Microsoft Windows Common Criteria Evaluation Microsoft Windows 10 Version 1511 Operational Guidance



Yüklə 290,96 Kb.
səhifə2/8
tarix14.10.2017
ölçüsü290,96 Kb.
#4531
1   2   3   4   5   6   7   8

1.Introduction


This document provides operational guidance information for a Common Criteria evaluation describing only the security functionality which the administrator should use – any security functionality not described in this document is not part of the evaluation.

1.1Configuration

1.1.1Evaluated Configuration


The Common Criteria evaluation includes a specific configuration of Windows, the “evaluated configuration”. To run Windows deployments using the evaluated configuration follow the deployment steps and apply the security policies and security settings indicated below. The Security Target section 1.1 describes the Windows editions and security patches included in the evaluated configuration.

The operating system is pre-installed on the devices in the evaluated configuration. When the device is turned on for the first time the Out of Box Experience (OOBE) runs to complete the configuration.

The following security policies are applied after completing the OOBE:


Security Policy

Policy Setting

Local Policies\Security Options\System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithm

Enabled

Administrative Template\Windows Components\Credentials User Interface\Do not display the password reveal button

Enabled

The following security settings are applied to create the evaluated configuration:



  • Cipher suite selection is configured according to section 5 Managing TLS

  • Volume encryption is enabled according to section 8 Managing Volume Encryption

  • VPN connections route all traffic through the VPN tunnel as described section 9 Managing VPN

  • Passwords use a minimum of six alphanumeric characters and symbols according to section 12.1 Strong Passwords

  • RSA machine certificates are configured according to section 13 Managing Certificates to use a minimum 2048 bit key length

  • Session locking is enabled according to section 16 Locking a Device

  • Devices are enrolled for device management according to section 18 Device Enrollment

  • Enrolled policy must have the Enterprise Data Protection settings enabled

The following Windows Update packages must be installed:

  • All critical updates as of December 31, 2015

Some of the links in this document may be written for Windows versions that are earlier than Windows 10. The content in all these links apply to the Windows 10 version.


1.1.2Mobile Device Management Solutions


Many of the configurations described in this guide for the IT Administrator role are applied to the device through a Mobile Device Management (MDM) solution. The specific steps to perform a configuration through the MDM are solution-specific and are not described in this document. Examples of possible configuration option text are provided in this document, but are not guaranteed to match any specific MDM solution. See the MDM solution documentation for detailed configuration actions.

2.Management Functions


The following table maps management functions to roles:




Management Function

User Guidance

Local Administrator Guidance

IT Administrator Guidance

1

Configure password policy








2

Configure session locking policy








3

Enable/disable the VPN protection








4

Enable/disable [Wi-Fi, Bluetooth]








5

Enable/disable [camera, microphone]








6

Specify wireless networks (SSIDs) to which the TSF may connect








7

Configure security policy for connecting to wireless networks








8

Transition to the locked state








9

TSF10 wipe of protected data









10

Configure application installation policy








11

Import keys/secrets into the secure key storage








12

Destroy imported keys/secrets and any other keys/secrets in the secure key storage








13

Import X.509v3 certificates into the Trust Anchor Database








14

Remove imported X.509v3 certificates and any other X.509v3 certificates in the Trust Anchor Database









15

Enroll the TOE in management









16

Remove applications








17

Update system software








18

Install applications 








19

Remove Enterprise applications








20

Configure the Bluetooth trusted channel








21

Enable/disable display notification in the locked state









22

Enable/disable all data signaling over [USB hardware ports]









24

Enable/disable developer modes








25

Enable data-at rest protection








26

Enable removable media’s data at rest protection








28

Wipe Enterprise data








30

Configure whether to allow a trusted channel if certificate validation is not possible








32

Read audit logs kept by the TSF








33

Configure certificate used to validate digitally signed applications








34

Approve exceptions for shared use of keys/secrets by multiple applications








35

Approve exceptions for destruction of keys/secrets by other applications








36

Configure the unlock banner








37

Configure the auditable items









38

Retrieve TSF-software integrity verification values









40

Enable/disable backup to remote system








44

Enable/disable location services








Yüklə 290,96 Kb.

Dostları ilə paylaş:
1   2   3   4   5   6   7   8



Verilənlər bazası müəlliflik hüququ ilə müdafiə olunur ©www.genderi.org 2024
rəhbərliyinə müraciət
    Ana səhifə
Psixologiya