Surface Pro 3 Mobile Operational Guidance

Microsoft Windows

Common Criteria Evaluation

Microsoft Windows 8.1

Microsoft Surface Pro 3

Common Criteria Supplemental Admin Guidance

Document Information
Version Number / 0.01
Updated On / February 6, 2015

This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2015 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Visual Basic, Visual Studio, Windows, the Windows logo, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

1 Introduction

1.1 Configuration

1.1.1 Evaluated Configuration

2 Management Functions

3 Managing Audits

3.1 Audit Events

3.2 Managing Audit Policy

3.2.1 Local Administrator Guidance

4 Managing Wipe

4.1 Local Administrator Guidance

5 Managing EAP-TLS

5.1 IT Administrator Guidance

5.2 Local Administrator Guidance

6 Managing TLS

6.1 Local Administrator Guidance

7 Managing Apps

7.1 Local Administrator Guidance

7.2 User Guidance

8 Managing Volume Encryption

8.1 Local Administrator Guidance

9 Managing VPN

9.1 IT Administrator Guidance

9.2 Local Administrator Guidance

10 Managing Accounts

10.1 Local Administrator Guidance

11 Managing Bluetooth

11.1 Local Administrator Guidance

12 Managing Passwords

12.1 Strong Passwords

12.1.1 IT Administrator Guidance

12.1.2 Local Administrator Guidance

12.2 Protecting Passwords

12.2.1 User Guidance

12.3 Logon/Logoff Password Policy

12.3.1 Local Administrator Guidance

12.3.2 User Guidance

13 Managing Certificates

13.1 Local Administrator Guidance

13.2 User Guidance

14 Managing Time

14.1 Local Administrator Guidance

15 Getting Version Information

15.1 User Guidance

16 Locking a Device

16.1 Local Administrator Guidance

16.1.1 User Guidance

16.2 Managing Notifications Prior to Unlocking a Device

16.2.1 Local Administrator Guidance

17 Managing Airplane Mode

17.1 User Guidance

18 Device Enrollment

18.1 Local Administrator Guidance

19 Managing Updates

1 Introduction

This document provides the operational guidance information that accompanies the Common Criteria evaluation of Windows 8.1 on the Surface Pro 3.

1.1 Configuration

1.1.1 Evaluated Configuration

The Common Criteria evaluation includes a specific configuration of Windows, the “evaluated configuration”. To run Windows deployments using the evaluated configuration follow the deployment steps and apply the security policies and security settings indicated below. The Security Target section 1.1 describes the Windows editions and security patches included in the evaluated configuration.

The operating system is pre-installed on the devices in the evaluated configuration. When the device is turned on for the first time the Out of Box Experience (OOBE) runs to complete the configuration.

The following security policies are applied after completing the OOBE:

Security Policy / Policy Setting
Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing / Enabled
Administrative Templates\Windows Components\Credential User Interface\Do not display the password reveal button / Enabled

The following security settings are applied:

  • Cipher suite selection is configured according to section 6 Managing TLS
  • Volume encryption is enabled according to section 8 Managing Volume Encryption
  • VPN connections route all traffic through the VPN tunnel as described in section 9 Managing VPN
  • Passwords are a minimum of six characters drawn from letters, digits and symbols, as described in section 12.3 Logon/Logoff Password Policy
  • RSA machine certificates are configured according to section 13 Managing Certificates to use a minimum 2048 bit key length
  • Session locking is enabled according to section 16 Locking a Device
  • Devices are enrolled for device management according to section 18 Device Enrollment
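The policies and settings above can be checked on a device without walking each Group Policy path by hand. The following PowerShell script is an added example and is not part of the Microsoft guidance: it reads the registry values that back the two security policies, then the BitLocker, local account policy and machine certificate state behind the listed settings, and reports each as pass or fail. The registry paths, the use of Get-BitLockerVolume and net accounts, and the inactivity-limit check for session locking (the mechanism section 16 prescribes is not reproduced on this page) are the example's own assumptions, not statements from the document.

```powershell
# Added example (not part of the Microsoft guidance): check a Windows 8.1 device against
# the evaluated-configuration policies and settings listed in section 1.1.1.
# Assumptions: the two registry values below are the backing store of the named Group
# Policy settings; the 6-character and 2048-bit thresholds come from the list above; the
# "Interactive logon: Machine inactivity limit" value is used as the session-lock check.
# Run from an elevated PowerShell prompt on the device.

$results = New-Object System.Collections.Generic.List[object]

function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Security policy: System cryptography: Use FIPS compliant algorithms ... = Enabled
$fips = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
Add-Check 'FIPS algorithm policy enabled' ($fips -eq 1) "FipsAlgorithmPolicy\Enabled = $fips"

# Security policy: Do not display the password reveal button = Enabled
$reveal = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredUI' 'DisablePasswordReveal'
Add-Check 'Password reveal button hidden' ($reveal -eq 1) "CredUI\DisablePasswordReveal = $reveal"

# Section 8: volume encryption enabled on the OS volume and every fixed data volume
foreach ($v in Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' }) {
    $ok = ($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'On')
    Add-Check "BitLocker on $($v.MountPoint)" $ok "$($v.VolumeStatus), protection $($v.ProtectionStatus)"
}

# Section 12.3: minimum password length of six characters (local account policy)
$minLenLine = (net accounts) | Select-String 'Minimum password length'
$minLen = [int]($minLenLine -replace '[^0-9]', '')   # "None" collapses to 0
Add-Check 'Minimum password length >= 6' ($minLen -ge 6) "net accounts reports $minLen"

# Section 13: RSA machine certificates with private keys use at least 2048-bit keys
foreach ($c in Get-ChildItem Cert:\LocalMachine\My |
         Where-Object { $_.HasPrivateKey -and $_.PublicKey.Oid.FriendlyName -eq 'RSA' }) {
    $bits = $c.PublicKey.Key.KeySize
    Add-Check "RSA key $($c.Thumbprint)" ($bits -ge 2048) "$bits bits, $($c.Subject)"
}

# Section 16: session locking (assumed mechanism: machine inactivity limit, in seconds)
$idle = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
Add-Check 'Inactivity lock configured' ($idle -gt 0) "InactivityTimeoutSecs = $idle"

$results | Format-Table Check, Pass, Detail -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed check(s) outside the evaluated configuration"
if ($failed) { exit 1 }
```

Enabling the FIPS policy changes behaviour beyond the audit: Schannel offers only FIPS-approved cipher suites and .NET refuses non-validated algorithm implementations, so re-test TLS and EAP-TLS connections (sections 5 and 6) after it is applied rather than assuming they still negotiate.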

2 Management Functions

The following table maps management functions to roles:

Activity / User Guidance / Local Administrator Guidance / IT Administrator Guidance
Configure password policy / Windows 8.1
Configure session locking policy / Windows 8.1
Enable/disable the VPN protection / Windows 8.1 / Windows 8.1
Enable/disable [Wi-Fi, Bluetooth] / Windows 8.1 / Windows 8.1 / Windows 8.1
Enable/disable [camera, microphone] / Windows 8.1 / Windows 8.1
Specify wireless networks (SSIDs) to which the TSF may connect / Windows 8.1
Configure security policy for connecting to wireless networks / Windows 8.1
Transition to the locked state / Windows 8.1 / Windows 8.1
Full wipe of protected data / Windows 8.1
Configure application installation policy / Windows 8.1
Import keys/secrets into the secure key storage / Windows 8.1 / Windows 8.1
Destroy imported keys/secrets and any other keys/secrets in the secure key storage / Windows 8.1
Import X.509v3 certificates into the Trust Anchor Database / Windows 8.1
Remove imported X.509v3 certificates and any other X.509v3 certificates in the Trust Anchor Database / Windows 8.1
Enroll the TOE in management / Windows 8.1 / Windows 8.1
Remove applications / Windows 8.1
Update system software / Windows 8.1
Install applications / Windows 8.1
Enable/disable data transfer capabilities over USB port, Bluetooth / Windows 8.1
Enable/disable [wireless remote access connections except for personal Hotspot service, personal Hotspot connections, tethered connections] / Windows 8.1 / Windows 8.1
Enable data-at rest protection / Windows 8.1
Enable removable media’s data at rest protection / Windows 8.1 / Windows 8.1
Configure the Access Point Name and proxy used for communications between the cellular network and other networks / Windows 8.1 / Windows 8.1
Enable/disable display notification in the locked state protection / Windows 8.1 / Windows 8.1
Wipe sensitive data / Windows 8.1
Alert the administrator / Windows 8.1
Remove Enterprise applications / Windows 8.1
Approve import and removal by applications of X.509v3 certificates in the Trust Anchor Database / Windows 8.1 / Windows 8.1
Enable/disable cellular voice functionality / Windows 8.1 / Windows 8.1
Enable/disable device messaging capabilities / Windows 8.1 / Windows 8.1
Enable/disable the cellular protocols used to connect to cellular network base stations / Windows 8.1 / Windows 8.1
Read audit logs kept by the TSF / Windows 8.1 / Windows 8.1
Configure the unlock banner / Windows 8.1
Enable/disable location services / Windows 8.1 / Windows 8.1

3 Managing Audits

This section contains the following Common Criteria SFRs:

  • Audit Data Generation (FAU_GEN.1), Security Audit Event Selection (FAU_SEL.1)
  • Extended: Audit Storage Protection (FAU_STG_EXT.1)
  • Specifications of Management Functions (FMT_SMF.1)

3.1 Audit Events

Description / Id
Start-up and shutdown of the audit functions / 4608, 1100
All administrative actions / <see table below>
User authentication attempts and success/failure of the attempt / 4624, 4625, 4739, 4801
Startup and shutdown of the OS and kernel / 4608, 1100
Failures of security functions / 20
Integrity verification failures / 5038, 3004
Software updates / 1, 2, 3
Insertion or removal of removable media / 410
Establishment of a trusted channel / IPsec: 4651, 5451; TLS: 36880, 11, 81
Audit records reaching an administrator-configurable percentage of audit capacity, [assignment: other auditable events derived from this profile] / 1103, 1104

The following table correlates the set of administrative operations described in this document with their associated audits:

Administrative Action / Id
shutdown of the audit functions / 1100
configure password policy / 4739
configure session locking policy / 4656[1]
enable/disable the VPN protection / 4650, 4651, 5451, 4655, 5452
enable/disable [Wi-Fi, Bluetooth] / 1015 (Wi-Fi, broadband); <none> (Bluetooth)
enable/disable [camera, microphone] / <none>
transition to the locked state / 4800
import keys/secrets into the secure key storage / 1006
destroy imported keys/secrets and [any other keys/secrets] in the secure key storage / 1004
import X.509v3 certificates into the Trust Anchor Database / 90
remove imported X.509v3 certificates and [any other X.509v3 certificates] in the Trust Anchor Database / 1004
enroll the TOE in management / 510
remove applications / 472
update system software / 19
install applications / 400
enable data-at-rest protection / 24579
enable removable media's data-at-rest protection / 24579
remove Enterprise applications / 472
approve import and removal by applications of X.509v3 certificates in the Trust Anchor Database / 90, 1004
enable/disable device messaging capabilities / 1015
enable/disable the cellular protocols used to connect to cellular network base stations / 1015
read audit logs kept by the TSF / 4673
configure the unlock banner using the text as specified in the administrative guidance when following the DoD access / 4656[2]
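The two tables above identify which event, in which log, records each auditable event and administrative action. The following PowerShell script is an added example, not Microsoft's code: it queries every log the tables name for the listed event IDs, returns one time-ordered view, and lists the state of the Security audit subcategories those rows depend on. The ETW channel names are the example's own rendering of the "Log location" column (for instance "Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational" becomes Microsoft-Windows-CAPI2/Operational); Microsoft-Windows-SystemSettings/Operational and Microsoft-Windows-Wcmsvc/Operational in particular are assumed from that pattern and may need adjusting to the names shown in Event Viewer on the device.

```powershell
# Added example (not Microsoft's code): collect the records that section 3.1 maps to the
# auditable events and administrative actions, from every log the tables name, into one
# time-ordered view, and show whether the Security subcategories behind them are enabled.
# Channel names are derived from the "Log location" column; the SystemSettings and
# Wcmsvc channel names are assumptions. Run from an elevated prompt (the Security log
# cannot be read otherwise).

$since = (Get-Date).AddDays(-7)

# Channel -> category -> event IDs, taken from the tables in section 3.1.
$sources = @{
    'Security' = @{
        'Audit functions start/stop, capacity'  = 4608, 1100, 1103, 1104
        'Authentication attempt'                = 4624, 4625
        'Workstation locked/unlocked'           = 4800, 4801
        'Password policy change'                = 4739
        'Registry change (lock policy, banner)' = 4656, 4657
        'IPsec SA established/ended'            = 4650, 4651, 4655, 5451, 5452
        'WFP policy change'                     = 5446, 5447, 5450
        'Integrity verification failure'        = 5038
        'Audit log read'                        = 4673
    }
    'Microsoft-Windows-CAPI2/Operational' = @{ 'Trust anchor import' = 90 }
    'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational' = @{ 'Certificate installed/deleted' = 1006, 1004 }
    'Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational'   = @{ 'Certificate installed/deleted' = 1006, 1004 }
    'Microsoft-Windows-AppXDeployment-Server/Operational' = @{ 'App installed/removed' = 400, 472 }
    'Microsoft-Windows-WLAN-AutoConfig/Operational'       = @{ 'Wireless security started' = 11010 }
    'Microsoft-Windows-Wcmsvc/Operational'          = @{ 'Wi-Fi/broadband interface toggled (assumed channel)' = 1015 }
    'Microsoft-Windows-SystemSettings/Operational'  = @{ 'Enrolled in management (assumed channel)' = 510 }
    'System' = @{ 'Update installed / volume encrypted' = 19, 24579 }
}

function Get-EvaluatedAuditTimeline([datetime]$StartTime) {
    foreach ($channel in $sources.Keys) {
        foreach ($category in $sources[$channel].Keys) {
            $filter = @{ LogName = $channel; Id = @($sources[$channel][$category]); StartTime = $StartTime }
            try {
                Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
                    [pscustomobject]@{
                        Time     = $_.TimeCreated
                        Channel  = $channel
                        Category = $category
                        Id       = $_.Id
                        Outcome  = ($_.KeywordsDisplayNames -join ',')   # Audit Success / Audit Failure
                        User     = $_.UserId
                        Summary  = ($_.Message -split "`r?`n")[0]
                    }
                }
            } catch {
                # Get-WinEvent throws "No events were found" for an empty result; a channel
                # that does not exist on this build (an assumed name, for example) also throws.
                if ($_.Exception.Message -notmatch 'No events were found') {
                    Write-Warning "$channel : $($_.Exception.Message)"
                }
            }
        }
    }
}

# Security-log rows only appear when their audit subcategory is enabled; 4656/4657 also
# need a SACL on the registry key being watched. Report the current policy for each one.
function Get-RequiredAuditPolicy {
    $subcategories = 'Security State Change', 'Authentication Policy Change', 'Registry',
        'IPsec Main Mode', 'IPsec Quick Mode', 'Logon', 'Logoff',
        'Filtering Platform Policy Change', 'Other Policy Change Events'
    foreach ($s in $subcategories) {
        (auditpol /get /subcategory:"$s" /r) | Where-Object { $_ } | ConvertFrom-Csv |
            Select-Object Subcategory, 'Inclusion Setting'
    }
}

Get-RequiredAuditPolicy | Format-Table -AutoSize
Get-EvaluatedAuditTimeline -StartTime $since | Sort-Object Time | Format-Table -AutoSize
```

A subcategory reported as "No Auditing" means the corresponding rows in the tables will never be written, whatever the management function does; enable it (auditpol /set /subcategory:"<name>" /success:enable /failure:enable, or the equivalent Group Policy) before relying on the mapping.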

Id / Log location / Message / Fields
4608 / Windows Logs -> Security
Subcategory: Security State Change / Startup of audit functions / Logged: <Date and time of event>
Task category: <type of event>
Keywords: <Outcome as Success or Failure>
1100 / Windows Logs -> Security
Subcategory: Security State Change / The event logging service has shut down / Logged: <Date and time of event>
Keywords: <Outcome as Success>
4739 / Windows Logs -> Security
Subcategory: Authentication Policy Change / Domain Policy was changed. / Logged: <Date and time of event>
Security ID: <SID of user account making audit policy change>
Account Name: <name of user account making audit policy change >
Account Domain: <domain of user account making audit policy change if applicable, otherwise computer>
Category: <Audit category that was changed.>
Subcategory: <Audit subcategory that was changed.>
Changes: <Change to audit policy.>
4656 / Windows Logs -> Security
Subcategory: Registry / A handle to an object was requested. / Logged: <Date and time of event>
Security ID: <SID of the account that requested the handle>
Object Name: <Name of the object changed>
Accesses: <Access granted>
Access Mask: <Access requested>
4651 / Windows Logs -> Security
Subcategory: IPsec Main Mode / Ipsec main mode security association was established. A certificate was used for authentication. / Logged: <Date and time of event>
Task category: <type of event>
Local Endpoint: <Subject identity as IP address>
Remote Endpoint: <Subject identity as IP address of non-TOE endpoint of connection>
Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>
Local Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>
Remote Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>
Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id and cryptographic parameters established in the SA>
Keywords: <Outcome as Success>
5451 / Windows Logs -> Security
Subcategory: IPsec Quick Mode / IPsec quick mode security association was established / Logged: <Date and time of event>
Task category: <type of event>
Local Endpoint: <Subject identity as IP address/port>
Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection>
Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>
Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id, QM SA Id, Inbound SPI, Outbound SPI and cryptographic parameters established in the SA >
Keywords: <Outcome as Success>
4655 / Windows Logs -> Security
Subcategory: IPsec Main Mode / IPsec main mode security association ended / Logged: <Date and time of event>
Task category: <type of event>
Local Endpoint: <Subject identity as IP address/port >
Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection/channel >
Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>
Keywords: <Outcome as Success>
5452 / Windows Logs -> Security
Subcategory: IPsec Quick Mode / IPsec quick mode security association ended / Logged: <Date and time of event>
Task category: <type of event>
Local Endpoint: <Subject identity as IP address/port>
Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection>
Cryptographic Information: <The entry in the SPD that applied to the decision as the QM SA Id, Tunnel Id, Traffic Selector Id>
Keywords: <Outcome as Success>
1015 / Applications and Services Logs -> Microsoft -> Windows -> Wcmsvc -> Operational / Interface token applied / Logged: <Date and time of event>
Security ID: <SID of user account that enabled or disabled the interface>
Media type: <indication of broadband (Wwan) or WiFi (Wlan)>
AutoProfiles: <indication of added or removed action (blank if removed, else name of Wwan or Wlan profile)>
4800 / Windows Logs -> Security
Subcategory: Logoff / The workstation was locked. / Logged: <Date and time of event>
Security UserID: <SID of logon user>
Account Name: <name of logon account>
Account Domain: <domain of logon account>
90 / Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational / <un-named> / Logged: <Date and time of event>
Security UserID: <SID of user account that imported the certificate/secrets>
Subject: <Certificate subject name, CN, etc.>
1006 / Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational / A new certificate has been installed. / Logged: <Date and time of event>
Security UserID: <SID of user account that installed the certificate/secrets>
Subject: <Certificate subject name, CN, etc.>
Thumbprint: <Certificate thumbprint>
1004 / Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational / A certificate has been deleted. / Logged: <Date and time of event>
Security ID: <SID of user account that deleted the certificate/secrets>
Subject: <Certificate subject name, CN, etc.>
Thumbprint: <Certificate thumbprint>
19 / Windows Logs -> System / Installation Successful: Windows successfully installed the following update: <app/update name> / Logged: <Date and time of event>
Security ID: <SID of user account that installed the update>
updateTitle: <app/update name>
updateGuid: <app/update Guid>
serviceGuid: <app/service GUID>
updateRevisionNumber: <app version>
510 / Applications and Services Logs -> Microsoft -> Windows -> SystemSettings -> Operational / Attempted to turn on workplace device management. Result is <status code> ending at phase 3 / Logged: <Date and time of event>
Security UserID: <SID of user account that initiated enrolling TOE in management>
ResultCode: <status code>
CorpDeviceOperationPhase: 3
472 / Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server/Operational / Moving package folder <program files location>\<package Id> to <deleted program files location>\<package Id>. Result: <status code> / Logged: <Date and time of event>
Security ID: <SID of user account that removed the app>
SourceFolderPath: <program files location>\<package Id>
DestinationFolderPath: <deleted program files location>\<package Id>
400 / Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server/Operational / Deployment Add operation on Package <package Id> from: (<.appx pathname> ) finished successfully / Logged: <Date and time of event>
Security ID: <SID of user account that installed the app>
PackageFullName: <package Id>
Path: <.appx pathname>
24579 / Windows Logs -> System / Encryption of volume <drive letter>: completed / Logged: <Date and time of event>
Security UserID: <SID of user account that enabled encryption on the volume>
Volume: <encrypted volume letter>
11010 / Applications and Services Logs -> Microsoft-Windows-WLAN-AutoConfig -> Operational / Wireless Security Started / Logged: <Date and time of event>
Network Adapter: <enabled adapter name>
Local MAC Address: <enabled adapter MAC address>
1006 / Applications and Services Logs -> Microsoft-Windows-CertificateServicesClient-Lifecycle-User -> Operational
Applications and Services Logs -> Microsoft-Windows-CertificateServicesClient-Lifecycle-System -> Operational / A new certificate has been installed / Logged: <Date and time of event>
SubjectNames: <New certificate subject name>
Thumbprint: <New certificate thumbprint>
EKUs: <New certificate EKUs>
NotValidAfter: <New certificate expiration date>
1004 / Applications and Services Logs -> Microsoft-Windows-CertificateServicesClient-Lifecycle-User -> Operational
Applications and Services Logs -> Microsoft-Windows-CertificateServicesClient-Lifecycle-System -> Operational / A certificate has been deleted / Logged: <Date and time of event>
SubjectNames: <Deleted certificate subject name>
Thumbprint: <Deleted certificate thumbprint>
EKUs: <Deleted certificate EKUs>
NotValidAfter: <Deleted certificate expiration date>
5446 / Windows Logs -> Security
Subcategory: Filtering Platform Policy Change / Windows Filtering Platform callout has been changed / Logged: <Date and time of event>
Task category: <type of event>
Change type: <Operation as add, change or delete>
Callout ID: <Callout identifier as GUID>
Callout Name: <Callout identifier as text-based name>
Layer ID: <Layer identifier as GUID>
Layer Name: <Layer identifier as text-based name>
Keywords: <Outcome as Success or Failure>
5447 / Windows Logs -> Security
Subcategory: Other Policy Change Events / Windows Filtering Platform filter has been changed / Logged: <Date and time of event>
Task category: <type of event>
Change type: <Operation as add, change or delete>
Filter ID: <Filter Id as GUID>
Filter Name: <Filter identifier as text-based name>
Layer ID: <Layer Id as GUID>
Layer Name: <Layer identifier as text-based name>
Additional Information: <Filter conditions>
5450 / Windows Logs -> Security
Subcategory: Filtering Platform Policy Change / Windows Filtering Platform sub-layer has been changed / Logged: <Date and time of event>
Task category: <type of event>
Change type: <Operation as add, change or delete>
Sub-layer ID: <Sub-layer Id as GUID>
Sub-layer Name: <Sub-layer identifier as text-based name>
4657 / Windows Logs -> Security
Subcategory: Registry / Registry entry change / Logged: <Date and time of event>
Task category: <type of event>
Security ID: <user identity>
Object name: <key path>
Changes: <old and new registry values>
Keywords: <Outcome as Success or Failure>
4801 / Windows Logs -> Security
Subcategory: Logon / The workstation was unlocked. / Logged: <Date and time of event>