The following log locations are always enabled:
- Windows Logs -> System
- Windows Logs -> Setup
- Windows Logs -> Security (for startup and shutdown of the audit functions and of the OS and kernel, and clearing the audit log)
The following TechNet topic describes the categories of audits in the Windows Logs -> Security log:
- Advanced Audit Policy Configuration: http://technet.microsoft.com/en-us/library/jj852202(v=ws.10).aspx
The following TechNet topic describes how to select audit policies by category, user and audit success or failure in the Windows Logs -> Security log:
- Auditpol set: https://technet.microsoft.com/en-us/library/cc755264.aspx
For example, to enable all audits in the given subcategories of the Windows Logs -> Security log, run the following commands at an elevated command prompt:
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
- Configuring IKEv1 and IKEv2 connection properties:
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable
- Registry changes (modifying TLS Cipher Suite priority):
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
In addition to enabling audit policy as noted above, each registry key to be audited must also have its auditing permissions enabled. This is done as follows:
- Start the registry editor tool by executing the command regedit.exe as an administrator
- Navigate to the registry path for the key that should be audited, right-click the key’s node and select Permissions… on the key’s context menu to open the Permissions dialog
- Click the Advanced button to open the Advanced Security Settings dialog, click on the Auditing tab and click the Add button to open the Auditing Entry dialog
- Click Select a principal to open the Select User or Group dialog, select a user (e.g. Administrator) and click the OK button
- Choose the desired audits using the Type, Applies to and Basic Permissions attributes and click OK
- Click OK on the Advanced Security Settings dialog
- Click OK on the Permissions dialog
The following is the list of registry keys that must be audited:
- HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SettingSync\DisableSettingSync
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
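The same auditing entries can be applied to the listed keys from an elevated PowerShell session instead of through the regedit.exe dialogs. The script below is an added example, not part of the original guidance; it assumes the audited principal is Everyone (the guidance uses Administrator as its example) and audits the write-type rights (set value, create subkey, delete, change permissions, take ownership) for both success and failure, skipping any listed path that does not exist as a key on the device.

```powershell
# Added example: apply registry auditing entries (SACLs) to the keys named in the
# guidance. Assumption: run elevated, so Get-Acl -Audit / Set-Acl can read and write SACLs.
$keys = @(
    'HKLM:\Software\Microsoft\PolicyManager',
    'HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions',
    'HKLM:\Software\Policies\Microsoft\Windows\SettingSync\DisableSettingSync',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

# Assumption: Everyone is audited; narrow this to a specific account or group if required.
$principal = [System.Security.Principal.NTAccount]'Everyone'
$rights    = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit'   # "This key and subkeys"
$propagate = [System.Security.AccessControl.PropagationFlags]'None'
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

foreach ($key in $keys) {
    # A listed path may not exist until the corresponding policy has been applied.
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "Key not present, skipping: $key"
        continue
    }
    # -Audit retrieves the SACL as well as the DACL; without it Set-Acl would drop audit entries.
    $acl  = Get-Acl -LiteralPath $key -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
                $principal, $rights, $inherit, $propagate, $flags)
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $key -AclObject $acl
}

# Verification: list the audit entries now attached to each existing key.
foreach ($key in $keys) {
    if (Test-Path -LiteralPath $key) {
        (Get-Acl -LiteralPath $key -Audit).Audit |
            Select-Object @{n='Key'; e={ $key }}, IdentityReference, RegistryRights, AuditFlags
    }
}
```

The final loop should show one entry per key with AuditFlags of Success, Failure; the auditpol "Registry" subcategory from the previous section must also be enabled, or the SACL produces no events.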
To enable/disable TLS event logging in the System Event Log, see the following link:
- https://technet.microsoft.com/en-us/library/Dn786445.aspx#BKMK_HowToEnableSchannelEventLogging
To enable/disable event logging in the Application and Services Logs, see the following link describing how to enumerate the log names and set their enabled state:
- Wevtutil: http://technet.microsoft.com/en-us/library/cc732848.aspx
To view audit logs, see the following link:
- Get-EventLog: http://technet.microsoft.com/en-us/library/hh849834.aspx
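Once the "Registry" audit subcategory and the key SACLs above are in place, modifications to the audited keys are recorded in the Security log as event ID 4657 ("A registry value was modified"). The script below is an added example, not part of the original guidance; it reads those events with Get-WinEvent (rather than the Get-EventLog cmdlet linked above) and extracts the account, key, value and process from each record's EventData. The look-back window and the use of Everyone-style wildcard matching on the guidance's key paths are assumptions.

```powershell
# Added example: review registry-modification audit events (Security ID 4657) for the
# keys named in the guidance. Assumption: run elevated so the Security log is readable.
param([datetime]$Since = (Get-Date).AddDays(-1))   # assumed look-back window

# Event 4657 records ObjectName in native form (\REGISTRY\MACHINE\...), so match on that.
$watched = @(
    '\REGISTRY\MACHINE\SOFTWARE\Microsoft\PolicyManager*',
    '\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions*',
    '\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync*',
    '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System*'
)

$filter = @{ LogName = 'Security'; Id = 4657; StartTime = $Since }
# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when no record matches.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # The named EventData fields are easiest to read from the XML rendering of the record.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $hit = $false
    foreach ($pattern in $watched) {
        if ($data.ObjectName -like $pattern) { $hit = $true; break }
    }
    if (-not $hit) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Key       = $data.ObjectName
        Value     = $data.ObjectValueName
        Operation = $data.OperationType
        NewValue  = $data.NewValue
        Process   = $data.ProcessName
    }
}
```

Run it as a .ps1 file; an empty result means either no audited key was modified in the window or the "Registry" subcategory and key SACLs are not both enabled.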
4. Managing Wipe
This section contains the following Common Criteria SFRs:
- Extended: TSF Wipe (FCS_CKM_EXT.5)
4.1 IT Administrator
Windows 10 devices can be configured by the MDM administrator to wipe after exceeding a maximum number of consecutive authentication failures, using the “Number of failed logon attempts before the device is wiped” policy as described in the following TechNet topic (see the “Password” heading):
- General settings for Mobile Devices in Configuration Manager: https://technet.microsoft.com/en-us/library/dn376523.aspx#BKMK_Password
The “Password” settings are enforced only if the “Require password settings on mobile devices” policy is also set.
4.2 Local Administrator Guidance
The following Windows help topic describes how to reset Windows 10 devices with removal of all user data (the “Fully clean the drive” option wipes all protected data):
- How to refresh, reset, or restore your PC: http://windows.microsoft.com/en-us/windows-10/windows-10-recovery-options
5. Managing EAP-TLS
This section contains the following Common Criteria SFRs:
- Extended: Trusted Channel Communication (FTP_ITC_EXT.1)
- Extended: PAE Authentication (FIA_PAE_EXT.1)
- Extended: Wireless Network Access (FTA_WSE_EXT.1)
- Specifications of Management Functions (FMT_SMF_EXT.1)
5.1 IT Administrator Guidance
An MDM system can be used to manage Wi-Fi profiles.
The following links specify the server certificate requirements for EAP-TLS and the procedure to create a Wi-Fi profile in System Center 2012 R2 Configuration Manager:
- Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS: http://support.microsoft.com/kb/814394/en-us
- Wi-Fi Profiles in Configuration Manager: https://technet.microsoft.com/en-us/library/dn261221.aspx
Steps 1 – 4 in the following link describe how to configure the IT infrastructure for EAP-TLS using WPA2-Enterprise (based on 802.1x authentication and 802.11-2012 encryption standards):
- Creating a secure 802.1x wireless infrastructure using Microsoft Windows: http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx
Group policy can be used to specify the wireless networks (SSIDs) that a user may connect to:
- Configure Network Permissions and Connection Preferences: https://msdn.microsoft.com/en-us/library/dd759204.aspx