Windows 10 Mobile Device PP Operational Guidance

Microsoft Windows

Common Criteria Evaluation

Microsoft Windows 10 Version 1511

Operational Guidance

Document Information
Version Number / 1.0
Updated On / May 13, 2016

This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2016 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Visual Basic, Visual Studio, Windows, the Windows logo, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

1 Introduction

1.1 Configuration

1.1.1 Evaluated Configuration

1.1.2 Mobile Device Management Solutions

2 Management Functions

3 Managing Audits

3.1 Audit Events

3.2 Managing Audit Policy

3.2.1 Local Administrator Guidance

4 Managing Wipe

4.1 IT Administrator

4.2 Local Administrator Guidance

5 Managing EAP-TLS

5.1 IT Administrator Guidance

5.2 Local Administrator Guidance

5.3 User Guidance

6 Managing TLS

6.1 IT Administrator Guidance

6.2 Local Administrator Guidance

6.3 User Guidance

7 Managing Apps

7.1 IT Administrator Guidance

7.2 Local Administrator Guidance

7.3 User Guidance

8 Managing Volume Encryption

8.1 Local Administrator Guidance

8.2 User Guidance

9 Managing VPN

10 Managing Accounts

10.1 Local Administrator Guidance

11 Managing Bluetooth

11.1 IT Administrator

11.2 Local Administrator Guidance

11.3 User Guidance

12 Managing Passwords

12.1 Strong Passwords

12.1.1 IT Administrator Guidance

12.1.2 Local Administrator Guidance

12.2 Protecting Passwords

12.2.1 User Guidance

12.3 Logon/Logoff Password Policy

12.3.1 Local Administrator Guidance

12.3.2 User Guidance

13 Managing Certificates

13.1 Developer Guidance

13.2 IT Administrator Guidance

13.3 Local Administrator Guidance

13.4 User Guidance

13.5 Custom Certificate Requests

14 Managing Time

14.1 Local Administrator Guidance

15 Getting Version Information

15.1 User Guidance

16 Locking a Device

16.1 IT Administrator Guidance

16.2 Local Administrator Guidance

16.3 User Guidance

16.4 Managing Notifications Prior to Unlocking a Device

16.4.1 Local Administrator Guidance

17 Managing Airplane Mode

17.1 User Guidance

18 Managing Device Enrollment

18.1 IT Administrator

18.2 Local Administrator Guidance

18.3 User Guidance

19 Managing Updates

19.1 IT Administrator

19.2 Local Administrator

20 Managing Health Attestation

20.1 IT Administrator

21 Managing Collection Devices

21.1 IT Administrator

21.1.1 Local Administrator Guidance

21.1.2 User Guidance

22 Managing USB

22.1 Local Administrator

23 Managing Backup

23.1 Local Administrator

23.2 User Guidance

24 Managing Developer Mode

24.1 IT Administrator

24.2 Local Administrator Guidance

25 Managing Cryptographic Algorithms

26 Managing Internet Connection Sharing (ICS)

26.1 Local Administrator Guidance

27 Managing Location Services (GPS)

27.1 IT Administrator

27.2 Local Administrator Guidance

28 Managing Wi-Fi

28.1 IT Administrator

28.2 Local Administrator Guidance

29 Managing Mobile Broadband

29.1 User Guidance

30 Managing Health Attestation

30.1 IT Administrator Guidance

30.2 Local Administrator Guidance

31 Natively Installed Applications

1  Introduction

This document provides operational guidance information for a Common Criteria evaluation describing only the security functionality which the administrator should use – any security functionality not described in this document is not part of the evaluation.

1.1  Configuration

1.1.1  Evaluated Configuration

The Common Criteria evaluation includes a specific configuration of Windows, the “evaluated configuration”. To run Windows deployments using the evaluated configuration, follow the deployment steps and apply the security policies and security settings indicated below. The Security Target section 1.1 describes the Windows editions and security patches included in the evaluated configuration.

The operating system is pre-installed on the devices in the evaluated configuration. When the device is turned on for the first time the Out of Box Experience (OOBE) runs to complete the configuration.

The following security policies are applied after completing the OOBE:

Security Policy / Policy Setting /
Local Policies\Security Options\System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithm / Enabled
Administrative Template\Windows Components\Credentials User Interface\Do not display the password reveal button / Enabled

The following security settings are applied to create the evaluated configuration:

·  Cipher suite selection is configured according to section 5 Managing TLS

·  Volume encryption is enabled according to section 8 Managing Volume Encryption

·  VPN connections route all traffic through the VPN tunnel as described in section 9 Managing VPN

·  Passwords use a minimum of six alphanumeric characters and symbols according to section 12.1 Strong Passwords

·  RSA machine certificates are configured according to section 13 Managing Certificates to use a minimum 2048 bit key length

·  Session locking is enabled according to section 16 Locking a Device

·  Devices are enrolled for device management according to section 18 Device Enrollment

·  Enrolled policy must have the Enterprise Data Protection settings enabled

The following Windows Update packages must be installed:

·  All critical updates as of December 31, 2015

Some of the links in this document may be written for Windows versions that are earlier than Windows 10. The content of all these links applies to the Windows 10 version.

1.1.2  Mobile Device Management Solutions

Many of the configurations described in this guide for the IT Administrator role are applied to the device through a Mobile Device Management (MDM) solution. The specific steps to perform a configuration through the MDM are solution-specific and are not described in this document. Examples of possible configuration option text are provided in this document, but are not guaranteed to match any specific MDM solution. See the MDM solution documentation for detailed configuration actions.

2  Management Functions

The following table maps management functions to roles:

Management Function / User Guidance / Local Administrator Guidance / IT Administrator Guidance
1 / Configure password policy / √ / √
2 / Configure session locking policy / √ / √
3 / Enable/disable the VPN protection / √ / √
4 / Enable/disable [Wi-Fi, Bluetooth] / √ / √
5 / Enable/disable [camera, microphone] / √ / √
6 / Specify wireless networks (SSIDs) to which the TSF may connect / √ / √
7 / Configure security policy for connecting to wireless networks / √ / √
8 / Transition to the locked state / √ / √
9 / TSF wipe of protected data / √
10 / Configure application installation policy / √ / √
11 / Import keys/secrets into the secure key storage / √ / √
12 / Destroy imported keys/secrets and any other keys/secrets in the secure key storage / √ / √
13 / Import X.509v3 certificates into the Trust Anchor Database / √ / √
14 / Remove imported X.509v3 certificates and any other X.509v3 certificates in the Trust Anchor Database / √
15 / Enroll the TOE in management / √
16 / Remove applications / √ / √
17 / Update system software / √ / √
18 / Install applications / √ / √
19 / Remove Enterprise applications / √ / √
20 / Configure the Bluetooth trusted channel / √ / √
21 / Enable/disable display notification in the locked state / √
22 / Enable/disable all data signaling over [USB hardware ports] / √
24 / Enable/disable developer modes / √ / √
25 / Enable data-at rest protection / √ / √
26 / Enable removable media’s data at rest protection / √ / √
28 / Wipe Enterprise data / √ / √
30 / Configure whether to allow a trusted channel if certificate validation is not possible / √ / √
32 / Read audit logs kept by the TSF / √ / √
33 / Configure certificate used to validate digitally signed applications / √ / √
34 / Approve exceptions for shared use of keys/secrets by multiple applications / √ / √
35 / Approve exceptions for destruction of keys/secrets by other applications / √ / √
36 / Configure the unlock banner / √ / √
37 / Configure the auditable items / √
38 / Retrieve TSF-software integrity verification values / √
40 / Enable/disable backup to remote system / √ / √
44 / Enable/disable location services / √ / √

3  Managing Audits

This section contains the following Common Criteria SFRs:

·  Audit Data Generation (FAU_GEN.1), Security Audit Event Selection (FAU_SEL.1)

·  Extended: Audit Storage Protection (FAU_STG_EXT.1)

·  Specifications of Management Functions (FMT_SMF_EXT.1)

3.1  Audit Events

The following required audits are described for FAU_GEN.1:

Description / Id
Start-up and shutdown of the audit functions / Windows Logs/Security: 4608, 1100
All administrative actions / <see first table below>
Startup and shutdown of the OS and kernel / Windows Logs/Security: 4608, 1100
Insertion or removal of removable media / Microsoft- Windows-Kernel-PnP/Device Configuration: 410
Establishment of a synchronizing connection / Windows Logs -> System
Source: Schannel : 36880
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11
Specifically defined auditable events from table 10 / <see second table below>
Audit records reaching [assignment: integer value less than 100] percentage of audit capacity, [assignment: other auditable events derived from this profile] / Windows Logs/Security: 1103

Table 1: FAU_GEN.1 audits

The following table correlates the set of administrative operations described in this document with their associated audits. Section FMT_SMF_EXT.1 has test procedures to produce these audits.

Administrative Action / Id
1.  configure password policy:
a.  minimum password length
b.  minimum password complexity
c.  maximum password lifetime / Windows Logs/Security: 4739
2.  configure session locking policy:
a.  screen-lock enabled/disabled
b.  screen lock timeout
c.  number of authentication failures / Windows Logs/Security: 4657
3.  enable/disable the VPN protection:
a.  across device
[b. on a per-app basis
c. no other method] / Windows Logs/Security:
Enable: 4651, 5451
Disable: 4655, 5452
4.  enable/disable [Wi-Fi, Bluetooth] / WiFi: Microsoft-Windows-WLAN-AutoConfig/Operational Id 11001 (enable) 11004 (disable)
Bluetooth: Windows Logs/Security: 4657
5.  enable/disable [camera, microphone]:
a.  across device [
b. on a per-app basis
c. no other method] / Camera: Windows Logs/Security: 4657
Microphone: Microsoft-Windows-Audio/Operational: 65
6.  specify wireless networks (SSIDs) to which the TSF may connect / Microsoft-Windows-WLAN-AutoConfig/Operational: 14001
7.  configure security policy for each wireless network:
a.  [selection: specify the CA(s) from which the TSF will accept WLAN authentication server certificate(s), specify the FQDN(s) of acceptable WLAN authentication server certificate(s)]
b.  security type
c.  authentication protocol
d.  client credentials to be used for authentication / Windows Logs/Security: 4656
8.  transition to the locked state / Windows Logs/Security: 4800
9.  TSF wipe of protected data / Success: System: 12
Failure: Wipe Failure Screen
System: 4502
10.  configure application installation policy by [selection:
a.  restricting the sources of applications,
b.  specifying a set of allowed applications based on [assignment: application characteristics] (an application whitelist),
c.  denying installation of applications] / Windows Logs/Security: 4657
11.  import keys/secrets into the secure key storage / Microsoft-Windows-CAPI2/Operational: 90
12.  destroy imported keys/secrets and [[any other keys/secrets]] in the secure key storage / System: 12
13.  import X.509v3 certificates into the Trust Anchor Database / Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational: 1006
14.  remove imported X.509v3 certificates and [[any other X.509v3 certificates]] in the Trust Anchor Database / Microsoft-Windows-CertificateServicesClient-Lifecycle-System: 1004
15.  enroll the TOE in management / Microsoft-Windows-SystemSettingsThreshold/Operational: 510
16.  remove applications / Microsoft-Windows-AppXDeploymentServer/Operational: 472
17.  update system software / Windows Logs/Setup: 1, 2, 3
18.  install applications / Microsoft-Windows-AppXDeploymentServer/Operational: 400
19.  remove Enterprise applications / Microsoft-Windows-AppXDeploymentServer/Operational: 472
20.  configure the Bluetooth trusted channel:
a.  disable/enable the Discoverable mode (for BR/EDR)
b.  change the Bluetooth device name
[selection:
d. disable/enable Advertising (for LE),
i. no other Bluetooth configuration] / Windows Logs/Security: 4657
21.  enable/disable display notification in the locked state of: [
a.  email notifications,
b.  calendar appointments,
c.  contact associated with phone call notification,
d.  text message notification,
e.  other application-based notifications,
f.  all notifications] / Windows Logs/Security: 4657
22.  enable/disable all data signaling over [USB hardware ports] / Windows Logs/Security: 4657
23.  enable/disable [none] / <none>
24.  enable/disable developer modes / Windows Logs/Security: 4657
25.  enable data-at rest protection / Windows Logs/System: Id 24667
26.  enable removable media’s data-at-rest protection / Windows Logs/System: Id 24579
27.  enable/disable bypass of local user authentication / N/A
28.  wipe Enterprise data / N/A
29.  approve [import, removal] by applications of X.509v3 certificates in the Trust Anchor Database / N/A
30.  configure whether to establish a trusted channel or disallow establishment if the TSF cannot establish a connection to determine the validity of a certificate / 4950
31.  enable/disable the cellular protocols used to connect to cellular network base stations / N/A
32.  read audit logs kept by the TSF / Windows Logs/Security: 4673
33.  configure [certificate] used to validate digital signature on applications / Import certificate: Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational: 1006
Remove certificate: Microsoft-Windows-CertificateServicesClient-Lifecycle-System: 1004
34.  approve exceptions for shared use of keys/secrets by multiple applications / Microsoft-Windows-AppXDeploymentServer/Operational: 400
35.  approve exceptions for destruction of keys/secrets by applications that did not import the key/secret / Microsoft-Windows-AppXDeploymentServer/Operational: 400
36.  configure the unlock banner / Windows Logs/Security: 4657
37.  configure the auditable items / Windows Logs/Security: 4719
38.  retrieve TSF-software integrity verification values / Windows Logs/Security: 4657
39.  enable/disable [selection:
a.  USB mass storage mode,
b.  USB data transfer without user authentication,
USB data transfer without authentication of the connecting system] / N/A
40.  enable/disable backup to [remote system] / Windows Logs/Security: 4657
41.  enable/disable [selection:
a.  Hotspot functionality authenticated by [selection: pre-shared key, passcode, no authentication],
USB tethering authenticated by [selection: pre-shared key, passcode, no authentication]] / N/A
42.  approve exceptions for sharing data between [selection: application processes, groups of application processes] / N/A
43.  place applications into application process groups based on [assignment: application characteristics] / N/A
44.  enable/disable location services:
a.  across device
[
b. on a per-app basis
c. no other method] / Windows Logs/Security: 4657
45.  [none] / N/A

Table 2: Administrative Actions audits
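The two tables above give the log name and event Id that evidence each audited action, but they do not show how an administrator would actually check an exported log against them. The following Python script is an added example written for this guide and is not part of the Microsoft document or of Windows: it reads event records exported from Event Viewer in the standard Windows event XML schema, maps each (channel, event Id) pair to the Table 2 administrative action(s) that produce it, and separately flags the Table 1 audit-storage events (1100, 1103). The mapping covers a representative subset of Table 2 rows using the channel names exactly as the tables write them; the four event records at the bottom are constructed sample input, not captured from a real device, and the `<EventData>` portion of each record is omitted because only the `<System>` block is needed for classification.

```python
"""Classify exported Windows event records against the Table 1 / Table 2 audit Ids."""
import xml.etree.ElementTree as ET

# Namespace of the Windows event XML schema (as produced by Event Viewer "Save As XML").
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVENT_TAG = "{%s}Event" % NS["e"]

# (channel, event id) -> Table 2 management function(s) that produce the event.
# Channel strings are the log names as written in Table 2 (subset of the table).
AUDIT_MAP = {
    ("Security", 4739): ["1 configure password policy"],
    ("Security", 4657): ["2 configure session locking policy",
                         "4 enable/disable Bluetooth",
                         "5 enable/disable camera",
                         "10 configure application installation policy",
                         "20 configure the Bluetooth trusted channel",
                         "21 enable/disable display notification in the locked state",
                         "22 enable/disable data signaling over USB",
                         "24 enable/disable developer modes",
                         "36 configure the unlock banner",
                         "38 retrieve TSF-software integrity verification values",
                         "40 enable/disable backup to remote system",
                         "44 enable/disable location services"],
    ("Security", 4656): ["7 configure security policy for each wireless network"],
    ("Security", 4800): ["8 transition to the locked state"],
    ("Security", 4673): ["32 read audit logs kept by the TSF"],
    ("Security", 4719): ["37 configure the auditable items"],
    ("Security", 4950): ["30 configure trusted channel when certificate validity cannot be determined"],
    ("Microsoft-Windows-WLAN-AutoConfig/Operational", 11001): ["4 enable Wi-Fi"],
    ("Microsoft-Windows-WLAN-AutoConfig/Operational", 11004): ["4 disable Wi-Fi"],
    ("Microsoft-Windows-WLAN-AutoConfig/Operational", 14001): ["6 specify wireless networks (SSIDs)"],
    ("Microsoft-Windows-AppXDeploymentServer/Operational", 400): ["18 install applications"],
    ("Microsoft-Windows-AppXDeploymentServer/Operational", 472): ["16/19 remove applications"],
    ("Microsoft-Windows-CAPI2/Operational", 90): ["11 import keys/secrets into the secure key storage"],
    ("System", 24667): ["25 enable data-at-rest protection"],
    ("System", 24579): ["26 enable removable media data-at-rest protection"],
}

# Table 1 audit-storage events: these are alerts in their own right, not evidence of an action.
STORAGE_EVENTS = {
    ("Security", 1100): "audit service shut down",
    ("Security", 1103): "audit log reached the configured capacity threshold",
}


def parse_events(xml_text):
    """Yield (time, channel, event id) for every <Event> in an exported XML document."""
    root = ET.fromstring(xml_text)
    for ev in root.iter(EVENT_TAG):  # works for a single <Event> or an <Events> wrapper
        sys_el = ev.find("e:System", NS)
        channel = sys_el.findtext("e:Channel", default="", namespaces=NS)
        event_id = int(sys_el.findtext("e:EventID", default="0", namespaces=NS))
        time_el = sys_el.find("e:TimeCreated", NS)
        yield (time_el.get("SystemTime", "") if time_el is not None else "", channel, event_id)


def classify(xml_text):
    """Return one record per event, tagged as admin-action, audit-storage, or unmapped."""
    report = []
    for time, channel, event_id in parse_events(xml_text):
        key = (channel, event_id)
        if key in STORAGE_EVENTS:
            kind, actions = "audit-storage", [STORAGE_EVENTS[key]]
        elif key in AUDIT_MAP:
            kind, actions = "admin-action", AUDIT_MAP[key]
        else:
            kind, actions = "unmapped", []  # not listed in Table 1/2; keep it visible, do not drop it
        report.append({"time": time, "channel": channel, "id": event_id,
                       "kind": kind, "actions": actions})
    return report


def summarize(report):
    """Count events per category so a reviewer can see coverage at a glance."""
    counts = {"admin-action": 0, "audit-storage": 0, "unmapped": 0}
    for rec in report:
        counts[rec["kind"]] += 1
    return counts


# Constructed sample export (four records, EventData omitted); not from a real device.
_E = '<Event xmlns="%s"><System><Provider Name="%s"/><EventID>%d</EventID>' \
     '<TimeCreated SystemTime="%s"/><Channel>%s</Channel></System></Event>'
SAMPLE_EXPORT = "<Events>" + "".join([
    _E % (NS["e"], "Microsoft-Windows-Security-Auditing", 4739, "2016-05-13T09:00:01Z", "Security"),
    _E % (NS["e"], "Microsoft-Windows-WLAN-AutoConfig", 11004, "2016-05-13T09:02:10Z",
          "Microsoft-Windows-WLAN-AutoConfig/Operational"),
    _E % (NS["e"], "Microsoft-Windows-Eventlog", 1103, "2016-05-13T09:05:00Z", "Security"),
    _E % (NS["e"], "Microsoft-Windows-Security-Auditing", 4624, "2016-05-13T09:06:30Z", "Security"),
]) + "</Events>"

if __name__ == "__main__":
    for rec in classify(SAMPLE_EXPORT):
        print(rec["time"], rec["channel"], rec["id"], rec["kind"], "; ".join(rec["actions"]))
    print(summarize(classify(SAMPLE_EXPORT)))
```

Event 4624 (a logon) is included deliberately: it is not in either table, so the script reports it as unmapped rather than silently discarding it, which is the behaviour a reviewer wants when checking that the audit configuration produces exactly the events the evaluation expects.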