Windows 8, Server 2012 Supplemental Admin Guidance

Microsoft Windows

Common Criteria Evaluation

Microsoft Windows 8

Microsoft Windows Server 2012

Microsoft Windows 8, Microsoft Windows Server 2012 Common Criteria Supplemental Admin Guidance

Document Information
Version Number / 1.0
Updated On / December 23, 2014

This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2014 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Visual Basic, Visual Studio, Windows, the Windows logo, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

1 Introduction
1.1 Configuration
1.1.1 Evaluated Configuration
1.1.2 Unsupported Configuration
1.2 Terms for regular user
2 Managing Access Control
2.1 Managing Discretionary Access Control
2.2 Management Web Access
2.3 Managing Mandatory Integrity Control
2.4 Managing the Firewall
2.5 Managing Dynamic Access Control
3 Managing Identification and Authentication
3.1 Managing User Lockout
3.1.1 Managing Account Lockout Threshold
3.1.2 Managing Locked User Accounts
3.2 Managing Users and Groups
3.3 Managing IPsec
3.4 Managing Authentication
3.4.1 Managing Logon
3.4.2 Managing Smart Cards
3.4.3 Managing Password Complexity
3.5 Managing User Account Information
3.6 Managing PKI
4 Managing Time
5 Managing Secure Connection Protocols
5.1 Managing IPsec Algorithms
5.2 Managing TLS
6 Managing Locking
7 Managing Auditing
7.1 Audits
7.2 User Identity in Audits
7.3 Audit Log Protection
7.4 Managing Audit Policy
7.5 Managing Audit Log Size
7.6 Other Event Logs
8 Cryptographic APIs

1  Introduction

This document provides Administrator guidance for the following Windows operating systems as evaluated for Common Criteria based on the Windows 8 RT Server 2012 Security Target:

-  Microsoft Windows 8 Pro (32-bit and 64-bit versions)

-  Microsoft Windows 8 Enterprise (32-bit and 64-bit versions)

-  Microsoft Windows Server 2012 Standard

-  Microsoft Windows Server 2012 Datacenter

1.1  Configuration

1.1.1  Evaluated Configuration

The Common Criteria evaluation includes a specific configuration of Windows, the “evaluated configuration”. To run Windows deployments using the evaluated configuration follow the deployment steps described here and ensure the security policy settings in the table below are set as indicated. The Security Target section 1.1 describes the Windows editions and security patches included in the evaluated configuration.

The following TechNet articles describe how to install Windows 8 and Windows Server 2012:

-  Install, Deploy, and Migrate to Windows 8: http://technet.microsoft.com/en-us/library/hh832022.aspx[1]

-  Installing Windows Server 2012: http://technet.microsoft.com/en-us/library/jj134246.aspx[2]

Security Policy / Policy Setting
Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits / Enabled
Local Policies\Security Options\System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithm / Enabled
Administrative Templates\System\Logon\Turn on PIN sign-in / Enabled
Administrative Templates\System\Internet Communication Management\Internet Communication Settings: Turn off Windows Update device driver searching / Enabled
Administrative Templates\System\Driver Installation: Turn off Windows Update device driver search prompt / Disabled
Administrative Templates\Windows Components\Credentials User Interface\Do not display the password reveal button / Enabled

1.1.2  Unsupported Configuration

The following list describes IIS web server configuration items that are not supported by the evaluated configuration.

·  In the evaluated configuration, execute permission on web content is not allowed. Read access to web content is allowed by default; any other access must be specifically assigned by the authorized administrator.

·  ASP.Net, Basic authentication and Forms based authentication are unsupported configurations for IIS in the evaluation.

1.2  Terms for regular user

The terms regular user, standard user, normal user and non-administrative user are all used to refer to a regular user.

2  Managing Access Control

2.1  Managing Discretionary Access Control

This section contains the following Common Criteria SFRs:

·  Complete Access Control for Discretionary Access (FDP_ACC.1(DAC))

·  Security Attribute Based Access Control for Discretionary Access (FDP_ACF.1(DAC))

·  Management of Security Attributes for Discretionary Access Control (FMT_MSA.1(DAC))

·  Static Attribute Initialization for Discretionary Access Control Policy (FMT_MSA.3(DAC))

·  Static Attribute Value Inheritance for Discretionary Access (FMT_MSA.4)

·  Revocation for Object Access for DAC (FMT_REV.1(DAC))

The information provided in this section and the referenced articles is applicable to all Windows editions in the evaluated configuration with the exception of Active Directory objects. Active Directory objects are managed on Windows Server 2012 editions configured with the Active Directory Domain Services role.

The Discretionary Access Control (DAC) policy determines if access is allowed in accordance with a standard access check. The access check algorithm is described by the Security Target in section 6.2.2.1.3 DAC Enforcement Algorithm.

The DAC enforcement algorithm determines if subjects can access objects by applying a set of rules based upon their respective security attributes that are described in sections 6.2.2.1.1 Subject DAC Attributes and 6.2.2.1.2 Object DAC Attributes.

Users can manage the security attributes of all types of objects covered by the Discretionary Access Control (DAC) policy subject to the controls identified in section 6.2.2.1.2 Object DAC Attributes of the Security Target.

Subject security attributes are managed through users, groups and group memberships as described in section 3.2 of this document. Object security attributes are stored and managed by their security descriptors. Some objects are created and managed by the system and cannot be directly managed by users, while other objects are created and managed by third party applications that may or may not expose mechanisms for users to manage their security attributes. The following objects named in the Security Target table 6-3 Named Objects may be directly managed by users via the indicated operating system utilities described on TechNet:

-  Registry keys

Registry Editor: http://technet.microsoft.com/en-us/library/cc755256.aspx

-  NTFS files and folders

File and Folder Permissions: http://technet.microsoft.com/en-us/library/bb727008.aspx

-  Printers

Managing Printers and Print Servers: http://technet.microsoft.com/en-us/library/cc754769.aspx

-  Active Directory objects (these topics are only applicable on Windows Server 2012 editions configured with the Active Directory Domain Services role)

ADSI Edit (adsiedit.msc): http://technet.microsoft.com/en-us/library/cc773354(v=ws.10).aspx

How to Use ADSI Edit to Apply Permissions: http://technet.microsoft.com/en-us/library/aa997502(v=exchg.65).aspx

Users can only manage the default security descriptor for Registry keys, Active Directory objects and NTFS files and folders, and then only in the case a new object’s security descriptor is based upon its parent object’s inheritable ACEs as described in section 6.2.2.1.5 Default DAC Protection in the Security Target. Users may do so by modifying the permissions granted by inheritable ACEs of the suitable parent or container objects.

The following TechNet topic describes best practices for managing DAC policy and to determine the current status of the subject and object security attributes:

-  Access Control: http://technet.microsoft.com/en-us/library/cc780807(v=ws.10).aspx

The DAC policy does not require or allow users to manage its initialization or activation.

Modifications of object security attributes are applied by the DAC policy on the next access control decision for the given object. Modifications of subject security attributes are applied by the DAC policy only to subjects created after the modification takes place: for users this occurs the next time they log on, and for processes the next time a given process is created. In the case of Active Directory objects in a domain with multiple domain controllers, there may be brief periods during which security attributes modified on one domain controller have not yet been replicated to the other domain controllers; a client that requests Active Directory object information from one of those domain controllers may therefore apply the older attributes in its DAC policy decisions until replication completes.

The following TechNet topic describes how object owners may control management of object security attributes:

-  Managing Object Ownership: http://technet.microsoft.com/en-us/library/cc732983.aspx

Object security attributes may be revoked by making DACL changes as described in section 6.2.2.1.6 DAC Management of the Security Target.
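To make the behaviours described in this section concrete (the canonical ordering of explicit and inherited ACEs in an access check, a new object's default DACL being built from its parent's inheritable ACEs, a DACL change taking effect on the next access check, and a group membership change reaching only tokens built after it), here is an added Python model. It is not Microsoft's code and not the Security Target's algorithm text; the access-mask values, the users alice and bob, the groups, and the folder and file objects are all constructed for the example. The real Windows access check also handles generic-right mapping, privileges, MAXIMUM_ALLOWED and the SACL, none of which the model includes.

```python
"""Simplified model of the Windows DAC access check, ACE inheritance and
the timing of attribute changes described in section 2.1.
Added example, not Microsoft's code; access-mask values are constructed."""
from dataclasses import dataclass

# Constructed access-right bits; the real Windows access masks differ.
READ, WRITE, EXECUTE, READ_CONTROL, WRITE_DAC = 1, 2, 4, 8, 16


@dataclass
class Ace:
    kind: str                   # "allow" or "deny"
    trustee: str                # user or group name standing in for a SID
    mask: int
    inheritable: bool = False   # propagates to new child objects
    inherited: bool = False     # set on the copies placed on a child


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list                  # list of Ace; None would model a NULL DACL


@dataclass(frozen=True)
class Token:
    user: str
    sids: frozenset             # user plus group memberships at logon time


# Constructed directory of group memberships.
GROUPS = {"alice": {"Staff"}, "bob": {"Staff", "Auditors", "Editors"}}


def logon(user, directory=GROUPS):
    """Build a token; memberships are frozen here, so a group change only
    reaches subjects (logons, processes) created after the change."""
    return Token(user, frozenset({user, "Everyone", *directory.get(user, ())}))


def canonical(dacl):
    """Canonical ACE order: explicit deny, explicit allow, inherited deny,
    inherited allow.  Windows management tools write DACLs in this order."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))


def access_check(token, sd, requested):
    """True if every requested right is granted before a matching deny."""
    if sd.dacl is None:
        return True             # NULL DACL: no protection at all
    # The owner is implicitly allowed to read and change the DACL.
    granted = (READ_CONTROL | WRITE_DAC) if token.user == sd.owner else 0
    remaining = requested & ~granted
    for ace in canonical(sd.dacl):
        if remaining == 0:
            break
        if ace.trustee not in token.sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False        # a deny on any outstanding right ends the check
        if ace.kind == "allow":
            remaining &= ~ace.mask
    return remaining == 0


def create_child(parent, owner):
    """New object's default DACL: copies of the parent's inheritable ACEs."""
    inherited = [Ace(a.kind, a.trustee, a.mask, True, True)
                 for a in parent.dacl if a.inheritable]
    return SecurityDescriptor(owner, inherited)


def demo():
    """Walk through the behaviours described in section 2.1; returns a dict."""
    r = {}
    folder = SecurityDescriptor("admin", [
        Ace("allow", "Staff", READ | EXECUTE, inheritable=True),
        Ace("allow", "Editors", WRITE, inheritable=True),
        Ace("deny", "Auditors", WRITE, inheritable=True),
        Ace("allow", "Everyone", READ_CONTROL, inheritable=True),
    ])
    alice, bob = logon("alice"), logon("bob")
    r["alice_read_folder"] = access_check(alice, folder, READ)       # granted
    r["alice_write_folder"] = access_check(alice, folder, WRITE)     # denied: nothing grants WRITE
    r["bob_write_folder"] = access_check(bob, folder, WRITE)         # denied: deny precedes allow
    # A new file takes its default DACL from the folder's inheritable ACEs.
    doc = create_child(folder, owner="alice")
    # An explicit allow on the file sorts before the inherited deny.
    doc.dacl.insert(0, Ace("allow", "bob", WRITE))
    r["bob_write_doc"] = access_check(bob, doc, WRITE)               # granted
    # Revocation: drop the explicit ACE; the next check sees the change.
    doc.dacl.pop(0)
    r["bob_write_doc_after_revoke"] = access_check(bob, doc, WRITE)  # denied
    # The owner may always change the DACL; others need WRITE_DAC granted.
    r["alice_write_dac_doc"] = access_check(alice, doc, WRITE_DAC)  # granted
    r["bob_write_dac_doc"] = access_check(bob, doc, WRITE_DAC)      # denied
    # Subject attribute change: alice joins Editors.  Her existing token is
    # unaffected; a token built at her next logon carries the new group.
    updated = {"alice": {"Staff", "Editors"}, "bob": GROUPS["bob"]}
    r["alice_old_token_write_doc"] = access_check(alice, doc, WRITE)               # denied
    r["alice_new_token_write_doc"] = access_check(logon("alice", updated), doc, WRITE)  # granted
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28} {'granted' if allowed else 'denied'}")
```

The two points an administrator most often trips over are visible in the results: a deny ACE at the same inheritance level wins over an allow for the same trustee regardless of how the group memberships overlap, while an explicit ACE set directly on the child object sorts ahead of anything inherited from the parent; and removing a user from a group (or adding one) changes nothing for sessions and processes that already hold a token, which is why the revocation text above distinguishes object changes (next access check) from subject changes (next logon or process creation).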

2.2  Management Web Access

This section contains the following Common Criteria SFRs:

·  Complete Access Control for Web Access (FDP_ACC.1(WA))

·  Complete Access Control for Web Publishing (FDP_ACC.1(WP))

·  Security Attribute Based Access Control for Web Access (FDP_ACF.1(WA))

·  Management of Security Attributes for Web Access (FMT_MSA.1(WA))

·  Management of Security Attributes for Web Publishing (FMT_MSA.1(WP))

·  Static Attribute Initialization for Web Access Policies (FMT_MSA.3(WA))

·  Static Attribute Initialization for Web Publishing Policies (FMT_MSA.3(WP))

·  Static Attribute Value Inheritance (FMT_MSA.4)

·  Revocation for Object Access (FMT_REV.1(OBJ))

The information provided in this section and the referenced articles is applicable to all Windows Server 2012 editions in the evaluated configuration with the Web Server (IIS) role installed and all Windows 8 editions in the evaluated configuration with the Internet Information Services feature installed.

The web access control and web publishing URL authorization algorithm is used to determine if access to web content by a given subject is allowed. The URL authorization algorithm is described in the Security Target section 6.2.2.4 Web Access Control and Web Publishing Access Control.

By default no URL Authorization rules are configured for web content and they cannot be managed. The administrator manages URL authorization rules by first installing the Web Server\Security\URL Authorization feature in the Web Server role service and restarting the IIS service. When URL Authorization is installed a default rule is created for the Web server that is inherited by all web content allowing access to all users. The following TechNet topic describes how the administrator manages the URL authorization rules to specify allow and deny rules that control access to site content:

-  Authorization Rules: http://technet.microsoft.com/en-us/library/hh831601.aspx

The administrator manages the default URL authorization rule by starting the IIS Manager tool, navigating to the Web server node in the left pane and then double-clicking the Authorization Rules icon in the IIS features view – this will display the list of all URL authorization rules that are applicable to the server and hence inherited by all web content. The default URL authorization providing web content access to all users is the first rule in the list and can be deleted or modified by the Remove or Edit operations shown in the Actions pane.

By default only the administrator can manage the URL authorization rules. The administrator can authorize other users to manage the URL authorization rules by installing the Management Tools\Management Service feature in the Web Server role service and restarting the IIS service – doing so populates the IIS Manager Permissions feature into the IIS Manager tool. The following TechNet topic describes how the administrator controls management of permissions:

-  IIS Manager Permissions: http://technet.microsoft.com/en-us/library/hh831690.aspx

The following TechNet topic describes how the administrator controls management of authorization rules:

-  Configuring URL Authorization Rules in IIS 7: http://technet.microsoft.com/en-us/library/cc772206(v=ws.10).aspx

The following link includes a description of how IIS processes authorization rules (look towards the bottom of the page):

-  ASP.NET Authorization: http://msdn.microsoft.com/en-us/library/wce3kxhd.ASPX

URL authorization changes are enforced the next time an access check is made.

HTTP status codes returned for web page requests indicate whether the request was successful or unsuccessful. The following Microsoft Support page describes the 401 and 403 status codes that are returned when access is denied due to the Web access control policy:

-  The HTTP status code in IIS 7.0, IIS 7.5, and IIS 8.0: http://support.microsoft.com/kb/943891

The following TechNet topic describes how to configure IIS authentication, for example to configure accepting only anonymous, digest, certificate, and NT authentication schemes:

-  Configuring Authentication in IIS 7[3]: http://technet.microsoft.com/en-us/library/cc733010(v=ws.10).aspx

As described in the above TechNet topic, the anonymous authentication scheme can be configured to set the security principal under which anonymous users are assigned when requesting Web content. By default, for the anonymous authentication scheme IIS configures the IUSR_<web-server-machine-name> account to be used; alternatively the Web administrator can specify a different user account. This account is then impersonated on behalf of anonymous users before their web content request is satisfied.

The HTTP verbs are authorized by the Web Access Control and Web Publishing as follows:

-  Access URL: This web permission is also known as “URL Authorization” and is applicable to all HTTP verbs by default, or can be configured for a subset of verbs. The following TechNet topic explains how to manage the URL Authorization web permission:

o  Configuring URL Authorization Rules in IIS 7: http://technet.microsoft.com/en-us/library/cc772206(v=ws.10).aspx[4]