Microsoft Windows Common Criteria Evaluation
Microsoft Windows 8.1
Microsoft Windows Phone 8.1
Common Criteria Supplemental Admin Guidance

Document Information
Version Number: 1.0
Updated On: February 9, 2015

This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2015 Microsoft Corporation.
All rights reserved.

Microsoft, Active Directory, Visual Basic, Visual Studio, Windows, the Windows logo, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

1 Introduction
1.1 Configuration
1.1.1 Evaluated Configuration
2 Management Functions
3 Managing Wipe
3.1 Windows 8.1
3.1.1 Local Administrator Guidance
3.2 Windows Phone 8.1
3.2.1 IT Administrator Guidance
3.2.2 User Guidance
4 Managing EAP-TLS
4.1 IT Administrator Guidance
4.2 Windows 8.1
4.2.1 Local Administrator Guidance
4.3 Windows Phone 8.1
4.3.1 User Guidance
5 Managing TLS
5.1 Windows 8.1
5.1.1 Local Administrator Guidance
5.2 Windows Phone 8.1
5.2.1 IT Administrator Guidance
6 Managing Apps
6.1 Windows 8.1
6.1.1 Local Administrator Guidance
6.1.2 User Guidance
6.1.3 Windows Phone 8.1
7 Managing Volume Encryption
7.1 Windows 8.1
7.1.1 Local Administrator Guidance
7.2 Windows Phone 8.1
7.2.1 IT Administrator Guidance
8 Managing VPN
8.1 IT Administrator Guidance
8.2 Windows 8.1
8.2.1 Local Administrator Guidance
8.3 Windows Phone 8.1
8.3.1 User Guidance
9 Managing Accounts
9.1 Windows 8.1
9.1.1 Local Administrator Guidance
9.2 Windows Phone 8.1
9.2.1 IT Administrator Guidance
10 Managing Bluetooth
10.1 Windows 8.1
10.1.1 Local Administrator Guidance
10.2 Windows Phone 8.1
10.2.1 User Guidance
11 Managing Passwords
11.1 Strong Passwords
11.1.1 Windows 8.1
11.1.2 Windows Phone 8.1
11.2 Protecting Passwords
11.2.1 Windows 8.1
11.2.2 Windows Phone 8.1
11.3 Logon/Logoff Password Policy
11.3.1 Windows 8.1
11.3.2 Windows Phone 8.1
12 Managing Certificates
12.1 Windows 8.1
12.1.1 Local Administrator Guidance
12.1.2 User Guidance
12.2 Windows Phone 8.1
12.2.1 IT Administrator Guidance
13 Managing Time
13.1 Windows 8.1
13.1.1 Local Administrator Guidance
13.1.2 Windows Phone 8.1
14 Getting Version Information
14.1 Windows 8.1
14.1.1 User Guidance
14.2 Windows Phone 8.1
14.2.1 User Guidance
15 Locking a Device
15.1 Windows 8.1
15.1.1 Local Administrator Guidance
15.1.2 User Guidance
15.2 Windows Phone 8.1
15.2.1 User Guidance
15.3 Managing Notifications Prior to Unlocking a Device
15.3.1 Windows 8.1
15.3.2 Windows Phone 8.1
16 Managing Airplane Mode
16.1 Windows 8.1
16.1.1 User Guidance
16.2 Windows Phone 8.1
16.2.1 User Guidance
17 Device Enrollment
17.1 Windows 8.1
17.1.1 Local Administrator Guidance
17.2 Windows Phone 8.1
17.2.1 User Guidance
18 Managing Updates
18.1 Windows 8.1
18.2 Windows Phone 8.1

1 Introduction

This document provides guidance information for a Common Criteria evaluation.

1.1 Configuration

1.1.1 Evaluated Configuration

The Common Criteria evaluation includes a specific configuration of Windows, the "evaluated configuration". To run Windows deployments using the evaluated configuration, follow the deployment steps and apply the security policies and security settings indicated below. The Security Target section 1.1 describes the Windows editions and security patches included in the evaluated configuration.

The operating system is pre-installed on the devices in the evaluated configuration.
When the device is turned on for the first time the Out of Box Experience (OOBE) runs to complete the configuration.

The following security policies are applied after completing the OOBE:

Security Policy | Policy Setting
Local Policies\Security Options\System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms | Enabled
Administrative Templates\Windows Components\Credentials User Interface\Do not display the password reveal button | Enabled

The following security settings are applied:

- Cipher suite selection is configured according to section 5 Managing TLS
- Volume encryption is enabled according to section 7 Managing Volume Encryption
- VPN connections route all traffic through the VPN tunnel as described in section 8 Managing VPN
- Passwords use a minimum of six alphanumeric characters and symbols according to section 11.3 Password Policy
- RSA machine certificates are configured according to section 12 Managing Certificates to use a minimum 2048 bit key length
- Session locking is enabled according to section 15 Locking a Device
- Devices are enrolled for device management according to section 17 Device Enrollment

2 Management Functions

The following table maps management functions to roles (User Guidance, Local Administrator Guidance and IT Administrator Guidance). For each activity, the platforms for which guidance exists are listed in the order of those three columns:

Activity | Platforms with guidance
Configure password policy | Windows 8.1; Windows Phone 8.1
Configure session locking policy | Windows 8.1; Windows Phone 8.1
Enable/disable the VPN protection | Windows 8.1; Windows Phone 8.1; Windows 8.1; Windows Phone 8.1
Enable/disable [Wi-Fi, mobile broadband radios, Bluetooth] | Windows 8.1; Windows Phone 8.1; Windows 8.1; Windows Phone 8.1; Windows 8.1; Windows Phone 8.1
Enable/disable [camera, microphone] | Windows 8.1; Windows Phone 8.1; Windows 8.1; Windows Phone 8.1
Specify wireless networks (SSIDs) to which the TSF may connect | Windows 8.1; Windows Phone 8.1
Configure security policy for connecting to wireless networks | Windows 8.1; Windows Phone 8.1
Transition to the locked state | Windows 8.1; Windows Phone 8.1; Windows 8.1; Windows Phone 8.1
Full wipe of protected data | Windows Phone 8.1; Windows 8.1; Windows Phone 8.1
Configure application installation policy | Windows 8.1; Windows Phone 8.1
Import keys/secrets into the secure key storage | Windows 8.1; Windows Phone 8.1; Windows 8.1; Windows Phone 8.1
Destroy imported keys/secrets and any other keys/secrets in the secure key storage | Windows Phone 8.1; Windows 8.1; Windows Phone 8.1
Import X.509v3 certificates into the Trust Anchor Database | Windows 8.1; Windows Phone 8.1
Remove imported X.509v3 certificates and any other X.509v3 certificates in the Trust Anchor Database | Windows 8.1; Windows Phone 8.1
Enroll the TOE in management | Windows 8.1; Windows Phone 8.1; Windows 8.1; Windows Phone 8.1
Remove applications | Windows 8.1; Windows Phone 8.1
Update system software | Windows 8.1; Windows Phone 8.1
Install applications | Windows 8.1; Windows Phone 8.1
Enable/disable data transfer capabilities over USB port for Windows 8.1, Bluetooth | Windows Phone 8.1; Windows 8.1; Windows Phone 8.1
Enable/disable [wireless remote access connections except for personal Hotspot service, personal Hotspot connections, tethered connections] | Windows 8.1; Windows Phone 8.1; Windows 8.1; Windows Phone 8.1
Enable data-at-rest protection | Windows 8.1; Windows Phone 8.1
Enable removable media's data-at-rest protection | Windows 8.1; Windows 8.1
Configure the Access Point Name and proxy used for communications between the cellular network and other networks | Windows 8.1; Windows Phone 8.1; Windows 8.1; Windows Phone 8.1
Enable/disable display notification in the locked state | Windows 8.1; Windows Phone 8.1; Windows 8.1; Windows Phone 8.1
Wipe sensitive data | Windows Phone 8.1; Windows 8.1; Windows Phone 8.1; Windows Phone 8.1
Alert the administrator | Windows 8.1; Windows Phone 8.1
Remove Enterprise applications | Windows 8.1; Windows Phone 8.1
Enable/disable cellular voice functionality | Windows Phone 8.1; Windows Phone 8.1
Enable/disable device messaging capabilities | Windows Phone 8.1; Windows Phone 8.1
Enable/disable the cellular protocols used to connect to cellular network base stations | Windows Phone 8.1; Windows Phone 8.1
Configure the unlock banner | Windows Phone 8.1; Windows 8.1; Windows Phone 8.1
Enable/disable location services | Windows 8.1; Windows Phone 8.1; Windows 8.1; Windows Phone 8.1

3 Managing Wipe

This section contains the following Common Criteria SFRs:
- Extended: TSF Wipe (FCS_CKM_EXT.5)

Labels: {FMT_SMF.1:A:8}

3.1 Windows 8.1

3.1.1 Local Administrator Guidance

The following Windows help topic describes how to reset Windows 8.1 devices with removal of all user data (the "Fully clean the drive" option wipes all protected data):
- How to refresh, reset, or restore your PC

3.2 Windows Phone 8.1

3.2.1 IT Administrator Guidance

An MDM system may be used to remotely wipe enrolled phones.

3.2.2 User Guidance

The following Windows Phone help topic describes how to reset Windows Phone 8.1 devices with removal of all user data:
- Settings + Personalization: Reset my phone

4 Managing EAP-TLS

This section contains the following Common Criteria SFRs:
- Extended: Trusted Channel Communication (FTP_ITC_EXT.1)
- Extended: PAE Authentication (FIA_PAE_EXT.1)
- Extended: Wireless Network Access (FTA_WSE_EXT.1)
- Specifications of Management Functions (FMT_SMF.1)

Labels: {FTP_ITC_EXT.1:D:1}

4.1 IT Administrator Guidance

An MDM system can be used to manage Wi-Fi profiles.

The following link specifies the server certificate requirements for EAP-TLS:

4.2 Windows 8.1

4.2.1 Local Administrator Guidance

The following topics describe how to configure EAP-TLS on Windows 8.1:
- Extensible Authentication Protocol (EAP) Settings for Network Access

The TOE comes preloaded with root certificates for various Certificate Authorities.
The following TechNet topic describes how to manage trust relationships:
- Manage Trusted Root Certificates

4.3 Windows Phone 8.1

4.3.1 User Guidance

The following topic describes how to configure EAP-TLS on Windows Phone 8.1:

5 Managing TLS

This section contains the following Common Criteria SFRs:
- Extended: EAP TLS Protocol (FCS_TLS_EXT.1)
- Extended: TLS Protocol (FCS_TLS_EXT.2)

Labels: {FCS_TLS_EXT.2:A:1} {FCS_TLS_EXT.2:A:2}

5.1 Windows 8.1

5.1.1 Local Administrator Guidance

The mandatory cipher suites listed in the Security Target correlate with those available in the TOE as follows:

Mandatory Cipher Suites (per Security Target) | Available Cipher Suites in TOE
TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246 | TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246 | TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 6460 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 6460 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384

The following MSDN article describes how the administrator modifies the set of TLS cipher suites for priority and availability:
- Prioritizing Schannel Cipher Suites: (v=vs.85).aspx
- How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll

The DN in the certificate is automatically compared to the expected DN and does not require additional configuration of the expected DN for the connection.

The TOE comes preloaded with root certificates for various Certificate Authorities.
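As an added check that is not part of Microsoft's guidance, the following PowerShell compares the suites Schannel currently offers on a Windows 8.1 machine, as reported by the TLS module's Get-TlsCipherSuite cmdlet, against the mandatory list in the table above; it strips the _P256/_P384 curve suffix that Windows 8.1 appends to the ECDHE names so the two naming styles line up.

```powershell
# Added example (not part of the guidance): compare the cipher suites Schannel offers on a
# Windows 8.1 machine with the mandatory suites from the Security Target table above.
# Get-TlsCipherSuite comes from the TLS module that ships with Windows 8.1.

# Mandatory suites exactly as the Security Target names them (RFC 5246 / 5289 / 6460 names).
$MandatorySuites = @(
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384'
)

function Get-BaseSuiteName {
    param([string]$Name)
    # Windows 8.1 appends the curve to ECDHE suite names (e.g. ..._SHA384_P384, as in the
    # right-hand column of the table); drop it so the names compare with the RFC form.
    return ($Name -replace '_P(256|384|521)$', '')
}

function Test-EvaluatedCipherSuites {
    param(
        # Names currently enabled in Schannel; overridable so the check can run on a saved list.
        [string[]]$EnabledNames = ((Get-TlsCipherSuite).Name)
    )
    $enabled = $EnabledNames | ForEach-Object { Get-BaseSuiteName $_ } | Select-Object -Unique
    [pscustomobject]@{
        # Mandatory suites Schannel does not offer: the evaluated configuration is not in place.
        Missing = @($MandatorySuites | Where-Object { $enabled -notcontains $_ })
        # Enabled suites outside the mandatory set: candidates for Disable-TlsCipherSuite after review.
        Extra   = @($enabled | Where-Object { $MandatorySuites -notcontains $_ })
        # Schannel negotiates by priority, so the mandatory suites should also come first in this order.
        Order   = @($EnabledNames)
    }
}

$result = Test-EvaluatedCipherSuites
if ($result.Missing.Count -eq 0) {
    'All mandatory cipher suites are enabled.'
} else {
    "Missing mandatory suites:`n  " + ($result.Missing -join "`n  ")
}
if ($result.Extra.Count -gt 0) {
    "Enabled suites outside the mandatory set:`n  " + ($result.Extra -join "`n  ")
}
```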
The following TechNet topic describes how to manage trust relationships:
- Manage Trusted Root Certificates

5.2 Windows Phone 8.1

5.2.1 IT Administrator Guidance

The cipher suite selection and priority may be configured on the server side of a connection. Cipher suite selection and priority cannot be configured in Windows Phone 8.1; selection is made according to the default order described in the previous section for Windows 8.1. The DN in the certificate is automatically compared to the expected DN and does not require additional configuration of the expected DN for the connection.

Windows Phone 8.1 may be configured to trust a Certificate Authority by using policy pushed to the phone by an MDM. The TOE comes preloaded with root certificates for various Certificate Authorities. Additional Certificate Authorities are managed on the Windows Phone 8.1 device using workplace enrollment and an MDM.

6 Managing Apps

This section contains the following Common Criteria SFRs:
- Extended: Security Attribute Based Access Control (FDP_ACF_EXT.1)

Labels: {FMT_SMF.1:A:2} {FMT_SMF.1:A:5} {FMT_SMF.1:A:10}

6.1 Windows 8.1

6.1.1 Local Administrator Guidance

The ability for users to run the Store app may be removed using a registry value on Windows 8.1 by performing the following steps:

1. Start the registry editor tool by executing the command regedit.exe as an administrator.
2. Navigate to the registry path HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore. Note that the WindowsStore registry key may need to be created.
3. Create a DWORD (32 bit) registry value with the name RemoveWindowsStore under the WindowsStore registry key.
4. Set the registry value to 1.

6.1.2 User Guidance

The following Windows help topic describes how to remove an app and any information the app contained:
- Uninstall, change or repair a program

Note: If the system administrator has disabled uninstalling Enterprise apps from the device then those Enterprise apps cannot be uninstalled.

6.1.3 Windows Phone 8.1

User Guidance

The following TechNet topic describes how to restrict particular applications, sources of applications, or application installation:
- Try It Out: Restrict Windows Phone 8.1 Apps

The following Windows Phone help topic describes the procedure to remove an app and any information the app contained:
- Delete or reinstall apps

The following Windows Phone help topic describes how to remove apps:
- Deleting or reinstalling apps

7 Managing Volume Encryption

This section contains the following Common Criteria SFRs:
- Extended: Data at Rest Protection (FDP_DAR_EXT.1)

Labels: {FDP_DAR_EXT.1:A:2} {FDP_DAR_EXT.1:A:1} {FMT_SMF.1:A:6}

The following TechNet topic describes the BitLocker feature, including its use to encrypt the entire operating system volume or removable volumes:
- BitLocker Overview

7.1 Windows 8.1

7.1.1 Local Administrator Guidance

The following TechNet topic describes the manage-bde command, which should be executed in a command shell while running as an administrator to configure DAR protection:
- Manage-bde: (v=ws.10).aspx

By default AES128 encryption is used by the manage-bde command when enabling BitLocker for Windows 8.1; the AES256 algorithm should be used instead. In addition, the TPM and PIN authorization factor must be used in the evaluated configuration.
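An added audit script, not from the guidance, that checks an operating system volume against the requirements just stated using the BitLocker module's Get-BitLockerVolume cmdlet: encryption method AES-256 and a TPM+PIN key protector. It also reads the UseEnhancedPin value under the BitLocker policy key, where the "Allow enhanced PINs for startup" policy is stored, and reports the manage-bde command from this section as the remediation; the mount point defaults to the system drive.

```powershell
# Added example (not part of the guidance): audit an operating system volume against the
# evaluated configuration: AES-256, a TPM+PIN key protector, and the
# "Allow enhanced PINs for startup" policy. Uses Get-BitLockerVolume from the BitLocker
# module that ships with Windows 8.1; run from an elevated PowerShell.

function Test-EvaluatedBitLockerConfig {
    param([string]$MountPoint = $env:SystemDrive)   # e.g. 'C:'

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # "Allow enhanced PINs for startup" is stored as UseEnhancedPin under the BitLocker policy key.
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $enhancedPin = (Get-ItemProperty -Path $policyKey -Name UseEnhancedPin -ErrorAction SilentlyContinue).UseEnhancedPin

    $findings = @()
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $findings += "$MountPoint is not encrypted"
    }
    if ($vol.EncryptionMethod -ne 'Aes256') {
        $findings += "encryption method is $($vol.EncryptionMethod); the evaluated configuration requires Aes256"
    }
    if ($protectorTypes -notcontains 'TpmPin') {
        $findings += "no TPM+PIN key protector (found: $($protectorTypes -join ', '))"
    }
    if ($enhancedPin -ne 1) {
        $findings += "'Allow enhanced PINs for startup' policy is not enabled"
    }

    [pscustomobject]@{
        MountPoint  = $MountPoint
        Compliant   = ($findings.Count -eq 0)
        Findings    = $findings
        # The command from this section that brings a decrypted volume into the evaluated configuration.
        Remediation = "manage-bde -on $MountPoint -tpmandpin -encryptionMethod aes256"
    }
}

Test-EvaluatedBitLockerConfig | Format-List
```

A volume that is already encrypted with AES-128 cannot be switched to AES-256 in place; it has to be decrypted and re-enabled with the command above.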
The Enhanced PIN capabilities must be used in the evaluated configuration. To enable the TPM and Enhanced PIN authorization factors execute the following command:

    Manage-bde -on <operating system disk volume letter>: -tpmandpin -encryptionMethod aes256

Administrators must create an Enhanced PIN value of a minimum of four and a maximum of 20 characters; in addition to numbers, an Enhanced PIN can include uppercase and lowercase English letters, symbols on an EN-US keyboard, and spaces. To enable the Enhanced PIN capabilities start the gpedit.msc MMC snap-in as an administrator and enable the following local or group policy:
- Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Allow enhanced PINs for startup

7.2 Windows Phone 8.1

7.2.1 IT Administrator Guidance

Windows Phone 8.1 supports device encryption with a TPM authorization factor that can be turned on using a Mobile Device Management (MDM) configuration policy setting. MDM policy settings are managed by a Mobile Device Management system and cannot be directly configured by users on their Windows Phone 8.1. If this device configuration policy setting is configured, then the TPM authorization factor is enabled. The following technical paper explains the "RequireDeviceEncryption" MDM configuration policy setting:
- Windows Phone 8.1 MDM protocol documentation

Windows Phone supports internal storage encryption. The enterprise management server can enable the encryption.
The removable storage card is not encrypted.

The following TechNet topic describes the "File encryption on mobile device" compliance policy that may be used to configure the "RequireDeviceEncryption" MDM configuration policy setting for enrolled devices:
- Compliance Settings for System Center 2012 R2 Configuration Manager

The encryption algorithm used for disk volume encryption on Windows Phone 8.1 is not configurable and is set to AES-128.

8 Managing VPN

This section contains the following Common Criteria SFRs:
- Cryptographic Operation for Hashing (FCS_COP.1(HASH))
- Extended: Subset Information Flow Control (FDP_IFC_EXT.1)

Labels: {FDP_IFC_EXT.1:A:1} {FCS_COP.1:A:1}

8.1 IT Administrator Guidance

An MDM system may be used to administer VPN profiles.

8.2 Windows 8.1

8.2.1 Local Administrator Guidance

The following TechNet topic describes how to create a VPN connection:

The evaluated configuration requires that all network traffic other than the traffic necessary to establish the VPN connection go through the VPN tunnel. To do this verify that the following configuration is set:

1. Navigate to View Available Networks by clicking on the network icon in the taskbar and select the VPN connection.
2. Right-click the VPN connection and select Properties from the context menu.
3. Navigate to the Networking tab; select Internet Protocol Version 6 (TCP/IPv6) or Internet Protocol Version 4 (TCP/IPv4) and click Properties.
4. In Properties click Advanced.
5. Under General in Advanced TCP/IP settings, make sure the option Use default gateway on remote network is selected; this disables split tunneling so that all traffic is routed through the VPN.

The following TechNet topics describe the commands for configuring the hash parameter in a new or existing main mode cryptographic proposal:
- New-NetIPsecMainModeCryptoProposal

Hash algorithms in the TLS protocol are configured in association with cipher suite selection.
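The full-tunnel requirement above can be audited and corrected from PowerShell with the VpnClient module's Get-VpnConnection and Set-VpnConnection cmdlets, whose SplitTunneling property is the scripted equivalent of the "Use default gateway on remote network" checkbox. This is an added example, not part of the guidance; the connection names come from whatever is configured on the machine.

```powershell
# Added example (not part of the guidance): verify that a Windows 8.1 VPN connection sends all
# traffic through the tunnel. In the VpnClient module, SplitTunneling = $false is the scripted
# form of "Use default gateway on remote network" being selected.

function Test-VpnFullTunnel {
    param(
        [Parameter(Mandatory)][string]$Name,   # connection name as shown in View Available Networks
        [switch]$Fix                           # turn split tunneling off if it is found on
    )
    $conn = Get-VpnConnection -Name $Name -ErrorAction Stop

    if ($conn.SplitTunneling -and $Fix) {
        # Equivalent to selecting "Use default gateway on remote network" in the Advanced TCP/IP settings.
        Set-VpnConnection -Name $Name -SplitTunneling $false
        $conn = Get-VpnConnection -Name $Name
    }

    [pscustomobject]@{
        Name       = $conn.Name
        Server     = $conn.ServerAddress
        TunnelType = $conn.TunnelType
        # $true means every route except the one needed to reach the VPN server goes through the tunnel.
        FullTunnel = (-not $conn.SplitTunneling)
    }
}

# Report every VPN connection configured for the current user; add -Fix to correct them.
Get-VpnConnection | ForEach-Object { Test-VpnFullTunnel -Name $_.Name }
```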
The administrator configures the cipher suites used on a machine by following the configuration instructions at the following link: (v=vs.85).aspx

8.3 Windows Phone 8.1

8.3.1 User Guidance

The following MSDN topic describes how to configure VPN on Windows Phone 8.1:
- Try It Out: Windows Phone 8.1 VPN

When configuring the VPN connection the Send all traffic setting MUST be set to ON.

9 Managing Accounts

This section contains the following Common Criteria SFRs:
- Extended: Authorization Failure Handling (FIA_AFL_EXT.1)

Labels: {FIA_AFL_EXT.1:A:1} {FIA_AFL_EXT.1:A:2}

9.1 Windows 8.1

9.1.1 Local Administrator Guidance

The following TechNet topic explains the net accounts command line utility for standalone computers (followed by command line options for managing account lockout policy):
- Net Accounts

In addition to the parameters given in the referenced article the following are also valid options:
- /lockoutthreshold:number  Sets the number of times a bad password may be entered until the account is locked out. If set to 0 then the account is never locked out.
- /lockoutwindow:minutes  Sets the number of minutes of the lockout window.
- /lockoutduration:minutes  Sets the number of minutes the account will be locked out for.

9.2 Windows Phone 8.1

9.2.1 IT Administrator Guidance

The maximum number of unsuccessful authentication attempts and the associated remediation action is a Mobile Device Management (MDM) configuration policy setting that may only be managed by a Mobile Device Management system and cannot be directly configured by users on their Windows Phone 8.1. If this device configuration policy setting is configured, then the remediation action wipes the device and restores factory default settings.
The following technical paper explains the "MaxDevicePasswordFailedAttempts" MDM configuration policy setting:
- Windows Phone 8.1 MDM protocol documentation

10 Managing Bluetooth

This section contains the following Common Criteria SFRs:
- Extended: Bluetooth Authentication (FIA_BLT_EXT.1)
- Specifications of Management Functions (FMT_SMF.1)

Labels: {FMT_SMF.1}

10.1 Windows 8.1

10.1.1 Local Administrator Guidance

The following link describes how to enable/disable Bluetooth:

10.2 Windows Phone 8.1

10.2.1 User Guidance

The following link describes how to enable/disable Bluetooth:

11 Managing Passwords

11.1 Strong Passwords

This section contains the following Common Criteria SFRs:
- Extended: Password Management (FIA_PMG_EXT.1)

Labels: {FIA_PMG_EXT.1:A:1}

11.1.1 Windows 8.1

IT Administrator Guidance

An MDM system may be used to enforce use of strong passwords.

Local Administrator Guidance

The following TechNet topics describe the characteristics for passwords that are available, instructions for setting the enforcement mechanism, and a discussion of strong passwords and recommended minimum settings:
- Enforcing Strong Password Usage Throughout Your Organization
- Strong Password: (v=ws.10).aspx
- Password Best practices: (v=ws.10).aspx

11.1.2 Windows Phone 8.1

IT Administrator Guidance

The composition of strong passwords and minimum password length policy settings may only be managed by a Mobile Device Management (MDM) system and cannot be directly configured by users on their Windows Phone 8.1.
The following technical paper explains the "AlphanumericDevicePasswordRequired", "MinDevicePasswordLength" and "DevicePasswordExpiration" MDM configuration policy settings:
- Windows Phone 8.1 MDM protocol documentation

The following TechNet topics describe the characteristics for passwords that are available, instructions for setting the enforcement mechanism, and a discussion of strong passwords and recommended minimum settings:
- Strong Password: (v=ws.10).aspx
- Password Best practices: (v=ws.10).aspx

11.2 Protecting Passwords

This section contains the following Common Criteria SFRs:
- Protected Authorization Feedback (FIA_UAU.7)

Labels: {FIA_UAU.7:A:1}

11.2.1 Windows 8.1

User Guidance

The following Windows Help topic describes how to conduct initial logon authentication for users:
- Sign in to or out of Windows

Windows 8.1 does not require any configuration to ensure the password is obscured by default. The following best practices should be observed:
- As with all forms of authentication, when entering your password, avoid allowing other people to watch you as you sign in.
- Keep your device in a secure location where unauthorized people do not have physical access to it.
- As with any password entry, be aware of line of sight and potential recording devices that intrude on your screen.

11.2.2 Windows Phone 8.1

User Guidance

Windows Phone 8.1 does not require any configuration to ensure the password is obscured by default. The following best practices should be observed:
- As with all forms of authentication, when entering your password, avoid allowing other people to watch you as you sign in.
- Keep your phone in a secure location where unauthorized people do not have physical access to it.
- As with any password entry, be aware of line of sight and potential recording devices that intrude on your screen.

11.3 Logon/Logoff Password Policy

This section contains the following Common Criteria SFRs:
- Extended: Authentication for Cryptographic Operation (FIA_UAU_EXT.1)
- Extended: Timing of Authentication (FIA_UAU_EXT.2)
- Extended: Re-Authorizing (FIA_UAU_EXT.3)
- Specifications of Management Functions (FMT_SMF.1)

Labels: {FIA_UAU_EXT.3:A:1} {FIA_UAU_EXT.3:A:2} {FIA_UAU_EXT.3:A:3} {FIA_UAU_EXT.3:A:4} {FMT_SMF.1:A:7}

11.3.1 Windows 8.1

Local Administrator Guidance

The out of box experience requires that when user accounts are created a password is assigned to the account.

The following Windows Help topics describe how to change a user password {FIA_UAU.5.A3}:
- Change your password

The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy. The relevant security policy is "Interactive logon: Machine inactivity limit" as described in the following TechNet topic in the section headed "New and changed functionality":
- Security Policy Settings Overview

The following TechNet topics include guidance for administrators to open the Local Group Policy Editor tool or the Group Policy Management Console, respectively, which are used to configure the Windows security policy for standalone or domain-joined machines:
- Local Group Policy Editor
- Group Policy Management Console

User Guidance

The following Windows topic describes how to configure screen savers:
- How to use screen savers

The following Windows topic describes how users can initiate a session lock:
- How do I lock or unlock my PC?

The following Windows help topic describes how to enable or disable notifications in action center and application status on the lock screen:
- How to manage notifications for Mail, Calendar, and People

11.3.2 Windows Phone 8.1

IT Administrator Guidance

In the case of enrolled phones the TSF may also be configured to use the Password Authentication Factor by the Mobile Device Management (MDM) configuration policy setting described in the following technical paper for "DevicePasswordEnabled":
- Windows Phone 8.1 MDM protocol documentation

The following TechNet topic describes the "Require password settings on mobile devices" MDM configuration policy setting that may be used to configure the "DevicePasswordEnabled" MDM configuration policy settings for enrolled devices:
- Compliance Settings for System Center 2012 R2 Configuration Manager

User Guidance

The following Windows Phone 8.1 help topic describes how to configure the TSF to use (set or change) a Password Authentication Factor:
- How do I set or change a password on my phone?

The Require a password after setting must be configured with the value each time.

To enable or disable showing detailed status for applications on the lock screen:
1. Go to Settings -> system
2. Tap lock screen
3. Under notifications tap Choose an app to show detailed status and choose none from the list to disable receiving detailed status information, or choose an application to show its detailed status on the lock screen

To disable showing quick status for applications on the lock screen:
1. Go to Settings -> system
2. Tap lock screen
3. Under notifications tap each of the boxes under Choose apps to show quick status and then choose none in the CHOOSE AN APP screen to receive no quick status information on the lock screen, or tap a box and choose a desired application in the CHOOSE AN APP screen to receive quick status for that application on the lock screen

To disable receiving email, calendar or text message notifications in action center:
1. Go to Settings -> system
2. Tap notifications+settings
3. Uncheck Show notifications in action center when my phone is locked

12 Managing Certificates

This section contains the following Common Criteria SFRs:
- Extended: Validation of Certificates (FIA_X509_EXT.1)
- Extended: Certificate Authentication (FIA_X509_EXT.2)
- Extended: Cryptographic Key Storage (FCS_STG_EXT.1)

Labels: {FIA_PK_EXT.1:A:1} {FIA_PK_EXT.1:A:2} {FIA_PK_EXT.1:A:3} {FMT_SMF.1:A:3} {FIA_PK_EXT.1:A:4} {FMT_SMF.1:A:4} {FIA_X509_EXT.2:A:1} {FIA_X509_EXT.2:A:2} {FIA_X509_EXT.2:A:3} {FIA_X509_EXT.2:A:4} {FIA_X509_EXT.2:A:5} {FCS_STG_EXT.1:A:1}

12.1 Windows 8.1

12.1.1 Local Administrator Guidance

The following TechNet topics describe managing certificates (including the "Obtain a Certificate" sub-topic):
- Manage Certificates
- Certutil

The operational guidance for setting up a trusted channel to communicate with a CA is described in the operational guidance for FTP_ITC.1 (OS), IPsec. The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:
- Manage Trusted Root Certificates

The following TechNet topic describes how to delete a certificate:
- Delete a Certificate

Root certificates can be added to and removed from devices using an MDM for enrolled devices.

When validating a certificate with modern Windows applications the connection to a configured revocation server must be available or the validation will fail. This configuration cannot be changed.

The administrator configures certificate validation for IPsec authentication using the Set-NetFirewallSetting PowerShell cmdlet as described in the following TechNet topic:
- Set-NetFirewallSetting

The administrator configures certificate validation for network connections based on EAP-TLS using the "Set Up a Connection or Network" wizard in the "Smart Card or Other Certificate Properties" and "Configure Certificate Selection" screens as described in the following TechNet topic:
- Extensible Authentication Protocol (EAP) Settings for Network Access (Smart Card or other Certificate Properties configuration items)

The administrator configures certificate validation for HTTPS using the Security options checkboxes in the Advanced tab of the Internet Properties dialog in Control Panel.
The “Warn about certificate address mismatch” setting configures whether the Web address must match the certificate subject field and warns the user of a mismatch. The following MSDN blog post describes the “Check for server certificate revocation” setting:

Understanding Certificate Revocation Checks:

The administrator cannot configure certificate validation for code signing purposes.

User Guidance
The following TechNet topic describes how to manually import a certificate:

Import a Certificate:

When using HTTPS in a browsing scenario the user may choose to ignore a failed certificate validation and continue the connection.

Windows Phone 8.1
IT Administrator Guidance
Root certificates can be added to and removed from phones using an MDM for enrolled devices.

The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:

Manage Trusted Root Certificates:

When validating a certificate with modern Windows applications the connection to a configured revocation server must be available or the validation will fail. This configuration cannot be changed.

Certificate validation for wireless network connections based on EAP-TLS is performed on Windows Phone 8.1 using policy pushed to the phone by an MDM. The following link is an example of MDM documentation for certificate validation on Windows Phone 8.1:

How to Create Wi-Fi Profiles in Configuration Manager (Step 4: Configure security for the Wi-Fi profile):

Certificate validation for VPN connections based on IPsec is performed on Windows Phone 8.1 using policy pushed to the phone by an MDM.
The following link is an example of MDM documentation on certificate validation for VPN connections on Windows Phone 8.1:

How to Create VPN Profiles in Configuration Manager (Step 4: Configure the Authentication Method for the VPN Profile):

Certificate validation cannot be configured for code signing purposes.

Certificate enrollment is performed on Windows Phone 8.1 using policy pushed to the phone by an MDM. The following link is an example of MDM documentation for certificate enrollment on Windows Phone 8.1:

Certificate Profiles in Configuration Manager:

Time
This section contains the following Common Criteria SFRs:
Reliable Time Stamps (FPT_STM.1)
Labels: {FPT_STM.1:A:1} {FPT_STM.1:A:2} {FPT_STM.1.A3} {FPT_STM.1.A4} {FPT_STM.1.A5}

Windows 8.1
Local Administrator Guidance
The administrator sets the time using the Set-Date PowerShell cmdlet that is documented here:

The administrator configures the time service to synchronize time from a time server using the W32tm command that is documented here:
(v=WS.10).aspx#w2k3tr_times_tools_dyax

The administrator ensures the communication path between the TOE client and the time service provider is protected from attacks that could compromise the integrity of the time by establishing an IPsec policy using the “Microsoft Windows 8 Microsoft Windows Server 2012 --- Supplemental Admin Guidance for IPsec VPN Clients (January 23 2014)”, where section 3 provides detailed instructions that can be used to configure the TOE client and the time service provider.
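As an added example (not from the original guidance or the IPsec VPN client guidance it cites), the following PowerShell and W32tm commands carry out the three administrator steps above on a Windows 8.1 client: set the clock, point the Windows Time service at the NTP server, and protect UDP/123 to that server with an IPsec rule. 192.0.2.10 is a documentation address standing in for the NTP server supplied by the IT administrator; the Phase 1 and Phase 2 authentication set names are assumed to exist already (created per section 3 of the IPsec guidance) and are placeholders.

```powershell
# Added example (not from the original guidance). Run elevated on the Windows 8.1
# TOE client. 192.0.2.10 stands in for the IT administrator's NTP server address;
# the Phase1/Phase2 auth set names are placeholders for sets created per the
# IPsec VPN client guidance.

$ntpServer = '192.0.2.10'

# 1. Manually set the clock if required (Set-Date accepts a DateTime or -Adjust).
# Set-Date -Date (Get-Date '2015-02-09 12:00:00')

# 2. Point the Windows Time service at the NTP server (0x8 = client mode) and resync.
w32tm /config /manualpeerlist:"$ntpServer,0x8" /syncfromflags:manual /update
Restart-Service -Name w32time
w32tm /resync /nowait

# 3. Require IPsec for NTP traffic to that server in both directions, so a network
#    attacker cannot inject or alter time replies. The peer must authenticate with
#    the Phase 1 / Phase 2 sets named here.
New-NetIPsecRule -DisplayName 'CC - NTP to time server' `
    -RemoteAddress $ntpServer -Protocol UDP -RemotePort 123 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet 'CC-MainMode-Cert' -Phase2AuthSet 'CC-QuickMode' -Enabled True

# 4. Verify: the time source must be the NTP server (not "Local CMOS Clock"), and
#    there must be main mode and quick mode SAs whose remote endpoint is that server.
function Test-NtpPathProtected {
    param([Parameter(Mandatory)][string]$Server)
    $status = (w32tm /query /status) -join "`n"
    $mm = Get-NetIPsecMainModeSA  | Where-Object RemoteEndpoint -eq $Server
    $qm = Get-NetIPsecQuickModeSA | Where-Object RemoteEndpoint -eq $Server
    [pscustomobject]@{
        Server             = $Server
        TimeSourceIsServer = $status -match [regex]::Escape($Server)
        MainModeSA         = [bool]$mm
        QuickModeSA        = [bool]$qm
    }
}
Test-NtpPathProtected -Server $ntpServer
```

The SAs only appear after the first NTP exchange has negotiated them, so run the check after the resync; all three fields must be true before the time source can be considered authenticated.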
The administrator ensures the NTP server is authenticated by verifying the IP address provided by the IT administrator for the NTP server in the main mode and quick mode security associations, according to the audit trail for the FTP_ITC.1 requirement outlined in section “4.1 Audit Policy for IPsec Operations” of the IPsec VPN Client guidance.

Windows Phone 8.1
User Guidance
The following Windows Phone help topic describes how to manually configure the date and time:

Correct my date and time to update my phone:

Windows Phone 8.1 also supports automatically setting the date and time by the mobile operator via Network Identity and Time Zone (NITZ). If the mobile operator does not support NITZ, the user can only configure the date and time manually. The date + time settings screen described in the above help topic includes the Set automatically setting.

Windows Phone 8.1 devices do not support NTP.

Getting Version Information
This section contains the following Common Criteria SFRs:
Extended: Trusted Update: TSF Version Query (FPT_TUD_EXT.1)

Windows 8.1
User Guidance
The following Windows topic describes how to determine the hardware model and operating system version:

The following are instructions for getting the version of an app on Windows 8.1:
1. Start the app you wish to get the version of.
2. Once the app is open, move your mouse cursor to the upper-right or lower-right corner of the screen to see the Charms bar. Touch screen users need to swipe in from the right edge of the screen to bring up the Charms bar.
3. Click or tap the Settings charm on the Charms bar to open Settings for the app.
4. Click or tap Permissions to see the developer’s name and the current version of the app.

Windows Phone 8.1
User Guidance
The following Windows topic describes how to determine the hardware model and operating system version:

The following steps describe how to determine the version of apps on the phone:
1. In the App list, tap Store.
2. Tap More, then tap Downloads.
3. Slide over to history.
This will list the apps on the phone and the version of each app.

Locking a Device
This section contains the following Common Criteria SFRs:
Extended: TSF and User initiated Locked State (FTA_SSL_EXT.1)
Labels: {FTA_SSL_EXT.1:A:1} {FTA_SSL_EXT.1:A:2} {FTA_SSL_EXT.1:A:3}

Windows 8.1
Local Administrator Guidance
The following TechNet topics include guidance for administrators on opening the Local Group Policy Editor tool or the Group Policy Management Console, respectively, which are used to configure the Windows security policy for standalone or domain-joined machines:

Local Group Policy Editor:

Group Policy Management Console:

The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy. The relevant security policy is “Interactive logon: Machine inactivity limit”, as described in the following TechNet topic in the section titled “New and changed functionality”:

Security Policy Settings Overview:

User Guidance
The following Windows topic describes how to configure screen savers:

How to use screen savers:

The following Windows topic describes how users can initiate a session lock:

How do I lock or unlock my PC?:

Windows Phone 8.1
User Guidance
The evaluation shall verify that the AGD guidance describes the method of setting the inactivity interval and of commanding a lock.

The following Windows Phone topic describes how to configure the inactivity interval by first creating a password that must be presented to unlock the phone:

Lock screen FAQ:

The inactivity interval is then configured by choosing a time option (other than never) in the Screen times out after drop-down list and also choosing the each time option in the Require a password after drop-down list.
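The following PowerShell is an added example for the Windows 8.1 Local Administrator guidance above; it is not part of the original document. It writes the same registry values that the Local Security Policy editor stores for “Interactive logon: Machine inactivity limit”, together with the logon message title and text that the Notifications Prior to Unlocking a Device section configures for FTA_TAB.1, reads them back for audit, and commands a user-initiated lock. The 10 minute limit and the banner wording are illustrative; the registry value names are the ones the policy editor uses.

```powershell
# Added example (not from the original guidance). Run elevated on Windows 8.1.
# The limit (600 s) and banner text are illustrative values.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. "Interactive logon: Machine inactivity limit" is stored as InactivityTimeoutSecs
#    (seconds). A value of 0 disables TSF-initiated locking, so it is rejected here.
function Set-MachineInactivityLimit {
    param([Parameter(Mandatory)][ValidateRange(1, 599940)][int]$Seconds)
    Set-ItemProperty -Path $policyKey -Name InactivityTimeoutSecs -Value $Seconds -Type DWord
}

# 2. "Interactive logon: Message title/text for users attempting to log on"
#    (the FTA_TAB.1 access banner) are stored in the same key.
function Set-LogonBanner {
    param([Parameter(Mandatory)][string]$Title, [Parameter(Mandatory)][string]$Text)
    Set-ItemProperty -Path $policyKey -Name legalnoticecaption -Value $Title -Type String
    Set-ItemProperty -Path $policyKey -Name legalnoticetext    -Value $Text  -Type String
}

# 3. Read back what is actually in force so the configuration can be audited
#    against the evaluated configuration.
function Get-LockAndBannerPolicy {
    $p = Get-ItemProperty -Path $policyKey
    [pscustomobject]@{
        InactivityTimeoutSecs = $p.InactivityTimeoutSecs
        BannerTitle           = $p.legalnoticecaption
        BannerText            = $p.legalnoticetext
    }
}

Set-MachineInactivityLimit -Seconds 600
Set-LogonBanner -Title 'Authorized use only' `
                -Text  'This system is monitored. Continuing indicates consent to monitoring.'
Get-LockAndBannerPolicy

# 4. User-initiated lock (the same action as Win+L), useful for scripted testing
#    that the banner and password prompt appear on resume.
rundll32.exe user32.dll,LockWorkStation
```

On a domain-joined machine the Group Policy Management Console settings the guidance references will overwrite these local values at the next policy refresh, so configure them through the GPO rather than locally there.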
The phone may be commanded to transition to the locked state by configuring the inactivity interval as above and then pressing the button to power off the phone, such that the lock screen will be presented and the password will be required when the button is pressed to turn the phone back on.

In the case of enrolled phones the inactivity interval may also be configured by the Mobile Device Management (MDM) configuration policy setting described in the following technical paper for “MaxInactivityTimeDeviceLock”:

Windows Phone 8.1 MDM protocol documentation:

The following TechNet topic describes the “Idle time before mobile device is locked (minutes)” MDM configuration policy setting that may be used to configure the “MaxInactivityTimeDeviceLock” MDM configuration policy setting for enrolled devices:

Compliance Settings for System Center 2012 R2 Configuration Manager:

Notifications Prior to Unlocking a Device
This section contains the following Common Criteria SFRs:
Default TOE Access Banners (FTA_TAB.1)
Labels: {FTA_TAB.1:A:1}

Windows 8.1
Local Administrator Guidance
The following TechNet topics describe how to configure a message to users attempting to log on:

Interactive logon: Message title for users attempting to log on:
(v=ws.10).aspx

Interactive logon: Message text for users attempting to log on:
(v=WS.10).aspx

Windows Phone 8.1
User Guidance
For Windows Phone 8.1 the following procedure may be followed to support this requirement. {FTA_TAB.1:A:1}

Distribute a photo to all users with phones that contains the notice and consent warning message. Each user then does the following on the phone:
1. In the App list, tap Settings.
2. In the Settings list, tap lock screen.
3. Under Background, tap choose background.
4. Tap photo.
5. Tap change photo.
6. Select and tap the photo distributed by the administrator, then tap the check mark at the bottom of the photo.

The notice and consent warning is now displayed before the phone is unlocked.

Managing Airplane Mode
This section contains the
following Common Criteria SFRs:
Specifications of Management Functions (FMT_SMF.1)
Labels: {FMT_SMF.1:A:1} {FMT_SMF.1:A:11} {FMT_SMF.1:A:12} {FMT_SMF.1:A:13}

Windows 8.1
User Guidance
When airplane mode is on, wireless connections, cellular voice, cellular protocols, and messaging functionality will not work on the device. The following link describes how to enable/disable airplane mode:

Windows Phone 8.1
User Guidance
When airplane mode is on, wireless connections, cellular voice, cellular protocols and messaging functionality will not work on the phone. The following link describes how to enable/disable airplane mode:

Wi-Fi and Bluetooth can be turned on while airplane mode is on, which prevents voice and messaging from being used while allowing Wi-Fi and Bluetooth data to continue to work. The following links describe how to enable/disable Wi-Fi and Bluetooth:

Enrollment
This section contains the following Common Criteria SFRs:
Extended: Specification of Remediation Actions (FMT_SMF_EXT.1)
Labels: {FMT_SMF.1:A:9}

Windows 8.1
Local Administrator Guidance
The following link describes how to enroll for device management with an MDM (see the table under the subheading “Mobile Device Enrollment” for “Windows 8.1 and Windows RT 8.1”):

To unenroll from device management do the following:
1. Go to Settings > PC Settings > Network > Workplace.
2. Click Turn off.

The administrator of the MDM can determine when a device is enrolled or unenrolled and whether policy is applied or not applied. Thus the administrator is alerted.

Windows Phone 8.1
User Guidance
The following link describes how to enroll and unenroll with an MDM. An MDM can wipe a device during unenrollment.

Updates
This section contains the following Common Criteria SFRs:
Operational User Guidance (AGD_OPE)

Windows 8.1 and Windows Phone 8.1 applications include metadata that is installed with the application by the Windows Installer and the Store App installer.
The application metadata includes version information that prevents the Windows Installer and the Store App installer from updating an installed application with an older version.

Update packages downloaded by Windows Update for Windows 8.1 and by Windows Phone Update for Windows Phone 8.1 are signed with a certificate that chains to the Microsoft Root Certificate Authority to prove their authenticity and integrity. This signature is checked on the device before installing any of the product updates contained in a given package, in order to verify the updates have not been altered since they were digitally signed. If the signature is incorrect, the update operation fails; if the signature is correct, the update operation proceeds. The user guidance in the links below describes how to determine whether an update operation was successful.

Windows 8.1
The following link describes Windows Update on Windows 8.1:

Windows Phone 8.1
The following link describes how to get updates on Windows Phone 8.1:
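The following PowerShell is an added example, not part of the original guidance, that serves both the Getting Version Information section (the FPT_TUD_EXT.1 version query) and the signature check described in this section. It reports the hardware model, OS version and installed app versions, then reproduces the installer's check on a downloaded update package: the Authenticode signature must verify and its chain must terminate at the Microsoft root before the package is handed to wusa.exe. The package path is a placeholder, and the check is a pre-flight on the administrator's side; the TOE performs its own check regardless.

```powershell
# Added example (not from the original guidance). Run on Windows 8.1.
# C:\Updates\KBnnnnnnn.msu is a placeholder for an update package you downloaded.

# 1. Version query (FPT_TUD_EXT.1): hardware model, OS version and app versions.
#    Get-AppxPackage returns the same version the Charms bar "Permissions" pane shows.
function Get-TsfVersionInfo {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Model     = "$($cs.Manufacturer) $($cs.Model)"
        OSCaption = $os.Caption
        OSVersion = $os.Version
    }
}
function Get-InstalledAppVersions {
    Get-AppxPackage | Select-Object Name, Version, Publisher | Sort-Object Name
}

# 2. Reproduce the installer's check on a downloaded package: the Authenticode
#    signature must be Valid and the certificate chain must end at the Microsoft root.
function Test-UpdatePackageSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $rootSubject = $null
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        [void]$chain.Build($sig.SignerCertificate)
        $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status            # must be 'Valid'; 'HashMismatch' means altered
        Signer        = $sig.SignerCertificate.Subject
        Root          = $rootSubject
        TrustedMSRoot = ($sig.Status -eq 'Valid') -and
                        ($rootSubject -like '*Microsoft Root Certificate Authority*')
    }
}

# 3. Refuse to install anything that does not pass, mirroring the TOE's own behaviour
#    when a package signature is incorrect.
$package = 'C:\Updates\KBnnnnnnn.msu'   # placeholder
if (Test-Path -Path $package) {
    $check = Test-UpdatePackageSignature -Path $package
    $check
    if ($check.TrustedMSRoot) {
        Start-Process -FilePath wusa.exe -ArgumentList "`"$package`" /quiet /norestart" -Wait
    } else {
        Write-Warning "Signature check failed for $package; not installing."
    }
}

# 4. Confirm the result: the KB should appear among the most recently installed fixes.
Get-TsfVersionInfo
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
```

A HashMismatch status is the case the guidance describes as an incorrect signature (the package was altered after signing); NotSigned or an unknown root indicates a package that did not come from the update channel at all, and both are rejected the same way.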