Microsoft Windows Common Criteria Evaluation Microsoft Windows 10 Version 1511 Operational Guidance



Date: 14.10.2017

3.2 Managing Audit Policy

3.2.1 Local Administrator Guidance


The following log locations are always enabled:

  • Windows Logs -> System

  • Windows Logs -> Setup

  • Windows Logs -> Security (for startup and shutdown of the audit functions and of the OS and kernel, and clearing the audit log)

The following TechNet topic describes the categories of audits in the Windows Logs -> Security log:

  • Advanced Audit Policy Configuration: http://technet.microsoft.com/en-us/library/jj852202(v=ws.10).aspx

The following TechNet topic describes how to select audit policies by category, user and audit success or failure in the Windows Logs -> Security log:

  • Auditpol set: https://technet.microsoft.com/en-us/library/cc755264.aspx

For example, to enable all audits in the given subcategories of the Windows Logs -> Security log run the following commands at an elevated command prompt:

  • Logon operations:

auditpol /set /subcategory:"Logon" /success:enable /failure:enable


  • Audit policy changes:

auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable


  • IPsec operations:

auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable

auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable




  • Configuring IKEv1 and IKEv2 connection properties:

auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable

auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable




  • Registry changes (modifying TLS Cipher Suite priority):

auditpol /set /subcategory:"Registry" /success:enable /failure:enable
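
A check that the subcategories enabled above are actually auditing both success and failure. This is an added example, not part of the original guidance; it assumes an elevated Windows PowerShell session on an English-language installation (auditpol localizes the setting text), and the function name Get-AuditSetting is hypothetical.

```powershell
# Added example: verify the audit subcategories named on this page.
# Assumes an elevated session and English-language auditpol output.
$subcategories = @(
    'Logon',
    'Audit Policy Change',
    'IPsec Main Mode',
    'IPsec Quick Mode',
    'Filtering Platform Policy Change',
    'Other Policy Change Events',
    'Registry'
)

# Hypothetical helper: returns the parsed auditpol report row for one subcategory.
function Get-AuditSetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    # /r makes auditpol emit CSV; the header row names the columns.
    $csv = auditpol /get /subcategory:"$Subcategory" /r
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$Subcategory'" }
    # Drop blank lines so ConvertFrom-Csv sees the header first.
    $csv | Where-Object { $_ } | ConvertFrom-Csv
}

$report = foreach ($name in $subcategories) {
    $row = Get-AuditSetting -Subcategory $name
    [pscustomobject]@{
        Subcategory = $row.Subcategory
        Setting     = $row.'Inclusion Setting'
        Compliant   = $row.'Inclusion Setting' -eq 'Success and Failure'
    }
}

$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) {
    Write-Warning 'At least one subcategory is not auditing both success and failure.'
}
```
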

In addition to enabling audit policy as noted above, each registry key to be audited must also have its auditing permissions enabled. This is done as follows:



  1. Start the registry editor tool by executing the command regedit.exe as an administrator

  2. Navigate to the registry path for the key that should be audited, right-click the key’s node and select Permissions… on the key’s context menu to open the Permissions dialog

  3. Click the Advanced button to open the Advanced Security Settings dialog, click on the Auditing tab and click the Add button to open the Auditing Entry dialog

  4. Click the Select a principal link to open the Select User or Group dialog, select a user (e.g. Administrator) and click the OK button

  5. Choose the desired audits using the Type, Applies to and Basic Permissions attributes and click OK

  6. Click OK on the Advanced Security Settings dialog

  7. Click OK on the Permissions dialog

The following is the list of registry keys that must be audited:

  • HKEY_LOCAL_MACHINE/Software/Microsoft/PolicyManager

  • HKEY_LOCAL_MACHINE/Software/Policies/Microsoft/Windows/DeviceInstall/Restrictions

  • HKEY_LOCAL_MACHINE/Software/Policies/Microsoft/Windows/SettingSync/DisableSettingSync

  • HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Policies/System
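
The same auditing entries can be applied from an elevated Windows PowerShell session instead of the regedit dialogs. This is an added example, not part of the original guidance; the audited principal (Everyone), the audited rights (write-type access) and auditing of both success and failure are assumptions to adjust to your policy.

```powershell
# Added example: add an auditing entry (SACL rule) to each registry key listed above.
# Key paths are the ones on this page, written in registry-provider form.
$keys = @(
    'HKLM:\Software\Microsoft\PolicyManager',
    'HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions',
    'HKLM:\Software\Policies\Microsoft\Windows\SettingSync\DisableSettingSync',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

# Assumptions (not from the page): principal, rights and audit type.
$principal = 'Everyone'
$rights    = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
$inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$auditType = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $principal, $rights, $inherit, $propagate, $auditType)

foreach ($key in $keys) {
    # A path that does not exist as a key on this system cannot carry a SACL.
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "Skipping $key (not present as a key on this system)"
        continue
    }
    # -Audit is required; without it Get-Acl does not return the SACL.
    $acl = Get-Acl -LiteralPath $key -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $key -AclObject $acl

    # Read the SACL back to confirm the entry was written.
    (Get-Acl -LiteralPath $key -Audit).Audit |
        Format-Table IdentityReference, RegistryRights, AuditFlags, IsInherited
}
```

The entries produce events only while the "Registry" subcategory is enabled with auditpol as shown earlier.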

To enable/disable TLS event logging in the System Event Log, see the following link:

  • https://technet.microsoft.com/en-us/library/Dn786445.aspx#BKMK_HowToEnableSchannelEventLogging

To enable/disable event logging in the Application and Services Logs, see the following link describing how to enumerate the log names and set their enabled state:

  • Wevtutil: http://technet.microsoft.com/en-us/library/cc732848.aspx

To view audit logs, see the following link:

  • Get-EventLog: http://technet.microsoft.com/en-us/library/hh849834.aspx

4. Managing Wipe


This section contains the following Common Criteria SFRs:

  • Extended: TSF Wipe (FCS_CKM_EXT.5)

4.1 IT Administrator


The MDM administrator can configure Windows 10 devices to be wiped after a maximum number of consecutive authentication failures is exceeded, by using the “Number of failed logon attempts before the device is wiped” policy as described in the following TechNet topic (see the “Password” heading):

    • General settings for Mobile Devices in Configuration Manager: https://technet.microsoft.com/en-us/library/dn376523.aspx#BKMK_Password

The “Password” settings are enforced only if the “Require password settings on mobile devices” policy is also set.

4.2 Local Administrator Guidance


The following Windows help topic describes how to reset Windows 10 devices with removal of all user data (the “Fully clean the drive” option wipes all protected data):

  • How to refresh, reset, or restore your PC: http://windows.microsoft.com/en-us/windows-10/windows-10-recovery-options

5. Managing EAP-TLS


This section contains the following Common Criteria SFRs:

  • Extended: Trusted Channel Communication (FTP_ITC_EXT.1)

  • Extended: PAE Authentication (FIA_PAE_EXT.1)

  • Extended: Wireless Network Access (FTA_WSE_EXT.1)

  • Specifications of Management Functions (FMT_SMF_EXT.1)

5.1 IT Administrator Guidance


An MDM system can be used to manage Wi-Fi profiles.

The following links specify the server certificate requirements for EAP-TLS and the procedure to create a Wi-Fi profile in System Center 2012 R2 Configuration Manager:



  • Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS: http://support.microsoft.com/kb/814394/en-us

  • Wi-Fi Profiles in Configuration Manager: https://technet.microsoft.com/en-us/library/dn261221.aspx

Steps 1 – 4 in the following link describe how to configure the IT infrastructure for EAP-TLS using WPA2-Enterprise (based on 802.1x authentication and 802.11-2012 encryption standards):

  • Creating a secure 802.1x wireless infrastructure using Microsoft Windows: http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx

Group policy can be used to specify the wireless networks (SSIDs) that a user may connect to.

  • Configure Network Permissions and Connection Preferences: https://msdn.microsoft.com/en-us/library/dd759204.aspx



