Windows 8, Windows RT
Supplemental Admin Guidance

Microsoft Windows
Common Criteria Evaluation
Microsoft Windows 8
Microsoft Windows RT

Microsoft Windows 8, Microsoft Windows RT Common Criteria Supplemental Admin Guidance

| Document Information | Version Number | Updated On |
| --- | --- | --- |
| Microsoft © 2014 | 1.0 | December 23, 2014 |

Page 1 of 25
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any
information presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial
License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons,
559 Nathan Abbott Way, Stanford, California 94305, USA.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly
provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or
event is intended or should be inferred.
© 2014 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Visual Basic, Visual Studio, Windows, the Windows logo, Windows NT, and Windows Server are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
TABLE OF CONTENTS
1 INTRODUCTION ... 5
1.1 CONFIGURATION ... 5
1.1.1 EVALUATED CONFIGURATION ... 5
1.2 TERMS FOR REGULAR USER ... 6
2 MANAGING ACCESS CONTROL ... 6
2.1 MANAGING DISCRETIONARY ACCESS CONTROL ... 6
2.2 MANAGING MANDATORY INTEGRITY CONTROL ... 7
2.3 MANAGING THE FIREWALL ... 8
3 MANAGING IDENTIFICATION AND AUTHENTICATION ... 9
3.1 MANAGING USER LOCKOUT ... 9
3.1.1 MANAGING ACCOUNT LOCKOUT THRESHOLD ... 9
3.1.2 MANAGING LOCKED USER ACCOUNTS ... 10
3.2 MANAGING USERS AND GROUPS ... 10
3.3 MANAGING IPSEC ... 11
3.4 MANAGING AUTHENTICATION ... 12
3.4.1 MANAGING LOGON ... 12
3.4.2 MANAGING PASSWORD COMPLEXITY ... 12
3.5 MANAGING USER ACCOUNT INFORMATION ... 13
3.6 MANAGING PKI ... 13
4 MANAGING TIME ... 14
5 MANAGING SECURE CONNECTION PROTOCOLS ... 15
5.1 MANAGING IPSEC ALGORITHMS ... 15
5.2 MANAGING TLS ... 16
6 MANAGING LOCKING ... 17
7 MANAGING AUDITING ... 18
7.1 AUDITS ... 18
7.2 USER IDENTITY IN AUDITS ... 21
7.3 AUDIT LOG PROTECTION ... 22
7.4 MANAGING AUDIT POLICY ... 22
7.5 MANAGING AUDIT LOG SIZE ... 23
7.6 OTHER EVENT LOGS ... 24
8 CRYPTOGRAPHIC APIS ... 24
1 Introduction
This document provides Administrator guidance for the following Windows operating systems as evaluated for Common Criteria based on the Windows 8 Windows RT Security Target:
- Microsoft Windows 8 Edition (32-bit and 64-bit versions)
- Microsoft Windows RT
1.1 Configuration
1.1.1 Evaluated Configuration
The Common Criteria evaluation includes a specific configuration of Windows, the “evaluated configuration”. To run Windows deployments using the evaluated configuration, follow the deployment steps described here and ensure the security policy settings in the table below are set as indicated. The Security Target section 1.1 describes the Windows editions and security patches included in the evaluated configuration.
The following TechNet article describes how to install Windows 8:
- Install, Deploy, and Migrate to Windows 8: http://technet.microsoft.com/en-us/library/hh832022.aspx [1]
The operating system is pre-installed on Windows RT devices. When the device is turned on for the first time the Out of Box Experience runs to complete the default configuration. Afterwards the computer’s administrator must apply the following security policies to match the configuration used during the evaluation; instructions for using the Local Group Policy Editor tool are at http://technet.microsoft.com/en-us/library/cc725970.aspx and apply to the versions of Windows examined in this evaluation.
| Security Policy | Policy Setting |
| --- | --- |
| Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits | Enabled |
| Local Policies\Security Options\System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms | Enabled |
| Administrative Templates\System\Internet Communication Management\Internet Communication Settings: Turn off Windows Update device driver searching | Enabled |
| Administrative Templates\System\Driver Installation: Turn off Windows Update device driver search prompt | Disabled |
| Administrative Templates\Windows Components\Credentials User Interface: Do not display the password reveal button | Enabled |
[1] The evaluated configuration was installed from media using this web page, following the Windows Deployment Scenarios and Tools link (http://technet.microsoft.com/en-us/library/dn744294.aspx) and then the Windows 8.1 deployment scenarios link (http://technet.microsoft.com/en-us/library/dn744294.aspx#sec01) to the New Computer section.
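The settings in the table can be verified from PowerShell. The following script is an added example and is not part of the Microsoft guidance; it assumes the registry value that each Group Policy setting writes (taken from the usual policy template mappings, and to be confirmed against the ADMX files on the system under evaluation).

```powershell
# Added example (not part of the Microsoft guidance): report whether the five
# security policy settings of the evaluated configuration are in effect.
# The policy-to-registry mappings below are ASSUMPTIONS from the usual Group
# Policy template mappings; confirm them against the ADMX files before relying
# on the result.
$EvaluatedPolicies = @(
    @{ Name  = 'Audit: Shut down system immediately if unable to log security audits'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'CrashOnAuditFail'      # 1 = enabled; 2 = system has already halted once
       Want  = 1 }                     # Enabled
    @{ Name  = 'System cryptography: Use FIPS 140 compliant cryptographic algorithms'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
       Value = 'Enabled'
       Want  = 1 }                     # Enabled
    @{ Name  = 'Turn off Windows Update device driver searching'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverSearching'
       Value = 'DontSearchWindowsUpdate'
       Want  = 1 }                     # Enabled
    @{ Name  = 'Turn off Windows Update device driver search prompt'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverSearching'
       Value = 'DontPromptForWindowsUpdate'
       Want  = 0 }                     # Disabled (the policy is configured, set to off)
    @{ Name  = 'Do not display the password reveal button'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredUI'
       Value = 'DisablePasswordReveal'
       Want  = 1 }                     # Enabled
)

function Test-EvaluatedConfiguration {
    foreach ($p in $EvaluatedPolicies) {
        # A missing value means the policy is "Not Configured". That is not the
        # evaluated state even when the built-in default happens to behave the same,
        # so it is reported as non-compliant rather than silently accepted.
        $item   = Get-ItemProperty -Path $p.Path -Name $p.Value -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($p.Value) } else { $null }
        [pscustomobject]@{
            Policy    = $p.Name
            Expected  = $p.Want
            Actual    = $actual
            Compliant = ($actual -eq $p.Want)
        }
    }
}

# Run as an administrator so that HKLM policy keys are readable.
Test-EvaluatedConfiguration | Format-Table -AutoSize -Wrap
```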
1.2 Terms for regular user
The terms regular user, standard user, normal user and non-administrative user are all used to refer to a regular user.
2 Managing Access Control
2.1 Managing Discretionary Access Control
This section contains the following Common Criteria SFRs:
- Complete Access Control for Discretionary Access (FDP_ACC.1(DAC))
- Security Attribute Based Access Control for Discretionary Access (FDP_ACF.1(DAC))
- Management of Security Attributes for Discretionary Access Control (FMT_MSA.1(DAC))
- Static Attribute Initialization for Discretionary Access Control Policy (FMT_MSA.3(DAC))
- Static Attribute Value Inheritance for Discretionary Access (FMT_MSA.4)
- Revocation for Object Access for DAC (FMT_REV.1(DAC))
The information provided in this section and the referenced articles is applicable to all Windows editions in the evaluated configuration.
The Discretionary Access Control (DAC) policy determines if access is allowed in accordance with a standard access check. The access check algorithm is described by the Security Target in section 6.2.2.1.3 DAC Enforcement Algorithm.
The DAC enforcement algorithm determines if subjects can access objects by applying a set of rules based upon their respective security attributes that are described in sections 6.2.2.1.1 Subject DAC Attributes and 6.2.2.1.2 Object DAC Attributes.
Users can manage the security attributes of all types of objects covered by the Discretionary Access Control (DAC) policy subject to the controls identified in section 6.2.2.1.2 Object DAC Attributes of the Security Target.
Subject security attributes are managed through users, groups and group memberships as described in section 3.2 of this document. Object security attributes are stored and managed by their security descriptors. Some objects are created and managed by the system and cannot be directly managed by users, while other objects are created and managed by third party applications that may or may not expose mechanisms for users to manage their security attributes. The following objects named in the Security Target table 6-3 Named Objects may be directly managed by users via the indicated operating system utilities described on TechNet:
- Registry keys
  Registry Editor: http://technet.microsoft.com/en-us/library/cc755256.aspx
- NTFS files and folders
  File and Folder Permissions: http://technet.microsoft.com/en-us/library/bb727008.aspx
- Printers
  Managing Printers and Print Servers: http://technet.microsoft.com/en-us/library/cc754769.aspx
Users can only manage the default security descriptor for Registry keys and NTFS files and folders, and then only in the case a new object’s security descriptor is based upon its parent object’s inheritable ACEs as described in section 6.2.2.1.5 Default DAC Protection in the Security Target. Users may do so by modifying the permissions granted by inheritable ACEs of the suitable parent or container objects.
The following TechNet topic describes best practices for managing DAC policy and for determining the current status of the subject and object security attributes:
- Access Control: http://technet.microsoft.com/en-us/library/cc780807(v=ws.10).aspx
The DAC policy does not require or allow users to manage its initialization or activation.
Modifications of object security attributes are applied by the DAC policy on the next access control decision for the given object. Modifications of subject security attributes are applied by the DAC policy on subjects that are created after the modification takes place – for users this occurs the next time they are logged on and for processes the next time a given process is created.
The following TechNet topic describes how object owners may control management of object security attributes:
- Managing Object Ownership: http://technet.microsoft.com/en-us/library/cc732983.aspx
Object security attributes may be revoked by making DACL changes as described in section 6.2.2.1.6 DAC Management of the Security Target.
2.2 Managing Mandatory Integrity Control
This section contains the following Common Criteria SFRs:
- Mandatory Integrity Control Functions (FDP_ACC.1(MIC))
- Mandatory Integrity Control Functions (FDP_ACF.1(MIC))
- Management of Security Attributes for Mandatory Integrity Control (FMT_MSA.1(MIC))
- Static Attribute Initialization for Mandatory Integrity Control Policies (FMT_MSA.3(MIC))
- Revocation for Object Access (FMT_REV.1(OBJ))
The information provided in this section and the referenced articles is applicable to all Windows editions in the evaluated configuration.
The MIC access control algorithm is used to determine if access to objects by a given subject is allowed. The MIC access control algorithm is described in the Security Target section 6.2.2.3 Mandatory Integrity Control.
The MIC policy does not require activation or management to ensure it is secure and users cannot manage the default security attributes used to enforce the MIC policy.
The MIC architecture is described in the following TechNet article:
- Mandatory Integrity Control: http://msdn.microsoft.com/en-us/library/windows/desktop/bb648648(v=vs.85).aspx
Administrators can manage the MIC security attributes used in the MIC policy for file and directory objects by use of the icacls.exe utility according to the following TechNet topic (see the /setintegritylevel parameter):
- Icacls: http://technet.microsoft.com/en-us/library/cc753525.aspx
Modifications of object security attributes are applied by the MIC policy on the next access control decision for the given object.
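As an added example (not part of the Microsoft guidance), the following PowerShell session labels a constructed sample directory with the Low integrity level using icacls /setintegritylevel and reads the label back from the icacls listing.

```powershell
# Added example (not part of the Microsoft guidance): apply a Low integrity
# label to a directory and confirm it. The path is a constructed sample.
$Target = 'C:\LowIntegrityDrop'
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# (OI)(CI) make the label inherit to files and subfolders created beneath it;
# L = Low. Lowering a label needs only ownership of the object; raising one
# above the caller's own level requires the "Modify an object label" privilege.
icacls $Target /setintegritylevel '(OI)(CI)L' | Out-Null

function Get-IntegrityLabel {
    param([string]$Path)
    # icacls prints an explicit label as e.g.
    #   "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)"
    # where (NW) is the No-Write-Up policy MIC enforces for file objects.
    $label = icacls $Path | ForEach-Object {
        if ($_ -match 'Mandatory Label\\(\w+) Mandatory Level') { $Matches[1] }
    }
    # Objects with no explicit label carry no ACE here; MIC treats them as Medium.
    if ($label) { $label } else { 'Medium (implicit)' }
}

Get-IntegrityLabel $Target
```

A Low-labelled directory is one that processes running at Low integrity (for example sandboxed browser content) are allowed to write to, so after re-labelling, the MIC change takes effect on the next access check as the paragraph above describes.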
2.3 Managing the Firewall
This section contains the following Common Criteria SFRs:
- Subset Information Flow Control (FDP_IFC.1(OSPP))
- Simple Security Attributes for Network Information Flow Control Policy (FDP_IFF.1(OSPP))
- Static Attribute Initialization for Network Information Flow Control (FMT_MSA.3(OSPP))
- Management of TSF Data for Network Information Flow Control (FMT_MTD.1(OSPP))
The information provided in this section and the referenced articles is applicable to all Windows editions in the evaluated configuration.
Only the administrator user can access the firewall management interfaces listed in the Security Target in section 9.2.5.1 Interfaces.
The following TechNet topic includes an explanation of the firewall rule priority:
- Understanding the Firewall: http://technet.microsoft.com/en-us/library/dd421709(v=ws.10).aspx
Only the administrator may modify the firewall’s enabled state or modify other firewall settings. The following TechNet topic describes the PowerShell cmdlet used to modify the firewall’s enabled state by use of the Enabled parameter, or to enable the administrator to modify the Inbound or Outbound firewall filtering rules via other parameters:
- Set-NetFirewallProfile: http://technet.microsoft.com/en-us/library/jj554896.aspx
Like all the PowerShell cmdlet interfaces identified for configuring the firewall, the Set-NetFirewallProfile PowerShell cmdlet includes the -Profile parameter that is used to indicate which firewall profile the command is relevant to, including one or more of Domain, Public, or Private. The following TechNet topic describes the firewall protection that is provided by each profile setting:
- Windows Firewall Profiles: http://msdn.microsoft.com/en-us/library/windows/desktop/bb736287(v=vs.85).aspx
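As an added example that is not part of the Microsoft guidance, the following PowerShell puts all three profiles into a known state with Set-NetFirewallProfile and verifies the result with Get-NetFirewallProfile; the default actions chosen are the script's own, not values taken from this document.

```powershell
# Added example (not part of the Microsoft guidance): enable the firewall on
# every profile with a block-inbound default and verify the resulting state.
# Individual firewall rules are left untouched.
$Profiles = 'Domain', 'Private', 'Public'

# DefaultInboundAction is set explicitly: "NotConfigured" falls back to the
# built-in default, which is harder to audit than an explicit Block.
Set-NetFirewallProfile -Profile $Profiles `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True

function Test-FirewallProfiles {
    # One row per profile. Compliant is $true only when the firewall is on and
    # unsolicited inbound traffic is dropped by default.
    Get-NetFirewallProfile -Profile $Profiles | ForEach-Object {
        [pscustomobject]@{
            Profile   = $_.Name
            Enabled   = $_.Enabled
            Inbound   = $_.DefaultInboundAction
            Outbound  = $_.DefaultOutboundAction
            Compliant = ($_.Enabled -eq 'True' -and $_.DefaultInboundAction -eq 'Block')
        }
    }
}

# Requires an administrator session; regular users can only read the state.
Test-FirewallProfiles | Format-Table -AutoSize
```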
3 Managing Identification and Authentication
3.1 Managing User Lockout
This section contains the following Common Criteria SFRs:
- Authentication Failure Handling (FIA_AFL.1)
- Management of TSF Data for Authentication Failure Handling (FMT_MTD.1(Threshold))
- Management of TSF Data for Authentication Failure Handling (FMT_MTD.1(Re-enable))
The operational procedures require a local administrator.
The information provided in this section and its subsections is applicable to all Windows editions in the evaluated configuration. The remaining information and referenced articles apply to local users and are applicable to all Windows editions in the evaluated configuration.
3.1.1 Managing Account Lockout Threshold
The following TechNet topic explains the net accounts command line utility for standalone computers (followed by command line options for managing account lockout policy):
- Net Accounts: http://technet.microsoft.com/en-us/library/bb490698.aspx
In addition to the parameters given in the referenced article, the following are also valid options:
- /lockoutthreshold:number : Sets the number of times a bad password may be entered until the account is locked out. If set to 0 then the account is never locked out.
- /lockoutwindow:minutes : Sets the number of minutes of the lockout window.
- /lockoutduration:minutes : Sets the number of minutes the account will be locked out for.
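The three options above can be scripted together. The following PowerShell is an added example, not part of the Microsoft guidance; it uses constructed sample values and parses the English-language net accounts report to confirm they took effect.

```powershell
# Added example (not part of the Microsoft guidance): set the local account
# lockout policy with net accounts and read it back. The values are constructed
# samples. The lockout duration may not be shorter than the observation window,
# so the duration is set first to avoid a rejected update.
$Threshold = 5     # failed attempts before lockout (0 = never lock out)
$Duration  = 30    # minutes the account stays locked
$Window    = 30    # minutes over which failed attempts are counted

net accounts "/lockoutduration:$Duration"   | Out-Null
net accounts "/lockoutwindow:$Window"       | Out-Null
net accounts "/lockoutthreshold:$Threshold" | Out-Null

function Get-LockoutPolicy {
    # Parse the "net accounts" report into a hashtable of integers.
    # The report prints "Never" for a threshold of 0; that is normalised to 0.
    $wanted = @{
        'Lockout threshold'                    = 'Threshold'
        'Lockout duration (minutes)'           = 'Duration'
        'Lockout observation window (minutes)' = 'Window'
    }
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(.+?):\s+(\S+)\s*$') {
            $label = $Matches[1].Trim()
            $value = $Matches[2]
            if ($wanted.ContainsKey($label)) {
                $policy[$wanted[$label]] = if ($value -eq 'Never') { 0 } else { [int]$value }
            }
        }
    }
    $policy
}

$p = Get-LockoutPolicy
if ($p.Threshold -eq $Threshold -and $p.Duration -eq $Duration -and $p.Window -eq $Window) {
    'Lockout policy matches the requested values'
} else {
    "Lockout policy differs from the requested values:`n$($p | Out-String)"
}
```

The report labels are those of the English-language build; on other language builds the label strings in the hashtable need to be adjusted.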
3.1.2 Managing Locked User Accounts
The following TechNet topic describes the Properties dialog for managing local user accounts for the case of enabling a disabled account – the case of unlocking a locked account is very similar, where the “Account is locked out” checkbox must be changed from the checked to the unchecked state:
- Disable or activate a local user account: http://technet.microsoft.com/en-us/library/cc781924(v=ws.10).aspx
3.2 Managing Users and Groups
This section contains the following Common Criteria SFRs:
- User Attribute Definition for Individual Users (FIA_ATD.1(USR))
- Revocation for Authorized Administrators (FMT_REV.1(Admin))
- Management of TSF Data for Initialization of User Security Attributes (FMT_MTD.1(Init-Attr))
- Management of TSF Data for Modification of User Security Attributes Other Than Authentication Data (FMT_MTD.1(Mod-Attr))
- Management of TSF Data for Modification of Authentication Data (FMT_MTD.1(Mod-Auth)), Security Roles (FMT_SMR.1)
The information provided in this section is applicable to all Windows editions in the evaluated configuration.
The terms regular user, standard user, normal user and non-administrative user are all used to refer to a regular user.
The following TechNet topic includes instructions to create or delete local users:
- Net User: http://technet.microsoft.com/en-us/library/cc771865.aspx
The following TechNet topics include instructions for an administrator to create or delete local groups, and add or remove members:
- Create a local group: http://technet.microsoft.com/en-us/library/cc737998(v=ws.10).aspx
- Delete a local group: http://technet.microsoft.com/en-us/library/cc778278(v=ws.10).aspx
- Add a member to a local group: http://technet.microsoft.com/en-us/library/cc739265(v=ws.10).aspx
- Remove a member from a local group: http://technet.microsoft.com/en-us/library/cc739265(v=ws.10).aspx
  - Notice the “Additional considerations” heading modifies the instructions to accommodate removing a member from a local group in the user interface method. For the command-line method the same command is used as for adding a member, with the exception of replacing the “/add” parameter with “/delete” (see the following TechNet topic for the syntax of the command line option: Net localgroup: http://technet.microsoft.com/en-us/library/bb490706.aspx).
The following Windows Help topic includes instructions for a user to change their own local password or for an administrator to reset local passwords and is applicable to all Windows editions in the evaluated configuration:
- Change Password: http://windows.microsoft.com/en-us/windows-8/change-your-password
Private/public keys are associated with a user account when the account is enrolled for a user certificate. Section 3.6 of this document includes information about how users enroll for certificates.
Privileges allowing a local user account to perform various system-related operations on the local computer are automatically assigned based on group membership (e.g. local administrators).
3.3 Managing IPsec
This section contains the following Common Criteria SFRs:
- Timing of Authentication for OS Logon (FIA_UAU.1(RITE))
The information provided in this section and the referenced articles is applicable to all Windows editions in the evaluated configuration.
The guidance for FTP_ITC.1 includes instructions to configure IPsec for endpoint authentication of remote IT entities in section 5.1 of this document. The referenced guidance includes information about configuring the remote authentication using machine certificates. Explicit instructions to configure the machine certificate authentication method are provided, including how to verify if authentication was successful.
The Windows Firewall is used to configure the Network Flow Control Policy in order to allow specific types of network traffic between endpoints that need not be authenticated. Firewall Rules allow or block network traffic based on various criteria. The TOE then processes allowed network traffic. For example, a rule allowing ICMP network protocol traffic results in the TOE processing that traffic according to the ICMP standard. Connection Security Rules configure the authentication of two computers before they begin communications using the IPsec protocol. The TOE then processes IKE traffic to authenticate the two computers according to the IKE protocol. The following two TechNet topics explain the Windows Firewall Rules and Connection Security Rules in more detail:
- Understanding Firewall Rules: http://technet.microsoft.com/en-us/library/dd421709(v=ws.10).aspx
- Understanding Connection Security Rules: http://technet.microsoft.com/en-us/library/dd448591(v=ws.10).aspx
3.4 Managing Authentication
3.4.1 Managing Logon
This section contains the following Common Criteria SFRs:
- Multiple Authentication Mechanisms (FIA_UAU.5)
The information provided in this section is applicable to all Windows editions in the evaluated configuration.
The following Windows Help topic describes how to conduct initial logon authentication for users:
- Sign in to or out of Windows: http://windows.microsoft.com/en-us/windows-8/sign-in-out-of-windows
The following Windows Help topic describes how to change a user password:
- Change your password: http://windows.microsoft.com/en-us/windows-8/change-your-password
The following TechNet topic describes how to set maximum password age for local user accounts:
- Net accounts: http://technet.microsoft.com/en-us/library/bb490698.aspx
3.4.2 Managing Password Complexity
This section contains the following Common Criteria SFRs:
- Management of Security Functions Behavior for Password Management (FMT_MOF.1(Pass))
The information provided in this section and the referenced articles is applicable to all Windows editions in the evaluated configuration.
The following TechNet topics describe the characteristics for passwords that are available, instructions for setting the enforcement mechanism and a discussion of strong passwords and recommended minimum settings:
- Enforcing Strong Password Usage Throughout Your Organization: http://technet.microsoft.com/en-us/library/cc875814.aspx
- Strong Password: http://technet.microsoft.com/en-us/library/cc756109(v=ws.10).aspx
- Password Best practices: http://technet.microsoft.com/en-us/library/cc784090(v=ws.10).aspx
3.5 Managing User Account Information
This section contains the following Common Criteria SFRs:
- Subject Binding for Individual Users (FIA_USB.1(USR))
The information provided in this section and the referenced articles is applicable to all Windows editions in the evaluated configuration.
The following Windows Help topic describes how to sign in to Windows:
- How do I run an application once with a full administrator access token? http://windows.microsoft.com/en-us/windows7/how-do-i-run-an-application-once-with-a-full-administratoraccess-token
The following Windows Help topic describes the default User Account Control setting providing restrictive defaults for security attributes of subjects created by administrator users in the evaluated configuration (see the “Notify me only when apps try to make changes to my computer (default)” setting):
- What are User Account Control settings? http://windows.microsoft.com/en-us/windows-8/what-are-uac-settings
The following Windows Help topic describes how an authorized administrator can disable or enable User Account Control Settings to take effect at the next user logon:
- Turn User Account Control on or off: http://windows.microsoft.com/en-US/windows7/turn-user-account-control-on-or-off [2]
[2] Swipe from the right edge, select Search, select Settings and enter “uac”, and then select “Change User Account Control settings”.
3.6 Managing PKI
This section contains the following Common Criteria SFRs:
- Public Key Based Authentication (FIA_PK_EXT.1)
The information provided in this section and the referenced articles is applicable to all Windows editions in the evaluated configuration.
The following TechNet topics describe managing certificates (including the “Obtain a Certificate” sub-topic):
- Manage Certificates: http://technet.microsoft.com/en-us/library/cc771377.aspx
- Certutil: http://technet.microsoft.com/library/cc732443.aspx
The guidance for setting up a trusted channel to communicate with a CA is described in the guidance for FTP_ITC.1 (OS) – IPSEC.
The following TechNet topic describes how to manually import a certificate:
- Import a Certificate: http://technet.microsoft.com/en-us/library/cc754489.aspx
The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:
- Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx
4 Managing Time
This section contains the following Common Criteria SFRs:

Reliable Time Stamps (FPT_STM.1)
The information provided in this section and the referenced articles is applicable to all Windows editions in the evaluated configuration.
The administrator sets the time using the Set-Date PowerShell cmdlet that is documented here:
- Set-Date: http://technet.microsoft.com/en-us/library/7f44d9e2-6956-4e55-baeb-df7a649fdca1
The administrator configures the time service to synchronize time from a time server using the W32tm command that is documented here:
- W32tm: http://technet.microsoft.com/en-us/library/cc773263(v=WS.10).aspx#w2k3tr_times_tools_dyax
The administrator ensures the communication path between the TOE client and the time service provider is protected from attacks that could compromise the integrity of the time by establishing an IPsec policy using the “Microsoft Windows 8 Microsoft Windows Server 2012 --- Supplemental Admin Guidance for IPsec VPN Clients (January 23 2014)”, where section 3 provides detailed instructions that can be used to configure the TOE client and the time service provider.
The administrator ensures the NTP server is authenticated by verifying that the IP address provided by the IT administrator for the NTP server appears in the main mode and quick mode security associations, according to the audit trail for the FTP_ITC.1 requirement outlined in section “4.1 Audit Policy for IPsec Operations” of the IPsec VPN Client guidance. In particular, audits are generated when a trusted channel is established, and they include the IP addresses of the channel’s local and remote endpoints. If the integrity of the trusted channel is compromised, this is indicated by audit Id 4960, which is also discussed in section 4.1.
5 Managing Secure Connection Protocols
5.1 Managing IPsec Algorithms
This section contains the following Common Criteria SFRs:
 Inter-TSF Trusted Channel (FTP_ITC.1 (OS)) – IPSEC
 Basic Internal TSF Data Transfer Protection (FPT_ITT.1)
 Remote Management Capabilities (FMT_SMF_RMT.1)
The information provided in this section and the referenced articles is applicable to all Windows editions in the evaluated configuration.
The administrator ensures IPSEC is being used to establish a trusted channel by following the guidance in the links below.
The following are links to the PowerShell cmdlets used to manage the IPSEC rules for establishing trusted channels (this includes how to configure IPSEC rules that use certificate authentication as well as those that use pre-shared secrets):
- New-NetIPsecAuthProposal: http://technet.microsoft.com/en-us/library/jj554847.aspx
- New-NetIPsecPhase1AuthSet: http://technet.microsoft.com/en-us/library/jj554862.aspx
- New-NetIPsecMainModeCryptoProposal: http://technet.microsoft.com/en-us/library/jj573824.aspx
- New-NetIPsecMainModeCryptoSet: http://technet.microsoft.com/en-us/library/jj554882.aspx
- New-NetIPsecMainModeRule: http://technet.microsoft.com/en-us/library/jj554867.aspx
- New-NetIpsecQuickModeCryptoProposal: http://technet.microsoft.com/en-us/library/jj554875.aspx
- New-NetIpsecQuickModeCryptoSet: http://technet.microsoft.com/en-us/library/jj573823.aspx
- New-NetIPsecRule: http://technet.microsoft.com/en-us/library/jj554889.aspx
Any machines being remotely managed must have IPsec configured to protect the network channels between the machines (FMT_SMF_RMT.1).
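As an added example (not part of this guidance and not Microsoft's own sample), the cmdlets listed above composed into one certificate-authenticated connection security rule for a remotely managed host; the CA subject, the remote address, the display names and the 64-bit-safe algorithm choices (AES-256, SHA-256, DH group 14) are assumptions to be matched against the evaluated configuration.

```powershell
# Added example: build an IPsec trusted channel that requires certificate
# authentication to a remotely managed host. Run in an elevated PowerShell
# session on Windows 8. The CA subject, the address (TEST-NET-1) and the
# display names are assumed placeholders; adjust them to your environment.
$caSubject     = "CN=Example Root CA, O=Example"   # assumed: root CA that issued the machine certificates
$remoteAddress = "192.0.2.10"                      # assumed: the managed host

# Phase 1 (main mode) authentication: machine certificate chained to $caSubject.
$authProposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $caSubject -AuthorityType Root
$phase1Auth   = New-NetIPsecPhase1AuthSet -DisplayName "CC Cert Auth" -Proposal $authProposal

# Main mode key exchange: AES-256 encryption, SHA-256 integrity, 2048-bit MODP group (DH14).
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
$mmSet      = New-NetIPsecMainModeCryptoSet -DisplayName "CC Main Mode" -Proposal $mmProposal
New-NetIPsecMainModeRule -DisplayName "CC Main Mode Rule" -MainModeCryptoSet $mmSet.Name `
    -Phase1AuthSet $phase1Auth.Name -RemoteAddress $remoteAddress | Out-Null

# Quick mode: ESP with AES-256 encryption and SHA-256 integrity.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet      = New-NetIPsecQuickModeCryptoSet -DisplayName "CC Quick Mode" -Proposal $qmProposal

# Connection security rule: require protection in both directions so that
# unprotected management traffic to or from the remote host is refused (FMT_SMF_RMT.1).
New-NetIPsecRule -DisplayName "CC Remote Management" -RemoteAddress $remoteAddress `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1Auth.Name -QuickModeCryptoSet $qmSet.Name | Out-Null

# Verification: read the rule back and confirm both directions are set to Require.
Get-NetIPsecRule -DisplayName "CC Remote Management" |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Enabled
```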
5.2 Managing TLS
This section contains the following Common Criteria SFRs:
 Inter-TSF Trusted Channel (FTP_ITC.1 (OS)) – TLS
 Remote Management Capabilities (FMT_SMF_RMT.1)
The information provided in this section and the referenced articles on configuring TLS is applicable to all Windows editions in the evaluated configuration.
The following ciphersuites are supported in the evaluated configuration:
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
The “How to Control the Use of TLS” section at the following link specifies how to configure the web browser to use TLS 1.2:
http://technet.microsoft.com/en-us/library/dd560644(v=WS.10).aspx
The administrator configures the protocols by following the instructions at the following link:
http://support.microsoft.com/kb/245030
The administrator configures the cipher suites by following the instructions at the following link:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx
The following link specifies how enabling FIPS policy affects TLS:
http://support.microsoft.com/kb/811833
6 Managing Locking
This section contains the following Common Criteria SFRs:
 TSF-initiated Session Locking (FTA_SSL.1)
 User-initiated Locking (FTA_SSL.2)
The information provided in this section and the referenced articles is applicable to all Windows editions in the evaluated configuration.
The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy. The relevant security policy is “Interactive logon: Machine inactivity limit”, as described in the following TechNet topic under the section heading “New and changed functionality”:
- Security Policy Settings Overview: http://technet.microsoft.com/en-us/library/2fdcbb11-8037-45b1-9015-665393268e36
The following TechNet topic includes guidance for administrators on opening the Local Group Policy Editor tool used to configure the Windows security policy:
- Local Group Policy Editor: http://technet.microsoft.com/en-us/library/dn265982.aspx
The following Windows topic describes how to configure screen savers [3]:
- How to use screen savers: http://windows.microsoft.com/en-us/windows-8/using-screen-savers
The following Windows topic describes how users can initiate a session lock:
- How do I lock or unlock my PC?: http://windows.microsoft.com/en-us/windows-8/lock-unlock-pc
7 Managing Auditing
7.1 Audits
This section contains the following Common Criteria SFRs:
 Audit Data Generation (FAU_GEN.1(OSPP))
The information provided in this section and the referenced articles is applicable to all Windows editions in the evaluated configuration.
Audit events and the associated audit subcategories are listed in [unresolved cross-reference] of the Security Target.
[3] Note that selecting the “On resume, display logon screen” checkbox shown below the Screen saver list discussed in the topic requires authentication in order to resume the session when user activity dismisses the screen saver.
The authorized administrator may review the audit log by use of the Get-EventLog PowerShell cmdlet. The following TechNet topic describes the syntax for using this cmdlet and also includes several examples demonstrating how to extract individual information from the audit records in order to verify that all expected records have been generated and that the audit records contain the expected information:
- Get-EventLog: http://technet.microsoft.com/en-us/library/hh849834.aspx
Event records displayed to the console by Get-EventLog utilize a numeric value for the audit category that can be correlated to a subcategory text value using the following table:
Subcategory Name                          Hex category number   Decimal category number
Security State Change                     0x00003000            12288
Security System Extension                 0x00003001            12289
System Integrity                          0x00003002            12290
IPsec Driver                              0x00003003            12291
Other System Events                       0x00003004            12292
Logon                                     0x00003100            12544
Logoff                                    0x00003101            12545
Account Lockout                           0x00003102            12546
IPsec Main Mode                           0x00003103            12547
Special Logon                             0x00003104            12548
IPsec Quick Mode                          0x00003105            12549
IPsec Extended Mode                       0x00003106            12550
Other Logon/Logoff Events                 0x00003107            12551
Network Policy Server                     0x00003108            12552
User / Device Claims                      0x00003109            12553
File System                               0x00003200            12800
Registry                                  0x00003201            12801
Kernel Object                             0x00003202            12802
SAM                                       0x00003203            12803
Other Object Access Events                0x00003204            12804
Certification Services                    0x00003205            12805
Application Generated                     0x00003206            12806
Handle Manipulation                       0x00003207            12807
File Share                                0x00003208            12808
Filtering Platform Packet Drop            0x00003209            12809
Filtering Platform Connection             0x0000320A            12810
Detailed File Share                       0x0000320B            12811
Removable Storage                         0x0000320C            12812
Central Policy Staging                    0x0000320D            12813
Sensitive Privilege Use                   0x00003300            13056
Non Sensitive Privilege Use               0x00003301            13057
Other Privilege Use Events                0x00003302            13058
Process Creation                          0x00003400            13312
Process Termination                       0x00003401            13313
DPAPI Activity                            0x00003402            13314
RPC Events                                0x00003403            13315
Audit Policy Change                       0x00003500            13568
Authentication Policy Change              0x00003501            13569
Authorization Policy Change               0x00003502            13570
MPSSVC Rule-Level Policy Change           0x00003503            13571
Filtering Platform Policy Change          0x00003504            13572
Other Policy Change Events                0x00003505            13573
User Account Management                   0x00003600            13824
Computer Account Management               0x00003601            13825
Security Group Management                 0x00003602            13826
Distribution Group Management             0x00003603            13827
Application Group Management              0x00003604            13828
Other Account Management Events           0x00003605            13829
Directory Service Access                  0x00003700            14080
Directory Service Changes                 0x00003701            14081
Directory Service Replication             0x00003702            14082
Detailed Directory Service Replication    0x00003703            14083
Credential Validation                     0x00003800            14336
Kerberos Service Ticket Operations        0x00003801            14337
Other Account Logon Events                0x00003802            14338
Kerberos Authentication Service           0x00003803            14339
The Event Viewer administrator tool also provides a mechanism to review the audit trail, as described in the following TechNet topic, which also includes information on creating custom views that filter the audit trail according to various criteria based on the individual information in the audit records:
- Event Viewer How To…: http://technet.microsoft.com/en-us/library/cc749408.aspx
With the “Fast Logon Optimization” feature, a Windows 8 computer enters the hibernate state when a shutdown operation is conducted through the graphical user interface presented by the power icon in the lower right corner of the screen (e.g. after pressing Ctrl-Alt-Del). When enabled, the feature skips the shutdown audit. To ensure the shutdown audit is generated on those editions, the administrator must disable this feature as follows:
- Open the Control Panel and choose Hardware and Sound / Power Options
- Click on Choose what the power buttons do
- Click on Change settings that are currently unavailable
- Uncheck the Turn on fast startup (recommended) option under the Shutdown settings label
- Click the Save Changes button and exit the Control Panel.
7.2 User Identity in Audits
This section contains the following Common Criteria SFRs:
 User Identity Association (FAU_GEN.2)
The information provided in this section and the referenced articles is applicable to all Windows editions in the evaluated configuration.
As described in Security Target section 6.2.1.1 Audit Collection, the security identifier that represents the user on whose behalf the event occurred is recorded with all audit events; this occurs by default and cannot be configured.
7.3 Audit Log Protection
This section contains the following Common Criteria SFRs:
 Audit Review (FAU_SAR.1)
 Restricted Audit Review (FAU_SAR.2)
The information provided in this section and the referenced articles is applicable to all Windows editions in the evaluated configuration.
The Security Target section 6.2.1.5 Audit Log Restricted Access Protection describes how the security event log file is restricted such that only the system may open it, and the system opens it exclusively at boot so that no other process may open the file. The Security Target section 6.2.1.1 Audit Collection explains the audit record format.
7.4 Managing Audit Policy
This section contains the following Common Criteria SFRs:
 Selective Audit (FAU_SEL.1)
 Protected Audit Trail Storage (FAU_STG.1)
 Management of TSF Data for Audit Selection (FMT_MTD.1(Audit Sel))
 Management of TSF Data for Audit Data (FMT_MTD.1(Audit))
 Management of TSF Data for Audit Storage Threshold (FMT_MTD.1(AuditStg))
The information provided in this section and the referenced articles is applicable to all Windows editions in the evaluated configuration.
Only the administrator has access to the commands that may be used to manage the audit trail storage object, including the storage threshold configuration.
Only the administrator for a given host identity has access to the commands that may be used to select the set of events to be audited for that host.
Audits are generated on a given computer based upon operations that occur on that computer and record the computer name (“host identity”) as part of the audit data. Thus, selecting the set
of audits on a given computer based upon the host identity is equivalent to enabling or disabling all audit event types on that computer.
Audits for specific file system and registry named object identities are configured using Explorer and the Registry Editor. These system utilities provide an administrator interface to modify the system access control list (SACL) of any file or registry key in order to include or exclude it from auditing. All named object types in the system are audited based upon the same SACL mechanism; however, the system does not provide administrator management interfaces for other object types. The following topics describe how to select audits for file or registry key objects:
- Apply or Modify Auditing Policy Settings for a Local File or Folder: http://technet.microsoft.com/en-us/library/cc771070.aspx
- Audit activity on a registry key: http://technet.microsoft.com/en-us/library/cc757250(v=ws.10).aspx
Audits may be included or excluded for specific user identities by use of the auditpol.exe utility as described by the following topic: Auditpol set: http://technet.microsoft.com/en-us/library/cc755264.aspx. As noted in the topic, the administrator may not be excluded from audit policy. Audits for specific user identities are also selected by managing the SACL of named objects, and are thus also configured using the Explorer and Registry Editor administrator interfaces as described above.
Only the administrator has access to the commands that may be used to clear the audit log of all audit records. It is not possible to delete individual audit records.
7.5 Managing Audit Log Size
This section contains the following Common Criteria SFRs:
 Action in Case of Possible Audit Data Loss (FAU_STG.3)
 Prevention of Audit Data Loss (FAU_STG.4(SL))
 Prevention of Audit Data Loss (FAU_STG.4(OL))
The information provided in this section and the referenced articles is applicable to all Windows editions in the evaluated configuration.
The TOE can be configured to preserve the audit trail and shut down immediately when the audit log fills. When this condition occurs, only the administrator can log on to the computer until the audit trail is cleared. The following interfaces, described in [unresolved cross-reference] of the Security Target, describe how to configure this capability:
- Control Event Log behavior when the log reaches its maximum size
- Setting CrashOnAuditFail for the Audit Log
The following TechNet topic includes guidance on the use of group policy settings regarding options to configure the audit log in order to avoid getting into a situation where the audit records are lost:
- Planning and Deploying Advanced Security Audit Policies: http://technet.microsoft.com/en-us/library/dn319115.aspx
A warning to the administrator may be generated when a configurable threshold is reached in the audit log. To enable this capability, create a REG_DWORD value named “WarningLevel” under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security registry key. The value entered for WarningLevel is a percentage-full condition; for example, the value “90” sets a 90% threshold such that when the audit log reaches 90% of its specified maximum capacity it generates audit Id 1103. The registry value can be anywhere in the range [1 – 99]. To disable the threshold warning, set the registry value to any value outside the [1 – 99] range or remove the registry value. Only administrators are able to manage the HKEY_LOCAL_MACHINE node of the registry.
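As an added example (not part of this guidance), the WarningLevel setting described above applied from PowerShell with the [1 – 99] range check, plus a read-back of how full the Security log currently is and whether the 1103 warning has already been generated; the function names are assumptions.

```powershell
# Added example: configure and verify the Security-log threshold warning
# described above. Run in an elevated PowerShell session. The key path and
# the 1103 event Id are the ones named in the text; the function names are assumed.
$SecurityLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'

function Set-SecurityLogWarningLevel {
    param([Parameter(Mandatory)][int]$Percent)
    # Only values in 1-99 enable the warning; anything else silently disables it,
    # so refuse out-of-range input instead of writing it.
    if ($Percent -lt 1 -or $Percent -gt 99) {
        throw "WarningLevel must be between 1 and 99 (got $Percent)"
    }
    # REG_DWORD 'WarningLevel'; -Force overwrites an existing value.
    New-ItemProperty -Path $SecurityLogKey -Name WarningLevel -PropertyType DWord -Value $Percent -Force | Out-Null
    # Read the value back so the caller sees what was actually stored.
    (Get-ItemProperty -Path $SecurityLogKey -Name WarningLevel).WarningLevel
}

function Disable-SecurityLogWarningLevel {
    # Removing the value is the second of the two disabling methods the text describes.
    Remove-ItemProperty -Path $SecurityLogKey -Name WarningLevel -ErrorAction SilentlyContinue
}

function Get-SecurityLogFillState {
    # Compare the current file size with the configured maximum and look for
    # event 1103, which the Event Log service writes when the threshold is crossed.
    $log = Get-WinEvent -ListLog Security
    $pct = if ($log.MaximumSizeInBytes) { [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1) } else { 0 }
    $warnings = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1103 } -MaxEvents 5 -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        PercentFull  = $pct
        MaxSizeBytes = $log.MaximumSizeInBytes
        Warnings1103 = $warnings.Count
        LastWarning  = if ($warnings.Count) { $warnings[0].TimeCreated } else { $null }
    }
}

Set-SecurityLogWarningLevel -Percent 90   # the 90% threshold from the text
Get-SecurityLogFillState
```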
7.6 Other Event Logs
The other event logs referenced in this section are applicable to all Windows editions in the evaluated configuration.
In some cases event records in other event logs are useful; for example, the System event log and the Microsoft-Windows-CAPI2/Operational log record information related to initialization of the trusted channel for TLS. These event logs are managed using the wevtutil utility as described in the following TechNet topic:
- Wevtutil: http://technet.microsoft.com/en-us/library/cc732848.aspx
For example, the wevtutil utility can be used to accomplish the following administrator tasks:
- secure the log such that only administrators may access the event records with the wevtutil sl <logname> /ca:O:BAG:SYD:PARAI(A;;FA;;;BA) command
- enable the log with the wevtutil sl <logname> /e:<enabled> command
- set the maximum log size with the wevtutil sl <logname> /ms:<size> command
- set the retention policy such that when the maximum log size is reached new incoming events overwrite the oldest events in the log using the wevtutil sl <logname> /rt:false command (with /rt:true the existing events are retained and incoming events are discarded instead)
- clear the log with the wevtutil cl <logname> command
The administrator can manage the System event log and the operational event logs such that they are accessible only by the administrator, with a retention policy that overwrites the oldest events with the newest, and with sufficient size that old events are not overwritten before the administrator periodically reviews these logs. When the administrator clears the System log, the Event Id 104 “Log clear” event is recorded and will be the first one overwritten when the System log fills. A “Log clear” event is not recorded for operational logs, so the administrator must keep a record of the oldest event in the given operational log in order to be notified when that operational log fills.
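As an added example (not part of this guidance), the wevtutil tasks listed above applied to the System log and the CAPI2 operational log from PowerShell, then read back with wevtutil gl and checked; the 64 MB maximum size and the function names are assumptions, and the channel-access check compares the stored SDDL string as Windows reports it.

```powershell
# Added example: apply the wevtutil settings listed above to the System log and
# the CAPI2 operational log, then read the configuration back with 'wevtutil gl'
# and check it. Run in an elevated PowerShell session. The 64 MB size is assumed.
$AdminOnlySddl = 'O:BAG:SYD:PARAI(A;;FA;;;BA)'   # the SDDL string given in the text

function Get-EventLogConfig {
    param([Parameter(Mandatory)][string]$LogName)
    # 'wevtutil gl' prints "key: value" lines; nested keys (logging:, publishing:)
    # are indented, so strip leading whitespace and flatten everything into one hashtable.
    $config = @{}
    foreach ($line in (& wevtutil gl $LogName)) {
        if ($line -match '^\s*([A-Za-z]+):\s*(.*)$') { $config[$Matches[1]] = $Matches[2].Trim() }
    }
    $config
}

function Test-AdminOnlyEventLog {
    param([Parameter(Mandatory)][string]$LogName, [long]$MaxSizeBytes = 64MB)
    $c = Get-EventLogConfig -LogName $LogName
    [pscustomobject]@{
        Log        = $LogName
        Enabled    = ($c['enabled'] -eq 'true')
        # Windows may re-serialise the SDDL; compare ignoring whitespace and case.
        AdminOnly  = (($c['channelAccess'] -replace '\s', '') -ieq $AdminOnlySddl)
        MaxSizeOk  = ([long]$c['maxSize'] -eq $MaxSizeBytes)
        # retention=false is the mode in which new events overwrite the oldest ones.
        Overwrites = ($c['retention'] -eq 'false')
    }
}

function Set-AdminOnlyEventLog {
    param([Parameter(Mandatory)][string]$LogName, [long]$MaxSizeBytes = 64MB)
    & wevtutil sl $LogName "/ca:$AdminOnlySddl"   # administrators only
    & wevtutil sl $LogName /e:true                # enabled
    & wevtutil sl $LogName "/ms:$MaxSizeBytes"    # maximum size
    & wevtutil sl $LogName /rt:false              # overwrite oldest events when full
    Test-AdminOnlyEventLog -LogName $LogName -MaxSizeBytes $MaxSizeBytes
}

foreach ($log in 'System', 'Microsoft-Windows-CAPI2/Operational') {
    Set-AdminOnlyEventLog -LogName $log
}
```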
8 Cryptographic APIs
This section contains the following Common Criteria SFRs:
 Cryptographic Support (FCS)
The information provided in this section and the referenced articles is applicable to all Windows editions in the evaluated configuration.
The [unresolved cross-reference] of the Security Target indicates the set of TSFI providing cryptographic support and MSDN references for their correct use. The following Cryptography Next Generation (CNG) reference provides a technical discussion of the CNG programming elements:
- CNG Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/aa376214(v=vs.85).aspx
The following Cryptography Functions reference provides a technical discussion of the CryptoAPI programming elements; the relevant section on the linked page is Base Cryptography Functions:
- Cryptography Functions Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380252(v=vs.85).aspx#base_cryptography_functions