. FMT_SMF.1: The TOE provides authorized administrators with the ability to manage WMAP settings and review collected data. WMAP _ADM.1(EX): The TOE provides authorized administrators with the ability to delegate to assistants the ability to interactively modify resources using the UI. 4.6.9. O. OFLOWS The TOE must appropriately handle potential System data storage overflows This TOE Security Objective is satisfied by ensuring that: FAU_STG.1: The TOE provides audit information for all transactions. WMAP_ALR.1 (EX): The TOE generates an event failure alarm (message) when audit storage space is exceeded. WMAP_STG.1 (EX): The TOE stops transactions from occurring when audit storage space is exceeded. Failed attempts due to storage generate messages. 4.6.10. O. RESPONSE The TOE must respond appropriately to trigger events. This TOE Security Objective is satisfied by ensuring that: FAU_ARP.1: The TOE allows access to functions based on explicit privileges (powers) provided to an assistant admin. If a user attempts to make a change they are not authorized for, they receive a message, the transaction is blocked, and an entry is made into the Audit Repository on the DRA Server. FAU_SAA.1: The TOE can be configured to look at an events occurrence and generate an alarm. WMAP_ALR.1 (EX): The TOE generates alarms that notify authorized administrators or assistants using the console, using email, using SMTP, and/or executing a command in a configured script. Note that alarms may be generated in response to administratively-configured processing rules. 4.6.11. O.TOE_PROTECTION The TOE must protect itself and its assets from external interference or tampering. This TOE Security Objective is satisfied by ensuring that: FAU_GEN.1: The TOE provides the ability to generate an audit record. FAU_STG.1: The TOE provides the ability to protect the audit record outside of the system. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 29 of 44 FDP_ACC.1: The TOE provides the ability to limit access to only Administrative users with defined group associations. 4.7. Security Assurance Requirements Rationale EAL2 was chosen to provide a low level of assurance that is consistent with good commercial practices. As such minimal additional tasks are placed upon the vendor assuming the vendor follows reasonable software engineering practices and can provide support to the evaluation for design and testing efforts. The chosen assurance level is appropriate with the threats defined for the environment. While the System may monitor a hostile environment, it is expected to be in a non-hostile position and embedded in or protected by other products designed to address threats that correspond with the intended environment. At EAL2, the System will have incurred a search for obvious flaws to support its introduction into the non-hostile environment. The ALC_FLR.1 augmentation was claimed since fault level remediation is important to the customers of the product. 4.7.1. Requirement Dependency Rationale The following table demonstrates that all dependencies among the claimed security requirements are satisfied and therefore the requirements work together to accomplish the overall objectives defined for the TOE. SFR Dependencies Met By FAU_ARP.1 FAU_SAA.1 Included FAU_SAA.1 FAU_GEN.1 Included FAU_GEN.1 FPT_STM.1 OE.TIME FAU_SAR.1 FAU_GEN.1 Included FAU_STG.1 FAU_GEN.1 Included FDP_ACC.1 FDP_ACF.1 Included FDP_ACF.1 FDP_ACC.1 FMT_MSA.3 Included Included FIA_ATD.1 None None FMT_MOF.1 FMT_SMR.1, FMT_SMF.1 Included FMT_MSA.1 FDP_ACC.1 FMT_SMR.1 FMT_SMF.1 Included Included Included FMT_MSA.3 FMT_MSA.1 FMT_SMR.1 Included Included FMT_MTD.1 FMT_SMR.1 FMT_SMF.1 Included Included FMT_SMF.1 None None FMT_SMR.1 FIA_UID.1 OE.USER_IDENTIFICATION WMAP_ADM.1(EX) None None WMAP_ALR.1(EX) None None WMAP_STG.1(EX) WMAP_ALR.1(EX) Included Table 4: Requirement Dependency 4.8. Explicitly Stated Requirements Rationale A class of WMAP requirements was created to specifically address the administrative proxy capability of a WMAP. The audit class of the CC (FAU) was used as a model for creating these requirements. The purpose of this class of requirements is to address the unique functionality of WMAP’s including capabilities for making, reviewing, and managing administrative changes. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 30 of 44 4.9. TOE Summary Specification Rationale Each subsection in the TSS describes a security function of the TOE. Each description is followed with rationale that indicates which requirements are satisfied by aspects of the corresponding security function. The set of security functions work together to satisfy all of the security functions and assurance requirements. Furthermore, all of the security functions are necessary in order for the TSF to provide the required security functionality. This Section in conjunction with Section 7, the TOE Summary Specification, provides evidence that the security functions are suitable to meet the TOE security requirements. The collection of security functions work together to provide all of the security requirements. The security functions described in the TOE summary specification are all necessary for the required security functionality in the TSF. Table 5: Security Functions vs. Requirements Mapping demonstrates the relationship between security requirements and security functions. Security Audit User Data Protection Identification and Authentication Security Management Windows Management Administrative Proxy Functions FIA_ATD.1 X FMT_MOF.1 X FMT_MTD.1 X FMT_SMF.1 X FMT_SMR.1 X X FMT_MSA.1 X FMT_MSA.3 X FAU_ARP.1 X FAU_GEN.1 X FAU_SAA.1 X FAU_SAR.1 X FAU_STG.1 X FDP_ACC.1 X FDP_ACF.1 X WMAP_ADM.1(EX) X X WMAP_ALR.1(EX) X X WMAP_STG.1(EX) X X Table 5: Security Functions vs. Requirements Mapping December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 31 of 44 5. Extended Components Definition (ASE_ECD) This chapter defines a new class required by Windows Management Adminstrative Proxy Devices. The class consists of the following family members WMAP_ADM, WMAP_ALR, and WMAP_STG. This class is defined because the Common Criteria (Parts 2) does not contain any SFRs which cover these functions. The families in this class address requirements for data review, alarms, collection controls, correlation, and loss prevention. Table 6: Extended Functional Components 5.1. Definition for WMAP_ADM.1 (EX) For the TOE described in this ST it was necessary to provide authorized entities with a mechanism to read and perform administrative functions as specified in Appendix A or by being an Administrator, Administrative Assistant or User of the program. This mechanism is covered by the WMAP_ADM family and contains the components as shown in Figure 5-1 below. WMAP_ADM WMAP_ADM.1 Figure 5-1: WMAP_ADM Component Leveling 5.1.1. Data Review (WMAP _ADM.1 (EX)) WMAP_ADM.1.1 The TSF shall provide authorized users with the capability to delegate to authorized users the capability to issue administrative commands and make changes to users. WMAP_ADM.1.2 The TSF shall provide authorized users a group or set of abilities that can be delegated to users. 5.1.2. Dependencies:  None 5.1.3. Management:  None 5.2. Definition for WMAP _ALR.1 (EX) For the TOE described in this ST it was necessary to define a new family (WMAP_ALR) that addresses what happens by enabling the creation of rules which define the generation of alerts, messages, and the disposition of events. This family contains the component as shown in Figure 5-2 below. WMAP_ALR WMAP_ALR.1 Figure 5-2: WMAP_ALR Component Leveling 5.2.1. Data Alarms (WMAP _ALR.1 (EX)) WMAP_ALR.1.1 The TSF shall provide rules, or groups of rules for events that [selection, any of following: display information on the administrator console, transmit information to the administrators using email, execute a command, execute a script] as (a/an) notification mechanism(s). Class Component WMAP: Windows Management Administrative Proxy WMAP_ADM.1(EX): Data Review WMAP _ALR.1(EX): Data Alarms WMAP _STG.1(EX): Data Loss Prevention December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 32 of 44 5.2.2. Dependencies:  None 5.2.3. Management:  None 5.3. Definition WMAP_STG.1 (EX) For the TOE described in this ST it is necessary to define a new family (WMAP_STG) that address what happens when the system runs out of storage capacity. This family contains the components as shown in Figure 5-3 below. WMAP_STG WMAP_STG.1 Figure 5-3: WMAP_STG Component Leveling 5.3.1. Data Loss Prevention (WMAP_STG.1 (EX)) WMAP_STG.1.1 This TSF shall [selection, any of the following: block the collection of System data, block the execution of all TOE transactions, generate a message] if the storage capacity has been reached. Dependencies:  WMAP_ALR.1 5.3.2. Management:  None December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 33 of 44 6. IT Security Requirements (ASE_REQ) This section defines the security functional requirements for the TOE as well as the security assurance requirements against which the TOE has been evaluated. All of the requirements have been copied from version 3.1 of the applicable Common Criteria documents, with the exception of the explicitly stated Security Functional Requirements. 6.1. TOE Security Functional Requirements Class Component FAU: Security Audit FAU_ARP.1: Security alarms FAU_GEN.1: Audit data generation FAU_SAA.1: Potential violation analysis FAU_SAR.1: Audit review FAU_STG.1: Protected audit trail storage FDP: User Data Protection FDP_ACC.1: Subset access control FDP_ACF.1: Security attribute based access control FIA: Identification and Authentication FIA_ATD.1: User attribute definition FMT: Security Management FMT_MOF.1: Management of security functions behavior FMT_MTD.1: Management of TSF data FMT_SMF.1: Specification of management functions FMT_SMR.1: Security roles FMT_MSA.1: Management of Security Attributes FMT_MSA.3: Static attribute initialization WMAP: Windows Management Administrative Proxy WMAP_ADM.1(EX): Data Review WMAP_ALR.1(EX): Data Alarms WMAP_STG.1(EX): Data Loss Prevention Table 7: TOE Security Functional Requirements 6.1.1. Security Audit (FAU) 6.1.1.1. Security alarms (FAU_ARP.1) FAU_ARP.1.1 The TSF shall [post a message, block the transaction, and generate a log entry] upon detection of a potential security violation. 6.1.1.2. Audit data generation (FAU_GEN.1) FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events: a) Start-up and shutdown of the audit functions; b) All auditable events for the [detailed] level of audit; and c) [All auditable events listed in Table 9]. FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [All auditable events listed in Table 9]. FAU_ARP.1 The TOE allows access to functions based on explicit privileges (powers) provided to an assistant admin. If a user attempts to make a change they are not authorized for, they receive a message, the transaction is blocked, December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 34 of 44 and an entry is made into the Audit Repository on the DRA Server. FAU_GEN.1 The TOE generates audit data for ALL transactions attempted and executed through the Console Subsystem. Audit data may include includes information about the operation that was performed including:  the type of object  who performed that operation (name, GUID, one point path of this account)  the name of the target object, GUID of the target object, one point path of the target object  Domain Controller used  what properties were changed (before and after values),  policy details & trigger details  UTC date and time, transaction id, and return code. FAU_SAA.1 The TOE provides functions to analyze audit events (all transactions attempted and executed) and trends as part of the Console Subsystem analysis reporting subsystem. FAU_SAR.1 The TOE provides event audit review for all attempted and executed jobs as part of the Console Subsystem via the ability to read audit records from the audit log. FAU_STG.1 The TOE stores audit event information for all attempted and executed changes in the DRA Server Subsystem. FDP_ACC.1 The TOE generate audit information regarding changes to access control. FDP_ACF.1 The TOE shall enforce access control to Audit records (containing all attempted and executed transactions) and prevent unauthorized deletion or modification of audit records. Audit data may include includes information about the operation that was performed including:  the type of object  who performed that operation (name, GUID, one point path of this account)  the name of the target object, GUID of the target object, one point path of the target object  Domain Controller used  what properties were changed (before and after values),  policy details & trigger details  UTC date and time, transaction id, and return code. Details of privileges required for are defined in Appendix A FMT_MOF.1 The TOE shall generate audit information regarding enabling / disabling /roles or the creation of groups of roles5 . FMT_MSA.1 The TOE shall generate audit information regarding changes to privileges. The TOE shall also generate audit information regarding changes to default privileges. FMT_MSA.3 The TOE shall provide audit records detailing changes from restrictive to permissive as well as changes from initial (default) values.to new values. 5 For an explicit list of Roles please refer to Appendix A. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 35 of 44 FMT_MTD.1 The TOE shall generate audit information for changes to configuration data and roles. FMT_SMF.1 The TOE shall generate audit information for addition of users, changes to user, or addition of role groups. The TOE will also generate audit information for the use of management functions. FMT_SMR.1 The TOE shall generate audit information for changes to the users associated with the roles (Administrator, Assistant administrators, or Users). The TOE will also generate audit information for actions performed by Administrators, Assistant administrators, and users. WMAP_ADM.1(EX) The TOE provides the ability to audit delegations to authorized users and groups of users. WMAP_ALR.1(EX) The TOE provides the ability to generate audit information for messages or alarms. WMAP_STG.1(EX) The TOE provides the ability to block transactions when audit storage capacity has been reached. Table 8: Auditable Events 6.1.1.3. Security audit analysis (FAU_SAA.1) FAU_SAA.1.1 The TSF shall be able to apply a set of rules in monitoring the audited events and based upon these rules indicate a potential violation of the enforcement of the SFRs. FAU_SAA.1.2 The TSF shall enforce the following rules for monitoring audited events: a) Accumulation or combination of [no such events specified] known to indicate a potential security violation; b) [all transactions performed by authorized TOE users]. 6.1.1.4. Audit review (FAU_SAR.1) FAU_SAR.1.1 The TSF shall provide [authorized users] with the capability to read [all audit information] from the audit records. FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information. 6.1.1.5. Protected audit trail storage (FAU_STG.1) FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorized deletion. FAU_STG.1.2 The TSF shall be able to [prevent] unauthorized modifications to the stored audit records in the audit trail. 6.1.2. User Data Protection (FDP) 6.1.2.1. Subset access control (FDP_ACC.1) FDP_ACC.1.1 The TSF shall enforce the [access control policy] on [all users with defined ‘powers’ as specified in Appendix A] 6.1.2.2. Security attribute based access control (FDP_ACF.1) FDP_ACF.1.1 The TSF shall enforce the [access control policy] to objects based on the following: [membership to Administrator, Assistant administrator groups / Administrators from Managed Domains and functions as listed in Appendix A]. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 36 of 44 FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [user execution of functionality based on group membership and / or roles6 ]. FDP_ACF.1.3 The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [none]. FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [users or member of groups with lack of explicitly granted powers as specified in Appendix A]. 6.1.3. Identification and Authentication (FIA) 6.1.3.1. User attribute definition (FIA_ATD.1) FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: roles: [authorizations]. 6.1.4. Security Management (FMT) 6.1.4.1. Management of security functions behavior (FMT_MOF.1) FMT_MOF.1.1 The TSF shall restrict the ability to [enable and disable] the functions [Related to: Security Audit, User Data Protection, Identification and Authentication, Security Management, Windows Management Administrative Proxy] to [Administrators, Assistant administrator groups, or Administrators from Managed Domains]. 6.1.4.2. Management of security attributes (FMT_MSA.1) FMT_MSA.1.1 The TSF shall enforce the [access control policy] to restrict the ability to [modify, add, or delete] the security attributes [powers and groups of powers] to [Administrators, Assistant administrator groups, or Administrators from Managed Domains]. 6.1.4.3. Static attribute initialization (FMT_MSA.3) FMT_MSA.3.1 The TSF shall enforce the [access control policy] to provide [restrictive] default values for security attributes that are used to enforce the SFP. FMT_MSA.3.2 The TSF shall allow the [Administrators, Assistant administrator groups, Administrators from Managed Domains] to specify alternative initial values to override the default values when an object or information is created. 6.1.4.4. Management of TSF data (FMT_MTD.1) FMT_MTD.1.1 The TSF shall restrict the ability to [modify] the [configuration data, report formats] to [Administrators, members of the Assistant administrators groups with the appropriate powers7 , or Administrators from Managed Domains]. 6.1.4.5. Specification of management Functions (FMT_SMF.1) FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions: [Modify the behavior of Assistant administrators by the addition of Roles in Appendix A, Modify the behavior of operational events8 , and Query collected transaction log and generate associated report]. 6.1.4.6. Security roles (FMT_SMR.1) 6 As described in Appendix A 7 Powers are the list of privileges / group of privileges 8 Operational events are included in Appendix A and include creation, modification, and deletion of accounts. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 37 of 44 FMT_SMR.1.1 The TSF shall maintain the roles [Administrators, Assistant administrators groups, Administrators from Managed Domains]. FMT_SMR.1.2 The TSF shall be able to associate users with roles. 6.1.5. Windows Management Administrative Proxy (WMAP) 6.1.5.1. Data Review (WMAP_ADM.1 (EX)) WMAP_ADM.1.1 The TSF shall provide authorized users with the capability to delegate to authorized users the capability to issue administrative commands and make changes to users. WMAP _ADM.1.2 The TSF shall provide authorized users a group or set of abilities that can be delegated to users. 6.1.5.2. Data Alarms (WMAP_ALR.1 (EX)) WMAP _ALR.1.1 The TSF shall provide rules, or groups of rules for events that [display information on the administrator console, transmit information to the administrators using email, execute a command, execute a script] as (a/an) notification mechanism(s). 6.1.5.3. Data Loss Prevention (WMAP_STG.1 (EX)) WMAP _STG.1.1 This TSF shall [block the collection of System data, block the execution of all TOE transactions, generate a message] if the storage capacity has been reached. 6.2. Security Assurance Requirements This section defines the assurance requirements for the TOE. The TOE assurance requirements are taken from the CC v3.1 Release 4, Part 3. The TOE functional security requirements are verified by the specified security assurance requirements. The following table summarizes the requirements. Assurance Class Assurance Components ADV: Development ADV_ARC.1 Security architecture description ADV_FSP.2 Security –enforcing functional specification ADV_TDS.1 Basic design AGD Guidance documents AGD_OPE.1 Operational user guidance AGD_PRE.1 Preparative procedures ALC: Life-cycle support ALC_CMC.2 Use of a CM system ALC_CMS.2 Parts of the TOE CM coverage ALC_DEL.1 Delivery procedures ALC_FLR.1 Basic flaw remediation ASE: Security Target evaluation ASE_CCL.1 Conformance claims ASE_ECD.1 Extended components definition ASE_INT.1 ST Introduction ASE_OBJ.2 Security objectives ASE_REQ.2 Derived security requirements ASE_SPD.1 Security problem definition ASE_TSS.1 TOE Summary specification ATE: Tests ATE_COV.1 Evidence of coverage ATE_FUN.1 Functional testing ATE_IND.2 Independent testing - sample AVA: Vulnerability Assessment AVA_VAN.2 Vulnerability analysis Table 9: Security Assurance Requirements December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 38 of 44 7. TOE Summary Specification (ASE_TSS) This chapter describes the security functions. 7.1. Security Audit The NetIQ Directory Resource Adminsitrator provides the ability to audit changes to the Active Directory made through the NetIQ Directory Resource Administrator application. When the ‘Assistant Admins’ make a change using NetIQ DRA, all changes are logged. In addition the Assistant Admin can only execute commands they are authorized to execute. The changes are logged in DRA’s audit repository. This repository is a check in repository, that is you can write but not update or delete records. In addition this information can be published to the Windows Event Log. The TOE generates audit records for Security Relevant events and stores them. The table of the audit events generated by the TOE is provided in Table 9: Auditable Events.. The TOE provides functions to review and analyze audit events (all attempted and executed) and trends as part of the Console Susbsystem analysis reporting subsystem. Access to the Audit log is restricted to a search UI, that has been explicitly been authorized for an assistant administrator to use. This privilige is provided by the DRA Administrator. The Security Audit function is designed to satisfy the following security functional requirements of FAU_GEN.1, The TOE generates audit data for ALL transactions attempted and executed through Console Subsystem. Audit data may include: o information about the operation that was performed including: the type of object o who performed that operation (name, GUID, one point path of this account) o the name of the target object, GUID of the target object, one point path of the target object o Domain Controller used o what properties were changed (before and after values), o policy details & trigger details o UTC date and time, transaction id, and return code. FAU_SAA.1 The TOE provides functions to analyze audit events (all transactions attempted and executed) and trends as part of the Console Subsystem analysis reporting subsystem. FAU_SAR.1 The TOE provides event audit review for all attempted and executed jobs as part of the Console Subsystem via the ability to read audit records from the audit log. FAU_STG.1. The TOE stores audit event information for all attempted and executed changes in the DRA Server Subsystem. 7.2. User Data Protection The NetIQ Directory Resource Administrator enables protection of data by enforcing the list of security attributes belonging to individual roles. These roles are defined in either the Assistant Administrators role or as explicit privileges provided by virtue of membership in the Administrators group. FDP_ACC.1 The TOE allows access to information by enforcing user privileges as defined in the Assistant Administrator’s explicit privileges, or in the Administrator groups. FDP_ACF.1 The TOE enforces access to functions based on the user privileges as defined in the Assistant Administrator’s explicit privileges or in the Administrator groups. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 39 of 44 WMAP_ADM.1.1 The TOE defines mechanisms for administrators to delegate privileges to individuals. WMAP_ADM.1.2 The TOE defines mechanisms for administrators to delegate privileges to groups of individuals. 7.3. Identification and Authentication The NetIQ Directory Resource Administrator provides user interfaces that administrators may use to define assistants and delegate responsibilities. The DRA GUI application examines the identification and authentication information for individual administrators and assistant administrators. When an administrator or assistant administrator attempts to access the DRA GUI, the DRA GUI interfaces first check to see if the user has been authenticated by the operating system in the IT Environment. If the user has been successfully identified and authenticated by the IT Environment, and if the user has been successfully identified and authenticated as a member of an administrative system and/or administrative sub group that the TOE recognizes, the DRA GUI provides access to its interfaces according to authorization data. Authorization data maintained by the TOE for each role that the TOE recognizes is used to determine the functions that a user possessing a given role (i.e. membership in an administrative system and/ or assistant administration group) may perform. The TOE recognizes the following operating system and assistant administrator groups, which each correspond to TOE roles:  Administrator,  Assistant Administrator Groups,  Administrators from Managed Domains Operating system groups and functions are described further in section 3.1.2. The Identification and authentication function is designed to satisfy the following security functional requirements: FIA_ATD.1: The TOE maintains authorization information that determines which TOE functions a role may perform. FMT_SMR.1: The TOE uses the operating system for the definition of different groups prior to allowing access. 7.4. Security Management The NetIQ Directory Resource Administrator application includes the following components:  DRA Primary Server  Console Subsystem To use the Console Subsystem the authorized administrator operating system account must be a member of one of the following groups:  Administrators,  Assistant Administrators Groups,  Administrators from Managed Domains The Security management function is designed to satisfy the following security functional requirements: FMT_MOF.1: The TOE restricts the ability to manage WMAP settings to authorized administrators and authorized assistant administrators. FMT_MSA.1 The TOE provides the ability to enforce the access control policy to provide .the ability to add / delete/ and modify security attributes to Administrators, Assistant administrator groups with the appropriate powers (listed in Appendix A) and Administrators from Managed Domains. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 40 of 44 FMT_MSA.3 The TSF provides the ability to modify the initial restrictive access controls. It also enables Administrators, Assistant administrator groups and Administrators from Managed Domains to change default values. FMT_MTD.1: The TOE restricts the ability to query and modify the collected data and generated reports to authorized users. FMT_SMF.1: The TSF provides authorized administrators with the ability to manage assistant administrators by adding roles or privileges in Appendix A. In addition it allows for the modification of the behavior of operational events as well, the ability to modify the information that is collected and any associated reports. FMT_SMR.1: The TSF maintains roles for Administrators, Assistant administrator groups, and Administrators from Managed Domains. It also allows authorized administrators the ability to associate users with roles. 7.5. Windows Management Administrative Proxy NetIQ DRA is a Windows Management Administrative Proxy. By this we mean that it proxies all changes to the Windows Management. NetIQ DRA also provides a facility that can be used to review all changes. Logging is critical to the success of the product; hence all transactions will be logged. In the event of a log failure the user will be informed that the action did not take place. The Window Management Administrative Proxy function is designed to satisfy the following security functional requirements: WMAP_ADM.1 The TSF shall provide authorized users the capability to delegate to authorized users the capability to issue administrative commands and changes. (EX) WMAP _ADM.1.2 The TSF shall provide authorized users the capability to delegate to users a group or set of abilities(EX) WMAP _ALR.1.1 The TSF can generate an alarm using one or more of the following notification mechanisms: Display alarm information to the administrator console Send alarm information to administrators using email Execute a command Execute a script in response to one or more of the following rule types: Event rules WMAP _STG.1.1 The TSF shall abort the attempted command and display a message if the storage capacity has been reached. December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 41 of 44 Appendix A – DRA Privileges / Roles / Powers list Power Power Power Create Private Advanced Query Create Public Advanced Query Delete Public Advanced Query Execute Advanced Query Execute Saved Advanced Query Modify Public Query View Advanced Query Export UI Reports Generate UI Reports Modify Clone Exceptions View Clone Exceptions Create Computer and Modify All Properties Delete Computer Account Delete Computer Account Permanently Modify All Computer Properties Modify Computer Dial-in Properties Modify General Computer Properties Reset Computer Account Reset Password for Local Administrator Start Computer Shutdown Stop Computer Shutdown Synchronize Domain Controllers View All Computer Properties View Name of Local Administrator Clone Contact and Modify All Properties Delete Contact Account Delete Contact Account Permanently Create Contact and Modify All Properties Create Contact and Modify Limited Properties Enable Email for New Contact Delete Email for Contact Enable Email for Cloned Contact Enable Email for Contact Modify Exchange Mailbox Email Addresses for Contact Modify All Contact Properties Modify Contact Address Properties Modify Contact Extension Attributes Modify Contact Name Modify General Contact Properties View All Contact Properties Modify Advanced Exchange Mailbox Properties for Contact Modify All Exchange Mailbox Properties for Contact Modify Exchange Mailbox Custom Attributes for Contact Modify Exchange Mailbox Delivery Restrictions for Contact Modify Exchange Mailbox ILS Settings for Contact Modify General Exchange Mailbox Properties for Contact View All Exchange Mailbox Properties for Contact Modify the VA1 property of User Retrieves the VA1 property of User Execute Custom Tools Manage Custom Tools View All Domain Properties Set Active Directory Collectors Enable / Disable DRA Collectors and Management Reporting Collectors Information Set Database Configuration Information View Active Directory Collectors View DRA Collectors and Management Reporting Collectors information View Database Configuration Information Delete Mailbox Enable/Disable Exchange Mailbox Unified Messaging Modify All Exchange Mailbox Features Modify Exchange Mailbox Unified Messaging Properties View All Exchange Mailbox Features View Exchange Mailbox Unified Messaging Properties Clone Exchange Mailbox and Modify All Properties Clone Exchange Mailbox Only Create Exchange Mailbox and Modify All Properties Create Exchange Mailbox Only Modify All Exchange Properties Modify General Exchange Mailbox Properties Move Exchange Mailbox View All Exchange Mailbox Properties December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 42 of 44 Power Power Power Modify All Mailbox Rights Modify Delete Mailbox Storage Rights Modify Mailbox Associated External Account Rights Modify Mailbox Change Permissions Modify Mailbox Full Access Rights Modify Mailbox Ownership Rights Modify Mailbox Read Permissions Modify Mailbox Receive As Rights Modify Mailbox Send As Rights View All Mailbox Rights Modify Advanced Exchange Mailbox Properties Modify Exchange Custom Attributes Modify Exchange Mailbox Delivery Options Modify Exchange Mailbox Delivery Restrictions Modify Exchange Mailbox Email Addresses Modify Exchange Mailbox ILS Settings Modify Exchange Mailbox Storage Limits Delete Group Account Permanently Delete Group Account Modify All Group Properties Modify General Group Properties View All Group Properties Add Cloned Group to ActiveView Clone Group and Modify All Properties Add New Group to ActiveView Create Group and Modify All Properties Create Group and Modify Limited Properties Enable Email for New Group Hide Group Membership in Distribution List Modify Advanced Exchange Mailbox Properties for Group Modify All Exchange Mailbox Properties for Group Modify Exchange Mailbox Custom Attributes for Group Modify Exchange Mailbox Delivery Restrictions for Group Modify General Exchange Mailbox Properties for Group Show Group Membership in Distribution List View All Exchange Mailbox Group Properties Delete Email for Group Enable Email for Group Modify Exchange Mailbox Email Addresses for Group View Email Address for Group Add Computer to Group Add Contact to Group Add Group to Group Add Object to Group Add User to Group Modify Group Membership Security Remove Computer from Group Remove Contact from Group Remove Group from Group Remove Object from Group Remove User from Group Modify Group Description Modify Group Name Modify Group Type Create Temporary Group Assignments Delete Temporary Group Assignments Modify Temporary Group Assignments Reset Temporary Group Assignment State View Temporary Group Assignments Modify Properties of a Custom Power View Power Properties Clone OU and Modify All Properties Create OU and Modify All Properties Delete OU Modify All OU Properties Modify General OU Properties Modify OU Name Move Computer to OU Move Contact to OU Move Group to OU Move Object to OU Move Organizational Unit to OU Move Printers to OU Move User to OU View All OU Properties Delete Published Printer Print Job Delete Published Printer Print Job Submitted by Managed User Modify All Published Printer Print Job Properties Modify All Published Printer Print Job Properties Submitted by Managed User Modify Published Printer Print Job Priority Pause Published Printer Print Job Pause Published Printer Print Job Submitted by Managed User Restart Published Printer Print Job Restart Published Printer Print Job Submitted by Managed User December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 43 of 44 Power Power Power Resume Published Printer Print Job Resume Published Printer Print Job Submitted by Managed User View All Published Printer Print Job Properties Modify All Published Printer Properties Pause Published Printer Resume Published Printer View All Published Printer Properties Delete Computer from Recycle Bin Delete Contact from Recycle Bin Delete Group from Recycle Bin Delete User from Recycle Bin Restore Computer from Recycle Bin Restore Contact from Recycle Bin Restore Group from Recycle Bin Restore User from Recycle Bin View All Recycle Bin Objects Delete Files from Server Set File Information Upload Files to Server Disconnect Any User Disconnect Managed User View All Connected User Properties Modify All Device Properties Start Device Stop Device View All Device Properties Clear Event Log Modify All Event Log Properties View Administration Server Events Only View All Event Log Properties Close Any Open File Close Open File for Managed User View All Open File Properties Delete Print Job Delete Print Job for Managed User Modify All Print Job Properties Modify All Properties of Print Job Submitted by Managed User Modify Print Job Priority Pause Print Job Pause Print Job for Managed User Restart Print Job Restart Print Job For Managed User Resume Print Job Resume Print Job for Managed User View All Print Job Properties Modify All Printer Properties Modify Printer Scheduling Properties Pause Printer Resume Printer View All Printer Properties Modify All Service Properties Modify General Service Properties Modify Service Logon Properties Pause Service Resume Service Start Service Stop Service View All Service Properties Clone Share and Modify All Properties Create Share and Modify All Properties Delete Share Modify All Share Properties View All Share Properties Manage My Account Modify All User Properties View All User Properties Clone Exchange Mailbox during User Clone Clone User and Modify All Properties Clone User and Modify Limited Properties Enable Email for Cloned User Add New User to Group Create User and Modify All Properties Create User and Modify Limited Properties Enable Email for New User Copy User to Another ActiveView Delete User Account Delete User Account Permanently Disable User Account Enable and Provision Users Enable User Account Manage User Password and Unlock Account Modify DES Encryption Modify Kerberos Authentication Requirements Modify Reversible Encryption for Password Reset User Account Password Specify When User Can Logon Specify Whether Account Can Be Delegated Specify Whether Account Is Trusted for Delegation Specify Whether Password Expires Specify Whether Password Is Required for Logon December 7, 2016 NetIQ® Directory Resource Administrator™ 9.0 Security Target NetIQ Corporation Page 44 of 44 Power Power Power Specify Whether SmartCard Is Required for Logon Specify Whether User Can Modify Password Specify Whether User Must Modify Password at Next Logon Specify Which Computers User Can Logon Unlock User Account Delete Email for User Enable Email for User View Email Address for User Modify User Account Expiration Modify User Comment Modify User Description Modify User Employee ID Modify User Fax Number Modify User Home Phone Modify User IP Phone Modify User Mobile Phone Modify User Name Modify User Pager Number Modify User Primary Group Modify User Type Modify User WTS Environment Properties Modify User WTS Remote Control Properties Modify User WTS Session Properties Modify User WTS Terminal Properties View User Primary Group Modify General User Properties Modify User Account Properties Modify User Address Properties Modify User Dial-in Properties Modify User Netware Properties Modify User Organization Properties Modify User Profile Properties Modify User Telephone Properties Modify User WTS Properties Add a User to Groups Found in a Template Modify Address Properties while Transforming a User Account Modify All Properties while Transforming a User Account Modify Description while Transforming a User Account Modify General Properties while Transforming a User Account Modify Office while Transforming a User Account Modify Organization Properties while Transforming a User Account Modify Telephone Properties while Transforming a User Account Remove a User from Groups Found in a Template Associate Virtual Attribute Create Virtual Attribute Disable Virtual Attribute Disassociate Virtual Attribute Enable Virtual Attribute