Microsoft Windows Common Criteria Evaluation Microsoft Windows 10 Version 1511 Operational Guidance



Date: 14.10.2017

13.2 IT Administrator Guidance


Root certificates can be added to and removed from devices using an MDM for enrolled devices. The following link is an example of MDM documentation for deploying root certificates:

  • How to Deploy Certificate Profiles in Configuration Manager: https://technet.microsoft.com/en-us/library/dn270540.aspx

Windows 10 can be configured to enroll for client certificates using an MDM for enrolled devices. The following link is an example of MDM documentation for configuring the enrollment of client certificates:

  • Certificate deployment with System Center 2012 R2 Configuration Manager and Windows Intune: http://blogs.technet.com/b/configmgrteam/archive/2014/04/28/certificate-deployment-with-system-center-2012-r2-configuration-manager-and-windows-intune.aspx

13.3 Local Administrator Guidance


The following TechNet topic describes managing certificates (including the “Obtain a Certificate” sub-topic):

  • Manage Certificates: http://technet.microsoft.com/en-us/library/cc771377.aspx

  • Certutil: http://technet.microsoft.com/library/cc732443.aspx

The operational guidance for setting up a trusted channel to communicate with a CA is described in the operational guidance for FTP_ITC.1 (OS).

The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:



  • Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx

The following TechNet topic describes how to delete a certificate:

  • Delete a Certificate: http://technet.microsoft.com/en-us/library/cc772354.aspx

Root certificates can be added to and removed from devices using an MDM for enrolled devices.

When validating a certificate with modern Windows applications, the connection to a configured revocation server must be available or the validation will fail. This configuration cannot be changed.

The administrator configures certificate validation using the Set-NetFirewallSetting PowerShell cmdlet as described in the following TechNet topic:


  • Set-NetFirewallSetting: http://technet.microsoft.com/en-us/library/jj554878.aspx

The administrator configures certificate validation for network connections based on EAP-TLS using the “Set Up a Connection or Network” wizard in the “Smart Card or Other Certificate Properties” and “Configure Certificate Selection” screens as described in the following TechNet topic:

  • Extensible Authentication Protocol (EAP) Settings for Network Access (Smart Card or other Certificate Properties configuration items): https://technet.microsoft.com/en-us/library/hh945104.aspx#BKMK_LAN_SmartCard

The administrator configures certificate validation for HTTPS using the Security options checkboxes in the Advanced tab on the Internet Properties dialog for Control Panel. The “Warn about certificate address mismatch” setting configures whether the Web address must match the certificate subject field and warns the user of a mismatch. The following MSDN Blog describes the “Check for server certificate revocation” setting:

  • Understanding Certificate Revocation Checks: http://blogs.msdn.com/b/ieinternals/archive/2011/04/07/enabling-certificate-revocation-check-failure-warnings-in-internet-explorer.aspx

The administrator cannot configure certificate validation for code signing purposes.

Key lengths of keys used with certificates are configured in the certificate templates on the Certificate Authority used during enrollment and are not configured by the user or local administrator.


13.4 User Guidance


The following TechNet topic describes how to manually import a certificate:

  • Import a Certificate: http://technet.microsoft.com/en-us/library/cc754489.aspx

When using HTTPS in a browsing scenario, the user may choose to ignore a failed certificate validation and continue the connection.

13.5 Custom Certificate Requests


Certificate requests with specific fields such as "Common Name", "Organization", "Organizational Unit", and/or "Country" can be generated by apps using the Certificates.CertificateEnrollmentManager.CreateRequestAsync API. The following link provides the documentation for the API:

https://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.certificates.certificateenrollmentmanager.createrequestasync.aspx


14. Managing Time


This section contains the following Common Criteria SFRs:

  • Reliable Time Stamps (FPT_STM.1)

14.1 Local Administrator Guidance


The administrator sets the time using the Set-Date PowerShell cmdlet that is documented here:

  • http://technet.microsoft.com/en-us/library/7f44d9e2-6956-4e55-baeb-df7a649fdca1

The administrator configures the time service to synchronize time from a time server using the W32tm command that is documented here:



  • http://technet.microsoft.com/en-us/library/cc773263(v=WS.10).aspx#w2k3tr_times_tools_dyax

The administrator ensures the communication path between the TOE client and the time service provider is protected from attacks that could compromise the integrity of the time by establishing an IPsec policy using the “Microsoft Windows 8 Microsoft Windows Server 2012 --- Supplemental Admin Guidance for IPsec VPN Clients (January 23 2014)”, where section 3 provides detailed instructions that can be used to configure the TOE client and the time service provider.



The administrator ensures the NTP server is authenticated by verifying the IP address provided by the IT administrator for the NTP Server in the main mode and quick mode security associations according to the audit trail for the FTP_ITC.1 requirement outlined in section “4.1 Audit Policy for IPsec Operations” of the IPsec VPN Client guidance. In particular, audits are provided when a trusted channel is established that includes the IP address of the channel’s local and remote endpoints. If the integrity of the trusted channel is compromised, then this is indicated by the audit Id 4960 that is also discussed in section 4.1.
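One way to perform the audit check described above, as an added example that is not part of the original guidance. The server address 192.0.2.10 is a placeholder. Event IDs 4650, 4651 and 5451 are the standard Windows IPsec security-association audit IDs, not values quoted on this page. Matching the address in the rendered message text is an assumption about how the endpoints appear.

```powershell
# Added example; run elevated. Assumes the IPsec audit subcategories from
# section 4.1 of the IPsec VPN Client guidance are already enabled.
param(
    [string]$NtpServer     = '192.0.2.10',  # placeholder: address supplied by the IT administrator
    [int]   $LookbackHours = 24
)

$since = (Get-Date).AddHours(-$LookbackHours)

# 4650, 4651 = main mode SA established; 5451 = quick mode SA established
# 4960       = IPsec dropped an inbound packet that failed an integrity check
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4650, 4651, 5451, 4960
    StartTime = $since
} -ErrorAction SilentlyContinue

# Assumption: the remote endpoint address appears verbatim in the event message.
# The look-around guards stop 192.0.2.10 from matching 192.0.2.100.
$pattern = '(?<![\d.])' + [regex]::Escape($NtpServer) + '(?![\d.])'
$forPeer = @($events | Where-Object { $_.Message -match $pattern })

$mainMode  = @($forPeer | Where-Object { $_.Id -in 4650, 4651 })
$quickMode = @($forPeer | Where-Object { $_.Id -eq 5451 })
$integrity = @($events  | Where-Object { $_.Id -eq 4960 })

# Confirm the time service is actually using the server the channel protects.
$timeSource = (w32tm /query /source) -join ' '

[pscustomobject]@{
    NtpServer             = $NtpServer
    TimeSource            = $timeSource
    SourceMatchesServer   = $timeSource -match $pattern
    MainModeSAs           = $mainMode.Count
    QuickModeSAs          = $quickMode.Count
    TrustedChannelSeen    = ($mainMode.Count -gt 0 -and $quickMode.Count -gt 0)
    IntegrityFailures4960 = $integrity.Count
}

# Any 4960 event in the window needs review regardless of the peer address.
$integrity | Select-Object TimeCreated, Id, Message | Format-List
```

A result with `TrustedChannelSeen` false or `IntegrityFailures4960` above zero means the time source should not be treated as protected until the IPsec policy and audit trail have been reviewed.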

15. Getting Version Information


This section contains the following Common Criteria SFRs:

  • Extended: Trusted Update: TSF Version Query (FPT_TUD_EXT.1)

15.1 User Guidance


To determine the hardware model and operating system version:

  • Go to Settings -> System -> About

The following are instructions for getting the version of an app on Windows 10:

  1. Start the app you wish to get the version of.

  2. Once the app is opened, move your mouse cursor to the upper-right or lower-right corner of the screen to see the Charms bar. Touch screen users need to swipe-in from the right-edge of the screen to bring up the Charms bar.

  3. Click or tap Settings charm on the Charms bar to open Settings for the app.

  4. Click or tap Permissions to see the developer’s name and also current version of the app.

16. Locking a Device


This section contains the following Common Criteria SFRs:

  • Extended: TSF and User initiated Locked State (FTA_SSL_EXT.1)

16.1 IT Administrator Guidance


The following TechNet topic describes the “Idle time before mobile device is locked (minutes)” MDM configuration policy setting that may be used to configure the “MaxInactivityTimeDeviceLock” MDM configuration policy settings for enrolled devices:

  • Compliance Settings for System Center 2012 R2 Configuration Manager: http://technet.microsoft.com/en-us/library/dn376523.aspx#bkmk_comps

16.2 Local Administrator Guidance


The following TechNet topics include guidance for administrators to open the Local Group Policy Editor tool or the Group Policy Management Console, respectively, which are used to configure the Windows security policy for standalone or domain-joined machines:

  • Local Group Policy Editor: http://technet.microsoft.com/en-us/library/dn265982.aspx

  • Group Policy Management Console: http://technet.microsoft.com/en-us/library/dn265969.aspx

The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy. The relevant security policy is “Interactive logon: Machine inactivity limit” as described in the following TechNet topic in the section titled “New and changed functionality”:

  • Security Policy Settings Overview: http://technet.microsoft.com/en-us/library/2fdcbb11-8037-45b1-9015-665393268e36

16.3 User Guidance


See section 12.3.2

16.4 Managing Notifications Prior to Unlocking a Device


This section contains the following Common Criteria SFRs:

  • Default TOE Access Banners (FTA_TAB.1)

16.4.1 Local Administrator Guidance


The following TechNet topics describe how to configure a message to users attempting to logon:

  • Interactive logon: Message title for users attempting to log on: http://technet.microsoft.com/en-us/library/cc778393(v=ws.10).aspx

  • Interactive logon: Message text for users attempting to log on: http://technet.microsoft.com/en-us/library/cc779661(v=WS.10).aspx

17. Managing Airplane Mode


This section contains the following Common Criteria SFRs:

  • Specifications of Management Functions (FMT_SMF_EXT.1)

17.1 User Guidance


When airplane mode is on, wireless connections, cellular voice, cellular protocols, and messaging functionality will not work on the device. The following link describes how to enable/disable airplane mode: http://windows.microsoft.com/en-us/windows-10/turn-on-airplane-mode

18. Managing Device Enrollment


This section contains the following Common Criteria SFRs:

  • Specifications of Management Functions (FMT_SMF_EXT.1)

  • Extended: Specification of Remediation Actions (FMT_SMF_EXT.2)

18.1 IT Administrator


A Mobile Device Management (MDM) administrator can remotely wipe enrolled devices. The following MSDN topic describes the doWipe command supported on Windows 10 devices by the RemoteWipe Configuration Service Provider (CSP):

  • RemoteWipe CSP: https://msdn.microsoft.com/en-us/library/windows/hardware/dn904968(v=vs.85).aspx

18.2 Local Administrator Guidance


To enroll for management do the following:

  • Go to Settings -> Accounts -> Work access

  • Tap the Connect button

  • Fill in the user account credentials provided by your IT administrator

Unenrollment from the MDM solution performs the remediation actions of:

  • alert the administrator

  • remove Enterprise applications

To unenroll from device management do the following:

  • Go to Settings -> Accounts -> Work access

  • Tap the Remove button that is displayed when the enrollment setting is selected, and then confirm the Remove operation

The local administrator determines if the device is enrolled or not enrolled by looking at the Work access page of the Accounts settings. On the Work access page, if the device is enrolled then the enrollment setting is indicated by the Work access name as established by your IT administrator and the account name provided by your IT administrator that was used to enroll the device. Tapping the enrollment setting reveals the Sync, Info and Remove buttons that may be used to synchronize device management settings, inspect Work access enrollment settings or remove the device from enrollment.

18.3 User Guidance


Users manage device enrollment like local administrators as described above.

19. Managing Updates


Windows 10 applications include metadata that is installed with the application by the Windows Installer and the Store App installer. The application metadata includes version information that prevents the Windows Installer and the Store App installer from updating an installed application with an older version.

Update packages downloaded by Windows Update for Windows 10 are signed with the Microsoft Root Certificate Authority to prove their authenticity and integrity. This signature is checked on the mobile device before installing any of the product updates contained in a given package in order to verify the updates have not been altered since they were digitally signed. If the signature is incorrect, then the update operation will fail. Otherwise, if the signature is correct then the update operation will proceed.


19.1 IT Administrator


Consult MDM documentation for configuring System Updates.

19.2 Local Administrator


There are two options for the local administrator to configure System Updates:

20. Managing Health Attestation

20.1 IT Administrator


The following MSDN topic describes the TOE’s HealthAttestation CSP that enables enterprise IT managers to assess the health of managed devices and take enterprise policy actions based on the generated health attestation reports: https://msdn.microsoft.com/en-us/library/windows/hardware/dn934876(v=vs.85).aspx

The health attestation log file generated by the device is processed by the MDM solution and the health report is generated for the IT Administrator’s review.


21. Managing Collection Devices

21.1 IT Administrator


The following link describes how to enable/disable the camera (see Security heading) for Windows 10:

  • General settings for Mobile Devices in Configuration Manager: https://technet.microsoft.com/en-us/library/dn376523.aspx#bkmk_comps

21.1.1 Local Administrator Guidance


The local administrator disables/enables the camera for all users by disabling all subnodes under the “Imaging devices” node in the Device Manager.

To start the Device Manager, type “Device Manager” in the taskbar searchbox and click on the Device Manager icon.

The local administrator disables/enables the microphone for all users by the following procedure:


  1. On the desktop right click on the Start button and click the Control Panel menu item.

  2. Type “Sound” and choose “Manage audio devices” from the list to open the Sound window

  3. In the Sound window click the “Recording” tab

  4. On the Recording tab right-click the Microphone item(s) and select the “Disable” menu item

Note: to reverse this step the “Show Disabled Devices” menu item should be selected.

21.1.2 User Guidance


The user enables/disables the camera in the Settings -> Privacy -> Camera user interface by setting the “Let apps use my camera” radio button to the On/Off state. The user enables/disables the microphone in the Settings -> Privacy -> Microphone user interface by setting the “Let apps use my microphone” radio button to the On/Off state.

22. Managing USB

22.1 Local Administrator


The local administrator may also disable the USB in the Device Manager application by right-clicking the USB Root Hub child node in the Universal Serial Bus controllers node and selecting the Properties menu item to open the USB Root Hub Properties window. The local administrator then clicks the Driver tab in the USB Root Hub Properties window and clicks the Disable button.

23. Managing Backup

23.1 Local Administrator


The following TechNet topic describes how to disable File History:

  • “Windows 8.1 and the File History”: https://technet.microsoft.com/en-us/windows/jj984238.aspx

The following TechNet topic describes how to disable OneDrive:

  • Use Group Policy in Windows 2012 R2 to disable OneDrive functionality in Windows 8.1 clients: https://technet.microsoft.com/en-us/library/dn921901.aspx

The following policy setting can be used to disable Sync your settings:

  • “Do not sync” policy located at Computer Configuration\Administrative Templates\Windows Components\Sync your settings

In addition to enabling the policy, ensure the “Allow user to turn syncing on” option is unchecked.

23.2 User Guidance


The following Windows 10 topic describes how to configure Backup and Restore: http://windows.microsoft.com/en-us/windows-10/getstarted-back-up-your-files

The following Windows 10 topic describes how to configure OneDrive to sync files and folders: http://windows.microsoft.com/en-us/windows-10/getstarted-onedrive

To configure OneDrive to sync settings: Settings -> Accounts -> Sync your settings.

24. Managing Developer Mode

24.1 IT Administrator


Consult MDM documentation for enabling/disabling Developer mode with an MDM.

24.2 Local Administrator Guidance


Developer Mode allows installation of test-signed applications. The local administrator or user configures Developer Mode in Settings -> Updates & security -> For developers by selecting the Developer Mode radio button.

25. Managing Cryptographic Algorithms


There is no global configuration for hashing algorithms. The use of required hash sizes is supported and global configuration is not needed.

There is no global configuration for key generation schemes. The use of required key generation schemes is supported and global configuration is not needed.

There is no global configuration for key establishment schemes. The use of required key establishment schemes is supported and global configuration is not needed.

Keys may be imported by apps using the Certificates.CertificateEnrollmentManager.ImportPfxDataAsync API. The following link provides the documentation for the API:



  • https://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.certificates.certificateenrollmentmanager.importpfxdataasync.aspx

Keys are destroyed by wiping the device, see the Managing Wipe section of this document.

The Windows 10 system cryptographic engine was tested during the FIPS evaluation of the operating system. Other cryptographic engines may have been separately evaluated but were not part of this CC evaluation.


26. Managing Internet Connection Sharing (ICS)


Internet Connection Sharing provides a means to share an Internet connection to another computer.

26.1 Local Administrator Guidance


The following Windows Help topic describes how to configure ICS:

  • Using ICS (Internet Connection Sharing): http://windows.microsoft.com/en-us/windows/using-internet-connection-sharing#1TC=windows-7

27. Managing Location Services (GPS)

27.1 IT Administrator


Consult MDM documentation for configuring Location Services.

27.2 Local Administrator Guidance


Configure Location Services: http://windows.microsoft.com/en-us/windows-10/location-service-privacy

Click Change.


28. Managing Wi-Fi

28.1 IT Administrator


Consult MDM documentation for configuring Wi-Fi.

28.2 Local Administrator Guidance


Enable/disable the wireless network adapter: http://windows.microsoft.com/en-us/windows/enable-disable-network-adapter#1TC=windows-7

29. Managing Mobile Broadband

29.1 User Guidance


Settings for enabling/troubleshooting Mobile Broadband: http://windows.microsoft.com/en-us/windows-10/cellular-settings

30. Managing Health Attestation

30.1 IT Administrator Guidance


MDM solutions are capable of managing Health Attestation on devices. See the MDM solution documentation for detailed configuration actions.

30.2 Local Administrator Guidance


The device will create a Health Attestation log every time the system boots. The Health Attestation logs are found in the following directory:

%windir%\Logs\MeasuredBoot

The contents of the Health Attestation logs may be viewed on or off the TOE using the “TPM Platform Crypto-Provider Toolkit” that can be downloaded from the following link:


  • TPM Platform Crypto-Provider Toolkit: http://research.microsoft.com/en-us/downloads/74c45746-24ad-4cb7-ba4b-0c6df2f92d5d/
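A check that a log exists for the current boot, with digests recorded before the logs are copied off the device for viewing. This is an added example, not part of the original guidance. The ten-minute tolerance and the choice of the five most recent logs are assumptions, and no log file naming scheme is assumed.

```powershell
# Added example; run in a session that can read the MeasuredBoot directory.
$logDir   = Join-Path $env:windir 'Logs\MeasuredBoot'   # directory named in the guidance
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$slack    = [timespan]::FromMinutes(10)                 # assumption: tolerance around boot time

$logs = @(Get-ChildItem -Path $logDir -File -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime)

if ($logs.Count -eq 0) {
    Write-Warning "No Health Attestation logs found in $logDir"
    return
}

# The guidance states one log is created per boot, so the newest log
# should not be older than the last boot (minus the tolerance).
$newest = $logs[-1]

[pscustomobject]@{
    LastBoot          = $lastBoot
    LogCount          = $logs.Count
    NewestLog         = $newest.Name
    NewestLogTime     = $newest.LastWriteTime
    LogForCurrentBoot = $newest.LastWriteTime -ge ($lastBoot - $slack)
}

# SHA-256 digests of the most recent logs, so a copy inspected off the
# device can be shown to be the same file that the device produced.
$logs | Select-Object -Last 5 | ForEach-Object {
    [pscustomobject]@{
        File    = $_.Name
        Written = $_.LastWriteTime
        SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
}
```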

31. Natively Installed Applications


The following embedded Excel file has the list of files:





1 Error 20 indicates an untrusted root in the certificate chain.

2 Error code 0x80092013 indicates “The revocation function was unable to check revocation because the revocation server was offline.”

3 “Log Location” log names shown in the table above correlate with the names enumerated by Wevtutil utility (which requires a quoted name using hyphens rather than spaces).

4 This topic also applies to Windows 10

5 See: Cipher Suites in Schannel: http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

Microsoft © 2016
