Common Criteria Security Target for Citrix XenDesktop 7.6


CN11-ST-0001

Common Criteria Security Target for Citrix XenDesktop 7.6 Platinum Edition and Citrix XenApp 7.6 Platinum Edition

Version 1-0
© 2015 Citrix Systems, Inc. All rights reserved
2 March 2015

Summary of Amendments

Version: 1-0
Date: 2 March 2015
Notes: First definitive version

Ver 1-0 TB 2 March 2015 Page 2 of 61

0. Preface

0.1 Objectives of Document

This document presents the Common Criteria (CC) Security Target (ST) to express the security and evaluation requirements for the Citrix XenDesktop 7.6 Platinum Edition and Citrix XenApp 7.6 Platinum Edition products. The products are developed by Citrix Systems, Inc.

The Sponsor and Developer for the EAL2 evaluations is Citrix Systems, Inc.

0.2 Scope of Document

The scope of the Security Target within the development and evaluation process is described in the Common Criteria for Information Technology Security Evaluation [CC]. In particular, a Security Target defines the IT security requirements of an identified TOE and specifies the functional and assurance security measures offered by that TOE to meet stated requirements [CC1, Section C.1].

Security Functional Requirements (SFRs), as defined in [CC2], are the basis for the TOE IT security functional requirements expressed in this Security Target. These requirements describe the desired security behaviour expected of a TOE and are intended to meet the security objectives as stated in this Security Target. Security Functional Requirements express security requirements intended to counter threats in the assumed operating environment of the TOE, and cover any identified organisational security policies and assumptions.

0.3 Intended Readership

The target audience of this ST are consumers, developers, certifiers and evaluators of the TOE; additional information can be found in [CC1, Section 6.2].

0.4 Related Documents

Common Criteria (1)

[CC1] Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model, CCMB-2012-09-001, Version 3.1 Revision 4, September 2012.
[CC2] Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Components, CCMB-2012-09-002, Version 3.1 Revision 4, September 2012.
[CC3] Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Components, CCMB-2012-09-003, Version 3.1 Revision 4, September 2012.
[CEM] Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, CCMB-2012-09-004, Version 3.1 Revision 4, September 2012.

Note: the 3 separate parts of Common Criteria are also referred to collectively as "[CC]".

(1) For details see http://www.commoncriteriaportal.org/

Developer documentation

[CCECG] Common Criteria Evaluated Configuration Guide for Citrix XenApp 7.6 Platinum Edition and XenDesktop 7.6 Platinum Edition, 27 February 2015, document code: 2/27/2015 14:17:44

Other

[FIPS140-2] Federal Information Processing Standards Publication, Security Requirements for Cryptographic Modules, FIPS PUB 140-2, NIST, 25 May 2001

0.5 Significant Assumptions

None

0.6 Outstanding

...d Encryption Standard
DDC: Delivery Controller (the leading 'D' is present for historical reasons and to avoid potential confusion with 'Domain Controller')
EAL: Evaluation Assurance Level
FIPS: Federal Information Processing Standards
ICA: Independent Computing Architecture
LAN: Local Area Network
OSP: Organisational Security Policy

PP: Protection Profile
SAR: Security Assurance Requirement
SFP: Security Function Policy
SFR: Security Functional Requirement
ST: Security Target
TLS: Transport Layer Security
TOE: Target of Evaluation
TSF: TOE Security Functionality
VDA: Virtual Delivery Agent
WCF: Windows Communication Foundation

0.8 Glossary

Access permissions for virtual desktops: configuration data within the TOE which determines which virtual desktops each user is permitted to access.
Access permissions for (published) applications: configuration data within the TOE which determines which published applications each user is permitted to access (cf. Permitted Published Applications (q.v.)).
Assurance: grounds for confidence that a TOE meets the SFRs. [CC1]
Catalog: a collection of machines of the same Machine Type. Catalogs are managed as a single entity. Desktops or servers from more than one catalog can be allocated to a delivery group.
Citrix Receiver: installed on user devices, this is a client that provides direct ICA connections to server or desktop Virtual Delivery Agents. Although this is a Citrix framework that supports various plug-ins, in the evaluated configuration it will only be used with the Citrix Online Plug-in.
Citrix Studio: provides the administration interface to the Delivery Controller for managing access permissions for virtual desktops, virtual desktop configuration data, published applications, published application configuration data (permitted published applications for each application user) and Endpoint data access control policy.
Configdata: configuration data within the TOE, which includes access permissions for virtual desktops and published applications, Virtual Desktop configuration data and Endpoint data access control policy. See section 3.1.
Controller: Delivery Controller (q.v.)
Delivery Controller: authenticates administrators and users, manages the assembly of users' virtual desktop and application environments and brokers connections between users and their virtual desktops and applications. In Citrix documentation often identified simply as the Controller.
Delivery Group: an administrative grouping of machines to supply desktops and/or applications that are allocated to users or groups of users. Machines from one or more catalogs are used to create the delivery group. Users can be given permissions to access one or more delivery groups, but in the evaluated configuration each user is given access to only a single desktop delivery group and a single application delivery group.
Domain pass-through: a means of authentication in which single sign-on is provided using the domain credentials (either smartcard and PIN, or username and password) used to log on to a domain-joined client running Citrix Receiver.
Endpoint data access control policy: a set of rules, configured within the TOE, which determine whether or not a user can access User Device resources (specifically clipboard, local drives and USB devices) from within a virtual desktop or published application; used in conjunction with input evidence values to determine specific settings for any particular virtual desktop.
Evaluation Assurance Level: an assurance package, consisting of assurance requirements drawn from CC Part 3, representing a point on the CC predefined assurance scale. [CC1]
ICA File: a file used with the Independent Computing Architecture, which contains configuration information enabling a client to connect to a server.
Independent Computing Architecture: a presentation services protocol, used to present input (keystrokes, mouse clicks etc.) to the virtual desktop and published applications for processing and to return output (display, audio etc.) to the Citrix Receiver running on the client.
License Server: a server that issues licenses for Citrix products.
Machine Type: defines the machine type (desktop or server OS) as well as a number of other properties relating to how machines in a catalog are provisioned, allocated and managed. In the evaluated configuration only manually provisioned machine types will be used. The manually provisioned machine type enables the use of XenDesktop and XenApp to manage and deliver user desktops and applications that have already been migrated to VMs in the data centre. In the evaluated configuration, only static pre-assigned desktop machines are used, which means that each user is assigned a specific virtual desktop by an administrator, and the user receives this virtual desktop at each logon.
Object: a passive entity in the TOE that contains or receives information, and upon which subjects perform operations. [CC1]
Operational Environment: the environment in which the TOE is operated. [CC1]
Organisational Security Policy: a set of security rules, procedures, or guidelines imposed (or presumed to be imposed) now and/or in the future by an actual or hypothetical organisation in the operational environment. [CC1]
Permitted Published Applications: the set of published applications to which an authorised User has been granted access. (See also Published Applications.)
Protection Profile: an implementation-independent statement of security needs for a TOE type. [CC1]
Provisioning: the act of creating new virtual desktops and/or published applications, including the operating system image for the desktops and related configuration.
Published Applications: the applications that administrators can configure to be accessible by authorised Users. The definition also includes data and resources associated with a given application (e.g. data defining the initial configuration or appearance of an application). Different authorised Users may have access to different sets of applications (see Permitted Published Applications).
Security Assurance Requirement: a description of how assurance is to be gained that the TOE meets the SFRs. [CC1]
Security Attribute: a property of subjects, users (including external IT products), objects, information, sessions and/or resources that is used in defining the SFRs and whose values are used in enforcing the SFRs. [CC1]
Security Function Policy: a set of rules describing specific security behaviour enforced by the TSF and expressible as a set of SFRs. [CC1]
Security Functional Requirement: a translation of the security objectives for the TOE into a standardised language [CC1], describing the desired security behaviour expected of a Target of Evaluation (TOE) [CC2].
Security Objective: a statement of intent to counter identified threats and/or satisfy identified organisational security policies and/or assumptions. [CC1]
Security Target: an implementation-dependent statement of security needs for a specific identified TOE. [CC1]
Site: a collection of Catalogs, Delivery Groups, Published Applications, virtual desktops and Configdata that are defined, managed and accessed via the same Delivery Controller, and which are stored within a common, shared database. In the evaluated configuration, there will only be a single application delivery group and a single desktop delivery group defined in the site.
StoreFront: a server that provides a user with an interface to a self-service store which allows them to subscribe to and launch their chosen apps and desktops following authentication.
Subject: an active entity in the TOE that performs operations on objects. [CC1]
Target of Evaluation: a set of software, firmware and/or hardware possibly accompanied by guidance. [CC1]
TOE Security Functionality: a set consisting of all hardware, software, and firmware of the TOE that must be relied upon for the correct enforcement of the SFRs. [CC1]
Transport Layer Security: an open, non-proprietary, standardised protocol providing server authentication, data stream encryption and message integrity checks for a TCP/IP connection.
TSF Data: data created by and for the TOE, that might affect the operation of the TOE. [CC1]
User Data: data created by and for the user, that does not affect the operation of the TSF. [CC1]
User Device: a device (in the evaluated configuration this will be a PC running Windows) used by a user to gain access to their virtual desktops or published applications.
Userdata: user data within the TOE. See section 3.1.
Virtual Delivery Agent: installed on virtual desktops and on servers running Microsoft Remote Desktop Services, this enables direct ICA connections between the virtual desktop or published applications running on the server and users' User Devices.
Virtual Desktop: a desktop operating system running on a virtual machine on a virtualised server, personalised for a desktop user. (Note that only virtual desktops running on desktop Virtual Delivery Agents are included in the scope of the evaluation; desktops running on server Virtual Delivery Agents are excluded.)
Virtual Desktop configuration data: configuration data within the TOE which determines the configuration and characteristics of each virtual desktop.
VM Host: a server providing the virtual machines on which the virtual desktops and virtual applications are running.

Contents

1. ST Introduction ... 11
  1.1 ST and TOE Reference Identification ... 11
  1.2 TOE Overview ... 11
    1.2.1 Usage and major features of the TOE ... 11
    1.2.2 TOE Type ... 13
    1.2.3 Required non-TOE hardware/software/firmware ... 13
  1.3 TOE Description ... 14
  1.4 TOE Boundaries ... 18
    1.4.1 Physical Boundary ... 18
    1.4.2 Logical Boundary ... 19
    1.4.3 Summary of items out of scope of the TOE ... 20
2. CC Conformance ... 23
3. Security Problem Definition ... 24
  3.1 Assets ... 24
  3.2 Users and Subjects ... 24
  3.3 Threats ... 25
    3.3.1 Attacks on the TOE ... 25
  3.4 Organisational Security Policies ... 25
  3.5 Assumptions ... 26
4. Security Objectives ... 27
  4.1 Security Objectives for the TOE ... 27
  4.2 Security Objectives for the Environment ... 28
    4.2.1 Security Objectives for the Technical Environment ... 28
    4.2.2 Security Objectives for the Procedural Environment ... 29
  4.3 SPD/Objectives Rationale ... 31
    4.3.1 T.Attack DesktopOrApp ... 32
    4.3.2 T.Attack Userdata ... 32
    4.3.3 T.Access DesktopOrApp ... 32
    4.3.4 T.Access Userdata ... 33
    4.3.5 T.Intercept ... 34
    4.3.6 T.Spoof ... 34
    4.3.7 T.Attack Configdata ... 34
    4.3.8 OSP.Crypto ... 35
    4.3.9 A.Physical ... 35
    4.3.10 A.Config Endpoint ... 35
    4.3.11 A.Operations Security ... 35
    4.3.12 A.VM Host ... 35
    4.3.13 A.Third Party SW ... 35
5. Extended Component Definition ... 36
  5.1 Extended Security Requirements ... 36
    5.1.1 Conformance with External Cryptographic Accreditation (FCS_ECA) ... 36
      5.1.1.1 FCS_ECA.1 Conformance with External Cryptographic Accreditation ... 37
    5.1.2 Secure Channel Operation (FCO_SCO) ... 38
      5.1.2.1 FCO_SCO.1 Secure Channel Operation ... 38
6. IT Security Requirements ... 40
  6.1 Conventions ... 40
  6.2 Security Functional Requirements ... 40
    6.2.1 Authentication ... 40
      6.2.1.1 FIA_ATD.1/User User attribute definition ... 40
      6.2.1.2 FIA_UID.2/User User ide
