Surface Pro 3 Mobile Operational Guidance

Microsoft Windows

Common Criteria Evaluation

Microsoft Windows 8.1

Microsoft Surface Pro 3

Common Criteria Supplemental Admin Guidance

Document Information

Version Number: 0.01

Updated On: February 6, 2015

Microsoft © 2015 Page 1 of 35

This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2015 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Visual Basic, Visual Studio, Windows, the Windows logo, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

TABLE OF CONTENTS

1 INTRODUCTION
1.1 CONFIGURATION
1.1.1 EVALUATED CONFIGURATION
2 MANAGEMENT FUNCTIONS
3 MANAGING AUDITS
3.1 AUDIT EVENTS
3.2 MANAGING AUDIT POLICY
3.2.1 LOCAL ADMINISTRATOR GUIDANCE
4 MANAGING WIPE
4.1 LOCAL ADMINISTRATOR GUIDANCE
5 MANAGING EAP-TLS
5.1 IT ADMINISTRATOR GUIDANCE
5.2 LOCAL ADMINISTRATOR GUIDANCE
6 MANAGING TLS
6.1 LOCAL ADMINISTRATOR GUIDANCE
7 MANAGING APPS
7.1 LOCAL ADMINISTRATOR GUIDANCE
7.2 USER GUIDANCE
8 MANAGING VOLUME ENCRYPTION
8.1 LOCAL ADMINISTRATOR GUIDANCE
9 ADMINISTRATIVE TEMPLATES\WINDOWS COMPONENTS\BITLOCKER DRIVE ENCRYPTION\OPERATING SYSTEM DRIVES\ALLOW ENHANCED PINS FOR STARTUP MANAGING VPN
9.1 IT ADMINISTRATOR GUIDANCE
9.2 LOCAL ADMINISTRATOR GUIDANCE
10 MANAGING ACCOUNTS
10.1 LOCAL ADMINISTRATOR GUIDANCE
11 MANAGING BLUETOOTH
11.1 LOCAL ADMINISTRATOR GUIDANCE
12 MANAGING PASSWORDS
12.1 STRONG PASSWORDS
12.1.1 IT ADMINISTRATOR GUIDANCE
12.1.2 LOCAL ADMINISTRATOR GUIDANCE
12.2 PROTECTING PASSWORDS
12.2.1 USER GUIDANCE
12.3 LOGON/LOGOFF PASSWORD POLICY
12.3.1 LOCAL ADMINISTRATOR GUIDANCE
12.3.2 USER GUIDANCE
13 MANAGING CERTIFICATES
13.1 LOCAL ADMINISTRATOR GUIDANCE
13.2 USER GUIDANCE
14 MANAGING TIME
14.1 LOCAL ADMINISTRATOR GUIDANCE
15 GETTING VERSION INFORMATION
15.1 USER GUIDANCE
16 LOCKING A DEVICE
16.1 LOCAL ADMINISTRATOR GUIDANCE
16.1.1 USER GUIDANCE
16.2 MANAGING NOTIFICATIONS PRIOR TO UNLOCKING A DEVICE
16.2.1 LOCAL ADMINISTRATOR GUIDANCE
17 MANAGING AIRPLANE MODE
17.1 USER GUIDANCE
18 DEVICE ENROLLMENT
18.1 LOCAL ADMINISTRATOR GUIDANCE
19 MANAGING UPDATES

1 Introduction

This document provides guidance information for a Common Criteria evaluation.

1.1 Configuration

1.1.1 Evaluated Configuration

The Common Criteria evaluation includes a specific configuration of Windows, the “evaluated configuration”. To run Windows deployments using the evaluated configuration, follow the deployment steps and apply the security policies and security settings indicated below. The Security Target section 1.1 describes the Windows editions and security patches included in the evaluated configuration.

The operating system is pre-installed on the devices in the evaluated configuration. When the device is turned on for the first time the Out of Box Experience (OOBE) runs to complete the configuration.

The following security policies are applied after completing the OOBE:

| Security Policy | Policy Setting |
|---|---|
| Local Policies\Security Options\System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithm | Enabled |
| Administrative Template\Windows Components\Credentials User Interface\Do not display the password reveal button | Enabled |

The following security settings are applied:

- Cipher suite selection is configured according to section 6 Managing TLS
- Volume encryption is enabled according to section 8 Managing Volume Encryption
- VPN connections route all traffic through the VPN tunnel as described in section 9 Managing VPN
- Passwords use a minimum of six alphanumeric characters and symbols according to section 12.3 Password Policy
- RSA machine certificates are configured according to section 13 Managing Certificates to use a minimum 2048 bit key length
- Session locking is enabled according to section 16 Locking a Device
- Devices are enrolled for device management according to section 18 Device Enrollment

2 Management Functions

The following table maps management functions to roles:

Activity | User Guidance | Local Administrator Guidance | IT Administrator Guidance

Configure password policy Windows 8.1

Configure session locking policy Windows 8.1

Enable/disable the VPN protection Windows 8.1 Windows 8.1

Enable/disable [Wi-Fi, Bluetooth] Windows 8.1 Windows 8.1 Windows 8.1

Enable/disable [camera, microphone] Windows 8.1 Windows 8.1

Specify wireless networks (SSIDs) to which the TSF may connect Windows 8.1

Configure security policy for connecting to wireless networks Windows 8.1

Transition to the locked state Windows 8.1 Windows 8.1

Full wipe of protected data Windows 8.1

Configure application installation policy Windows 8.1

Import keys/secrets into the secure key storage Windows 8.1 Windows 8.1

Destroy imported keys/secrets and any other keys/secrets in the secure key storage Windows 8.1

Import X.509v3 certificates into the Trust Anchor Database Windows 8.1

Remove imported X.509v3 certificates and any other X.509v3 certificates in the Trust Anchor Database Windows 8.1

Enroll the TOE in management Windows 8.1 Windows 8.1

Remove applications Windows 8.1

Update system software Windows 8.1

Install applications Windows 8.1

Enable/disable data transfer capabilities over USB port, Bluetooth Windows 8.1

Enable/disable [wireless remote access connections except for personal Hotspot service, personal Hotspot connections, tethered connections] Windows 8.1 Windows 8.1

Enable data-at-rest protection Windows 8.1

Enable removable media’s data at rest protection Windows 8.1 Windows 8.1

Configure the Access Point Name and proxy used for communications between the cellular network and other networks Windows 8.1 Windows 8.1

Enable/disable display notification in the locked state protection Windows 8.1 Windows 8.1

Wipe sensitive data Windows 8.1

Alert the administrator Windows 8.1

Remove Enterprise applications Windows 8.1

Approve import and removal by applications of X.509v3 certificates in the Trust Anchor Database Windows 8.1 Windows 8.1

Enable/disable cellular voice functionality Windows 8.1 Windows 8.1

Enable/disable device messaging capabilities Windows 8.1 Windows 8.1

Enable/disable the cellular protocols used to connect to cellular network base stations Windows 8.1 Windows 8.1

Read audit logs kept by the TSF Windows 8.1 Windows 8.1

Configure the unlock banner Windows 8.1

Enable/disable location services Windows 8.1 Windows 8.1

3 Managing Audits

This section contains the following Common Criteria SFRs:

- Audit Data Generation (FAU_GEN.1)
- Security Audit Event Selection (FAU_SEL.1)
- Extended: Audit Storage Protection (FAU_STG_EXT.1)
- Specifications of Management Functions (FMT_SMF.1)

3.1 Audit Events

| Description | Id |
|---|---|
| Start-up and shutdown of the audit functions | 4608, 1100 |
| All administrative actions | <see table below> |
| User authentication attempts and success/failure of the attempt | 4624, 4625, 4739, 4801 |
| Startup and shutdown of the OS and kernel | 4608, 1100 |
| Failures of security functions | 20 |
| Integrity verification failures | 5038, 3004 |
| Software updates | 1, 2, 3 |
| Insertion or removal of removable media | 410 |
| Establishment of a trusted channel | IPsec: 4651, 5451; TLS: 36880, 11, 81 |
| Audit records reaching an administrator-configurable percentage of audit capacity, [assignment: other auditable events derived from this profile]]. | 1103, 1104 |

The following table correlates the set of administrative operations described in this document with their associated audits:

| Administrative Action | Id |
|---|---|
| shutdown of the audit functions | 1100 |
| configure password policy | 4739 |
| configure session locking policy | 4656 [1] |
| enable/disable the VPN protection | 4650, 4651, 5451, 4655, 5452 |
| enable/disable [assignment: Wi-Fi, Bluetooth] | 1015 (Wi-Fi, broadband); <none> (Bluetooth) |
| enable/disable [camera, microphone] | <none> |
| transition to the locked state | 4800 |
| import keys/secrets into the secure key storage | 1006 |
| destroy imported keys/secrets and [[any other keys/secrets]] in the secure key storage | 1004 |
| import X.509v3 certificates into the Trust Anchor Database | 90 |
| remove imported X.509v3 certificates and [[any other X.509v3 certificates]] in the Trust Anchor Database | 1004 |
| enroll the TOE in management | 510 |
| remove applications | 472 |
| update system software | 19 |
| install applications | 400 |
| enable data-at-rest protection | 24579 |
| enable removable media's data-at-rest protection | 24579 |
| remove Enterprise applications | 472 |
| approve import and removal by applications of X509v3 certificates in the trust anchor database | 90, 1004 |
| enable/disable device messaging capabilities | 1015 |
| enable/disable the cellular protocols used to connect to cellular network base stations | 1015 |
| read audit logs kept by the TSF | 4673 |
| configure the unlock banner using the text as specified in the administrative guidance when following the DoD access | 4656 [2] |

[1] Audit for registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs (see http://technet.microsoft.com/en-us/library/cc757250(v=ws.10).aspx for configuring registry access audits)
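The Security-log event IDs in the audit tables can be turned into a triage query. The PowerShell below is an added example, not part of the Microsoft guidance: the event IDs and the registry key come from this page's tables and footnotes, while the function names, the one-day default window and the sample records are illustrative assumptions.

```powershell
# Added example, not part of the Microsoft guidance. Event IDs and the registry key
# come from the tables and footnotes on this page; all function and variable names
# are illustrative.

# Security-log event IDs from the audit tables, with the activity the guidance ties to each.
$GuidanceEvents = @{
    4608 = 'Startup of the audit functions / OS and kernel'
    1100 = 'Shutdown of the audit functions'
    4624 = 'User authentication attempt'
    4625 = 'User authentication attempt'
    4801 = 'User authentication attempt'
    4739 = 'Configure password policy'
    4800 = 'Transition to the locked state'
    4656 = 'Registry audit (footnotes 1 and 2)'
    4650 = 'Enable/disable the VPN protection'
    4651 = 'Enable/disable the VPN protection'
    5451 = 'Enable/disable the VPN protection'
    4655 = 'Enable/disable the VPN protection'
    5452 = 'Enable/disable the VPN protection'
    4673 = 'Read audit logs kept by the TSF'
}

# Key that holds both footnoted values (InactivityTimeoutSecs and LegalNoticeText).
$PolicyKeySuffix = '\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function ConvertTo-AuditRecord {
    # Flatten an EventLogRecord into Id, TimeCreated and a name -> value table of its EventData.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $data = @{}
        $xml = [xml]$Record.ToXml()
        foreach ($node in $xml.SelectNodes("//*[local-name()='Data'][@Name]")) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }
        [pscustomobject]@{ TimeCreated = $Record.TimeCreated; Id = $Record.Id; Data = $data }
    }
}

function Get-AuditFinding {
    # Map flattened records to the guidance's activities and keep only relevant 4656 events.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $id = [int]$Record.Id
        if (-not $GuidanceEvents.ContainsKey($id)) { return }
        $activity = $GuidanceEvents[$id]
        if ($id -eq 4656) {
            # 4656 names the key, not the value, so a lock-timeout change and a banner
            # change both show up as a handle request on the same Policies\System key.
            if ("$($Record.Data.ObjectName)" -notlike "*$PolicyKeySuffix") { return }
            $activity = 'Session locking policy or unlock banner key opened'
        }
        $account = $Record.Data.TargetUserName
        if (-not $account) { $account = $Record.Data.SubjectUserName }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            Id          = $id
            Activity    = $activity
            Account     = $account
        }
    }
}

function Get-GuidanceAuditEvent {
    # Live query of the Security log; requires an elevated session.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Security'; Id = [int[]]@($GuidanceEvents.Keys); StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ConvertTo-AuditRecord | Get-AuditFinding
}

# Constructed sample records (not real log data) so the triage logic can be followed offline.
$key = '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2015-02-06T09:00:00'; Id = 4625
        Data = @{ TargetUserName = 'alice' } }
    [pscustomobject]@{ TimeCreated = [datetime]'2015-02-06T09:05:00'; Id = 4656
        Data = @{ SubjectUserName = 'admin'; ObjectName = $key } }
    [pscustomobject]@{ TimeCreated = [datetime]'2015-02-06T09:06:00'; Id = 4656
        Data = @{ SubjectUserName = 'admin'; ObjectName = '\REGISTRY\MACHINE\SOFTWARE\Example' } }
    [pscustomobject]@{ TimeCreated = [datetime]'2015-02-06T09:10:00'; Id = 4800
        Data = @{ TargetUserName = 'alice' } }
    [pscustomobject]@{ TimeCreated = [datetime]'2015-02-06T09:11:00'; Id = 4688
        Data = @{ SubjectUserName = 'alice' } }
)

# The second 4656 record (other key) and the 4688 record (not in the tables) are dropped.
$sample | Get-AuditFinding | Format-Table -AutoSize
```

Event 4656 is logged for the policy key only after registry access auditing has been configured on it, which is what the TechNet link in the footnotes covers.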

Id Log location Message Fields4608 Windows Logs -> Security

Subcategory: Security State Change

Startup of audit functions Logged: <Date and time of event>Task category: <type of event>Keywords: <Outcome as Success or Failure>

1100 Windows Logs -> Security

Subcategory: Security State Change

The event logging service has shut down Logged: <Date and time of event>Keywords: <Outcome as Success>

4739 Windows Logs -> Security

Subcategory: Authentication Policy Change

Domain Policy was changed. Logged: <Date and time of event>Security ID: <SID of user account making audit policy change>Account Name: <name of user account making audit policy change >Account Domain: <domain of user account making audit policy change if applicable, otherwise computer>Category: <Audit category that was changed.>Subcategory: <Audit subcategory that was changed.>Changes: <Change to audit policy.>

4656 Windows Logs -> Security

Subcategory: Registry

A handle to an object was requested. Logged: <Date and time of event>Security ID: <SID of locked account>Object Name: <Name of the object changed>Accesses: <Access granted>Access Mask: <Access requested>

4651 Windows Logs -> Security

Subcategory: IPsec Main Mode

Ipsec main mode security association was established. A certificate was used for authentication.

Logged: <Date and time of event>Task category: <type of event>Local Endpoint: <Subject identity as IP address>Remote Endpoint: <Subject identity as IP address of non-TOE endpoint of connection >Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>Local Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>Remote Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>

2 Audit for registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText. (see http://technet.microsoft.com/en-us/library/cc757250(v=ws.10).aspx for configuring registry access audits)

Microsoft © 2015 Page 12 of 35

Page 13: Introductiondownload.microsoft.com/download/B/E/3/BE365594-D… · Web viewManage-bde –on : -tpmandpin -encryptionMethod aes256 Administrators

Surface Pro 3 Mobile Operational Guidance

Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id and cryptographic parameters established in the SA>Keywords: <Outcome as Success>

5451 Windows Logs -> Security

Subcategory: IPsec Quick Mode

IPsec quick mode security association was established

Logged: <Date and time of event>Task category: <type of event>Local Endpoint: <Subject identity as IP address/port>Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection >Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id, QM SA Id, Inbound SPI, Outbound SPI and cryptographic parameters established in the SA >Keywords: <Outcome as Success>

4655 Windows Logs -> Security

Subcategory: IPsec Main Mode

IPsec main mode security association ended

Logged: <Date and time of event>Task category: <type of event>Local Endpoint: <Subject identity as IP address/port >Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection/channel >Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>Keywords: <Outcome as Success>

5452 Windows Logs -> Security

Subcategory: IPsec Quick Mode

IPsec quick mode security association ended

Logged: <Date and time of event>Task category: <type of event>Local Endpoint: <Subject identity as IP address/port>Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection >Cryptographic Information: <The entry in the SPD that applied to the decision as the QM SA Id, Tunnel Id, Traffic Selector Id>Keywords: <Outcome as Success>

1015 Applications and Services Logs -> Microsoft -> Windows -> Wcmsvc -> Operational

Interface token applied Logged: <Date and time of event>Security ID: <SID of user account that deleted the certificate/secrets>Media type: <indication of broadband (Wwan) or WiFi (Wlan)>AutoProfiles: <indication of added or removed action (blank if removed, else name of Wwan or Wlan profile)>

4800 Windows Logs -> Security

Subcategory: Logoff

The workstation was locked. Logged: <Date and time of event>Security UserID: <SID of logon user>Account Name: <name of logon account>Account Domain: <domain of logon account>

Microsoft © 2015 Page 13 of 35

Page 14: Introductiondownload.microsoft.com/download/B/E/3/BE365594-D… · Web viewManage-bde –on : -tpmandpin -encryptionMethod aes256 Administrators

Surface Pro 3 Mobile Operational Guidance

90 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
<un-named>
Logged: <Date and time of event>
Security UserID: <SID of user account that imported the certificate/secrets>
Subject: <Certificate subject name, CN, etc.>

1006 Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational
A new certificate has been installed.
Logged: <Date and time of event>
Security UserID: <SID of user account that deleted the certificate/secrets>
Subject: <Certificate subject name, CN, etc.>
Thumbprint: <Certificate thumbprint>

1004 Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational
A certificate has been deleted.
Logged: <Date and time of event>
Security ID: <SID of user account that deleted the certificate/secrets>
Subject: <Certificate subject name, CN, etc.>
Thumbprint: <Certificate thumbprint>

19 Windows Logs -> System
Installation Successful: Windows successfully installed the following update: <app/update name>
Logged: <Date and time of event>
Security ID: <SID of user account that installed the app>
updateTitle: <app/update name>
updateGuid: <app/update Guid>
serviceGuid: <app/service GUID>
updateRevisionNumber: <app version>

510 Applications and Services Logs -> Microsoft -> Windows -> SystemSettings -> Operational
Attempted to turn on workplace device management. Result is <status code> ending at phase 3
Logged: <Date and time of event>
Security UserID: <SID of user account that initiated enrolling TOE in management>
ResultCode: <status code>
CorpDeviceOperationPhase: 3

472 Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server/Operational
Moving package folder <%program files location%\<package Id> to <%deleted program files location%\<package Id>. Result: <status code>
Logged: <Date and time of event>
Security ID: <SID of user account that installed the app>
SourceFolderPath: <%program files location%\<package Id>
DestinationFolderPath: <%deleted program files location%\<package Id>

400 Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server/Operational
Deployment Add operation on Package <package Id> from: (<.appx pathname>) finished successfully
Logged: <Date and time of event>
Security ID: <SID of user account that installed the app>
PackageFullName: <package Id>
Path: <.appx pathname>

24579 Windows Logs -> System
Encryption of volume <drive letter>: completed
Logged: <Date and time of event>
Security UserID: <SID of user account that installed the app>
Volume: <encrypted volume letter>

11010 Applications and Services Logs -> Microsoft -> Windows -> WLAN-AutoConfig -> Operational
Wireless Security Started
Logged: <Date and time of event>
Network Adapter: <enabled adapter name>
Local MAC Address: <enabled adapter MAC address>

1006 Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational
Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational
A new certificate has been installed
Logged: <Date and time of event>
SubjectNames: <New certificate subject name>
Thumbprint: <New certificate thumbprint>
EKUs: <New certificate EKUs>
NotValidAfter: <New certificate expiration date>

1004 Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational
Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational
A certificate has been deleted
Logged: <Date and time of event>
SubjectNames: <Deleted certificate subject name>
Thumbprint: <Deleted certificate thumbprint>
EKUs: <Deleted certificate EKUs>
NotValidAfter: <Deleted certificate expiration date>

5446 Windows Logs -> Security
Subcategory: Filtering Platform Policy Change
Windows Filtering Platform callout has been changed
Logged: <Date and time of event>
Task category: <type of event>
Change type: <Operation as add, change or delete>
Callout ID: <Callout identifier as GUID>
Callout Name: <Callout identifier as text-based name>
Layer ID: <Layer identifier as GUID>
Layer Name: <Layer identifier as text-based name>
Keywords: <Outcome as Success or Failure>

5447 Windows Logs -> Security
Subcategory: Other Policy Change Events
Windows Filtering Platform filter has been changed
Logged: <Date and time of event>
Task category: <type of event>
Change type: <Operation as add, change or delete>
Filter ID: <Filter Id as GUID>
Filter Name: <Filter identifier as text-based name>
Layer ID: <Layer Id as GUID>
Layer Name: <Layer identifier as text-based name>
Additional Information: <Filter conditions>

5450 Windows Logs -> Security
Subcategory: Filtering Platform Policy Change
Windows Filtering Platform sub-layer has been changed
Logged: <Date and time of event>
Task category: <type of event>
Change type: <Operation as add, change or delete>
Sub-layer ID: <Sub-layer Id as GUID>
Sub-layer Name: <Sub-layer identifier as text-based name>

4657 Windows Logs -> Security
Subcategory: Registry
Registry entry change
Logged: <Date and time of event>
Task category: <type of event>
Security ID: <user identity>
Object name: <key path>
Changes: <old and new registry values>
Keywords: <Outcome as Success or Failure>

4801 Windows Logs -> Security
Subcategory: Logon
The workstation was unlocked.
Logged: <Date and time of event>
Security ID: <SID of logon user>
Account Name: <name of logon account>
Account Domain: <domain of logon account>

4624 Windows Logs -> Security
Subcategory: Logon
An account was successfully logged on.
Logged: <Date and time of event>
Security ID: <SID of enabled user account>
Account Name: <name of enabled account>
Account Domain: <domain of enabled account if applicable, otherwise computer>
Workstation Name: <name of computer user logged on>
Logon Type: <type of logon (e.g. interactive)>
LogonID: <unique logon identification>
Source Network Address: <IP address of computer logged on>

4625 Windows Logs -> Security
Subcategory: Logon
An account failed to log on.
Logged: <Date and time of event>
Security ID: <SID of user account that failed to logon>
Account Name: <name of account that failed to logon>
Account Domain: <account domain that failed to logon if applicable, otherwise computer>
Logon Type: <type of logon (e.g. interactive)>

20 Windows Logs -> System
The last boot’s success was <LastBootGood event data>.
Logged: <Date and time of event>
LastBootGood: <Outcome as true or false indicating if the kernel-mode cryptographic self-tests and RNG initialization succeeded or failed>

5038 Windows Logs -> Security
Subcategory: System Integrity
Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
Logged: <Date and time of event>
Task category: <type of event>
File Name: <file failing integrity check>

3004 Windows Logs -> System
Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
Logged: <Date and time of event>
Level: <error level>
Task category: <type of event>
User: <User performing the check>
Machine: <Machine check was performed on>
General Description: <Contains the filename that caused the integrity violation>

4801 Windows Logs -> Security
Subcategory: Logon
The workstation was unlocked.
Logged: <Date and time of event>
Security ID: <SID of logon user>
Account Name: <name of logon account>
Account Domain: <domain of logon account>

4719 Windows Logs -> Security
Subcategory: Audit Policy Change
System audit policy was changed
Logged: <Date and time of event>
Task category: <category of audit>
Task Subcategory: <subcategory of audit>
Subcategory GUID: <subcategory GUID name>
Security ID: <user identity>
Account Name: <account name>
Account Domain: <account domain>
Login ID: <login Id>
Changes: <Success/Failure changes>
Keywords: <Outcome as Success or Failure>

1 Windows Logs -> Setup
Initiating changes for package
Logged: <Date and time of event>
PackageIdentifier: <KB package Id>
InitialPackageState: Resolved
IntendedPackageState: Installed
ErrorCode: <success outcome indicated by 0x0>

2 Windows Logs -> Setup
Package was successfully changed to the Installed state
Logged: <Date and time of event>
PackageIdentifier: <KB package Id>
IntendedPackageState: Installed
ErrorCode: <success outcome indicated by 0x0>

3 Windows Logs -> Setup
Windows update could not be installed because … “The data is invalid”
Logged: <Date and time of event>
Commandline: <KB package Id>
ErrorCode: <install failure indicated by 0x8007000D (2147942413)>

410 Applications and Services Logs -> Microsoft -> Windows -> Kernel-PnP -> Device Configuration
Device <DeviceInstanceId> was started
Logged: <Date and time of event>
Security ID: <user identity>
DeviceInstanceId: <Device path and volume GUID of inserted removable media>

36880 Windows Logs -> System
An SSL server handshake completed successfully. The negotiated cryptographic parameters are as follows:
Logged: <Date and time of event>
Protocol: <protocol designator>
CipherSuite: <hexadecimal designator for cipher suite>
Exchange strength: <key length of exchange key in bits>
In the Details view of the event:
System -> TimeCreated -> SystemTime: <Date and time of event>
System -> Execution -> ProcessID: <process ID of the process that created the event>
System -> Execution -> ThreadID: <thread ID of the thread that created the event>

11 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
Build Chain
In the Details view of the event:
System -> TimeCreated -> SystemTime: <Date and time of event>
System -> Execution -> ProcessID: <process ID of the process that created the event>
System -> Execution -> ThreadID: <thread ID of the thread that created the event>
UserData -> CertGetCertificateChain -> Certificate -> subjectName: <name in client certificate>
This event is relevant on the server side of the channel when client authentication is performed. For successful connections this event provides the subject name of the client’s certificate.

81 Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
Verify Trust
In the Details view of the event:
System -> TimeCreated -> SystemTime: <Date and time of event>
System -> Execution -> ProcessID: <process ID of the process that created the event>
System -> Execution -> ThreadID: <thread ID of the thread that created the event>
UserData -> WinVerifyTrust -> CertificateInfo -> displayName: <name in server certificate>
This event is relevant on the client side of the channel. It provides the server’s certificate name. Note that this name must match the first part of the server’s URL in the HTTPS case.

5446 Windows Logs -> Security
Subcategory: Filtering Platform Policy Change
Windows Filtering Platform callout has been changed
Logged: <Date and time of event>
Task category: <type of event>
Change type: <Operation as add, change or delete>
Callout ID: <Callout identifier as GUID>
Callout Name: <Callout identifier as text-based name>
Layer ID: <Layer identifier as GUID>
Layer Name: <Layer identifier as text-based name>
Keywords: <Outcome as Success or Failure>

5447 Windows Logs -> Security
Subcategory: Other Policy Change Events
Windows Filtering Platform filter has been changed
Logged: <Date and time of event>
Task category: <type of event>
Change type: <Operation as add, change or delete>
Filter ID: <Filter Id as GUID>
Filter Name: <Filter identifier as text-based name>
Layer ID: <Layer Id as GUID>
Layer Name: <Layer identifier as text-based name>
Additional Information: <Filter conditions>

5450 Windows Logs -> Security
Subcategory: Filtering Platform Policy Change
Windows Filtering Platform sub-layer has been changed
Logged: <Date and time of event>
Task category: <type of event>
Change type: <Operation as add, change or delete>
Sub-layer ID: <Sub-layer Id as GUID>
Sub-layer Name: <Sub-layer identifier as text-based name>

4657 Windows Logs -> Security
Subcategory: Registry
Registry entry change
Logged: <Date and time of event>
Task category: <type of event>
Security ID: <user identity>
Object name: <key path>
Changes: <old and new registry values>
Keywords: <Outcome as Success or Failure>

1103 Windows Logs -> System
The security audit log is now <the configured value> percent full.
Logged: <Date and time of event>
Keywords: <Outcome as Success>

1104 Windows Logs -> System
The security audit log is full.
Logged: <Date and time of event>
Keywords: <Outcome as Success>

4673 Windows Logs -> Security
Subcategory: Sensitive Privilege Use / Non Sensitive Privilege Use
A privileged service was called.
Logged: <Date and time of event>
Security ID: <SID of user account that viewed the log>
Account Name: <user account name that viewed the log>
Account Domain: <domain of user account that viewed the log>
Keywords: <Outcome as Success>

3.2 Managing Audit Policy

3.2.1 Local Administrator Guidance

The following log locations are always enabled:

Windows Logs -> System
Windows Logs -> Setup
Windows Logs -> Security (Startup and shutdown of the audit functions, startup and shutdown of the OS and kernel)

The following TechNet topic describes the categories of audits:

Advanced Audit Policy Configuration: http://technet.microsoft.com/en-us/library/jj852202(v=ws.10).aspx

To enable audit policy subcategories run the following commands at an elevated command prompt:

Logon operations:
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Audit policy changes:
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

IPsec operations:
auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable

Configuring IKEv1 and IKEv2 connection properties:
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable

Registry changes (modifying TLS Cipher Suite priority):
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

In addition to enabling audit policy as noted above, each registry key to be audited must also have its auditing permissions enabled. This is done as follows:

1. Start the registry editor tool by executing the command regedit.exe as an administrator
2. Navigate to the registry path for the key that should be audited, right-click the key’s node and select Permissions… on the key’s context menu to open the Permissions dialog
3. Click the Advanced button to open the Advanced Security Settings dialog, click on the Auditing tab and click the Add button to open the Auditing Entry dialog
4. Click Select a principal to open the Select User or Group dialog, select a user (e.g. Administrator) and click the OK button
5. Choose the desired audits using the Type, Applies to and Basic Permissions attributes and click OK
6. Click OK on the Advanced Security Settings dialog
7. Click OK on the Permissions dialog
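The same configuration can be scripted and then read back, which is useful when many devices must match. The PowerShell below is an added example, not part of the original guidance: it enables the subcategories listed above, confirms each one with auditpol /get, and adds an audit entry (SACL) to a registry key as the regedit steps do. The function names, the audited rights, the BUILTIN\Administrators principal and the example key path (the Group Policy location of the Schannel cipher suite order) are assumptions to adjust.

```powershell
#Requires -RunAsAdministrator

# Audit subcategories named in the guidance above.
$Subcategories = @(
    'Logon', 'Audit Policy Change', 'IPsec Main Mode', 'IPsec Quick Mode',
    'Filtering Platform Policy Change', 'Other Policy Change Events', 'Registry'
)

function Enable-AuditSubcategory {
    param([Parameter(Mandatory)][string]$Name)

    & auditpol.exe /set "/subcategory:$Name" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$Name'" }

    # /r prints CSV; read the setting back instead of trusting the exit code alone.
    $row = & auditpol.exe /get "/subcategory:$Name" /r |
        Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv

    # The 'Inclusion Setting' text is localized; this comparison assumes en-US.
    [pscustomobject]@{
        Subcategory = $row.Subcategory
        Setting     = $row.'Inclusion Setting'
        Compliant   = ($row.'Inclusion Setting' -eq 'Success and Failure')
    }
}

function Add-RegistryKeyAudit {
    param(
        [Parameter(Mandatory)][string]$KeyPath,    # e.g. 'HKLM:\SOFTWARE\...'
        [Parameter(Mandatory)][string]$Principal   # whose accesses are audited
    )
    if (-not (Test-Path -Path $KeyPath)) { throw "Registry key not found: $KeyPath" }

    # -Audit loads the SACL; this needs an elevated session.
    $acl = Get-Acl -Path $KeyPath -Audit

    # Assumption: audit value writes, subkey creation and deletion, for both
    # successful and failed attempts, on this key and its subkeys.
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
    $flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $Principal, $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        $flags)

    $acl.AddAuditRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl

    # Return the audit entries now on the key so the change can be reviewed.
    (Get-Acl -Path $KeyPath -Audit).Audit |
        Select-Object IdentityReference, RegistryRights, AuditFlags, IsInherited
}

# Enable and verify every subcategory; any row with Compliant = False needs attention.
$Subcategories | ForEach-Object { Enable-AuditSubcategory -Name $_ } | Format-Table -AutoSize

# Assumption: example key only. It exists only when the cipher suite order
# policy has been configured, so substitute the key you need to audit.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
if (Test-Path -Path $KeyPath) {
    Add-RegistryKeyAudit -KeyPath $KeyPath -Principal 'BUILTIN\Administrators' |
        Format-Table -AutoSize
}
```

Both halves are needed: without the "Registry" subcategory the SACL produces no events, and without the SACL the subcategory records nothing for that key.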

To enable TLS event logging in the System Event Log, see the following link:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q260729

To enable event logging in the Application and Services Logs, see the following link describing how to enumerate the log names (footnote 3) and set their enabled state:

Wevtutil: http://technet.microsoft.com/en-us/library/cc732848.aspx

Audits for failure of security functions are logged by default in the “Windows Logs\Setup” log. All other audits that are always recorded are indicated by the value “N/A” present in the “Policy Subcategory” column in the above audit table.

To view audit logs, see the following links:

Get-EventLog: http://technet.microsoft.com/en-us/library/hh849834.aspx

Footnote 3: “Log Location” log names shown in the table above correlate with the names enumerated by the Wevtutil utility (which requires a quoted name using hyphens rather than spaces).

4 Managing Wipe

This section contains the following Common Criteria SFRs:

Extended: TSF Wipe (FCS_CKM_EXT.5)

4.1 Local Administrator Guidance

The following Windows help topic describes how to reset Windows 8.1 devices with removal of all user data (the “Fully clean the drive” option wipes all protected data):

How to refresh, reset, or restore your PC: http://windows.microsoft.com/en-US/windows-8/restore-refresh-reset-pc

5 Managing EAP-TLS

This section contains the following Common Criteria SFRs:

Extended: Trusted Channel Communication (FTP_ITC_EXT.1)
Extended: PAE Authentication (FIA_PAE_EXT.1)
Extended: Wireless Network Access (FTA_WSE_EXT.1)
Specifications of Management Functions (FMT_SMF.1)

5.1 IT Administrator Guidance

An MDM system can be used to manage Wi-Fi profiles.

The following link specifies the server certificate requirements for EAP-TLS:

- http://support.microsoft.com/kb/814394/en-us

5.2 Local Administrator Guidance

The following topics describe how to configure EAP-TLS on Windows 8.1:

- Extensible Authentication Protocol (EAP) Settings for Network Access: http://technet.microsoft.com/en-us/library/hh945104.aspx (footnote 4)

The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:

Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx (footnote 5)

Footnote 4: This topic also applies to Windows 8.1

6 Managing TLS

This section contains the following Common Criteria SFRs:

Extended: EAP TLS Protocol (FCS_TLS_EXT.1)
Extended: TLS Protocol (FCS_TLS_EXT.2)

6.1 Local Administrator Guidance

The mandatory cipher suites listed in the Security Target correlate with those available in the TOE as follows:

| Mandatory Cipher Suites (per Security Target) | Available Cipher Suites in TOE (footnote 6) |
| --- | --- |
| TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA |
| TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246 | TLS_RSA_WITH_AES_128_CBC_SHA256 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246 | TLS_RSA_WITH_AES_256_CBC_SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 6460 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 6460 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 |

The following MSDN article describes how the administrator modifies the set of TLS cipher suites for priority and availability:

- Prioritizing Schannel Cipher Suites: http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx
- How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll: http://support.microsoft.com/kb/245030
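After changing the cipher suite list it helps to compare what the machine is configured to offer against the suites named in this section. The PowerShell below is an added example, not part of the original guidance: it reads the Schannel cipher suite order from the registry and reports which listed suites are missing and which configured suites are outside the list. The two registry key paths are the standard Schannel configuration locations and are an assumption here, as are the function names.

```powershell
# "Available Cipher Suites in TOE" names as listed in this section.
$EvaluatedSuites = @(
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384'
)

function Get-SchannelCipherSuiteOrder {
    # Assumption: the policy key, when it holds a list, takes precedence over
    # the local default list.
    $candidates = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    )
    foreach ($key in $candidates) {
        $value = (Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue).Functions
        if ($value) {
            # The policy value is one comma-separated string; the local value is
            # a multi-string. Normalize both to a trimmed array of suite names.
            $suites = @($value) | ForEach-Object { $_ -split ',' } |
                ForEach-Object { $_.Trim() } | Where-Object { $_ }
            return [pscustomobject]@{ Source = $key; Suites = @($suites) }
        }
    }
    throw 'No Schannel cipher suite list found in the registry.'
}

function Compare-CipherSuiteList {
    param(
        [Parameter(Mandatory)][string[]]$Configured,
        [Parameter(Mandatory)][string[]]$Evaluated
    )
    [pscustomobject]@{
        # Listed suites that the machine is not configured to offer.
        MissingFromConfiguration = @($Evaluated | Where-Object { $Configured -notcontains $_ })
        # Configured suites that do not appear in the list from this section.
        OutsideEvaluatedList     = @($Configured | Where-Object { $Evaluated -notcontains $_ })
        # Position of the first listed suite in the configured priority order
        # (0 = highest priority, -1 = none configured).
        FirstEvaluatedIndex      = [array]::IndexOf(
            $Configured, ($Configured | Where-Object { $Evaluated -contains $_ } | Select-Object -First 1))
    }
}

$order  = Get-SchannelCipherSuiteOrder
$result = Compare-CipherSuiteList -Configured $order.Suites -Evaluated $EvaluatedSuites

"Cipher suite list read from: $($order.Source)"
$result | Format-List
```

If the "Registry" audit subcategory and a key SACL are in place, changes to this list also appear as event 4657 in the Security log.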

The DN in the certificate is automatically compared to the expected DN and does not require additional configuration of the expected DN for the connection.

The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:

Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx

Footnote 5: This topic also applies to Windows 8.1

Footnote 6: See: Cipher Suites in Schannel: http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

7 Managing Apps

This section contains the following Common Criteria SFRs:

Extended: Security Attribute Based Access Control (FDP_ACF_EXT.1)

7.1 Local Administrator Guidance

The ability for users to run the Store app may be removed using a registry value on Windows 8.1 by performing the following steps:

1. Start the registry editor tool by executing the command regedit.exe as an administrator
2. Navigate to the registry path HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsStore. Note that the WindowsStore registry key may need to be created.
3. Create a DWORD (32 bit) registry value with the name RemoveWindowsStore under the WindowsStore registry key. Set the registry value to 1.

7.2 User Guidance

The following Windows help topic describes how to remove an app and any information the app contained:

- Uninstall, change or repair a program: http://windows.microsoft.com/en-us/windows-8/uninstall-change-program

Note: If the system administrator has disabled uninstalling Enterprise apps from the device then those Enterprise apps cannot be uninstalled.

8 Managing Volume Encryption

This section contains the following Common Criteria SFRs:

Extended: Data at Rest Protection (FDP_DAR_EXT.1)

The following TechNet topic describes the BitLocker feature, including its use to encrypt the entire operating system volume or removable volumes:

- BitLocker Overview: http://technet.microsoft.com/en-US/library/hh831713.aspx

8.1 Local Administrator Guidance

The following TechNet topic describes the manage-bde command that should be executed in a command shell while running as an administrator to configure DAR protection:

- Manage-bde: http://technet.microsoft.com/en-us/library/ff829849(v=ws.10).aspx

By default, AES128 encryption is used by the manage-bde command when enabling BitLocker for Windows 8.1; the AES256 algorithm should be used instead. In addition, the TPM and PIN authorization factor must be used in the evaluated configuration. The Enhanced PIN capabilities must be used in the evaluated configuration.

To enable the TPM and Enhanced PIN authorization factors execute the following command:

Manage-bde -on <operating system disk volume letter>: -tpmandpin -encryptionMethod aes256
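Whether a device actually ended up in this configuration can be checked after the fact. The PowerShell below is an added example, not part of the original guidance: it uses the Get-BitLockerVolume cmdlet to confirm AES256 and a TPM and PIN key protector on the operating system volume, and reads the registry value behind the enhanced PIN policy. The function name and the registry location (HKLM\SOFTWARE\Policies\Microsoft\FVE, value UseEnhancedPin) are assumptions of this example.

```powershell
#Requires -RunAsAdministrator

function Test-EvaluatedBitLockerConfig {
    param([string]$MountPoint = $env:SystemDrive)

    $volume = Get-BitLockerVolume -MountPoint $MountPoint

    # Key protector types on the volume, as strings (e.g. TpmPin, RecoveryPassword).
    $protectors = @($volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # Assumption: value written when "Allow enhanced PINs for startup" is enabled.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
        -Name UseEnhancedPin -ErrorAction SilentlyContinue

    $checks = [ordered]@{
        'Encryption method is AES256'       = ("$($volume.EncryptionMethod)" -eq 'Aes256')
        'TPM and PIN key protector present' = ($protectors -contains 'TpmPin')
        'Enhanced PIN policy enabled'       = ($fve -and $fve.UseEnhancedPin -eq 1)
        'Volume fully encrypted'            = ("$($volume.VolumeStatus)" -eq 'FullyEncrypted')
        'Protection is on'                  = ("$($volume.ProtectionStatus)" -eq 'On')
    }

    # One row per check, plus the observed values for the report.
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            MountPoint = $volume.MountPoint
            Check      = $name
            Passed     = [bool]$checks[$name]
            Observed   = "Method=$($volume.EncryptionMethod); Protectors=$($protectors -join ',')"
        }
    }
}

$report = Test-EvaluatedBitLockerConfig
$report | Format-Table MountPoint, Check, Passed -AutoSize

# A non-zero exit code lets a management tool flag the device.
if ($report | Where-Object { -not $_.Passed }) { exit 1 }
```

The encryption method is fixed when the volume is encrypted, so a volume that was already encrypted with AES128 must be decrypted and encrypted again to pass the first check.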

Administrators must create an Enhanced PIN value with a minimum of four and a maximum of 20 numeric characters, but can also include uppercase and lowercase English letters, symbols on an EN-US keyboard, numbers, and spaces. To enable the Enhanced PIN capabilities start the gpedit.msc MMC snap-in as an administrator and enable the following local or group policy:

Administrative Templates\Windows Components\Bitlocker Drive Encryption\Operating System Drives\Allow enhanced PINs for startup

9 Managing VPN

This section contains the following Common Criteria SFRs:

Cryptographic Operation for Hashing (FCS_COP.1(HASH))
Extended: Subset Information Flow Control (FDP_IFC_EXT.1)

9.1 IT Administrator Guidance

An MDM system may be used to administer VPN profiles.

9.2 Local Administrator Guidance

The following TechNet topic describes how to create a VPN connection:

http://technet.microsoft.com/en-us/library/jj900206.aspx

The evaluated configuration requires that all network traffic other than traffic necessary to establish the VPN connection go through the VPN tunnel. To do this verify that the following configuration is set:

1. Navigate to View Available Networks by clicking on the network icon in taskbar and select the VPN connection
2. Right-click the VPN connection and select Properties from the context menu
3. Navigate to Networking tab; select Internet Protocol Version 6 (TCP/IPv6) or Internet Protocol Version 4 (TCP/IPv4) and click Properties.
4. In Properties click Advanced.

Under General in Advanced TCP/IP settings, make sure the option Use default gateway on remote network to enable split-tunneling is selected.

The following TechNet topics describe the commands for configuring the hash parameter in a new or existing main mode cryptographic proposal:

New-NetIPsecMainModeCryptoProposal: http://technet.microsoft.com/en-us/library/jj573824.aspx
Set-NetIPsecMainModeCryptoSet: http://technet.microsoft.com/en-us/library/jj554872.aspx

Hashes in the TLS protocol are configured in association with cipher suite selection. The administrator configures the cipher suites used on a machine by following the configuration instructions at the following link: http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

10 Managing Accounts

This section contains the following Common Criteria SFRs:

Extended: Authorization Failure Handling (FIA_AFL_EXT.1)

10.1 Local Administrator Guidance

The following TechNet topic explains the net accounts command line utility for standalone computers (followed by command line options for managing account lockout policy):

- Net Accounts: http://technet.microsoft.com/en-us/library/bb490698.aspx

In addition to the parameters given in the referenced article the following are also valid options:

/lockoutthreshold: number : Sets the number of times a bad password may be entered until the account is locked out. If set to 0 then the account is never locked out.

/lockoutwindow: minutes : Sets the number of minutes of the lockout window.

/lockoutduration: minutes : Sets the number of minutes the account will be locked out for.

11 Managing Bluetooth

This section contains the following Common Criteria SFRs:

Extended: Bluetooth Authentication (FIA_BLT_EXT.1)
Specifications of Management Functions (FMT_SMF.1)

11.1 Local Administrator Guidance

The following link describes how to enable/disable Bluetooth:

http://windows.microsoft.com/en-US/windows-8/install-view-manage-devices-printers

12 Managing Passwords

12.1 Strong Passwords

This section contains the following Common Criteria SFRs:

Extended: Password Management (FIA_PMG_EXT.1)

12.1.1 IT Administrator Guidance

An MDM system may be used to enforce use of strong passwords.

12.1.2 Local Administrator Guidance

The following TechNet topics describe the characteristics for passwords that are available, instructions for setting the enforcement mechanism and a discussion of strong passwords and recommended minimum settings:

Enforcing Strong Password Usage Throughout Your Organization: http://technet.microsoft.com/en-us/library/cc875814.aspx (footnote 7)
Strong Password: http://technet.microsoft.com/en-us/library/cc756109(v=ws.10).aspx
Password Best practices: http://technet.microsoft.com/en-us/library/cc784090(v=ws.10).aspx

Footnote 7: This topic also applies to Windows 8.1

12.2 Protecting Passwords

This section contains the following Common Criteria SFRs:

Protected Authorization Feedback (FIA_UAU.7)

12.2.1 User Guidance

The following Windows Help topic describes how to conduct initial logon authentication for users:

Sign in to or out of Windows: http://windows.microsoft.com/en-us/windows-8/sign-in-out-of-windows

Windows 8.1 does not require any configuration to ensure the password is obscured by default. The following best practices should be observed:

As with all forms of authentication, when entering your password, avoid allowing other people to watch you as you sign in.

Keep your device in a secure location where unauthorized people do not have physical access to it. As with any password entry, be aware of line of sight and potential recording devices that intrude on your screen.

12.3 Logon/Logoff Password Policy

This section contains the following Common Criteria SFRs:

Extended: Authentication for Cryptographic Operation (FIA_UAU_EXT.1)
Extended: Timing of Authentication (FIA_UAU_EXT.2)
Extended: Re-Authorizing (FIA_UAU_EXT.3)
Specifications of Management Functions (FMT_SMF.1)

12.3.1 Local Administrator Guidance

The out of box experience requires that when user accounts are created a password is assigned to the account.

The following Windows Help topics describe how to change a user password: FIA_UAU.5.A3

Change your password: http://windows.microsoft.com/en-us/windows-8/change-your-password

The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy. The relevant security policy is “Interactive logon: Machine inactivity limit” as described in the following Technet topic in the section heading titled “New and changed functionality”:

Security Policy Settings Overview: http://technet.microsoft.com/en-us/library/2fdcbb11-8037-45b1-9015-665393268e36

The following Technet topics include guidance for administrators to open the Local Group Policy Editor tool or the Group Policy Management Console, respectively, that are used to configure the Windows security policy for standalone or domain-joined machines:

Local Group Policy Editor: http://technet.microsoft.com/en-us/library/dn265982.aspx
Group Policy Management Console: http://technet.microsoft.com/en-us/library/dn265969.aspx

12.3.2 User Guidance

The following Windows topic describes how to configure screen savers:

How to use screen savers: http://windows.microsoft.com/en-us/windows-8/using-screen-savers

The following Windows topic describes how users can initiate a session lock:

How do I lock or unlock my PC?: http://windows.microsoft.com/en-us/windows-8/lock-unlock-pc

The following Windows help topic describes how to enable or disable notifications in action center and application status on the lock screen:

- How to manage notifications for Mail, Calendar, and People: http://windows.microsoft.com/en-US/windows-8/how-manage-notifications

13 Managing CertificatesThis section contains the following Common Criteria SFRs:

Extended: Validation of Certificates (FIA_X509_EXT.1) Extended: Certificate Authentication (FIA_X509_EXT.2) Extended: Cryptographic Key Storage (FCS_STG_EXT.1)

13.1 Local Administrator Guidance

The following TechNet topic describes managing certificates (including the “Obtain a Certificate” sub-topic):

Manage Certificates: http://technet.microsoft.com/en-us/library/cc771377.aspx [8]

[8] This topic also applies to Windows 8.1

Certutil: http://technet.microsoft.com/library/cc732443.aspx [9]

The operational guidance for setting up a trusted channel to communicate with a CA is described in the operational guidance for FTP_ITC.1 (OS)) – IPSEC.

The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:

Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx

The following TechNet topic describes how to delete a certificate:

- Delete a Certificate: http://technet.microsoft.com/en-us/library/cc772354.aspx [10]

Root certificates can be added to and removed from devices using an MDM for enrolled devices.

When validating a certificate with modern Windows applications, the connection to a configured revocation server must be available or the validation will fail. This configuration cannot be changed.

The administrator configures certificate validation for IPsec authentication using the Set-NetFirewallSetting PowerShell cmdlet as described in the following TechNet topic:

- Set-NetFirewallSetting: http://technet.microsoft.com/en-us/library/jj554878.aspx

The administrator configures certificate validation for network connections based on EAP-TLS using the “Set Up a Connection or Network” wizard in the “Smart Card or Other Certificate Properties” and “Configure Certificate Selection” screens as described in the following TechNet topic:

- Extensible Authentication Protocol (EAP) Settings for Network Access (Smart Card or other Certificate Properties configuration items): https://technet.microsoft.com/en-us/library/hh945104.aspx#BKMK_LAN_SmartCard

The administrator configures certificate validation for HTTPS using the Security options checkboxes in the Advanced tab on the Internet Properties dialog for Control Panel. The “Warn about certificate address mismatch” setting configures whether the Web address must match the certificate subject field and warns the user of a mismatch. The following MSDN Blog describes the “Check for server certificate revocation” setting:

- Understanding Certificate Revocation Checks: http://blogs.msdn.com/b/ieinternals/archive/2011/04/07/enabling-certificate-revocation-check-failure-warnings-in-internet-explorer.aspx

[9] This topic also applies to Windows 8.1
[10] This topic also applies to Windows 8.1

The administrator cannot configure certificate validation for code signing purposes.

13.2 User Guidance

The following TechNet topic describes how to manually import a certificate:

Import a Certificate: http://technet.microsoft.com/en-us/library/cc754489.aspx

When using HTTPS in a browsing scenario, the user may choose to ignore a failed certificate validation and continue the connection.

14 Managing Time

This section contains the following Common Criteria SFRs:

Reliable Time Stamps (FPT_STM.1)

14.1 Local Administrator Guidance

The administrator sets the time using the Set-Date PowerShell cmdlet that is documented here:

http://technet.microsoft.com/en-us/library/7f44d9e2-6956-4e55-baeb-df7a649fdca1

The administrator configures the time service to synchronize time from a time server using the W32tm command that is documented here:

http://technet.microsoft.com/en-us/library/cc773263(v=WS.10).aspx#w2k3tr_times_tools_dyax

The administrator ensures the communication path between the TOE client and the time service provider is protected from attacks that could compromise the integrity of the time by establishing an IPsec policy using the “Microsoft Windows 8 Microsoft Windows Server 2012 --- Supplemental Admin Guidance for IPsec VPN Clients (January 23 2014)”, where section 3 provides detailed instructions that can be used to configure the TOE client and the time service provider.

The administrator ensures the NTP server is authenticated by verifying the IP address provided by the IT administrator for the NTP Server in the main mode and quick mode security associations according to the audit trail for the FTP_ITC.1 requirement outlined in section “4.1 Audit Policy for IPsec Operations” of the IPsec VPN Client guidance. In particular, audits are provided when a trusted channel is established that includes the IP address of the channel’s local and remote endpoints. If the integrity of the trusted channel is compromised, then this is indicated by the audit Id 4960 that is also discussed in section 4.1.
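One way to script the time-source configuration and the audit review described above, as an added example that is not part of the original guidance. The server address is a constructed placeholder, the function name is hypothetical, and event IDs 4650, 4651 and 5451 (main mode and quick mode security association established) come from the standard Windows IPsec audit events rather than from this document, which names only 4960. It assumes an elevated session and that the IPsec audit policy from section 4.1 of the IPsec VPN Client guidance is enabled.

```powershell
# Added example. Run elevated: reading the Security log requires administrator rights.
$NtpServer = '192.0.2.10'   # constructed placeholder; use the address from the IT administrator

# Configure the Windows Time service to synchronize from the named server only.
w32tm /config "/manualpeerlist:$NtpServer" /syncfromflags:manual /update
w32tm /resync

function Test-NtpTrustedChannel {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $ServerAddress,
        [datetime] $Since = (Get-Date).AddHours(-24)
    )
    # 4650/4651 = main mode SA established, 5451 = quick mode SA established,
    # 4960 = IPsec dropped an inbound packet that failed an integrity check.
    $filter = @{ LogName = 'Security'; Id = 4650, 4651, 5451, 4960; StartTime = $Since }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Match the address as a whole token so 192.0.2.1 does not match 192.0.2.10.
    $pattern   = '(?<![\d.])' + [regex]::Escape($ServerAddress) + '(?![\d.])'
    $forServer = @($events | Where-Object { $_.Message -match $pattern })

    $mainMode  = @($forServer | Where-Object { $_.Id -in 4650, 4651 })
    $quickMode = @($forServer | Where-Object { $_.Id -eq 5451 })
    # Every 4960 in the window is counted, whichever peer it names (conservative).
    $integrity = @($events | Where-Object { $_.Id -eq 4960 })

    [pscustomobject]@{
        Server            = $ServerAddress
        MainModeSAs       = $mainMode.Count
        QuickModeSAs      = $quickMode.Count
        IntegrityFailures = $integrity.Count
        # Verified only if both SA types name the server and no packet failed integrity.
        ChannelVerified   = ($mainMode.Count -gt 0 -and $quickMode.Count -gt 0 -and $integrity.Count -eq 0)
        LatestFailure     = ($integrity | Select-Object -First 1).TimeCreated
    }
}

Test-NtpTrustedChannel -ServerAddress $NtpServer | Format-List
```

A result with ChannelVerified set to False and zero security associations usually means the audit subcategories are not enabled or the time traffic is not matching the IPsec policy at all, so check both before treating it as a compromise.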

15 Getting Version Information

This section contains the following Common Criteria SFRs:

Extended: Trusted Update: TSF Version Query (FPT_TUD_EXT.1)

15.1 User Guidance

The following Windows topic describes how to determine the hardware model and operating system version:

http://windows.microsoft.com/en-us/windows-8/view-system-information

The following are instructions for getting the version of an app on Windows 8.1:

1. Start the app you wish to get the version of.
2. Once the app is opened, move your mouse cursor to the upper-right or lower-right corner of the screen to see the Charms bar. Touch screen users need to swipe in from the right edge of the screen to bring up the Charms bar.
3. Click or tap the Settings charm on the Charms bar to open Settings for the app.
4. Click or tap Permissions to see the developer’s name and also the current version of the app.

16 Locking a Device

This section contains the following Common Criteria SFRs:

Extended: TSF and User initiated Locked State (FTA_SSL_EXT.1)

16.1 Local Administrator Guidance

The following Technet topics include guidance for administrators to open the Local Group Policy Editor tool or the Group Policy Management Console, respectively, that are used to configure the Windows security policy for standalone or domain-joined machines:

Local Group Policy Editor: http://technet.microsoft.com/en-us/library/dn265982.aspx
Group Policy Management Console: http://technet.microsoft.com/en-us/library/dn265969.aspx

The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy. The relevant security policy is “Interactive logon: Machine inactivity limit” as described in the following Technet topic in the section heading titled “New and changed functionality”:

Security Policy Settings Overview: http://technet.microsoft.com/en-us/library/2fdcbb11-8037-45b1-9015-665393268e36

16.1.1 User Guidance

The following Windows topic describes how to configure screen savers:

How to use screen savers: http://windows.microsoft.com/en-us/windows-8/using-screen-savers

The following Windows topic describes how users can initiate a session lock:

How do I lock or unlock my PC?: http://windows.microsoft.com/en-us/windows-8/lock-unlock-pc

16.2 Managing Notifications Prior to Unlocking a Device

This section contains the following Common Criteria SFRs:

Default TOE Access Banners (FTA_TAB.1)

16.2.1 Local Administrator Guidance

The following TechNet topics describe how to configure a message to users attempting to log on:

Interactive logon: Message title for users attempting to log on: http://technet.microsoft.com/en-us/library/cc778393(v=ws.10).aspx
Interactive logon: Message text for users attempting to log on: http://technet.microsoft.com/en-us/library/cc779661(v=WS.10).aspx
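A read-only check of the inactivity limit and logon message policies described above, as an added example that is not part of the original guidance. It assumes the three policies are stored in the registry values InactivityTimeoutSecs, LegalNoticeCaption and LegalNoticeText under the Policies\System key; the function name and the 900-second ceiling are hypothetical.

```powershell
# Added example: audits the lock and logon-banner policies without changing them.
function Get-LockAndBannerPolicy {   # hypothetical helper name
    param([int] $MaxInactivitySeconds = 900)   # assumed organizational ceiling, not from the guidance

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # "Interactive logon: Machine inactivity limit". Absent or 0 means the
    # machine never locks on inactivity, so both cases count as not enforced.
    $timeout      = $p.InactivityTimeoutSecs
    $lockEnforced = ($null -ne $timeout) -and ($timeout -gt 0) -and
                    ($timeout -le $MaxInactivitySeconds)

    # "Interactive logon: Message title / Message text for users attempting to log on".
    # A banner is only shown when both the title and the text are non-empty.
    $title     = [string] $p.LegalNoticeCaption
    $text      = [string] $p.LegalNoticeText
    $bannerSet = (-not [string]::IsNullOrWhiteSpace($title)) -and
                 (-not [string]::IsNullOrWhiteSpace($text))

    [pscustomobject]@{
        InactivityTimeoutSecs = $timeout
        LockEnforced          = $lockEnforced
        BannerTitle           = $title
        BannerConfigured      = $bannerSet
        Compliant             = ($lockEnforced -and $bannerSet)
    }
}

Get-LockAndBannerPolicy | Format-List
```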

17 Managing Airplane Mode

This section contains the following Common Criteria SFRs:

Specifications of Management Functions (FMT_SMF.1)

17.1 User Guidance

When airplane mode is on, wireless connections, cellular voice, cellular protocols, and messaging functionality will not work on the device. The following link describes how to enable/disable airplane mode:

http://windows.microsoft.com/en-US/windows-8/what-is-airplane-mode

18 Device Enrollment

This section contains the following Common Criteria SFRs:

Extended: Specification of Remediation Actions (FMT_SMF_EXT.1)

18.1 Local Administrator Guidance

The following link describes how to enroll for device management with an MDM (see the table under the subheading “Mobile Device Enrollment” for “Windows 8.1 and Windows RT 8.1”):

http://technet.microsoft.com/en-us/library/jj884158.aspx

To unenroll from device management, do the following:

1. Go to Settings > PC Settings > Network > Workplace
2. Click Turn off

The administrator of the MDM can determine when a device is enrolled, unenrolled and policy is applied or not applied. Thus the administrator is alerted.

19 Managing Updates

This section contains the following Common Criteria SFRs:

Operational User Guidance (AGD_OPE)

Windows 8.1 applications include metadata that is installed with the application by the Windows Installer and the Store App installer. The application metadata includes version information that prevents the Windows Installer and the Store App installer from updating an installed application with an older version.

Update packages downloaded by Windows Update for Windows 8.1 are signed with the Microsoft Root Certificate Authority to prove their authenticity and integrity. This signature is checked on the mobile device before installing any of the product updates contained in a given package in order to verify the updates have not been altered since they were digitally signed. If the signature is incorrect, then the update operation will fail. Otherwise, if the signature is correct, then the update operation will proceed. The user guidance indicated in the links below tells how to determine if an update operation was successful or unsuccessful.

The following link describes Windows Update on Windows 8.1:

http://windows.microsoft.com/en-us/windows/windows-update
