Microsoft Windows
Common Criteria Evaluation

Microsoft Windows 8.1
Microsoft Surface Pro 3

Common Criteria Supplemental Admin Guidance

Document Information
Version Number: 0.01
Updated On: February 6, 2015

This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS
plying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2015 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Visual Basic, Visual Studio, Windows, the Windows logo, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

1 Introduction
  1.1 Configuration
    1.1.1 Evaluated Configuration
2 Management Functions
3 Managing Audits
  3.1 Audit Events
  3.2 Managing Audit Policy
    3.2.1 Local Administrator Guidance
4 Managing Wipe
  4.1 Local Administrator Guidance
5 Managing EAP-TLS
  5.1 IT Administrator Guidance
  5.2 Local Administrator Guidance
6 Managing TLS
  6.1 Local Administrator Guidance
7 Managing Apps
  7.1 Local Administrator Guidance
  7.2 User Guidance
8 Managing Volume Encryption
  8.1 Local Administrator Guidance
Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\Allow enhanced PINs for startup
9 Managing VPN
  9.1 IT Administrator Guidance
  9.2 Local Administrator Guidance
10 Managing Accounts
  10.1 Local Administrator Guidance
11 Managing Bluetooth
  11.1 Local Administrator Guidance
12 Managing Passwords
  12.1 Strong Passwords
    12.1.1 IT Administrator Guidance
    12.1.2 Local Administrator Guidance
  12.2 Protecting Passwords
    12.2.1 User Guidance
  12.3 Logon/Logoff Password Policy
    12.3.1 Local Administrator Guidance
    12.3.2 User Guidance
13 Managing Certificates
  13.1 Local Administrator Guidance
  13.2 User Guidance
14 Managing Time
  14.1 Local Administrator Guidance
15 Getting Version Information
  15.1 User Guidance
16 Locking a Device
  16.1 Local Administrator Guidance
    16.1.1 User Guidance
  16.2 Managing Notifications Prior to Unlocking a Device
    16.2.1 Local Administrator Guidance
17 Managing Airplane Mode
  17.1 User Guidance
18 Device Enrollment
  18.1 Local Administrator Guidance
19 Managing Updates

1 Introduction

This document provides guidance information for a Common Criteria evaluation.

1.1 Configuration

1.1.1 Evaluated Configuration

The Common Criteria evaluation includes a specific configuration of Windows, the "evaluated configuration". To run Windows deployments using the evaluated configuration, follow the deployment steps and apply the security policies and security settings indicated below. Section 1.1 of the Security Target describes the Windows editions and security patches included in the evaluated configuration.

The operating system is pre-installed on the devices in the evaluated configuration.
When the device is turned on for the first time, the Out of Box Experience (OOBE) runs to complete the configuration.

The following security policies are applied after completing the OOBE:

Security Policy | Policy Setting
Local Policies\Security Options\System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms | Enabled
Administrative Templates\Windows Components\Credentials User Interface\Do not display the password reveal button | Enabled

The following security settings are applied:

- Cipher suite selection is configured according to section 6, Managing TLS
- Volume encryption is enabled according to section 8, Managing Volume Encryption
- VPN connections route all traffic through the VPN tunnel as described in section 9, Managing VPN
- Passwords use a minimum of six alphanumeric characters and symbols according to section 12.3, Password Policy
- RSA machine certificates are configured according to section 13, Managing Certificates, to use a minimum 2048 bit key length
- Session locking is enabled according to section 16, Locking a Device
- Devices are enrolled for device management according to section 18, Device Enrollment

2 Management Functions

The following table maps management functions to roles. It has one column each for User Guidance, Local Administrator Guidance and IT Administrator Guidance; a cell reads "Windows 8.1" where that role has guidance for the activity, and the filled cells of each row are listed after the activity.

Activity | Guidance cells
Configure password policy | Windows 8.1
Configure session locking policy | Windows 8.1
Enable/disable the VPN protection | Windows 8.1 | Windows 8.1
Enable/disable [Wi-Fi, Bluetooth] | Windows 8.1 | Windows 8.1 | Windows 8.1
Enable/disable [camera, microphone] | Windows 8.1 | Windows 8.1
Specify wireless networks (SSIDs) to which the TSF may connect | Windows 8.1
Configure security policy for connecting to wireless networks | Windows 8.1
Transition to the locked state | Windows 8.1 | Windows 8.1
Full wipe of protected data | Windows 8.1
Configure application installation policy | Windows 8.1
Import keys/secrets into the secure key storage | Windows 8.1 | Windows 8.1
Destroy imported keys/secrets and any other keys/secrets in the secure key storage | Windows 8.1
Import X.509v3 certificates into the Trust Anchor Database | Windows 8.1
Remove imported X.509v3 certificates and any other X.509v3 certificates in the Trust Anchor Database | Windows 8.1
Enroll the TOE in management | Windows 8.1 | Windows 8.1
Remove applications | Windows 8.1
Update system software | Windows 8.1
Install applications | Windows 8.1
Enable/disable data transfer capabilities over USB port, Bluetooth | Windows 8.1
Enable/disable [wireless remote access connections except for personal Hotspot service, personal Hotspot connections, tethered connections] | Windows 8.1 | Windows 8.1
Enable data-at-rest protection | Windows 8.1
Enable removable media's data-at-rest protection | Windows 8.1 | Windows 8.1
Configure the Access Point Name and proxy used for communications between the cellular network and other networks | Windows 8.1 | Windows 8.1
Enable/disable display notification in the locked state protection | Windows 8.1 | Windows 8.1
Wipe sensitive data | Windows 8.1
Alert the administrator | Windows 8.1
Remove Enterprise applications | Windows 8.1
Approve import and removal by applications of X.509v3 certificates in the Trust Anchor Database | Windows 8.1 | Windows 8.1
Enable/disable cellular voice functionality | Windows 8.1 | Windows 8.1
Enable/disable device messaging capabilities | Windows 8.1 | Windows 8.1
Enable/disable the cellular protocols used to connect to cellular network base stations | Windows 8.1 | Windows 8.1
Read audit logs kept by the TSF | Windows 8.1 | Windows 8.1
Configure the unlock banner | Windows 8.1
Enable/disable location services | Windows 8.1 | Windows 8.1

3 Managing Audits

This section contains the following Common Criteria SFRs:

- Audit Data Generation (FAU_GEN.1), Security Audit Event Selection (FAU_SEL.1)
- Extended: Audit Storage Protection (FAU_STG_EXT.1)
- Specifications of Management Functions (FMT_SMF.1)

3.1 Audit Events

Description | Id
Start-up and shutdown of the audit functions | 4608, 1100
All administrative actions | <see table below>
User authentication attempts and success/failure of the attempt | 4624, 4625, 4739, 4801
Startup and shutdown of the OS and kernel | 4608, 1100
Failures of security functions | 20
Integrity verification failures | 5038, 3004
Software updates | 1, 2, 3
Insertion or removal of removable media | 410
Establishment of a trusted channel | IPsec: 4651, 5451; TLS: 36880, 11, 81
Audit records reaching an administrator-configurable percentage of audit capacity, [assignment: other auditable events derived from this profile] | 1103, 1104

The following table correlates the set of administrative operations described in this document with their associated audits:

Administrative Action | Id
shutdown of the audit functions | 1100
configure password policy | 4739
configure session locking policy | 4656
enable/disable the VPN protection | 4650, 4651, 5451, 4655, 5452
enable/disable [assignment: Wi-Fi, Bluetooth] | 1015 (Wi-Fi, broadband); <none> (Bluetooth)
enable/disable [camera, microphone] | <none>
transition to the locked state | 4800
import keys/secrets into the secure key storage | 1006
destroy imported keys/secrets and [[any other keys/secrets]] in the secure key storage | 1004
import X.509v3 certificates into the Trust Anchor Database | 90
remove imported X.509v3 certificates and [[any other X.509v3 certificates]] in the Trust Anchor Database | 1004
enroll the TOE in management | 510
remove applications | 472
update system software | 19
install applications | 400
enable data-at-rest protection | 24579
enable removable media's data-at-rest protection | 24579
remove Enterprise applications | 472
approve import and removal by applications of X.509v3 certificates in the Trust Anchor Database | 90, 1004
enable/disable device messaging capabilities | 1015
enable/disable the cellular protocols used to connect to cellular network base stations | 1015
read audit logs kept by the TSF | 4673
configure the unlock banner using the text as specified in the administrative guidance when following the DoD access | 4656

The audit events referenced above are recorded as follows (Id | Log location | Message | Fields):

Id: 4608
Log location: Windows Logs -> Security; Subcategory: Security State Change
Message: Startup of audit functions
Fields:
  Logged: <Date and time of event>
  Task category: <type of event>
  Keywords: <Outcome as Success or Failure>

Id: 1100
Log location: Windows Logs -> Security; Subcategory: Security State Change
Message: The event logging service has shut down
Fields:
  Logged: <Date and time of event>
  Keywords: <Outcome as Success>

Id: 4739
Log location: Windows Logs -> Security; Subcategory: Authentication Policy Change
Message: Domain Policy was changed.
Fields:
  Logged: <Date and time of event>
  Security ID: <SID of user account making audit policy change>
  Account Name: <name of user account making audit policy change>
  Account Domain: <domain of user account making audit policy change if applicable, otherwise computer>
  Category: <Audit category that was changed>
  Subcategory: <Audit subcategory that was changed>
  Changes: <Change to audit policy>

Id: 4656
Log location: Windows Logs -> Security; Subcategory: Registry
Message: A handle to an object was requested.
Fields:
  Logged: <Date and time of event>
  Security ID: <SID of locked account>
  Object Name: <Name of the object changed>
  Accesses: <Access granted>
  Access Mask: <Access requested>

Id: 4651
Log location: Windows Logs -> Security; Subcategory: IPsec Main Mode
Message: IPsec main mode security association was established. A certificate was used for authentication.
Fields:
  Logged: <Date and time of event>
  Task category: <type of event>
  Local Endpoint: <Subject identity as IP address>
  Remote Endpoint: <Subject identity as IP address of non-TOE endpoint of connection>
  Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>
  Local Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>
  Remote Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>
  Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id and cryptographic parameters established in the SA>
  Keywords: <Outcome as Success>

Id: 5451
Log location: Windows Logs -> Security; Subcategory: IPsec Quick Mode
Message: IPsec quick mode security association was established
Fields:
  Logged: <Date and time of event>
  Task category: <type of event>
  Local Endpoint: <Subject identity as IP address/port>
  Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection>
  Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>
  Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id, QM SA Id, Inbound SPI, Outbound SPI and cryptographic parameters established in the SA>
  Keywords: <Outcome as Success>

Id: 4655
Log location: Windows Logs -> Security; Subcategory: IPsec Main Mode
Message: IPsec main mode security association ended
Fields:
  Logged: <Date and time of event>
  Task category: <type of event>
  Local Endpoint: <Subject identity as IP address/port>
  Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection/channel>
  Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>
  Keywords: <Outcome as Success>

Id: 5452
Log location: Windows Logs -> Security; Subcategory: IPsec Quick Mode
Message: IPsec quick mode security association ended
Fields:
  Logged: <Date and time of event>
  Task category: <type of event>
  Local Endpoint: <Subject identity as IP address/port>
  Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection>
  Cryptographic Information: <The entry in the SPD that applied to the decision as the QM SA Id, Tunnel Id, Traffic Selector Id>
  Keywords: <Outcome as Success>

Id: 1015
Log location: Applications and Services Logs -> Microsoft -> Windows -> Wcmsvc -> Operational
Message: Interface token applied
Fields:
  Logged: <Date and time of event>
  Security ID: <SID of user account that deleted the certificate/secrets>
  Media type: <indication of broadband (Wwan) or WiFi (Wlan)>
  AutoProfiles: <indication of added or removed action (blank if removed, else name of Wwan or Wlan profile)>

Id: 4800
Log location: Windows Logs -> Security; Subcategory: Logoff
Message: The workstation was locked.
Fields:
  Logged: <Date and time of event>
  Security UserID: <SID of logon user>
  Account Name: <name of logon account>
  Account Domain: <domain of logon account>

Id: 90
Log location: Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
Message: <un-named>
Fields:
  Logged: <Date and time of event>
  Security UserID: <SID of user account that imported the certificate/secrets>
  Subject: <Certificate subject name, CN, etc.>

Id: 1006
Log location: Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational
Message: A new certificate has been installed.
Fields:
  Logged: <Date and time of event>
  Security UserID: <SID of user account that deleted the certificate/secrets>
  Subject: <Certificate subject name, CN, etc.>
  Thumbprint: <Certificate thumbprint>

Id: 1004
Log location: Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational
Message: A certificate has been deleted.
Fields:
  Logged: <Date and time of event>
  Security ID: <SID of user account that deleted the certificate/secrets>
  Subject: <Certificate subject name, CN, etc.>
  Thumbprint: <Certificate thumbprint>

Id: 19
Log location: Windows Logs -> System
Message: Installation Successful: Windows successfully installed the following update: <app/update name>
Fields:
  Logged: <Date and time of event>
  Security ID: <SID of user account that installed the app>
  updateTitle: <app/update name>
  updateGuid: <app/update Guid>
  serviceGuid: <app/service GUID>
  updateRevisionNumber: <app version>

Id: 510
Log location: Applications and Services Logs -> Microsoft -> Windows -> SystemSettings -> Operational
Message: Attempted to turn on workplace device management. Result is <status code> ending at phase 3
Fields:
  Logged: <Date and time of event>
  Security UserID: <SID of user account that initiated enrolling TOE in management>
  ResultCode: <status code>
  CorpDeviceOperationPhase: 3

Id: 472
Log location: Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server/Operational
Message: Moving package folder <%program files location%\<package Id>> to <%deleted program files location%\<package Id>>. Result: <status code>
Fields:
  Logged: <Date and time of event>
  Security ID: <SID of user account that installed the app>
  SourceFolderPath: <%program files location%\<package Id>>
  DestinationFolderPath: <%deleted program files location%\<package Id>>

Id: 400
Log location: Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server/Operational
Message: Deployment Add operation on Package <package Id> from: (<.appx pathname>) finished successfully
Fields:
  Logged: <Date and time of event>
  Security ID: <SID of user account that installed the app>
  PackageFullName: <package Id>
  Path: <.appx pathname>

Id: 24579
Log location: Windows Logs -> System
Message: Encryption of volume <drive letter>: completed
Fields:
  Logged: <Date and time of event>
  Security UserID: <SID of user account that installed the app>
  Volume: <encrypted volume letter>

Id: 11010
Log location: Applications and Services Logs -> Microsoft -> Windows -> WLAN-AutoConfig -> Operational
Message: Wireless Security Started
Fields:
  Logged: <Date and time of event>
  Network Adapter: <enabled adapter name>
  Local MAC Address: <enabled adapter MAC address>

Id: 1006
Log location: Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational; Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational
Message: A new certificate has been installed
Fields:
  Logged: <Date and time of event>
  SubjectNames: <New certificate subject name>
  Thumbprint: <New certificate thumbprint>
  EKUs: <New certificate EKUs>
  NotValidAfter: <New certificate expiration date>

Id: 1004
Log location: Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational; Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational
Message: A certificate has been deleted
Fields:
  Logged: <Date and time of event>
  SubjectNames: <Deleted certificate subject name>
  Thumbprint: <Deleted certificate thumbprint>
  EKUs: <Deleted certificate EKUs>
  NotValidAfter: <Deleted certificate expiration date>

Id: 5446
Log location: Windows Logs -> Security; Subcategory: Filtering Platform Policy Change
Message: Windows Filtering Platform callout has been changed
Fields:
  Logged: <Date and time of event>
  Task category: <type of event>
  Change type: <Operation as add, change or delete>
  Callout ID: <Callout identifier as GUID>
  Callout Name: <Callout identifier as text-based name>
  Layer ID: <Layer identifier as GUID>
  Layer Name: <Layer identifier as text-based name>
  Keywords: <Outcome as Success or Failure>

Id: 5447
Log location: Windows Logs -> Security; Subcategory: Other Policy Change Events
Message: Windows Filtering Platform filter has been changed
Fields:
  Logged: <Date and time of event>
  Task category: <type of event>
  Change type: <Operation as add, change or delete>
  Filter ID: <Filter Id as GUID>
  Filter Name: <Filter identifier as text-based name>
  Layer ID: <Layer Id as GUID>
  Layer Name: <Layer identifier as text-based name>
  Additional Information: <Filter conditions>

Id: 5450
Log location: Windows Logs -> Security; Subcategory: Filtering Platform Policy Change
Message: Windows Filtering Platform sub-layer has been changed
Fields:
  Logged: <Date and time of event>
  Task category: <type of event>
  Change type: <Operation as add, change or delete>
  Sub-layer ID: <Sub-layer Id as GUID>
  Sub-layer Name: <Sub-layer identifier as text-based name>

Id: 4657
Log location: Windows Logs -> Security; Subcategory: Registry
Message: Registry entry change
Fields:
  Logged: <Date and time of event>
  Task category: <type of event>
  Security ID: <user identity>
  Object name: <key path>
  Changes: <old and new registry values>
  Keywords: <Outcome as Success or Failure>

Id: 4801
Log location: Windows Logs -> Security; Subcategory: Logon
Message: The workstation was unlocked.
Fields:
  Logged: <Date and time of event>
  Security ID: <SID of logon user>
  Account Name: <name of logon account>
  Account Domain: <domain of logon account>

Id: 4624
Log location: Windows Logs -> Security; Subcategory: Logon
Message: An account was successfully logged on.
Fields:
  Logged: <Date and time of event>
  Security ID: <SID of enabled user account>
  Account Name: <name of enabled account>
  Account Domain: <domain of enabled account if applicable, otherwise computer>
  Workstation Name: <name of computer user logged on>
  Logon Type: <type of logon (e.g. interactive)>
  LogonID: <unique logon identification>
  Source Network Address: <IP address of computer logged on>

Id: 4625
Log location: Windows Logs -> Security; Subcategory: Logon
Message: An account failed to log on.
Fields:
  Logged: <Date and time of event>
  Security ID: <SID of user account that failed to logon>
  Account Name: <name of account that failed to logon>
  Account Domain: <account domain that failed to logon if applicable, otherwise computer>
  Logon Type: <type of logon (e.g. interactive)>

Id: 20
Log location: Windows Logs -> System
Message: The last boot's success was <LastBootGood event data>.
Fields:
  Logged: <Date and time of event>
  LastBootGood: <Outcome as true or false indicating if the kernel-mode cryptographic self-tests and RNG initialization succeeded or failed>

Id: 5038
Log location: Windows Logs -> Security; Subcategory: System Integrity
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
Fields:
  Logged: <Date and time of event>
  Task category: <type of event>
  File Name: <file failing integrity check>

Id: 3004
Log location: Windows Logs -> System
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
Fields:
  Logged: <Date and time of event>
  Level: <error level>
  Task category: <type of event>
  User: <User performing the check>
  Machine: <Machine check was performed on>
  General Description: <Contains the filename that caused the integrity violation>

Id: 4719
Log location: Windows Logs -> Security; Subcategory: Audit Policy Change
Message: System audit policy was changed
Fields:
  Logged: <Date and time of event>
  Task category: <category of audit>
  Task Subcategory: <subcategory of audit>
  Subcategory GUID: <subcategory GUID name>
  Security ID: <user identity>
  Account Name: <account name>
  Account Domain: <account domain>
  Login ID: <login Id>
  Changes: <Success/Failure changes>
  Keywords: <Outcome as Success or Failure>

Id: 1
Log location: Windows Logs -> Setup
Message: Initiating changes for package
Fields:
  Logged: <Date and time of event>
  PackageIdentifier: <KB package Id>
  InitialPackageState: Resolved
  IntendedPackageState: Installed
  ErrorCode: <success outcome indicated by 0x0>

Id: 2
Log location: Windows Logs -> Setup
Message: Package was successfully changed to the Installed state
Fields:
  Logged: <Date and time of event>
  PackageIdentifier: <KB package Id>
  IntendedPackageState: Installed
  ErrorCode: <success outcome indicated by 0x0>

Id: 3
Log location: Windows Logs -> Setup
Message: Windows update could not be installed because … "The data is invalid"
Fields:
  Logged: <Date and time of event>
  Commandline: <KB package Id>
  ErrorCode: <install failure indicated by 0x800700D (2147942413)>

Id: 410
Log location: Applications and Services Logs -> Microsoft -> Windows -> Kernel-PnP -> Device Configuration
Message: Device <DeviceInstanceId> was started
Fields:
  Logged: <Date and time of event>
  Security ID: <user identity>
  DeviceInstanceId: <Device path and volume GUID of inserted removable media>

Id: 36880
Log location: Windows Logs -> System
Message: An SSL server handshake completed successfully. The negotiated cryptographic parameters are as follows:
Fields:
  Logged: <Date and time of event>
  Protocol: <protocol designator>
  CipherSuite: <hexadecimal designator for cipher suite>
  Exchange strength: <key length of exchange key in bits>
  In the Details view of the event:
    System -> TimeCreated -> SystemTime: <Date and time of event>
    System -> Execution -> ProcessID: <process ID of the process that created the event>
    System -> Execution -> ThreadID: <thread ID of the thread that created the event>

Id: 11
Log location: Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
Message: Build Chain
Fields:
  In the Details view of the event:
    System -> TimeCreated -> SystemTime: <Date and time of event>
    System -> Execution -> ProcessID: <process ID of the process that created the event>
    System -> Execution -> ThreadID: <thread ID of the thread that created the event>
    UserData -> CertGetCertificateChain -> Certificate -> subjectName: <name in client certificate>
  This event is relevant on the server side of the channel when client authentication is performed. For successful connections this event provides the subject name of the client's certificate.

Id: 81
Log location: Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
Message: Verify Trust
Fields:
  In the Details view of the event:
    System -> TimeCreated -> SystemTime: <Date and time of event>
    System -> Execution -> ProcessID: <process ID of the process that created the event>
    System -> Execution -> ThreadID: <thread ID of the thread that created the event>
    UserData -> WinVerifyTrust -> CertificateInfo -> displayName: <name in server certificate>
  This event is relevant on the client side of the channel. It provides the server's certificate name. Note that this name must match the first part of the server's URL in the HTTPS case.

Id: 1103
Log location: Windows Logs -> System
Message: The security audit log is now <the configured value> percent full.
Fields:
  Logged: <Date and time of event>
  Keywords: <Outcome as Success>

Id: 1104
Log location: Windows Logs -> System
Message: The security audit log is full.
Fields:
  Logged: <Date and time of event>
  Keywords: <Outcome as Success>

Id: 4673
Log location: Windows Logs -> Security; Subcategory: Sensitive Privilege Use / Non Sensitive Privilege Use
Message: A privileged service was called.
Fields:
  Logged: <Date and time of event>
  Security ID: <SID of user account that viewed the log>
  Account Name: <user account name that viewed the log>
  Account Domain: <domain of user account that viewed the log>
  Keywords: <Outcome as Success>

3.2 Managing Audit Policy

3.2.1 Local Administrator Guidance

The following log locations are always enabled:

- Windows Logs -> System
- Windows Logs -> Setup
- Windows Logs -> Security (Startup and shutdown of the audit functions, startup and shutdown of the OS and kernel)

The following TechNet topic describes the categories of audits:

Advanced Audit Policy Configuration: (v=ws.10).aspx

To enable audit policy subcategories, run the following commands at an elevated command prompt:

Logon operations:
  auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Audit policy changes:
  auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

IPsec operations:
  auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
  auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable

Configuring IKEv1 and IKEv2 connection properties:
  auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable
  auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable

Registry changes (modifying TLS cipher suite priority):
  auditpol /set /subcategory:"Registry" /success:enable /failure:enable

In addition to enabling audit policy as noted above, each registry key to be audited must also have its auditing permissions enabled.
This is done as follows:

1. Start the registry editor tool by executing the command regedit.exe as an administrator.
2. Navigate to the registry path for the key that should be audited, right-click the key's node and select Permissions... on the key's context menu to open the Permissions dialog.
3. Click the Advanced button to open the Advanced Security Settings dialog, click on the Auditing tab and click the Add button to open the Auditing Entry dialog.
4. Click Select a principal to open the Select User or Group dialog, select a user (e.g. Administrator) and click the OK button.
5. Choose the desired audits using the Type, Applies to and Basic Permissions attributes and click OK.
6. Click OK on the Advanced Security Settings dialog.
7. Click OK on the Permissions dialog.

To enable TLS event logging in the System Event Log, see the following link:

To enable event logging in the Application and Services Logs, see the following link describing how to enumerate the log names and set their enabled state:

Wevtutil:

Audits for failure of security functions are logged by default in the "Windows Logs\Setup" log.
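The audit-policy steps of this section carried out from an elevated PowerShell prompt instead of the command prompt and regedit dialogs, followed by a review of the events they produce. This is an added example and not part of the Microsoft guidance; it assumes that Schannel event logging is switched on through the DWORD EventLogging under the SCHANNEL key shown (7 enables error, warning and informational events such as 36880), picks the TLS cipher suite policy key of section 6 as the key to audit, and uses $principal as a placeholder.

```powershell
# Added example, not part of the Microsoft guidance: section 3.2.1 from PowerShell
# on Windows 8.1 (run elevated). ASSUMPTIONS not stated on the page: the Schannel
# logging switch is the DWORD 'EventLogging' under $schannelKey (7 = errors,
# warnings and informational events, which includes 36880); the audited key is
# this example's choice and $principal is a placeholder.

# 1. Audit policy subcategories listed above, success and failure.
$subcategories = @(
    'Logon', 'Audit Policy Change',
    'IPsec Main Mode', 'IPsec Quick Mode',
    'Filtering Platform Policy Change', 'Other Policy Change Events',
    'Registry'
)
foreach ($sub in $subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for subcategory '$sub'" }
}
# Each change is itself recorded as event 4719 (Audit Policy Change).

# 2. Registry SACL: the regedit steps above as code. A key is audited only when
#    the 'Registry' subcategory (step 1) AND an audit entry on the key are present.
$principal  = 'Everyone'   # placeholder: principal whose accesses are audited
$auditedKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
if (-not (Test-Path $auditedKey)) { New-Item -Path $auditedKey -Force | Out-Null }
$acl  = Get-Acl -Path $auditedKey -Audit
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule `
    -ArgumentList $principal, 'SetValue, CreateSubKey, Delete', 'ContainerInherit', 'None', 'Success, Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $auditedKey -AclObject $acl
# A later edit of the cipher suite list under this key now yields event 4657.

# 3. Logs that are off by default: the CAPI2 operational log (events 11, 81, 90)
#    and Schannel informational logging in the System log (event 36880).
wevtutil.exe sl 'Microsoft-Windows-CAPI2/Operational' /e:true
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
Set-ItemProperty -Path $schannelKey -Name 'EventLogging' -Value 7 -Type DWord

# 4. Review: Security-log ids from the administrative-action table in section 3.1.
$adminActions = @{
    4739 = 'configure password policy'
    4656 = 'configure session locking policy / unlock banner'
    4651 = 'VPN: IPsec main mode SA established'
    5451 = 'VPN: IPsec quick mode SA established'
    4800 = 'transition to the locked state'
    4673 = 'read audit logs kept by the TSF'
    4719 = 'system audit policy changed'
    4657 = 'registry value changed (e.g. TLS cipher suite priority)'
}
function Get-RecentAdminActions {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @($adminActions.Keys); StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Action = $adminActions[$_.Id]
                User   = $_.UserId      # SID of the account, as in the Security ID field above
            }
        }
}
Get-RecentAdminActions | Sort-Object Time | Format-Table -AutoSize
```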
All other audits that are always recorded are indicated by the value "N/A" present in the "Policy Subcategory" column in the above audit table.

To view audit logs, see the following links:

Get-EventLog:

4 Managing Wipe

This section contains the following Common Criteria SFRs:

- Extended: TSF Wipe (FCS_CKM_EXT.5)

4.1 Local Administrator Guidance

The following Windows help topic describes how to reset Windows 8.1 devices with removal of all user data (the "Fully clean the drive" option wipes all protected data):

How to refresh, reset, or restore your PC:

5 Managing EAP-TLS

This section contains the following Common Criteria SFRs:

- Extended: Trusted Channel Communication (FTP_ITC_EXT.1)
- Extended: PAE Authentication (FIA_PAE_EXT.1)
- Extended: Wireless Network Access (FTA_WSE_EXT.1)
- Specifications of Management Functions (FMT_SMF.1)

5.1 IT Administrator Guidance

An MDM system can be used to manage Wi-Fi profiles.

The following link specifies the server certificate requirements for EAP-TLS:

5.2 Local Administrator Guidance

The following topics describe how to configure EAP-TLS on Windows 8.1:

Extensible Authentication Protocol (EAP) Settings for Network Access:

The TOE comes preloaded with root certificates for various Certificate Authorities.
The following TechNet topic describes how to manage trust relationships:

Manage Trusted Root Certificates: 

Managing TLS

This section contains the following Common Criteria SFRs:
- Extended: EAP TLS Protocol (FCS_TLS_EXT.1)
- Extended: TLS Protocol (FCS_TLS_EXT.2)

Local Administrator Guidance

The mandatory cipher suites listed in the Security Target correlate with those available in the TOE as follows:

Mandatory Cipher Suites (per Security Target)                    | Available Cipher Suites in TOE
-----------------------------------------------------------------|----------------------------------------------
TLS_RSA_WITH_AES_128_CBC_SHA                                     | TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA                                     | TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246           | TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246           | TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289   | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289   | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 6460   | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 6460   | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384

The following MSDN article describes how the administrator modifies the set of TLS cipher suites for priority and availability:

Prioritizing Schannel Cipher Suites: (v=vs.85).aspx

How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll: 

The DN in the certificate is automatically compared to the expected DN and does not require additional configuration of the expected DN for the connection.

The TOE comes preloaded with root certificates for various Certificate Authorities.
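As an added example (not from the Microsoft guidance), the script below compares the cipher suites Schannel currently has enabled with the TOE column of the table above and reports any mandatory suite that is missing and any enabled suite outside the evaluated set. It assumes the Get-TlsCipherSuite cmdlet of the Windows 8.1 TLS module is present, and reads the Group Policy cipher suite order (the Functions value under the SSL\00010002 policy key that the "Prioritizing Schannel Cipher Suites" article describes) first, because Schannel honours that list over its defaults when it is set.

```powershell
# Added example, not from the Microsoft guidance.
# The expected list is transcribed from the "Available Cipher Suites in TOE" column above.
$MandatorySuites = @(
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384'
)

function Get-EnabledCipherSuiteNames {
    # Group Policy "SSL Cipher Suite Order" stores one comma-separated REG_SZ named Functions.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy -and $policy.Functions) {
        return @($policy.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    # No policy set: ask Schannel for its current list (TLS module, Windows 8.1 / Server 2012 R2).
    return @(Get-TlsCipherSuite | ForEach-Object { $_.Name })
}

function Compare-CipherSuites {
    param(
        [Parameter(Mandatory)] [string[]] $Expected,
        [Parameter(Mandatory)] [string[]] $Enabled
    )
    $missing = @($Expected | Where-Object { $_ -notin $Enabled })   # mandatory but disabled
    $extra   = @($Enabled  | Where-Object { $_ -notin $Expected })  # enabled but outside the evaluated set
    [pscustomobject]@{
        Missing   = $missing
        Extra     = $extra
        Compliant = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

$result = Compare-CipherSuites -Expected $MandatorySuites -Enabled (Get-EnabledCipherSuiteNames)
$result | Format-List

# The policy string that would restrict Schannel to exactly the mandatory set, in this priority
# order, is the comma-separated form below; it is printed here, not written, and a reboot is
# needed after it is applied through the policy described in the article above.
"Policy value for the mandatory set: " + ($MandatorySuites -join ',')
```

Suites in the Extra list are the ones to review first: the evaluated configuration lists only the eight suites in the table, and anything else still enabled is outside it.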
The following TechNet topic describes how to manage trust relationships:

Manage Trusted Root Certificates: 

Managing Apps

This section contains the following Common Criteria SFRs:
- Extended: Security Attribute Based Access Control (FDP_ACF_EXT.1)

Local Administrator Guidance

The ability for users to run the Store app may be removed using a registry value on Windows 8.1 by performing the following steps:

1. Start the registry editor tool by executing the command regedit.exe as an administrator.
2. Navigate to the registry path HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore. Note that the WindowsStore registry key may need to be created.
3. Create a DWORD (32 bit) registry value with the name RemoveWindowsStore under the WindowsStore registry key. Set the registry value to 1.

User Guidance

The following Windows help topic describes how to remove an app and any information the app contained:

Uninstall, change or repair a program: 

Note: If the system administrator has disabled uninstalling Enterprise apps from the device then those Enterprise apps cannot be uninstalled.

Managing Volume Encryption

This section contains the following Common Criteria SFRs:
- Extended: Data at Rest Protection (FDP_DAR_EXT.1)

The following TechNet topic describes the BitLocker feature, including its use to encrypt the entire operating system volume or removable volumes:

BitLocker Overview: 

Local Administrator Guidance

The following TechNet topic describes the manage-bde command that should be executed in a command shell while running as an administrator to configure DAR protection:

Manage-bde: (v=ws.10).aspx

By default AES128 encryption is used by the manage-bde command when enabling BitLocker for Windows 8.1; the AES256 algorithm should be used instead. In addition, the TPM and PIN authorization factor must be used in the evaluated configuration.
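The following script is an added example, not Microsoft's own guidance, for checking that the operating system volume ends up in the state this section requires: AES256, a TPM and PIN key protector, and the "Allow enhanced PINs for startup" policy enabled. It uses the BitLocker PowerShell module that ships with Windows 8.1. The registry value it reads for the enhanced PIN policy (UseEnhancedPin under HKLM\SOFTWARE\Policies\Microsoft\FVE) is the value the administrative template writes; that mapping comes from the template, not from this guidance.

```powershell
# Added example, not from the Microsoft guidance. Run from an elevated prompt after
# BitLocker has been enabled with manage-bde as described in this section.
function Test-EvaluatedBitLockerConfig {
    param([string] $MountPoint = $env:SystemDrive)   # e.g. "C:"

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $findings = New-Object System.Collections.Generic.List[string]

    # Evaluated configuration: AES256 rather than the manage-bde default of AES128.
    if ($vol.EncryptionMethod -ne 'Aes256') {
        $findings.Add("Encryption method is $($vol.EncryptionMethod); Aes256 is required")
    }

    # Evaluated configuration: the TPM and PIN authorization factor (protector type TpmPin).
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if ('TpmPin' -notin $protectors) {
        $findings.Add("No TpmPin key protector present (found: $($protectors -join ', '))")
    }

    # Protection only counts once the volume is fully encrypted.
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("Volume status is $($vol.VolumeStatus), not FullyEncrypted")
    }

    # "Allow enhanced PINs for startup" policy (assumed registry mapping, see lead-in).
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                            -Name UseEnhancedPin -ErrorAction SilentlyContinue
    if (-not $fve -or $fve.UseEnhancedPin -ne 1) {
        $findings.Add('Policy "Allow enhanced PINs for startup" is not enabled')
    }

    [pscustomobject]@{
        MountPoint = $MountPoint
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

Test-EvaluatedBitLockerConfig | Format-List
```

Each finding names the setting that deviates, so the output can be kept as the record that the volume matched the evaluated configuration at the time of the check.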
The Enhanced PIN capabilities must be used in the evaluated configuration. To enable the TPM and Enhanced PIN authorization factors execute the following command:

manage-bde -on <operating system disk volume letter>: -tpmandpin -encryptionMethod aes256

Administrators must create an Enhanced PIN value with a minimum of four and a maximum of 20 characters. Besides numbers, an Enhanced PIN can include uppercase and lowercase English letters, symbols on an EN-US keyboard, and spaces. To enable the Enhanced PIN capabilities start the gpedit.msc MMC snap-in as an administrator and enable the following local or group policy:

Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\Allow enhanced PINs for startup

Managing VPN

This section contains the following Common Criteria SFRs:
- Cryptographic Operation for Hashing (FCS_COP.1(HASH))
- Extended: Subset Information Flow Control (FDP_IFC_EXT.1)

IT Administrator Guidance

An MDM system may be used to administer VPN profiles.

Local Administrator Guidance

The following TechNet topic describes how to create a VPN connection: 

The evaluated configuration requires that all network traffic other than traffic necessary to establish the VPN connection go through the VPN tunnel.
To do this verify that the following configuration is set:

1. Navigate to View Available Networks by clicking on the network icon in the taskbar and select the VPN connection.
2. Right-click the VPN connection and select Properties from the context menu.
3. Navigate to the Networking tab; select Internet Protocol Version 6 (TCP/IPv6) or Internet Protocol Version 4 (TCP/IPv4) and click Properties.
4. In Properties click Advanced.
5. Under General in Advanced TCP/IP settings, make sure the option Use default gateway on remote network (the split-tunneling setting) is selected.

The following TechNet topics describe the commands for configuring the hash parameter in a new or existing main mode cryptographic proposal:

New-NetIPsecMainModeCryptoProposal: 

Hash algorithms in the TLS protocol are configured in association with cipher suite selection. The administrator configures the cipher suites used on a machine by following the configuration instructions at the following link: (v=vs.85).aspx

Managing Accounts

This section contains the following Common Criteria SFRs:
- Extended: Authorization Failure Handling (FIA_AFL_EXT.1)

Local Administrator Guidance

The following TechNet topic explains the net accounts command line utility for standalone computers (followed by command line options for managing account lockout policy):

Net Accounts: 

In addition to the parameters given in the referenced article the following are also valid options:

/lockoutthreshold:number
    Sets the number of times a bad password may be entered until the account is locked out. If set to 0 then the account is never locked out.
/lockoutwindow:minutes
    Sets the number of minutes of the lockout window.
/lockoutduration:minutes
    Sets the number of minutes the account will be locked out for.

Managing Bluetooth

This section contains the following Common Criteria SFRs:
- Extended: Bluetooth Authentication (FIA_BLT_EXT.1)
- Specifications of Management Functions (FMT_SMF.1)

Local Administrator Guidance

The following link describes how to enable/disable Bluetooth: 

Managing Passwords

Strong Passwords

This section contains the following Common Criteria SFRs:
- Extended: Password Management (FIA_PMG_EXT.1)

IT Administrator Guidance

An MDM system may be used to enforce use of strong passwords.

Local Administrator Guidance

The following TechNet topics describe the characteristics for passwords that are available, instructions for setting the enforcement mechanism and a discussion of strong passwords and recommended minimum settings:

Enforcing Strong Password Usage Throughout Your Organization: 

Strong Password: (v=ws.10).aspx

Password Best practices: (v=ws.10).aspx

Protecting Passwords

This section contains the following Common Criteria SFRs:
- Protected Authorization Feedback (FIA_UAU.7)

User Guidance

The following Windows Help topic describes how to conduct initial logon authentication for users:

Sign in to or out of Windows: 

Windows 8.1 does not require any configuration to ensure the password is obscured by default. The following best practices should be observed:

- As with all forms of authentication, when entering your password, avoid allowing other people to watch you as you sign in.
- Keep your device in a secure location where unauthorized people do not have physical access to it.
- As with any password entry, be aware of line of sight and potential recording devices that intrude on your screen.

Logon/Logoff Password Policy

This section contains the following Common Criteria SFRs:
- Extended: Authentication for Cryptographic Operation (FIA_UAU_EXT.1)
- Extended: Timing of Authentication (FIA_UAU_EXT.2)
- Extended: Re-Authorizing (FIA_UAU_EXT.3)
- Specifications of Management Functions (FMT_SMF.1)

Local Administrator Guidance

The out of box experience requires that when user accounts are created a password is assigned to the account.

The following Windows Help topics describe how to change a user password:

FIA_UAU.5.A3

Change your password: 

The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy. The relevant security policy is "Interactive logon: Machine inactivity limit" as described in the following TechNet topic in the section heading titled "New and changed functionality":

Security Policy Settings Overview: 

The following TechNet topics include guidance for administrators to open the Local Group Policy Editor tool or the Group Policy Management Console, respectively, that are used to configure the Windows security policy for standalone or domain-joined machines:

Local Group Policy Editor: 

Group Policy Management Console: 

User Guidance

The following Windows topic describes how to configure screen savers:

How to use screen savers: 

The following Windows topic describes how users can initiate a session lock:

How do I lock or unlock my PC?: 

The following Windows help topic describes how to enable or disable notifications in action center and application status on the lock screen:

How to manage notifications for Mail, Calendar, and People: 

Managing Certificates

This section contains the following Common Criteria SFRs:
- Extended: Validation of Certificates (FIA_X509_EXT.1)
- Extended: Certificate Authentication (FIA_X509_EXT.2)
- Extended: Cryptographic Key Storage (FCS_STG_EXT.1)

Local Administrator Guidance

The following TechNet topic describes
managing certificates (including the "Obtain a Certificate" sub-topic):

Manage Certificates: 

Certutil: 

The operational guidance for setting up a trusted channel to communicate with a CA is described in the operational guidance for FTP_ITC.1 (OS) – IPsec.

The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:

Manage Trusted Root Certificates: 

The following TechNet topic describes how to delete a certificate:

Delete a Certificate: 

Certificates can be added to and removed from devices using an MDM for enrolled devices.

When validating a certificate with modern Windows applications the connection to a configured revocation server must be available or the validation will fail. This configuration cannot be changed.

The administrator configures certificate validation for IPsec authentication using the Set-NetFirewallSetting PowerShell cmdlet as described in the following TechNet topic:

Set-NetFirewallSetting: 

The administrator configures certificate validation for network connections based on EAP-TLS using the "Set Up a Connection or Network" wizard in the "Smart Card or Other Certificate Properties" and "Configure Certificate Selection" screens as described in the following TechNet topic:

Extensible Authentication Protocol (EAP) Settings for Network Access (Smart Card or other Certificate Properties configuration items): 

The administrator configures certificate validation for HTTPS using the Security options checkboxes in the Advanced tab on the Internet Properties dialog in Control Panel. The "Warn about certificate address mismatch" setting configures whether the Web address must match the certificate subject field and warns the user of a mismatch.
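As an added example (not part of the Microsoft guidance), the script below shows the fail-closed behaviour this section describes for certificate validation: a chain is built with an online revocation check for every certificate in it, and an unreachable revocation source is reported as a validation failure rather than ignored. It uses the .NET X509Chain class from Windows PowerShell; the certificate it validates is simply the first one in the current user's Personal store, which is a stand-in chosen for the example.

```powershell
# Added example, not from the Microsoft guidance.
function Test-CertificateWithRevocation {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        # Online contacts the CRL/OCSP endpoints; Offline would only consult cached CRLs.
        [System.Security.Cryptography.X509Certificates.X509RevocationMode] $RevocationMode = 'Online'
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    # Check every certificate in the chain, not only the end-entity certificate.
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # VerificationFlags is left at NoFlag, so RevocationStatusUnknown / OfflineRevocation
    # (revocation server not reachable) make Build() return $false: fail closed.
    $valid = $chain.Build($Certificate)

    [pscustomobject]@{
        Subject  = $Certificate.Subject
        Valid    = $valid
        # One line per problem the chain engine recorded, empty when Valid is $true.
        Problems = @($chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())" })
        Chain    = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

# Stand-in input for the example: the first certificate in the user's Personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My | Select-Object -First 1
if ($cert) { Test-CertificateWithRevocation -Certificate $cert | Format-List }
else       { 'No certificate in Cert:\CurrentUser\My to validate.' }
```

Running it with the revocation endpoints blocked (for instance on an isolated test machine) produces Valid = False with a RevocationStatusUnknown or OfflineRevocation entry in Problems, which is the same outcome the text describes for modern Windows applications when the revocation server is unavailable.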
The following MSDN Blog describes the "Check for server certificate revocation" setting:

Understanding Certificate Revocation Checks: 

The administrator cannot configure certificate validation for code signing purposes.

User Guidance

The following TechNet topic describes how to manually import a certificate:

Import a Certificate: 

When using HTTPS in a browsing scenario the user may choose to ignore a failed certificate validation and continue the connection.

Managing Time

This section contains the following Common Criteria SFRs:
- Reliable Time Stamps (FPT_STM.1)

Local Administrator Guidance

The administrator sets the time using the Set-Date PowerShell cmdlet that is documented here: 

The administrator configures the time service to synchronize time from a time server using the W32tm command that is documented here: (v=WS.10).aspx#w2k3tr_times_tools_dyax

The administrator ensures the communication path between the TOE client and the time service provider is protected from attacks that could compromise the integrity of the time by establishing an IPsec policy using the "Microsoft Windows 8 Microsoft Windows Server 2012 --- Supplemental Admin Guidance for IPsec VPN Clients (January 23 2014)", where section 3 provides detailed instructions that can be used to configure the TOE client and the time service provider. The administrator ensures the NTP server is authenticated by verifying the IP address provided by the IT administrator for the NTP server in the main mode and quick mode security associations according to the audit trail for the FTP_ITC.1 requirement outlined in section "4.1 Audit Policy for IPsec Operations" of the IPsec VPN Client guidance. In particular, audits are provided when a trusted channel is established that includes the IP address of the channel's local and remote endpoints.
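The following script is an added example and is not part of the Microsoft guidance. It carries out the two administrator tasks of this section from PowerShell: pointing the Windows Time service at the NTP server the IT administrator designated with w32tm, and then pulling from the Security log the IPsec audit records that mention that server's address as a channel endpoint, together with the integrity-failure audit (event 4960) this section refers to. The server address is a placeholder from the RFC 5737 documentation range.

```powershell
# Added example, not from the Microsoft guidance. Run from an elevated prompt.
$NtpServer = '192.0.2.10'   # placeholder: the address supplied by the IT administrator

function Set-NtpPeer {
    param([Parameter(Mandatory)] [string] $Server)
    # Configure a single manual peer, reload the configuration and force a sync.
    & w32tm.exe /config /manualpeerlist:$Server /syncfromflags:manual /update
    & w32tm.exe /resync
    # /query /peers shows the peer in use; /query /status shows the last successful sync.
    & w32tm.exe /query /peers
    & w32tm.exe /query /status
}

function Get-IpsecAuditEvents {
    param(
        [Parameter(Mandatory)] [string] $RemoteAddress,
        [datetime] $Since = (Get-Date).AddDays(-1)
    )
    # Security-log events since $Since that either are the integrity-failure audit (4960,
    # named in this section) or mention the NTP server's address as an SA endpoint.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    $pattern = [regex]::Escape($RemoteAddress)
    $events |
        Where-Object { $_.Id -eq 4960 -or $_.Message -match $pattern } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } }
}

Set-NtpPeer -Server $NtpServer
Get-IpsecAuditEvents -RemoteAddress $NtpServer | Format-Table -AutoSize
```

The endpoint match is done on the event message text because the IPsec audit records carry the local and remote addresses in their body; an empty result after a resync means either that no IPsec security association was negotiated with the time server (the protection this section requires is not in place) or that the audit policy from section 4.1 of the IPsec guidance has not been enabled.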
If the integrity of the trusted channel is compromised, then this is indicated by the audit Id 4960 that is also discussed in section 4.1.

Getting Version Information

This section contains the following Common Criteria SFRs:
- Extended: Trusted Update: TSF Version Query (FPT_TUD_EXT.1)

User Guidance

The following Windows topic describes how to determine the hardware model and operating system version: 

The following are instructions for getting the version of an app on Windows 8.1:

1. Start the app you wish to get the version of.
2. Once the app is opened, move your mouse cursor to the upper-right or lower-right corner of the screen to see the Charms bar. Touch screen users need to swipe in from the right edge of the screen to bring up the Charms bar.
3. Click or tap the Settings charm on the Charms bar to open Settings for the app.
4. Click or tap Permissions to see the developer's name and also the current version of the app.

Locking a Device

This section contains the following Common Criteria SFRs:
- Extended: TSF and User initiated Locked State (FTA_SSL_EXT.1)

Local Administrator Guidance

The following TechNet topics include guidance for administrators to open the Local Group Policy Editor tool or the Group Policy Management Console, respectively, that are used to configure the Windows security policy for standalone or domain-joined machines:

Local Group Policy Editor: 

Group Policy Management Console: 

The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy.
The relevant security policy is "Interactive logon: Machine inactivity limit" as described in the following TechNet topic in the section heading titled "New and changed functionality":

Security Policy Settings Overview: 

User Guidance

The following Windows topic describes how to configure screen savers:

How to use screen savers: 

The following Windows topic describes how users can initiate a session lock:

How do I lock or unlock my PC?: 

Notifications Prior to Unlocking a Device

This section contains the following Common Criteria SFRs:
- Default TOE Access Banners (FTA_TAB.1)

Local Administrator Guidance

The following TechNet topics describe how to configure a message to users attempting to logon:

Interactive logon: Message title for users attempting to log on: (v=ws.10).aspx

Interactive logon: Message text for users attempting to log on: (v=WS.10).aspx

Managing Airplane Mode

This section contains the following Common Criteria SFRs:
- Specifications of Management Functions (FMT_SMF.1)

User Guidance

When airplane mode is on, wireless connections, cellular voice, cellular protocols, and messaging functionality will not work on the device. The following link describes how to enable/disable airplane mode: 

Device Enrollment

This section contains the following Common Criteria SFRs:
- Extended: Specification of Remediation Actions (FMT_SMF_EXT.1)

Local Administrator Guidance

The following link describes how to enroll for device management with an MDM (see the table under the subheading "Mobile Device Enrollment" for "Windows 8.1 and Windows RT 8.1"): 

To unenroll from device management do the following:

1. Go to Settings > PC Settings > Network > Workplace
2. Click Turn off

The administrator of the MDM can determine when a device is enrolled, unenrolled and policy is applied or not applied.
Thus the administrator is alerted.

Managing Updates

This section contains the following Common Criteria SFRs:
- Operational User Guidance (AGD_OPE)

Windows 8.1 applications include metadata that is installed with the application by the Windows Installer and the Store App installer. The application metadata includes version information that prevents the Windows Installer and the Store App installer from updating an installed application with an older version.

Update packages downloaded by Windows Update for Windows 8.1 are signed with the Microsoft Root Certificate Authority to prove their authenticity and integrity. This signature is checked on the mobile device before installing any of the product updates contained in a given package in order to verify the updates have not been altered since they were digitally signed. If the signature is incorrect, then the update operation will fail. Otherwise, if the signature is correct then the update operation will proceed. The user guidance indicated in the links below tells how to determine if an update operation was successful or unsuccessful.

The following link describes Windows Update on Windows 8.1: 
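The script below is an added example, not Microsoft's guidance, that checks in one run several of the evaluated-configuration settings described in the sections above: that each VPN connection sends all traffic through the tunnel (Managing VPN), that an account lockout threshold is set with the net accounts options listed there (Managing Accounts), that the "Interactive logon: Machine inactivity limit" policy is configured (Locking a Device), and that a logon message title and text are present (Notifications Prior to Unlocking a Device). It assumes the Windows 8.1 VpnClient module (Get-VpnConnection), and that the three security policies are stored where the Local Security Policy editor writes them, as the InactivityTimeoutSecs, LegalNoticeCaption and LegalNoticeText values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; the 15-minute ceiling on the inactivity limit is an example threshold, not a value from this guidance.

```powershell
# Added example, not from the Microsoft guidance. Run from an elevated prompt.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-VpnForceTunnel {
    # SplitTunneling = $false corresponds to "Use default gateway on remote network" being selected.
    foreach ($c in @(Get-VpnConnection -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{ Check = "VPN '$($c.Name)' sends all traffic through the tunnel"
                           Pass  = (-not $c.SplitTunneling) }
    }
}

function Get-LockoutPolicy {
    # Parse the three lockout lines of "net accounts" output (label, colon, padding, value).
    $text = & net.exe accounts
    $valueOf = { param($label)
        (($text | Where-Object { $_ -like "$label*" }) -replace '^[^:]*:\s*', '').Trim() }
    [pscustomobject]@{
        Threshold = & $valueOf 'Lockout threshold'                     # "Never" when /lockoutthreshold:0
        Duration  = & $valueOf 'Lockout duration (minutes)'
        Window    = & $valueOf 'Lockout observation window (minutes)'
    }
}

function Test-LockoutPolicy {
    $p = Get-LockoutPolicy
    [pscustomobject]@{ Check = "Account lockout threshold is set (threshold=$($p.Threshold), window=$($p.Window), duration=$($p.Duration))"
                       Pass  = ($p.Threshold -ne '' -and $p.Threshold -ne 'Never') }
}

function Test-InactivityLimit {
    param([int] $MaxSeconds = 900)   # example ceiling (15 minutes), not a value from the guidance
    $v = (Get-ItemProperty -Path $PolicyKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    [pscustomobject]@{ Check = "Machine inactivity limit configured (InactivityTimeoutSecs=$v)"
                       Pass  = ($null -ne $v -and $v -gt 0 -and $v -le $MaxSeconds) }
}

function Test-LogonBanner {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = 'Logon message title and text are set'
                       Pass  = (-not [string]::IsNullOrWhiteSpace($p.LegalNoticeCaption) -and
                                -not [string]::IsNullOrWhiteSpace($p.LegalNoticeText)) }
}

function Test-EvaluatedConfiguration {
    @(Test-VpnForceTunnel) + @(Test-LockoutPolicy) + @(Test-InactivityLimit) + @(Test-LogonBanner)
}

Test-EvaluatedConfiguration | Format-Table -AutoSize
```

Each check returns a Pass value and a description rather than printing, so the same functions can be run from a scheduled task and the failing rows exported as the record of drift from the evaluated configuration.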
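As an added example (not part of the Microsoft guidance), the script below performs the signature check this section describes on a downloaded update package before it is installed, and then lists recently installed updates, which is one way to determine whether an update operation completed. It uses Get-AuthenticodeSignature, which validates the signature and its chain to a trusted root, and Get-HotFix; the package path is a placeholder, and the subject-name test on the signer is a coarse check added for the example, not a rule from the guidance.

```powershell
# Added example, not from the Microsoft guidance.
$PackagePath = 'C:\Updates\example-update.msu'   # placeholder path to a downloaded package

function Test-UpdatePackageSignature {
    param([Parameter(Mandatory)] [string] $Path)
    if (-not (Test-Path $Path)) { throw "Package not found: $Path" }

    # Status is Valid only when the signature verifies and the chain ends at a trusted root;
    # a package whose contents were altered after signing reports HashMismatch.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '' }

    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer  = $subject
        Issuer  = $issuer
        # Mirrors the rule in the text: install only when the signature is valid. The signer
        # name test is a coarse extra check for this example.
        Install = ($sig.Status -eq 'Valid' -and $subject -match 'Microsoft')
    }
}

function Get-RecentInstalledUpdates {
    param([int] $Days = 30)
    # Installed updates with their KB identifier and install date.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -gt (Get-Date).AddDays(-$Days) } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

Test-UpdatePackageSignature -Path $PackagePath | Format-List
Get-RecentInstalledUpdates | Format-Table -AutoSize
```

A Status other than Valid is the condition under which the text says the update operation fails; the Install field makes that decision explicit so a deployment script can refuse the package rather than relying on the installer to do so.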