Root certificates can be added to and removed from devices using an MDM for enrolled devices. The following link is an example of MDM documentation for deploying root certificates:
- How to Deploy Certificate Profiles in Configuration Manager: https://technet.microsoft.com/en-us/library/dn270540.aspx
Windows 10 can be configured to enroll for client certificates using an MDM for enrolled devices. The following link is an example of MDM documentation for configuring the enrollment of client certificates:
- Certificate deployment with System Center 2012 R2 Configuration Manager and Windows Intune: http://blogs.technet.com/b/configmgrteam/archive/2014/04/28/certificate-deployment-with-system-center-2012-r2-configuration-manager-and-windows-intune.aspx
The following TechNet topic describes managing certificates (including the “Obtain a Certificate” sub-topic):
- Manage Certificates: http://technet.microsoft.com/en-us/library/cc771377.aspx
- Certutil: http://technet.microsoft.com/library/cc732443.aspx
The operational guidance for setting up a trusted channel to communicate with a CA is described in the operational guidance for FTP_ITC.1 (OS).
The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:
- Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx
The following TechNet topic describes how to delete a certificate:
- Delete a Certificate: http://technet.microsoft.com/en-us/library/cc772354.aspx
Root certificates can be added to and removed from devices using an MDM for enrolled devices.
When validating a certificate with modern Windows applications the connection to a configured revocation server must be available or the validation will fail. This configuration cannot be changed.
The administrator configures certificate validation using the Set-NetFirewallSetting PowerShell cmdlet as described in the following TechNet topic:
- Set-NetFirewallSetting: http://technet.microsoft.com/en-us/library/jj554878.aspx
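As an added example (not part of this guidance document), the following PowerShell reads the current IPsec certificate validation level and raises it so that a certificate whose revocation status cannot be determined is rejected. The cmdlet and parameter are the ones documented in the topic above; the permitted values (None, AttemptCrlCheck, RequireCrlCheck) and the helper function names are stated from my own knowledge of the NetSecurity module, not taken from this document.

```powershell
# Added example: view and set the IPsec certificate validation level controlled by
# Set-NetFirewallSetting on the local machine. Requires an elevated session on
# Windows 8 / Server 2012 or later (NetSecurity module).

function Get-IPsecCertValidationLevel {
    # Returns the value from the local policy store: None, AttemptCrlCheck or RequireCrlCheck
    (Get-NetFirewallSetting).CertValidationLevel
}

function Set-IPsecCertValidationLevel {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('None', 'AttemptCrlCheck', 'RequireCrlCheck')]
        [string]$Level
    )
    # RequireCrlCheck fails IPsec authentication when revocation status cannot be obtained;
    # AttemptCrlCheck tolerates an unreachable CRL distribution point; None skips the check.
    Set-NetFirewallSetting -CertValidationLevel $Level
}

$before = Get-IPsecCertValidationLevel
Set-IPsecCertValidationLevel -Level RequireCrlCheck
$after = Get-IPsecCertValidationLevel
Write-Output "CertValidationLevel: $before -> $after"
```

Because the setting lives in the local policy store, a domain Group Policy that also configures IPsec settings can override it at the next refresh; read it back with Get-NetFirewallSetting -PolicyStore ActiveStore to see the value actually in effect.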
The administrator configures certificate validation for network connections based on EAP-TLS using the “Set Up a Connection or Network” wizard in the “Smart Card or Other Certificate Properties” and “Configure Certificate Selection” screens as described in the following TechNet topic:
- Extensible Authentication Protocol (EAP) Settings for Network Access (Smart Card or other Certificate Properties configuration items): https://technet.microsoft.com/en-us/library/hh945104.aspx#BKMK_LAN_SmartCard
The administrator configures certificate validation for HTTPS using the Security options checkboxes in the Advanced tab on the Internet Properties dialog for Control Panel. The “Warn about certificate address mismatch” setting configures whether the Web address must match the certificate subject field and warns the user of a mismatch. The following MSDN Blog describes the “Check for server certificate revocation” setting:
- Understanding Certificate Revocation Checks: http://blogs.msdn.com/b/ieinternals/archive/2011/04/07/enabling-certificate-revocation-check-failure-warnings-in-internet-explorer.aspx
The administrator cannot configure certificate validation for code signing purposes.
Key lengths of keys used with certificates are configured in the certificate templates on the Certificate Authority used during enrollment and are not configured by the user or local administrator.
13.4 User Guidance
The following TechNet topic describes how to manually import a certificate:
- Import a Certificate: http://technet.microsoft.com/en-us/library/cc754489.aspx
When using HTTPS in a browsing scenario the user may choose to ignore a failed certificate validation and continue the connection.
13.5 Custom Certificate Requests
Certificate requests with specific fields such as "Common Name", "Organization", "Organizational Unit", and/or "Country" can be generated by apps using the Certificates.CertificateEnrollmentManager.CreateRequestAsync API. The following link provides the documentation for the API:
https://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.certificates.certificateenrollmentmanager.createrequestasync.aspx
14. Managing Time
This section contains the following Common Criteria SFRs:
- Reliable Time Stamps (FPT_STM.1)
14.1 Local Administrator Guidance
The administrator sets the time using the Set-Date PowerShell cmdlet that is documented here:
- http://technet.microsoft.com/en-us/library/7f44d9e2-6956-4e55-baeb-df7a649fdca1
The administrator configures the time service to synchronize time from a time server using the W32tm command that is documented here:
- http://technet.microsoft.com/en-us/library/cc773263(v=WS.10).aspx#w2k3tr_times_tools_dyax
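An added example, not part of this guidance: configuring the Windows Time service with W32tm to synchronize from a specific time server and confirming that the new source took effect. `time.example.com` is a placeholder for the organization's NTP server, and the Test-TimeSource helper is my own; the W32tm switches used are the ones documented in the topic above.

```powershell
# Added example: configure W32time to use one explicit NTP peer and verify the source.
# Run from an elevated PowerShell session.
$NtpServer = 'time.example.com'   # placeholder, replace with the organization's time server

function Set-TimeSource {
    param([Parameter(Mandatory)][string]$Server)
    # ",0x8" requests client mode from the peer; "manual" limits W32time to this list
    # (no domain hierarchy fallback). /update applies the change to the running service.
    w32tm /config /manualpeerlist:"$Server,0x8" /syncfromflags:manual /update
    Restart-Service -Name w32time
    # Force an immediate resynchronization with peer rediscovery
    w32tm /resync /rediscover
}

function Test-TimeSource {
    param([Parameter(Mandatory)][string]$Expected)
    # "w32tm /query /source" prints the peer name (with flags, e.g. "time.example.com,0x8").
    # "Local CMOS Clock" or "Free-running System Clock" means no network source is in use.
    $source = (w32tm /query /source | Out-String).Trim()
    return $source -like "$Expected*"
}

Set-TimeSource -Server $NtpServer
if (Test-TimeSource -Expected $NtpServer) {
    Write-Output "Time source is $NtpServer"
} else {
    Write-Warning "Time source is not $NtpServer; inspect 'w32tm /query /status'"
}

# Set-Date is the one-off manual alternative named above and does not establish ongoing sync:
# Set-Date -Date '2016-06-01 12:00:00'
```

The check matters for FPT_STM.1 because W32time silently falls back to the local clock when the configured peer is unreachable; the /query /source output is the simplest place to catch that.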
The administrator ensures the communication path between the TOE client and the time service provider is protected from attacks that could compromise the integrity of the time by establishing an IPsec policy using the “Microsoft Windows 8 Microsoft Windows Server 2012 --- Supplemental Admin Guidance for IPsec VPN Clients (January 23 2014)”, where section 3 provides detailed instructions that can be used to configure the TOE client and the time service provider.
The administrator ensures the NTP server is authenticated by verifying the IP address provided by the IT administrator for the NTP Server in the main mode and quick mode security associations according to the audit trail for the FTP_ITC.1 requirement outlined in section “4.1 Audit Policy for IPsec Operations” of the IPsec VPN Client guidance. In particular, audits are provided when a trusted channel is established that includes the IP address of the channel’s local and remote endpoints. If the integrity of the trusted channel is compromised, then this is indicated by the audit Id 4960 that is also discussed in section 4.1.
15. Getting Version Information
This section contains the following Common Criteria SFRs:
- Extended: Trusted Update: TSF Version Query (FPT_TUD_EXT.1)
15.1 User Guidance
To determine the hardware model and operating system version:
- Go to Settings -> System -> About
The following are instructions for getting the version of an app on Windows 10:
- Start the app you wish to get the version of.
- Once the app is open, move your mouse cursor to the upper-right or lower-right corner of the screen to see the Charms bar. Touch screen users need to swipe in from the right edge of the screen to bring up the Charms bar.
- Click or tap the Settings charm on the Charms bar to open Settings for the app.
- Click or tap Permissions to see the developer’s name and the current version of the app.
16. Locking a Device
This section contains the following Common Criteria SFRs:
- Extended: TSF and User initiated Locked State (FTA_SSL_EXT.1)
16.1 IT Administrator Guidance
The following TechNet topic describes the “Idle time before mobile device is locked (minutes)” MDM configuration policy setting that may be used to configure the “MaxInactivityTimeDeviceLock” MDM configuration policy settings for enrolled devices:
- Compliance Settings for System Center 2012 R2 Configuration Manager: http://technet.microsoft.com/en-us/library/dn376523.aspx#bkmk_comps
16.2 Local Administrator Guidance
The following Technet topics include guidance for administrators to open the Local Group Policy Editor tool or the Group Policy Management Console, respectively, that are used to configure the Windows security policy for standalone or domain-joined machines:
- Local Group Policy Editor: http://technet.microsoft.com/en-us/library/dn265982.aspx
- Group Policy Management Console: http://technet.microsoft.com/en-us/library/dn265969.aspx
The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy. The relevant security policy is “Interactive logon: Machine inactivity limit” as described in the following Technet topic in the section heading titled “New and changed functionality”:
- Security Policy Settings Overview: http://technet.microsoft.com/en-us/library/2fdcbb11-8037-45b1-9015-665393268e36
16.3 User Guidance
See section 12.3.2
This section contains the following Common Criteria SFRs:
- Default TOE Access Banners (FTA_TAB.1)
16.4.1 Local Administrator Guidance
The following TechNet topics describe how to configure a message to users attempting to logon:
- Interactive logon: Message title for users attempting to log on: http://technet.microsoft.com/en-us/library/cc778393(v=ws.10).aspx
- Interactive logon: Message text for users attempting to log on: http://technet.microsoft.com/en-us/library/cc779661(v=WS.10).aspx
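An added example, not from this guidance, that serves both the inactivity-limit policy in section 16.2 and the logon message policies above: once the administrator has set them through the Local Group Policy Editor or GPMC, this PowerShell reads the applied values back so the configuration can be verified and recorded. The registry location and value names are stated from my own knowledge of where Windows stores these security options, not from this document, and the 900-second threshold is only an example parameter.

```powershell
# Added example: verify the applied "Interactive logon" security policy values.
# Registry path and value names are my assumption about Windows policy storage.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-LogonLockPolicy {
    param(
        # Largest inactivity limit (seconds) the organization accepts; example value
        [int]$MaxInactivitySeconds = 900
    )
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    # "Interactive logon: Machine inactivity limit" -> InactivityTimeoutSecs (DWORD).
    # Missing or 0 means the TSF-initiated lock is not enforced by policy.
    $timeout = $p.InactivityTimeoutSecs
    $inactivityOk = ($null -ne $timeout) -and ($timeout -gt 0) -and ($timeout -le $MaxInactivitySeconds)

    # "Interactive logon: Message title/text for users attempting to log on"
    # -> LegalNoticeCaption / LegalNoticeText. An empty text disables the banner.
    $bannerOk = -not [string]::IsNullOrWhiteSpace($p.LegalNoticeText)

    [pscustomobject]@{
        InactivityTimeoutSecs = $timeout
        InactivityCompliant   = $inactivityOk
        BannerTitle           = $p.LegalNoticeCaption
        BannerText            = $p.LegalNoticeText
        BannerCompliant       = $bannerOk
    }
}

Get-LogonLockPolicy | Format-List
```

Running this after `gpupdate /force` distinguishes a policy that was edited from one that has actually been applied to the machine.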
17. Managing Airplane Mode
This section contains the following Common Criteria SFRs:
- Specifications of Management Functions (FMT_SMF_EXT.1)
17.1 User Guidance
When airplane mode is on, wireless connections, cellular voice, cellular protocols, and messaging functionality will not work on the device. The following link describes how to enable/disable airplane mode: http://windows.microsoft.com/en-us/windows-10/turn-on-airplane-mode
18. Managing Device Enrollment
This section contains the following Common Criteria SFRs:
- Specifications of Management Functions (FMT_SMF_EXT.1)
- Extended: Specification of Remediation Actions (FMT_SMF_EXT.2)
A Mobile Device Management (MDM) administrator can remotely wipe enrolled devices. The following MSDN topic describes the doWipe command supported on Windows 10 devices by the RemoteWipe Configuration Service Provider (CSP):
- RemoteWipe CSP: https://msdn.microsoft.com/en-us/library/windows/hardware/dn904968(v=vs.85).aspx
18.2 Local Administrator Guidance
To enroll for management do the following:
- Go to Settings -> Accounts -> Work access
- Tap the Connect button
- Fill in the user account credentials provided by your IT administrator
Unenrollment from the MDM solution performs the remediation actions of:
- alert the administrator
- remove Enterprise applications
To unenroll from device management do the following:
- Go to Settings -> Accounts -> Work access
- Tap the Remove button that is displayed when the enrollment setting is selected, and then confirm the Remove operation
The local administrator determines whether the device is enrolled by looking at the Work access page of the Accounts settings. If the device is enrolled, the enrollment setting is shown with the Work access name established by your IT administrator and the account name, provided by your IT administrator, that was used to enroll the device. Tapping the enrollment setting reveals the Sync, Info and Remove buttons, which may be used to synchronize device management settings, inspect Work access enrollment settings, or remove the device from enrollment.
18.3 User Guidance
Users manage device enrollment like local administrators as described above.
19. Managing Updates
Windows 10 applications include metadata that is installed with the application by the Windows Installer and the Store App installer. The application metadata includes version information that prevents the Windows Installer and the Store App installer from updating an installed application with an older version.
Update packages downloaded by Windows Update for Windows 10 are signed with the Microsoft Root Certificate Authority to prove their authenticity and integrity. This signature is checked on the mobile device before installing any of the product updates contained in a given package in order to verify the updates have not been altered since they were digitally signed. If the signature is incorrect, then the update operation will fail. Otherwise, if the signature is correct, then the update operation will proceed.
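An added example, not from this guidance, of the same check performed by an administrator on a package obtained out of band (for instance from the Microsoft Update Catalog) before it is installed: Get-AuthenticodeSignature reports whether the Authenticode signature verifies, and the function then walks the certificate chain to confirm it terminates at the Microsoft Root Certificate Authority named above. The file path is a placeholder and the function is my own.

```powershell
# Added example: verify an update package's signature and its chain to the Microsoft root
# before installation. Works for .msu, .cab and PE files via Get-AuthenticodeSignature.
Add-Type -AssemblyName System.Security   # X509Chain lives here on older PowerShell hosts

function Test-UpdatePackageSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch (tampered content) or UnknownError: do not install
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = $sig.StatusMessage }
    }

    # A valid signature only proves the content matches some trusted signer; also confirm
    # that the signer chains to the root the text names, not to any other trusted CA.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $isMicrosoftRoot = $root.Subject -like '*Microsoft Root Certificate Authority*'
    $reason = if ($isMicrosoftRoot) { 'Valid signature chaining to Microsoft root' }
              else { 'Valid signature but unexpected root' }

    [pscustomobject]@{
        Path    = $Path
        Trusted = $isMicrosoftRoot
        Signer  = $sig.SignerCertificate.Subject
        Root    = $root.Subject
        Reason  = $reason
    }
}

# Placeholder path; substitute the downloaded package
Test-UpdatePackageSignature -Path 'C:\Updates\example-update.msu' | Format-List
```

Only a result with Trusted set to $true should be handed to wusa.exe or dism.exe; a HashMismatch status is the case the paragraph describes, a package altered after signing.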
19.1 IT Administrator
Consult MDM documentation for configuring System Updates.
19.2 Local Administrator
There are two options for the local administrator to configure System Updates:
20. Managing Health Attestation
20.1 IT Administrator
The following MSDN topic describes the TOE’s HealthAttestation CSP that enables enterprise IT managers to assess the health of managed devices and take enterprise policy actions based on the generated health attestation reports: https://msdn.microsoft.com/en-us/library/windows/hardware/dn934876(v=vs.85).aspx
The health attestation log file generated by the device is processed by the MDM solution and the health report is generated for the IT Administrator’s review.
21. Managing Collection Devices
21.1 IT Administrator
The following link describes how to enable/disable the camera (see Security heading) for Windows 10:
- General settings for Mobile Devices in Configuration Manager: https://technet.microsoft.com/en-us/library/dn376523.aspx#bkmk_comps
21.1.1 Local Administrator Guidance
The local administrator disables/enables the camera for all users by disabling all subnodes under the “Imaging devices” node in the Device Manager.
To start the Device Manager, type “Device Manager” in the taskbar searchbox and click on the Device Manager icon.
The local administrator disables/enables the microphone for all users by the following procedure:
- On the desktop, right-click the Start button and click the Control Panel menu item.
- Type “Sound” and choose “Manage audio devices” from the list to open the Sound window.
- In the Sound window click the “Recording” tab.
- On the Recording tab, right-click the Microphone item(s) and select the “Disable” menu item.
Note: to reverse this step the “Show Disabled Devices” menu item should be selected.
21.1.2 User Guidance
The user enables/disables the camera in Settings -> Privacy -> Camera by setting the “Let apps use my camera” radio button to the On/Off state. The user enables/disables the microphone in the Settings -> Privacy -> Microphone user interface by setting the “Let apps use my microphone” radio button to the On/Off state.
22. Managing USB
22.1 Local Administrator
The local administrator may also disable USB in the Device Manager application by right-clicking the USB Root Hub child node in the Universal Serial Bus controllers node and selecting the Properties menu item to open the USB Root Hub Properties window. The local administrator then clicks the Driver tab in the USB Root Hub Properties window and clicks the Disable button.
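An added example, not from this guidance, covering both the camera and microphone procedures in section 21.1.1 and the USB Root Hub procedure above: the same Device Manager actions performed with the PnpDevice cmdlets available on Windows 8.1 and Windows 10, which lets the administrator inventory the devices first and apply the change consistently across many machines. The device class names and friendly-name filters are my assumptions about how these devices appear in the device tree; the helper functions are my own.

```powershell
# Added example: disable collection devices (cameras, microphones) and list USB root hubs
# with the PnpDevice cmdlets instead of the Device Manager GUI. Run elevated.
# Class and FriendlyName filters are assumptions; check them with Get-PnpDevice first.
# Note: disabling a USB Root Hub also disconnects any keyboard or mouse attached to it.

function Get-CollectionDevices {
    # "Imaging devices" in Device Manager is the Image class; microphones are recording
    # endpoints in the AudioEndpoint class.
    $cams = Get-PnpDevice -Class Image -ErrorAction SilentlyContinue
    $mics = Get-PnpDevice -Class AudioEndpoint -ErrorAction SilentlyContinue |
            Where-Object FriendlyName -like '*Microphone*'
    @($cams) + @($mics)
}

function Set-DeviceEnabled {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Device,
        [Parameter(Mandatory)][bool]$Enabled
    )
    process {
        # Disable-PnpDevice is the equivalent of the "Disable" menu item; the device stays
        # present, with Status "Error", until Enable-PnpDevice reverses the step.
        if ($Enabled) { Enable-PnpDevice  -InstanceId $Device.InstanceId -Confirm:$false }
        else          { Disable-PnpDevice -InstanceId $Device.InstanceId -Confirm:$false }
    }
}

# Report the current state, then disable cameras and microphones for all users
Get-CollectionDevices | Select-Object Class, FriendlyName, Status
Get-CollectionDevices | Set-DeviceEnabled -Enabled $false

# USB Root Hubs from the Managing USB section; listed only, disable deliberately with
#   Get-PnpDevice -Class USB | Where-Object FriendlyName -like 'USB Root Hub*' | Set-DeviceEnabled -Enabled $false
Get-PnpDevice -Class USB | Where-Object FriendlyName -like 'USB Root Hub*' |
    Select-Object FriendlyName, InstanceId, Status
```

Get-PnpDevice shows disabled devices whether or not “Show Disabled Devices” is selected in the GUI, which makes it the easier way to confirm the state afterwards.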
23. Managing Backup
23.1 Local Administrator
The following TechNet topic describes how to disable File History:
- “Windows 8.1 and the File History”: https://technet.microsoft.com/en-us/windows/jj984238.aspx
The following TechNet topic describes how to disable OneDrive:
- Use Group Policy in Windows 2012 R2 to disable OneDrive functionality in Windows 8.1 clients: https://technet.microsoft.com/en-us/library/dn921901.aspx
The following policy setting can be used to disable Sync your settings:
- “Do not sync” policy located at Computer Configuration\Administrative Templates\Windows Components\Sync your settings
In addition to enabling the policy, ensure the “Allow user to turn syncing on” option is unchecked.
23.2 User Guidance
The following Windows 10 topic describes how to configure Backup and Restore: http://windows.microsoft.com/en-us/windows-10/getstarted-back-up-your-files
The following Windows 10 topic describes how to configure OneDrive to sync files and folders: http://windows.microsoft.com/en-us/windows-10/getstarted-onedrive
To configure OneDrive to sync settings: Settings -> Accounts -> Sync your settings.
24.1 IT Administrator
Consult MDM documentation for enabling/disabling Developer mode with an MDM.
24.2 Local Administrator Guidance
Developer Mode allows installation of test-signed applications. The local administrator or user configures Developer Mode in Settings -> Updates & security -> For developers by selecting the Developer Mode radio button.
25. Managing Cryptographic Algorithms
There is no global configuration for hashing algorithms. The use of required hash sizes is supported and global configuration is not needed.
There is no global configuration for key generation schemes. The use of required key generation schemes is supported and global configuration is not needed.
There is no global configuration for key establishment schemes. The use of required key establishment schemes is supported and global configuration is not needed.
Keys may be imported by apps using the Certificates.CertificateEnrollmentManager.ImportPfxDataAsync API. The following link provides the documentation for the API:
- https://msdn.microsoft.com/en-us/library/windows/apps/windows.security.cryptography.certificates.certificateenrollmentmanager.importpfxdataasync.aspx
Keys are destroyed by wiping the device, see the Managing Wipe section of this document.
The Windows 10 system cryptographic engine was tested during the FIPS evaluation of the operating system. Other cryptographic engines may have been separately evaluated but were not part of this CC evaluation.
26. Managing Internet Connection Sharing (ICS)
Internet Connection Sharing provides a means to share an Internet connection to another computer.
26.1 Local Administrator Guidance
The following Windows Help topic describes how to configure ICS:
- Using ICS (Internet Connection Sharing): http://windows.microsoft.com/en-us/windows/using-internet-connection-sharing#1TC=windows-7
27. Managing Location Services (GPS)
27.1 IT Administrator
Consult MDM documentation for configuring Location Services.
27.2 Local Administrator Guidance
Configure Location Services: http://windows.microsoft.com/en-us/windows-10/location-service-privacy
Click Change.
28. Managing Wi-Fi
28.1 IT Administrator
Consult MDM documentation for configuring Wi-Fi.
28.2 Local Administrator Guidance
Enable/disable the wireless network adapter: http://windows.microsoft.com/en-us/windows/enable-disable-network-adapter#1TC=windows-7
29. Managing Mobile Broadband
29.1 User Guidance
Settings for enabling/troubleshooting Mobile Broadband: http://windows.microsoft.com/en-us/windows-10/cellular-settings
30. Managing Health Attestation
30.1 IT Administrator Guidance
MDM solutions are capable of managing Health Attestation on devices. See the MDM solution documentation for detailed configuration actions.
30.2 Local Administrator Guidance
The device will create a Health Attestation log every time the system boots. The Health Attestation logs are found in the following directory:
%windir%\Logs\MeasuredBoot
The contents of the Health Attestation logs may be viewed on or off the TOE using the “TPM Platform Crypto-Provider Toolkit” that can be downloaded from the following link:
- TPM Platform Crypto-Provider Toolkit: http://research.microsoft.com/en-us/downloads/74c45746-24ad-4cb7-ba4b-0c6df2f92d5d/
31. Natively Installed Applications
The following embedded Excel file has the list of files: