This section contains the following Common Criteria SFRs:
-
Extended: Bluetooth Authentication (FIA_BLT_EXT.1)
-
Specifications of Management Functions (FMT_SMF_EXT.1)
11.1IT Administrator
The TOE includes a Policy Configuration Service Provider (CSP) that is able to handle policy configuration requests from MDM systems. The following MSDN topic describes how to configure the Bluetooth trusted channel policies a) disable/enable the Discoverable mode (for BR/EDR), b) change the Bluetooth device name, c) disable/enable Advertising (for LE):
-
Policy CSP: https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx
-
See Bluetooth/AllowDiscoverableMode, Bluetooth/LocalDeviceName and Bluetooth/AllowAdvertising
Bluetooth is enabled and disabled in the Settings -> Devices -> Bluetooth user interface by setting the radio button labeled Bluetooth to the On or Off state.
No configuration is necessary to ensure the Bluetooth services provided before login are limited.
11.3User Guidance
The following topic describes how to initiate and complete pairing with a Bluetooth device:
-
Add a Bluetooth device: https://www.microsoft.com/surface/en-us/support/hardware-and-drivers/add-a-bluetooth-device?os=windows-10
Bluetooth pairing uses a protected communication channel by default so there is no configuration necessary.
12.1Strong Passwords
This section contains the following Common Criteria SFRs:
-
Extended: Password Management (FIA_PMG_EXT.1)
12.1.1IT Administrator Guidance
An MDM system may be used to enforce use of strong passwords.
12.1.2Local Administrator Guidance
The following TechNet topics describe the characteristics for passwords that are available, instructions for setting the enforcement mechanism and a discussion of strong passwords and recommended minimum settings:
-
Enforcing Strong Password Usage Throughout Your Organization: https://technet.microsoft.com/en-us/library/hh994562(v=ws.10).aspx
-
Strong Password: http://technet.microsoft.com/en-us/library/cc756109(v=ws.10).aspx
-
Password Best practices: http://technet.microsoft.com/en-us/library/cc784090(v=ws.10).aspx
12.2Protecting Passwords
This section contains the following Common Criteria SFRs:
-
Protected Authorization Feedback (FIA_UAU.7)
12.2.1User Guidance
The following Windows Help topic describes how to conduct initial logon authentication for users:
-
Sign in to or out of Windows: http://windows.microsoft.com/en-us/windows-8/sign-in-out-of-windows
Windows 10 do not require any configuration to ensure the password is obscured by default. The following best practices should be observed:
Keep your device in a secure location where unauthorized people do not have physical access to it. As with any password entry, be aware of line of sight and potential recording devices that intrude on your screen.
This section contains the following Common Criteria SFRs:
-
Extended: Authentication for Cryptographic Operation (FIA_UAU_EXT.1)
-
Extended: Timing of Authentication (FIA_UAU_EXT.2)
-
Extended: Re-Authorizing (FIA_UAU_EXT.3)
-
Specifications of Management Functions (FMT_SMF_EXT.1)
12.3.1Local Administrator Guidance
The out of box experience requires that when user accounts are created a password is assigned to the account.
To change an account password do either of the following:
-
Tap the Start menu, tap the account picture, tap Change account settings, tap Sign-in options, tap Change under Password.
-
Type the secure attention sequence: CTRL-ALT-DEL
The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy. The relevant security policy is “Interactive logon: Machine inactivity limit” as described in the following Technet topic in the section heading titled “New and changed functionality”:
-
Security Policy Settings Overview: http://technet.microsoft.com/en-us/library/2fdcbb11-8037-45b1-9015-665393268e36
The following Technet topics include guidance for administrators to open the Local Group Policy Editor tool or the Group Policy Management Console, respectively, that are used to configure the Windows security policy:
-
Local Group Policy Editor: http://technet.microsoft.com/en-us/library/dn265982.aspx
12.3.2User Guidance
To configure screen lock timeout:
-
Go to Settings -> System -> Power & sleep -> Additional power settings -> Change when the computer sleeps
To initiate a session lock:
-
Tap the Start menu, tap the account picture, click Lock.
To manage notifications on the lock screen:
-
Go to Settings -> System -> Notifications & actions
13.Managing Certificates
This section contains the following Common Criteria SFRs:
-
Extended: Validation of Certificates (FIA_X509_EXT.1)
-
Extended: Certificate Authentication (FIA_X509_EXT.2)
-
Extended: Cryptographic Key Storage (FCS_STG_EXT.1)
13.1Developer Guidance
Application developers import and use keys and secrets with the Windows.Security.Cryptography.Certificates namespace as described by the following MSDN topic:
-
Windows.Security.Cryptography.Certificates namespace: https://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.certificates.aspx?f=255&MSPPError=-2147217396
Developers have a choice when enrolling for a certificate to use either CertificateEnrollmentManager base class or the derived class UserCertificateEnrollmentManager. When using UserCertificateEnrollmentManager the keys are secured by the user account credentials and user account ACLs. When using the CertificateEnrollmentManager base class the keys are only available to the application that imported or created the keys.
Dostları ilə paylaş: |