Microsoft Windows Common Criteria Evaluation Microsoft Windows 10 Version 1511 Operational Guidance



Yüklə 290,96 Kb.
səhifə6/8
tarix14.10.2017
ölçüsü290,96 Kb.
#4531
1   2   3   4   5   6   7   8

6.3User Guidance


Users may choose using TLS with HTTPS by using https in the URL typed into the browser.

7.Managing Apps


This section contains the following Common Criteria SFRs:

  • Extended: Security Attribute Based Access Control (FDP_ACF_EXT.1)

7.1IT Administrator Guidance


MDM solutions are capable of installing, removing and restricting the ability for applications to run on Windows 10.

7.2Local Administrator Guidance


The ability for users to run the Store app may be removed using a registry value on Windows 10 by performing the following steps:

  1. Start the registry editor tool by executing the command regedit.exe as an administrator

  2. Navigate to the registry path HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore. Note that the WindowsStore registry key may need to be created.

  3. Create a DWORD (32 bit) registry value with the name RemoveWindowsStore under the WindowsStore registry key. Set the registry value to 1.

Local administrators can also restrict the ability of users to install applications using AppLocker on Windows 10 as described in the AppLocker Overview: https://technet.microsoft.com/en-us/library/hh831440.aspx.

Local administrators remove applications in the same manner as device users.


7.3User Guidance


The following Windows help topic describes how users remove an app installed from the Store, or in the case of enrolled devices, from their Company Portal or installed automatically by their IT administrator, and any information the app contained:

  • Uninstall, change or repair a program: http://windows.microsoft.com/en-us/windows-10/repair-or-remove-programs#v1h=tab01

Note: If the system administrator has configured required Enterprise apps then those Enterprise apps will be re-installed if a user uninstalls them.

8.Managing Volume Encryption


This section contains the following Common Criteria SFRs:

  • Extended: Data at Rest Protection (FDP_DAR_EXT.1)

The following TechNet topic describes the BitLocker feature, including its use to encrypt the entire operation system volume or removable volumes:

  • BitLocker Overview: http://technet.microsoft.com/en-US/library/hh831713.aspx

8.1Local Administrator Guidance


The following TechNet topic describes the manage-bde command that should be executed in a command shell while running as an administrator to configure DAR protection:

  • Manage-bde: http://technet.microsoft.com/en-us/library/ff829849(v=ws.10).aspx

By default AES128 encrypion is used by the manage-bde command when enabling BitLocker for Windows 10 – the AES256 algorithm should be used instead. In addition, the TPM and PIN authorization factor must be used in the evaluated configuration. The Enhanced PIN capabilities must be used in the evaluated configuration.

To enable the TPM and Enhanced PIN authorization factors execute the following command:



  • Manage-bde –on : -tpmandpin -encryptionMethod aes256

The following is a link to BitLocker Policy settings:

  • https://technet.microsoft.com/en-us/library/jj679890.aspx

Administrators must create an Enhanced PIN value with a minimum of four and a maximum of 20 numeric characters, but can also include uppercase and lowercase English letters, symbols on an EN-US keyboard, numbers, and spaces. To enable the Enhanced PIN capabilities start the gpedit.msc MMC snap-in as an administrator and enable the following local or group policy:

  • Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\Allow enhanced PINs for startup

Other BitLocker policies that must be enabled to use the TPM and Enhanced PIN authenticator are:

  • Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\Enable use of BitLocker authentication requiring preboot keyboard input on slates

  • Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\Require additional authentication at startup

8.2User Guidance


Users may enable BitLocker on the system drive in the control panel. Users may also use BitLocker To Go in order to encrypt removable drives. The following details how to do this:

    1. Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.

    2. On the BitLocker Drive Encryption page, follow the instructions in the Removable data drives – BitLocker To Go section.

9.Managing VPN


The native Window 10 VPN client is not part of this evaluation. Windows 10 does provides support for third-party IPsec VPN clients using the Windows.Networking.Vpn classes and the networkingVpnProvider capability. The link below provides documentation for Windows.Networking.Vpn:

  • https://msdn.microsoft.com/en-us/library/windows/apps/windows.networking.vpn.aspx

10.Managing Accounts


This section contains the following Common Criteria SFRs:

  • Extended: Authorization Failure Handling (FIA_AFL_EXT.1)

10.1Local Administrator Guidance


The following TechNet topic explains the net accounts command line utility for standalone computers (followed by command line options for managing account lockout policy):

  • Net Accounts: http://technet.microsoft.com/en-us/library/bb490698.aspx

In addition to the parameters given in the referenced article the following are also valid options:

/lockoutthreshold: number   : Sets the number of times a bad password may be entered until the account is locked out. If set to 0 then the account is never locked out.

/lockoutwindow: minutes   : Sets the number of minutes of the lockout window.

/lockoutduration: minutes   : Sets the number of minutes the account will be locked out for.

Exceeding the authentication failure limit is audited by Security log Id 4740. However, this information is lost when an enrolled device exceeds the authentication failure limit configured by the IT administrator as described in section “Managing Wipe”.

When the organizational user attempts to logon repeatedly with a bad password, they will eventually be prompted that the account is about to be locked out and that they will need a BitLocker recovery key to unlock. In certain configurations of the system, including the evaluated configuration, there will not be a Bitlocker recovery key to use once the maximum logon attempt threshold is passed. In such a situation the device is considered to be “wiped” as recovery of the data on the Bitlocker encrypted volumes is not possible. This is true even if the system prompts the user explicitly for a Bitlocker recovery key, as this prompt occurs even if no Bitlocker recovery key was ever configured.



Yüklə 290,96 Kb.

Dostları ilə paylaş:
1   2   3   4   5   6   7   8



Verilənlər bazası müəlliflik hüququ ilə müdafiə olunur ©www.genderi.org 2024
rəhbərliyinə müraciət
    Ana səhifə
Psixologiya