Microsoft Windows Common Criteria Evaluation Microsoft Windows 10 Version 1511 Operational Guidance




11. Managing Bluetooth


This section contains the following Common Criteria SFRs:

  • Extended: Bluetooth Authentication (FIA_BLT_EXT.1)

  • Specifications of Management Functions (FMT_SMF_EXT.1)

11.1 IT Administrator


The TOE includes a Policy Configuration Service Provider (CSP) that handles policy configuration requests from MDM systems. The following MSDN topic describes how to configure the Bluetooth trusted channel policies, which a) disable or enable Discoverable mode (for BR/EDR), b) change the Bluetooth device name, and c) disable or enable Advertising (for LE):

  • Policy CSP: https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx

    • See Bluetooth/AllowDiscoverableMode, Bluetooth/LocalDeviceName and Bluetooth/AllowAdvertising
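The three policies named above, as an MDM server could send them in one OMA-DM SyncML message. This is an added example, not part of Microsoft's guidance document; it assumes device-scope Policy CSP paths under ./Vendor/MSFT/Policy/Config, and the device name and CmdID values are constructed placeholders.

```xml
<!-- Added example: SyncML body setting the Bluetooth policies of the Policy CSP.
     0 = not allowed, 1 = allowed (the default) for the two integer policies. -->
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <!-- a) Disable Discoverable mode (BR/EDR): other devices cannot find this one -->
    <Replace>
      <CmdID>1</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/Policy/Config/Bluetooth/AllowDiscoverableMode</LocURI>
        </Target>
        <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
        <Data>0</Data>
      </Item>
    </Replace>
    <!-- b) Set the Bluetooth device name (constructed placeholder value);
         a generic name avoids disclosing the owner or device role -->
    <Replace>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/Policy/Config/Bluetooth/LocalDeviceName</LocURI>
        </Target>
        <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
        <Data>EXAMPLE-DEVICE-01</Data>
      </Item>
    </Replace>
    <!-- c) Disable Advertising (LE): the device sends no LE advertisements -->
    <Replace>
      <CmdID>3</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/Policy/Config/Bluetooth/AllowAdvertising</LocURI>
        </Target>
        <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
        <Data>0</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>
```

The MDM server can confirm the applied state by issuing a Get against the matching ./Vendor/MSFT/Policy/Result/Bluetooth/ node for each policy.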

11.2 Local Administrator Guidance


Bluetooth is enabled and disabled in the Settings -> Devices -> Bluetooth user interface by setting the radio button labeled Bluetooth to the On or Off state.

No configuration is necessary to ensure the Bluetooth services provided before login are limited.


11.3 User Guidance


The following topic describes how to initiate and complete pairing with a Bluetooth device:

  • Add a Bluetooth device: https://www.microsoft.com/surface/en-us/support/hardware-and-drivers/add-a-bluetooth-device?os=windows-10

Bluetooth pairing uses a protected communication channel by default, so no configuration is necessary.

12. Managing Passwords

12.1 Strong Passwords


This section contains the following Common Criteria SFRs:

  • Extended: Password Management (FIA_PMG_EXT.1)

12.1.1 IT Administrator Guidance


An MDM system may be used to enforce use of strong passwords.

12.1.2 Local Administrator Guidance


The following TechNet topics describe the available password characteristics, give instructions for setting the enforcement mechanism, and discuss strong passwords and recommended minimum settings:

  • Enforcing Strong Password Usage Throughout Your Organization: https://technet.microsoft.com/en-us/library/hh994562(v=ws.10).aspx

  • Strong Password: http://technet.microsoft.com/en-us/library/cc756109(v=ws.10).aspx

  • Password Best practices: http://technet.microsoft.com/en-us/library/cc784090(v=ws.10).aspx

12.2 Protecting Passwords


This section contains the following Common Criteria SFRs:

  • Protected Authorization Feedback (FIA_UAU.7)

12.2.1 User Guidance


The following Windows Help topic describes how to conduct initial logon authentication for users:

  • Sign in to or out of Windows: http://windows.microsoft.com/en-us/windows-8/sign-in-out-of-windows

Windows 10 does not require any configuration to ensure the password is obscured by default. The following best practices should be observed:

Keep your device in a secure location where unauthorized people do not have physical access to it. As with any password entry, be aware of line of sight and potential recording devices that intrude on your screen.

12.3 Logon/Logoff Password Policy


This section contains the following Common Criteria SFRs:

  • Extended: Authentication for Cryptographic Operation (FIA_UAU_EXT.1)

  • Extended: Timing of Authentication (FIA_UAU_EXT.2)

  • Extended: Re-Authorizing (FIA_UAU_EXT.3)

  • Specifications of Management Functions (FMT_SMF_EXT.1)

12.3.1 Local Administrator Guidance


The out-of-box experience requires that a password is assigned to each user account when the account is created.

To change an account password do either of the following:



  • Tap the Start menu, tap the account picture, tap Change account settings, tap Sign-in options, tap Change under Password.

  • Type the secure attention sequence: CTRL-ALT-DEL

The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy. The relevant security policy is “Interactive logon: Machine inactivity limit”, as described in the section titled “New and changed functionality” of the following TechNet topic:

  • Security Policy Settings Overview: http://technet.microsoft.com/en-us/library/2fdcbb11-8037-45b1-9015-665393268e36

The following TechNet topics include guidance for administrators to open the Local Group Policy Editor tool or the Group Policy Management Console, respectively, that are used to configure the Windows security policy:

  • Local Group Policy Editor: http://technet.microsoft.com/en-us/library/dn265982.aspx

12.3.2 User Guidance


To configure screen lock timeout:

  • Go to Settings -> System -> Power & sleep -> Additional power settings -> Change when the computer sleeps

To initiate a session lock:

  • Tap the Start menu, tap the account picture, click Lock.

To manage notifications on the lock screen:

  • Go to Settings -> System -> Notifications & actions

13. Managing Certificates


This section contains the following Common Criteria SFRs:

  • Extended: Validation of Certificates (FIA_X509_EXT.1)

  • Extended: Certificate Authentication (FIA_X509_EXT.2)

  • Extended: Cryptographic Key Storage (FCS_STG_EXT.1)

13.1 Developer Guidance


Application developers import and use keys and secrets with the Windows.Security.Cryptography.Certificates namespace as described by the following MSDN topic:

  • Windows.Security.Cryptography.Certificates namespace: https://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.certificates.aspx?f=255&MSPPError=-2147217396

When enrolling for a certificate, developers can use either the CertificateEnrollmentManager base class or the derived class UserCertificateEnrollmentManager. When using UserCertificateEnrollmentManager, the keys are secured by the user account credentials and user account ACLs. When using the CertificateEnrollmentManager base class, the keys are only available to the application that imported or created the keys.
