Microsoft Windows Common Criteria Evaluation Microsoft Windows 8.1 Microsoft Windows Server 2012 R2 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2 Common Criteria Supplemental Admin Guidance Microsoft 2014 Page 1 of 30
Document Information Version Number 1.0 Updated On January 9, 2015 This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs-NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred. 2015 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Visual Basic, Visual Studio, Windows, the Windows logo, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. 
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
TABLE OF CONTENTS
1 INTRODUCTION ... 5
1.1 CONFIGURATION ... 5
1.1.1 EVALUATED CONFIGURATION ... 5
1.1.2 UNSUPPORTED CONFIGURATION ... 6
1.2 TERMS FOR REGULAR USER ... 6
1.3 ADMINISTRATIVE GUIDANCE REFERENCES ... 6
2 MANAGING ACCESS CONTROL ... 6
2.1 MANAGING DISCRETIONARY ACCESS CONTROL ... 6
2.2 MANAGING WEB ACCESS ... 8
2.3 MANAGING MANDATORY INTEGRITY CONTROL ... 10
2.4 MANAGING THE FIREWALL ... 11
2.5 MANAGING DYNAMIC ACCESS CONTROL ... 12
3 MANAGING IDENTIFICATION AND AUTHENTICATION ... 13
3.1 MANAGING USER LOCKOUT ... 13
3.1.1 MANAGING ACCOUNT LOCKOUT THRESHOLD ... 14
3.1.2 MANAGING LOCKED USER ACCOUNTS ... 14
3.2 MANAGING USERS AND GROUPS ... 15
3.3 MANAGING IPSEC ... 16
3.4 MANAGING AUTHENTICATION ... 17
3.4.1 MANAGING LOGON ... 17
3.4.2 MANAGING SMART CARDS ... 17
3.4.3 MANAGING PASSWORD COMPLEXITY ... 18
3.5 MANAGING USER ACCOUNT INFORMATION ... 18
3.6 MANAGING PKI ... 19
4 MANAGING TIME ... 20
5 MANAGING SECURE CONNECTION PROTOCOLS ... 20
5.1 MANAGING IPSEC ALGORITHMS ... 20
5.2 MANAGING TLS ... 22
6 MANAGING LOCKING ... 23
7 MANAGING AUDITING ... 24
7.1 AUDITS ... 24
7.2 USER IDENTITY IN AUDITS ... 27
7.3 AUDIT LOG PROTECTION ... 27
7.4 MANAGING AUDIT POLICY ... 28
7.5 MANAGING AUDIT LOG SIZE ... 28
7.6 OTHER EVENT LOGS ... 29
8 CRYPTOGRAPHIC APIS ... 30
1 Introduction
This document provides Administrator guidance for the following Windows operating systems as evaluated for Common Criteria based on the Windows 8.1 RT Server 2012 R2 Security Target:
- Microsoft Windows 8.1 Pro (32-bit and 64-bit versions)
- Microsoft Windows 8.1 Enterprise (32-bit and 64-bit versions)
- Microsoft Windows Server 2012 R2 Standard
- Microsoft Windows Server 2012 R2 Datacenter
1.1 Configuration
1.1.1 Evaluated Configuration
The Common Criteria evaluation includes a specific configuration of Windows, the evaluated configuration. To run Windows deployments using the evaluated configuration, follow the deployment steps described here and ensure the security policy settings in the table below are set as indicated. The Security Target section 1.1 describes the Windows editions and security patches included in the evaluated configuration. The following TechNet articles describe how to install Windows 8.1 and Windows Server 2012 R2:
- Install, Deploy, and Migrate to Windows 8.1: http://technet.microsoft.com/en-us/library/hh832022.aspx [1]
- Installing Windows Server 2012 R2: http://technet.microsoft.com/en-us/library/jj134246.aspx [2]
Security Policy | Policy Setting
Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits | Enabled
Local Policies\Security Options\System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms | Enabled
Administrative Templates\System\Logon\Turn on PIN sign-in | Enabled
Administrative Templates\System\Internet Communication Management\Internet Communication Settings: Turn off Windows Update device driver searching | Enabled
Administrative Templates\System\Driver Installation: Turn off Windows Update device driver search prompt | Disabled
Administrative Templates\Windows Components\Credentials User Interface\Do not display the password reveal button | Enabled
[1] The evaluated configuration was installed from media using this web page and followed the Windows Deployment Scenarios and Tools link (http://technet.microsoft.com/en-us/library/dn744294.aspx) and then the Windows 8.1 deployment scenarios link (http://technet.microsoft.com/en-us/library/dn744294.aspx#sec01) to the New Computer section.
[2] The evaluated configuration was installed from media using this web page.
The evaluated configuration did not disable Driver Signature Enforcement.
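The policy settings in the table above can be verified on a deployed host by reading the registry values that the corresponding Group Policy settings write. The following PowerShell script is an added example, not part of the Microsoft guidance: the registry path and value name assumed for each policy are the editor's mapping (and the assumption that a policy set to Disabled is written as the value 0), and should be confirmed against the ADMX files or rsop.msc before the script is relied on.

```powershell
# Added example, not from the Common Criteria guidance. Checks the evaluated-configuration
# policy table by reading the registry values behind each Group Policy setting.
# The Path/Value mapping for each policy is an assumption; run from an elevated prompt.

$EvaluatedConfigChecks = @(
    @{ Name  = 'Audit: Shut down system immediately if unable to log security audits'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'CrashOnAuditFail'; Want = 1 },
    @{ Name  = 'System cryptography: Use FIPS 140 compliant cryptographic algorithms'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
       Value = 'Enabled'; Want = 1 },
    @{ Name  = 'Turn on PIN sign-in'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Value = 'AllowDomainPINLogon'; Want = 1 },
    @{ Name  = 'Turn off Windows Update device driver searching'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverSearching'
       Value = 'DontSearchWindowsUpdate'; Want = 1 },
    @{ Name  = 'Turn off Windows Update device driver search prompt (policy Disabled)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverSearching'
       Value = 'DontPromptForWindowsUpdate'; Want = 0 },   # assumed: Disabled writes 0
    @{ Name  = 'Do not display the password reveal button'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredUI'
       Value = 'DisablePasswordReveal'; Want = 1 }
)

function Test-EvaluatedConfiguration {
    param([object[]]$Checks = $EvaluatedConfigChecks)
    foreach ($c in $Checks) {
        # Get-ItemProperty returns $null (no error) when the key or value is absent,
        # which is reported as '<not set>' and counted as a failure.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{
            Policy   = $c.Name
            Expected = $c.Want
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Pass     = ($actual -eq $c.Want)
        }
    }
}

$report = Test-EvaluatedConfiguration
$report | Format-Table -AutoSize -Wrap
if ($report.Pass -contains $false) {
    Write-Warning 'One or more settings differ from the evaluated configuration.'
}
```

A failing row means the host has drifted from the evaluated configuration; the fix is to reapply the policy through Group Policy or secpol.msc rather than editing the registry directly, so that the setting is enforced on refresh.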
1.1.2 Unsupported Configuration
The following list describes IIS web server configuration items that are not supported by the evaluated configuration. In the evaluated configuration, execute permission on web content is not allowed. Read access to web content is allowed by default; any other access must be specifically assigned by the authorized administrator. ASP.NET, Basic authentication and Forms-based authentication are unsupported configurations for IIS in the evaluation.
1.2 Terms for regular user
The terms regular user, standard user, normal user and non-administrative user are all used to refer to a regular user.
1.3 Administrative Guidance References
The content at the links to public Microsoft documentation for Windows 8 and Windows Server 2012 administrative guidance also applies as guidance for Windows 8.1 and Windows Server 2012 R2. In addition, all other administrative guidance references also apply to Windows 8.1 and Windows Server 2012 R2.
2 Managing Access Control
2.1 Managing Discretionary Access Control
Complete Access Control for Discretionary Access (FDP_ACC.1(DAC))
Security Attribute Based Access Control for Discretionary Access (FDP_ACF.1(DAC))
Management of Security Attributes for Discretionary Access Control (FMT_MSA.1(DAC))
Static Attribute Initialization for Discretionary Access Control Policy (FMT_MSA.3(DAC))
Static Attribute Value Inheritance for Discretionary Access (FMT_MSA.4)
Revocation for Object Access for DAC (FMT_REV.1(DAC))
The information provided in this section and the referenced articles is applicable to all Windows editions in the evaluated configuration, with the exception of Active Directory objects. Active Directory objects are managed on Windows Server 2012 R2 editions configured with the Active Directory Domain Services role. The Discretionary Access Control (DAC) policy determines if access is allowed in accordance with a standard access check.
The access check algorithm is described by the Security Target in section 6.2.2.1.3 DAC Enforcement Algorithm.
The DAC enforcement algorithm determines if subjects can access objects by applying a set of rules based upon their respective security attributes, which are described in sections 6.2.2.1.1 Subject DAC Attributes and 6.2.2.1.2 Object DAC Attributes. Users can manage the security attributes of all types of objects covered by the Discretionary Access Control (DAC) policy, subject to the controls identified in section 6.2.2.1.2 Object DAC Attributes of the Security Target. Subject security attributes are managed through users, groups and group memberships as described in section 3.2 of this document. Object security attributes are stored and managed by their security descriptors. Some objects are created and managed by the system and cannot be directly managed by users, while other objects are created and managed by third party applications that may or may not expose mechanisms for users to manage their security attributes. The following objects named in the Security Target table 6-3 Named Objects may be directly managed by users via the indicated operating system utilities described on TechNet:
- Registry keys: Registry Editor: http://technet.microsoft.com/en-us/library/cc755256.aspx
- NTFS files and folders: File and Folder Permissions: http://technet.microsoft.com/en-us/library/bb727008.aspx
- Printers: Managing Printers and Print Servers: http://technet.microsoft.com/en-us/library/cc754769.aspx
- Active Directory objects (these topics are only applicable on Windows Server 2012 R2 editions configured with the Active Directory Domain Services role): ADSI Edit (adsiedit.msc): http://technet.microsoft.com/en-us/library/cc773354(v=ws.10).aspx; How to Use ADSI Edit to Apply Permissions: http://technet.microsoft.com/en-us/library/aa997502(v=exchg.65).aspx
Users can only manage the default security descriptor for Registry keys, Active Directory objects and NTFS files and folders, and then only in the case where a new object's security descriptor is based upon its parent object's inheritable ACEs as described in section 6.2.2.1.5 Default DAC Protection in the Security Target. Users may do so by modifying the permissions granted by inheritable ACEs of the suitable parent or container objects. The following TechNet topic describes best practices for managing DAC policy and how to determine the current status of the subject and object security attributes:
- Access Control: http://technet.microsoft.com/en-us/library/cc780807(v=ws.10).aspx
The DAC policy does not require or allow users to manage its initialization or activation. Modifications of object security attributes are applied by the DAC policy on the next access control decision for the given object. Modifications of subject security attributes are applied by the DAC policy to subjects that are created after the modification takes place: for users this occurs the next time they log on, and for processes the next time a process is created. In the case of Active Directory objects in a domain with multiple domain controllers, brief periods of time may occur during which security attributes modified on one domain controller have not yet been replicated to other domain controllers receiving client requests for Active Directory object information that may be used by the DAC policy on the requesting client. The following TechNet topic describes how object owners may control management of object security attributes:
- Managing Object Ownership: http://technet.microsoft.com/en-us/library/cc732983.aspx
Object security attributes may be revoked by making DACL changes as described in section 6.2.2.1.6 DAC Management of the Security Target.
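The inheritable-ACE and revocation behaviour described above for NTFS objects can be exercised from PowerShell with Get-Acl and Set-Acl. The script below is an added example, not part of the Microsoft guidance; the folder path C:\Projects and the local group ProjectReaders are assumptions chosen so that the group has no other ACEs inherited from the volume root that would clutter the output.

```powershell
# Added example, not from the Common Criteria guidance: grant an inheritable ACE on a
# parent folder, observe it in the default DACL of a new child, then revoke it.
# $root and the local group $group are assumptions; run from an elevated PowerShell.
$root  = 'C:\Projects'
$group = 'ProjectReaders'

net localgroup $group /add 2>$null | Out-Null       # create the group if it does not exist
New-Item -ItemType Directory -Path $root -Force | Out-Null

function Get-GroupAces([string]$Path) {
    # Lists only the ACEs for $group so inherited entries from C:\ do not appear.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$group" } |
        Select-Object @{ n = 'Path'; e = { $Path } }, FileSystemRights, IsInherited, InheritanceFlags
}

# 1. Inheritable ACE on the parent. ContainerInherit + ObjectInherit means every
#    subfolder and file created beneath $root gets this ACE in its default DACL.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $root
$acl.AddAccessRule($rule)
Set-Acl -Path $root -AclObject $acl

# 2. A new child object is protected by its parent's inheritable ACEs (IsInherited = True).
$child = Join-Path $root 'build.log'
Set-Content -Path $child -Value 'created after the inheritable ACE was added'
Get-GroupAces $root
Get-GroupAces $child

# 3. Revocation: removing the ACE on the parent is propagated to inheriting children,
#    and the next access check on $child no longer grants Modify to the group.
$acl = Get-Acl -Path $root
$acl.RemoveAccessRuleAll($rule)       # drops every Allow ACE for this identity
Set-Acl -Path $root -AclObject $acl
Get-GroupAces $child                  # returns nothing

# 4. Protect a child from further inheritance while keeping copies of the currently
#    inherited ACEs as explicit ACEs (the ACL Editor's "disable inheritance, convert").
$acl = Get-Acl -Path $child
$acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance
Set-Acl -Path $child -AclObject $acl
```

Step 3 is the practical meaning of "applied on the next access control decision": a process that already holds an open handle to build.log keeps the access it was granted when the handle was opened, so revoking a running user's access also means terminating that user's sessions or processes.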
2.2 Managing Web Access
Complete Access Control for Web Access (FDP_ACC.1(WA))
Complete Access Control for Web Publishing (FDP_ACC.1(WP))
Security Attribute Based Access Control for Web Access (FDP_ACF.1(WA))
Management of Security Attributes for Web Access (FMT_MSA.1(WA))
Management of Security Attributes for Web Publishing (FMT_MSA.1(WP))
Static Attribute Initialization for Web Access Policies (FMT_MSA.3(WA))
Static Attribute Initialization for Web Publishing Policies (FMT_MSA.3(WP))
Static Attribute Value Inheritance (FMT_MSA.4)
Revocation for Object Access (FMT_REV.1(OBJ))
The information provided in this section and the referenced articles is applicable to all Windows Server 2012 R2 editions in the evaluated configuration with the Web Server (IIS) role installed, and to all Windows 8.1 editions in the evaluated configuration with the Internet Information Services feature installed.
The web access control and web publishing URL authorization algorithm is used to determine if access to web content by a given subject is allowed. The URL authorization algorithm is described in the Security Target section 6.2.2.4 Web Access Control and Web Publishing Access Control. By default no URL Authorization rules are configured for web content and they cannot be managed. The administrator manages URL authorization rules by first installing the Web Server\Security\URL Authorization feature in the Web Server role service and restarting the IIS service. When URL Authorization is installed, a default rule is created for the Web server that is inherited by all web content and allows access to all users. The following TechNet topic describes how the administrator manages the URL authorization rules to specify allow and deny rules that control access to site content:
- Authorization Rules: http://technet.microsoft.com/en-us/library/hh831601.aspx
The administrator manages the default URL authorization rule by starting the IIS Manager tool, navigating to the Web server node in the left pane and then double-clicking the Authorization Rules icon in the IIS features view; this displays the list of all URL authorization rules that are applicable to the server and hence inherited by all web content. The default URL authorization rule providing web content access to all users is the first rule in the list and can be deleted or modified by the Remove or Edit operations shown in the Actions pane. By default only the administrator can manage the URL authorization rules. The administrator can authorize other users to manage the URL authorization rules by installing the Management Tools\Management Service feature in the Web Server role service and restarting the IIS service; doing so populates the IIS Manager Permissions feature into the IIS Manager tool.
The following TechNet topic describes how the administrator controls management of permissions:
- IIS Manager Permissions: http://technet.microsoft.com/en-us/library/hh831690.aspx
The following TechNet topic describes how the administrator controls management of authorization rules:
- Configuring URL Authorization Rules in IIS 7: http://technet.microsoft.com/en-us/library/cc772206(v=ws.10).aspx
The following link includes a description of how IIS processes authorization rules (look towards the bottom of the page):
- ASP.NET Authorization: http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx
URL authorization changes are enforced the next time an access check is made. HTTP status codes returned for web page requests indicate whether the request was successful or unsuccessful. The following Microsoft Support page describes the 401 and 403 status codes that are returned when access is denied due to the Web access control policy:
- The HTTP status code in IIS 7.0, IIS 7.5, and IIS 8.0: http://support.microsoft.com/kb/943891
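The steps described above (install URL Authorization, remove the server-level default rule that allows all users, add site rules, and observe the 401/403 result) can be performed without IIS Manager using the WebAdministration module. The script below is an added example, not code from the Microsoft guidance; the site name, the domain group CONTOSO\WebReaders and the test URL are assumptions, and the feature-installation cmdlets are the Server 2012 R2 ones (on Windows 8.1 the equivalent is Enable-WindowsOptionalFeature -Online -FeatureName IIS-URLAuthorization,IIS-WindowsAuthentication).

```powershell
# Added example, not from the Common Criteria guidance. Replaces the default
# "allow all users" URL authorization rule with an allow for one Windows group plus an
# explicit deny for anonymous callers. Site, group and URL are assumptions.
Import-Module ServerManager
Install-WindowsFeature Web-Url-Auth, Web-Windows-Auth | Out-Null   # Web Server\Security features
Restart-Service W3SVC

Import-Module WebAdministration
$site    = 'IIS:\Sites\Default Web Site'
$section = 'system.webServer/security/authorization'

# 1. Remove the inherited default rule (accessType=Allow, users=*) at the Web server node.
#    The collection key is users/roles/verbs, so all three are given to -AtElement.
Remove-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $section `
    -Name '.' -AtElement @{ users = '*'; roles = ''; verbs = '' }

# 2. Group membership is only known for authenticated callers, so enable Windows
#    authentication on the site (Basic and Forms auth are outside the evaluated configuration).
Set-WebConfigurationProperty -PSPath $site -Name enabled -Value $true `
    -Filter 'system.webServer/security/authentication/windowsAuthentication'

# 3. Site rules: read-only verbs for the group, explicit deny for anonymous ('?').
Add-WebConfigurationProperty -PSPath $site -Filter $section -Name '.' `
    -Value @{ accessType = 'Allow'; roles = 'CONTOSO\WebReaders'; verbs = 'GET,HEAD' }
Add-WebConfigurationProperty -PSPath $site -Filter $section -Name '.' `
    -Value @{ accessType = 'Deny'; users = '?' }

# 4. Show the effective rule list for the site.
Get-WebConfiguration -PSPath $site -Filter "$section/add" |
    Select-Object accessType, users, roles, verbs

# 5. Verify. A request with no credentials is refused with 401; a PUT from a group member
#    is refused with 403 because only GET and HEAD are allowed for the group.
function Get-StatusCode([string]$Uri, [string]$Method = 'GET', [switch]$UseDefaultCredentials) {
    try {
        $r = Invoke-WebRequest -Uri $Uri -Method $Method -UseBasicParsing `
             -UseDefaultCredentials:$UseDefaultCredentials
        return [int]$r.StatusCode
    } catch [System.Net.WebException] {
        return [int]$_.Exception.Response.StatusCode      # 401 / 403 from IIS
    }
}
Get-StatusCode 'http://localhost/'                              # expect 401 (anonymous)
Get-StatusCode 'http://localhost/' -UseDefaultCredentials       # 200 if caller is in the group
Get-StatusCode 'http://localhost/' -Method PUT -UseDefaultCredentials   # expect 403
```

The rules live in the site's web.config, so a developer with write access to the web root can weaken them; keep the authorization section locked at the applicationHost.config level (overrideMode="Deny") if content authors are not also web administrators.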
The following TechNet topic describes how to configure IIS authentication, for example to accept only the anonymous, digest, certificate, and NT authentication schemes:
- Configuring Authentication in IIS 7: http://technet.microsoft.com/en-us/library/cc733010(v=ws.10).aspx
As described in the above TechNet topic, the anonymous authentication scheme can be configured to set the security principal to which anonymous users will be assigned when requesting Web content. By default, for the anonymous authentication scheme IIS configures the built-in IUSR account to be used; alternatively the Web administrator can specify a different user account. This account is then impersonated on behalf of anonymous users before their web content request is satisfied.
The HTTP verbs are authorized by Web Access Control and Web Publishing as follows:
- Access URL: This web permission is also known as URL Authorization and is applicable to all HTTP verbs by default, or can be configured for a subset of verbs. The following TechNet topic explains how to manage the URL Authorization web permission:
o Configuring URL Authorization Rules in IIS 7: http://technet.microsoft.com/en-us/library/cc772206(v=ws.10).aspx
- Directory Browsing: This web permission applies to the GET verb, allowing IIS to return the list of children (NTFS files and folders) located within a URL that references an NTFS folder. The following TechNet topic describes how to manage the Directory Browsing permission:
o Enable or Disable Directory Browsing in IIS 7: http://technet.microsoft.com/en-us/library/cc731109(v=ws.10).aspx
- Read, Write, Execute: These web permissions apply to URLs for a specified set of HTTP verbs based upon the file name extension in the request path, as configured using Request Restrictions and as applied by the Web server's Feature Permissions policy; both are part of IIS Handler Mappings.
The following TechNet topics describe this further:
o Configuring Handler Mappings in IIS 7: http://technet.microsoft.com/en-us/library/cc771240(v=ws.10).aspx
o Configure Request Restrictions for a Handler Mapping (IIS 7): http://technet.microsoft.com/en-us/library/cc730969(v=ws.10).aspx
o Edit Feature Permissions for the Handler Mappings Feature (IIS 7): http://technet.microsoft.com/en-us/library/cc725855(v=ws.10).aspx
2.3 Managing Mandatory Integrity Control
Mandatory Integrity Control Functions (FDP_ACC.1(MIC))
Mandatory Integrity Control Functions (FDP_ACF.1(MIC))
Management of Security Attributes for Mandatory Integrity Control (FMT_MSA.1(MIC))
Static Attribute Initialization for Mandatory Integrity Control Policies (FMT_MSA.3(MIC))
Revocation for Object Access (FMT_REV.1(OBJ))
The MIC access control algorithm is used to determine if access to objects by a given subject is allowed. The MIC access control algorithm is described in the Security Target section 6.2.2.3 Mandatory Integrity Control. The MIC policy does not require activation or management to ensure it is secure, and users cannot manage the default security attributes used to enforce the MIC policy. The MIC architecture is described in the following MSDN article:
- Mandatory Integrity Control: http://msdn.microsoft.com/en-us/library/windows/desktop/bb648648(v=vs.85).aspx
Administrators can manage the MIC security attributes used in the MIC policy for file and directory objects by use of the icacls.exe utility according to the following TechNet topic (see the /setintegritylevel parameter):
- Icacls: http://technet.microsoft.com/en-us/library/cc753525.aspx
Modifications of object security attributes are applied by the MIC policy on the next access control decision for the given object.
2.4 Managing the Firewall
Subset Information Flow Control (FDP_IFC.1(OSPP))
Simple Security Attributes for Network Information Flow Control Policy (FDP_IFF.1(OSPP))
Static Attribute Initialization for Network Information Flow Control (FMT_MSA.3(OSPP))
Management of TSF Data for Network Information Flow Control (FMT_MTD.1(OSPP))
Only the administrator user can access the firewall management interfaces listed in the Security Target in section 9.2.3.1 Interfaces. The following TechNet topic includes an explanation of the firewall rule priority:
- Understanding the Firewall: http://technet.microsoft.com/en-us/library/dd421709(v=ws.10).aspx
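The firewall management that this section covers (profile state, default actions, and rule priority, where block rules are evaluated before allow rules) can be scripted with the NetSecurity cmdlets. The script below is an added example, not part of the Microsoft guidance; the rule names, the management subnet 10.0.0.0/24 and the excluded host 10.0.0.250 are assumptions, and it must be run by an administrator.

```powershell
# Added example, not from the Common Criteria guidance: administrator-only firewall
# management with the NetSecurity module. Rule names and addresses are assumptions.
Import-Module NetSecurity

# 1. Enable all three profiles; block inbound and allow outbound by default; log drops.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Allow inbound ICMPv4 echo requests (type 8) from one management subnet,
#    scoped to the Domain profile only.
New-NetFirewallRule -DisplayName 'CC-Allow-ICMPv4-Echo-Mgmt' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress 10.0.0.0/24 -Profile Domain -Action Allow | Out-Null

# 3. Rule priority: block rules are evaluated before allow rules, so this explicit
#    block wins for 10.0.0.250 even though the allow rule above also matches it.
New-NetFirewallRule -DisplayName 'CC-Block-ICMPv4-Echo-Host' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress 10.0.0.250 -Profile Domain -Action Block | Out-Null

# 4. Review the resulting state: profile defaults and the address scope of each new rule.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'CC-*' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Action = $_.Action; Profile = $_.Profile
                       Remote = ($addr.RemoteAddress -join ',') }
}

# 5. Temporarily disabling a profile is itself an administrative action that should be
#    audited; re-enable with the same cmdlet.
Set-NetFirewallProfile -Profile Public -Enabled False
Set-NetFirewallProfile -Profile Public -Enabled True
```

Because a rule with no -Profile applies to every profile, scope rules to the profile where the traffic is expected; a rule written for a domain network that silently also applies on a public network is a common misconfiguration.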
Only the administrator may modify the firewall's enabled state or modify other firewall settings. The following TechNet topic describes the PowerShell cmdlet to modify the firewall's enabled state by use of the Enabled parameter, or to enable the administrator to modify the Inbound or Outbound firewall filtering rules via other parameters:
- Set-NetFirewallProfile: http://technet.microsoft.com/en-us/library/jj554896.aspx
Like all the PowerShell cmdlet interfaces identified for configuring the firewall, the Set-NetFirewallProfile PowerShell cmdlet includes the -Profile parameter that is used to indicate which firewall profile the command applies to, including one or more of Domain, Public, or Private. The following MSDN topic describes the firewall protection that is provided by each profile setting:
- Windows Firewall Profiles: http://msdn.microsoft.com/en-us/library/windows/desktop/bb736287(v=vs.85).aspx
2.5 Managing Dynamic Access Control
Complete Access Control for Discretionary Access (FDP_ACC.1(DYN))
Security Attribute Based Access Control for Discretionary Access (FDP_ACF.1(DYN))
(FMT_MSA.1(DYN))
Static Attribute Initialization for Discretionary Access Control Policy (FMT_MSA.3(DYN))
Static Attribute Value Inheritance for Discretionary Access (FMT_MSA.4)
Revocation of Object Access (FMT_REV.1(OBJ))
The DYN access control algorithm is used to determine if access to objects by a given subject is allowed. The DYN access control algorithm is described in the Security Target section 6.2.2.2 Dynamic Access Control. Dynamic Access Control applies only to NTFS objects.
The following TechNet topic provides an overview of the Dynamic Access Control scenarios with references for additional resources and is applicable to:
- Dynamic Access Control: Scenario Overview: http://technet.microsoft.com/en-us/library/hh831717.aspx
The security attributes used by the DYN access control algorithm are:
- Central access rules: an expression of authorization rules that can include one or more conditions involving user groups, user claims, device claims, and resource properties.
- User claims: attributes associated with a specific user, stored in Active Directory or within a security token for the current process or thread.
- Device claims: attributes associated with a specific computer object, stored in Active Directory or being used by the current process or thread on behalf of the current user.
- Resource attributes: global resource properties marked for use in authorization and published in Active Directory.
The following TechNet topic gives step-by-step instructions on how to create and deploy a Central Access Policy containing user claims and device claims (see To create claim types for instructions on how to manage claims):
- Deploy a Central Access Policy (Demonstration Steps): http://technet.microsoft.com/en-us/library/hh846167.aspx
The demonstration steps in the above Deploy a Central Access Policy (Demonstration Steps) topic show the procedures for accomplishing the various deployment tasks via the Graphical User Interface (GUI) available in the Claim Types Editor in the Active Directory Administrative Center (ADAC), or alternatively via the equivalent Windows PowerShell commands. Use of the Windows PowerShell equivalent commands is recommended to deploy a Central Access Policy as described in the topic. For example, the To create and enable pre-created resource properties subtopic describes using the ADAC GUI, and equivalently the procedure is also described using the New-ADResourceProperty and Set-ADResourceProperty Windows PowerShell commands. Individual files and folders may be manually classified on file servers as described in the following TechNet topic (which is also referenced in the above-mentioned scenario overview):
- Set up Manual File Classification: http://technet.microsoft.com/en-us/library/dn268284.aspx
Conditional expressions of authorization rules are created and managed for a domain by the Central Access Rule Editor in ADAC. The Central Access Rules are combined to form a Central Access Policy stored in Active Directory.
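The PowerShell route recommended above, from claim types and a resource property through a Central Access Rule to a Central Access Policy, is shown below as an added example that is not part of the Microsoft guidance. The claim and property names, the department and device values, and the policy names are assumptions; it must be run as a domain administrator on a Windows Server 2012 R2 domain controller (or with the RSAT ActiveDirectory module), and the domain controllers must already have the "KDC support for claims, compound authentication and Kerberos armoring" policy enabled for claims to be issued.

```powershell
# Added example, not from the Common Criteria guidance: build a Central Access Policy from
# a user claim, a device claim and a resource property. All names/values are assumptions.
Import-Module ActiveDirectory

# 1. Claim types. The returned object's ID (ad://ext/<name>:<hex>) is the attribute name
#    that conditional ACEs use, so keep the objects rather than retyping the IDs.
$dept = New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
            -AppliesToClasses @('user') -PassThru
$tier = New-ADClaimType -DisplayName 'DeviceTier' -SourceAttribute 'description' `
            -AppliesToClasses @('computer') -PassThru

# 2. A secured resource property that file servers can stamp on folders via classification,
#    added to the Global Resource Property List so it is published to file servers.
New-ADResourceProperty -DisplayName 'Project' -ID 'Project_PR' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-Text' | Out-Null
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Project_PR'

# 3. Central Access Rule. The rule targets resources tagged Project=Apollo and grants
#    read/execute (0x1200a9) to Authenticated Users only when BOTH the user claim and the
#    device claim match; owner and local Administrators keep full access.
$currentAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
    "(XA;;0x1200a9;;;AU;((@USER.$($dept.ID) == `"Engineering`") && (@DEVICE.$($tier.ID) == `"Managed`")))"

New-ADCentralAccessRule -Name 'Apollo engineering read' `
    -ResourceCondition '(@RESOURCE.Project_PR == "Apollo")' -CurrentAcl $currentAcl | Out-Null

# 4. Central Access Policy containing the rule.
New-ADCentralAccessPolicy -Name 'Apollo CAP' | Out-Null
Add-ADCentralAccessPolicyMember -Identity 'Apollo CAP' -Members 'Apollo engineering read'

# 5. Inspect what was stored: the condition is kept as SDDL with the claim IDs.
Get-ADCentralAccessRule -Identity 'Apollo engineering read' |
    Select-Object Name, ResourceCondition, CurrentAcl
Get-ADCentralAccessPolicy -Identity 'Apollo CAP' | Select-Object Name, Members, PolicyID

# Remaining steps are not scriptable here: publish 'Apollo CAP' to file servers through
# Group Policy (Computer Configuration\Policies\Windows Settings\Security Settings\
# File System\Central Access Policy), run gpupdate /force on the file server, classify
# the folder with Project=Apollo, and apply the policy on the folder's Central Policy tab.
# On a client, 'whoami /claims' shows whether the user and device claims were issued.
```

The rule is written with -CurrentAcl so it is enforced immediately; writing it with -ProposedAcl instead stages it for audit-only evaluation (event 4818 on the file server), which is the safer first step when introducing claim-based conditions to an existing share.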
Group Policy then propagates the Central Access Policy to the files and folders on domain member servers. The above Deploy a Central Access Policy (Demonstration Steps) TechNet topic gives step-by-step instructions on how to create and deploy a Central Access Policy. Conditional expressions can also be managed for individual file or directory objects based on claims using the Advanced Security Settings dialog of the ACL Editor; they are then stored as conditional ACEs in the DACL of the given object (the Central Access Policy applied to an object is itself referenced from the object's SACL). These expressions are propagated to child files and folders using NTFS inheritance rules. The following TechNet topic describes the enhanced ACL Editor:
- Access Control and Authorization Overview (see the heading Enhanced ACL Editor): http://technet.microsoft.com/en-us/library/jj134043.aspx
3 Managing Identification and Authentication
3.1 Managing User Lockout
Authentication Failure Handling (FIA_AFL.1)
Management of TSF Data for Authentication Failure Handling (FMT_MTD.1(Threshold))
Management of TSF Data for Authentication Failure Handling (FMT_MTD.1(Re-enable))
The operational procedures require a local or domain administrator. The information provided in this section and subsections and the referenced articles for Active Directory users is applicable to all Windows Server 2012 R2 editions in the evaluated configuration. The remaining information and referenced articles apply to local users and are applicable to all Windows editions in the evaluated configuration.
3.1.1 Managing Account Lockout Threshold
The following TechNet topic explains the net accounts command line utility for standalone computers (followed by command line options for managing account lockout policy):
- Net Accounts: http://technet.microsoft.com/en-us/library/bb490698.aspx
In addition to the parameters given in the referenced article, the following are also valid options:
- /lockoutthreshold:number : Sets the number of times a bad password may be entered until the account is locked out. If set to 0 then the account is never locked out.
- /lockoutwindow:minutes : Sets the number of minutes of the lockout window.
- /lockoutduration:minutes : Sets the number of minutes the account will be locked out for.
Alternatively, domain policy for the account lockout threshold is managed via the LockoutThreshold property of the Set-ADDefaultDomainPasswordPolicy PowerShell cmdlet:
- Set-ADDefaultDomainPasswordPolicy: http://technet.microsoft.com/en-us/library/ee617251.aspx
3.1.2 Managing Locked User Accounts
The following TechNet topic describes the Properties dialog for managing local user accounts for the case of enabling a disabled account; the case of unlocking a locked account is very similar, where the Account is locked out checkbox must be changed from the checked to the unchecked state:
- Disable or activate a local user account: http://technet.microsoft.com/en-us/library/cc781924(v=ws.10).aspx
Domain accounts are unlocked via the Unlock-ADAccount PowerShell cmdlet as explained in the following TechNet topic:
- Unlock-ADAccount: http://technet.microsoft.com/en-us/library/ee617234.aspx
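The lockout threshold and re-enable procedures of sections 3.1.1 and 3.1.2 are shown together below for both the standalone (net accounts) and domain (ActiveDirectory module) cases. This is an added example, not code from the Microsoft guidance; the account name jdoe and the chosen threshold and window values are assumptions, and the local-unlock step uses the ADSI WinNT provider as a command-line equivalent of the Properties dialog checkbox described above.

```powershell
# Added example, not from the Common Criteria guidance: set the lockout threshold,
# locate locked-out accounts and re-enable them. 'jdoe' and the values are assumptions.

# --- Standalone computer: local account lockout policy (run elevated) ---
# Window and duration must both be set when threshold > 0; the observation window
# cannot exceed the lockout duration.
net accounts /lockoutthreshold:5 /lockoutwindow:30 /lockoutduration:30
net accounts                       # prints the resulting local policy, incl. "Lockout threshold"

# --- Domain: default domain password/lockout policy (domain administrator) ---
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
Set-ADDefaultDomainPasswordPolicy -Identity $domainDn -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -LockoutDuration (New-TimeSpan -Minutes 30)
Get-ADDefaultDomainPasswordPolicy -Identity $domainDn |
    Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration

# Find domain accounts that are currently locked out, with the context an administrator
# needs before deciding that a lock is the result of a forgotten password rather than a
# password-guessing attempt (see security event 4740 on the PDC emulator for the source).
Search-ADAccount -LockedOut |
    Get-ADUser -Properties LockedOut, BadLogonCount, LastBadPasswordAttempt, LastLogonDate |
    Select-Object SamAccountName, BadLogonCount, LastBadPasswordAttempt, LastLogonDate

# Re-enable one domain account and confirm.
Unlock-ADAccount -Identity 'jdoe' -Confirm:$false
Get-ADUser -Identity 'jdoe' -Properties LockedOut, BadLogonCount |
    Select-Object SamAccountName, LockedOut, BadLogonCount

# --- Standalone computer: unlock a local account from the command line ---
# Equivalent of clearing "Account is locked out" in the user's Properties dialog.
$local = [ADSI]'WinNT://./jdoe,user'
if ($local.IsAccountLocked) {
    $local.IsAccountLocked = $false
    $local.SetInfo()
}
"{0} locked: {1}" -f $local.Name, $local.IsAccountLocked
```

A lockout threshold of 0 disables lockout entirely and so does not satisfy FIA_AFL.1; conversely a very low threshold with a long duration lets an unauthenticated attacker lock out arbitrary accounts, which is why the observation window and duration are set together with the threshold.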
3.2 Managing Users and Groups
User Attribute Definition for Individual Users (FIA_ATD.1(USR))
Revocation for Authorized Administrators (FMT_REV.1(Admin))
Management of TSF Data for Initialization of User Security Attributes (FMT_MTD.1(Init-Attr))
Management of TSF Data for Modification of User Security Attributes Other Than Authentication Data (FMT_MTD.1(Mod-Attr))
Management of TSF Data for Modification of Authentication Data (FMT_MTD.1(Mod-Auth))
Security Roles (FMT_SMR.1)
The information provided in this section and the referenced articles for Active Directory users and groups is applicable to all Windows Server 2012 R2 editions in the evaluated configuration. The remaining information and referenced articles for local users and groups are applicable to all Windows editions in the evaluated configuration. The terms regular user, standard user, normal user and non-administrative user are all used to refer to a regular user. The following TechNet topics include instructions to create or delete local and domain users:
- Net User: http://technet.microsoft.com/en-us/library/cc771865.aspx
- New-ADUser: http://technet.microsoft.com/en-us/library/ee617253.aspx
- Remove-ADUser: http://technet.microsoft.com/en-us/library/ee617206.aspx
The following TechNet topics include instructions for an administrator to create or delete local and domain groups, and add or remove members:
- Create a local group: http://technet.microsoft.com/en-us/library/cc737998(v=ws.10).aspx
- Delete a local group: http://technet.microsoft.com/en-us/library/cc778278(v=ws.10).aspx
- Add a member to a local group: http://technet.microsoft.com/en-us/library/cc739265(v=ws.10).aspx
- Remove a member from a local group: http://technet.microsoft.com/en-us/library/cc739265(v=ws.10).aspx. Note that the Additional considerations heading modifies the instructions to accommodate removing a member from a local group in the user interface method.
For the command-line method the same command is used as for adding a member with the exception of replacing the /add parameter with /delete (see the following TechNet topic for the syntax for the command line option: Net localgroup: http://technet.microsoft.com/en-us/library/bb490706.aspx). - New-ADGroup : http://technet.microsoft.com/en-us/library/ee617258.aspx - Remove-ADGroup: http://technet.microsoft.com/en-us/library/ee617228.aspx - New-ADGroupMember: http://technet.microsoft.com/en-us/library/ee617210.aspx 3 Microsoft 2014 Page 15 of 30
- Remove-ADGroupMember: http://technet.microsoft.com/en-us/library/ee617242.aspx 3 The following Windows Help topic includes instructions for a user to change their own local or domain password or for an administrator to reset local and domain passwords and is applicable to all Windows editions in the evaluated configuration: - Change Password: http://windows.microsoft.com/en-us/windows-8/change-your-password Private/public keys are associated with a user account when the account is enrolled for a user certificate. Section 3.6 of this document includes information about how users enroll for certificates. Privileges allowing a local or domain user account to perform various system-related operations on the local computer are automatically assigned based on group membership (e.g. local or domain administrators). The following TechNet topic includes instructions to restrict the logon hours and logon workstations for a domain user: - Set-ADUser: http://technet.microsoft.com/en-us/library/ee617215.aspx 3.3 Managing IPsec Timing of Authentication for OS Logon (FIA_UAU.1(RITE)) The guidance for FTP_ITC.1 includes instructions to configure IPsec for endpoint authentication of remote IT entities in section Error! Reference source not found. of this document. The referenced guidance includes information about configuring the remote authentication using machine certificates. Explicit instructions to configure the machine certificate authentication method is provided, including how to verify if authentication was successful. The Windows Firewall is used to configure the Network Flow Control Policy in order to allow specific types of network traffic between endpoints that need not be authenticated. Firewall Rules allow or block network traffic based on various criteria. The TOE then processes allowed network traffic. For example a rule allowing ICMP network protocol traffic results in the TOE processing that traffic according to the ICMP standard. 
Connection Security Rules configure the authentication of two computers before they begin communications using the IPsec protocol. The TOE then 3 The caller must be a domain administrator to execute this operation. Microsoft 2014 Page 16 of 30
processes IKE traffic to authenticate the two computers according to the IKE protocol. The following two TechNet topics explain Windows Firewall Rules and Connection Security Rules in more detail:
- Understanding Firewall Rules: http://technet.microsoft.com/en-us/library/dd421709(v=ws.10).aspx
- Understanding Connection Security Rules: http://technet.microsoft.com/en-us/library/dd448591(v=ws.10).aspx

3.4 Managing Authentication

3.4.1 Managing Logon
Multiple Authentication Mechanisms (FIA_UAU.5)

The information provided in this section and the referenced article for Set-ADDefaultDomainPasswordPolicy is applicable to all Windows Server 2012 R2 editions in the evaluated configuration. The rest of the information provided in this section and the referenced articles for local or domain users and groups is applicable to all Windows editions in the evaluated configuration.

The following Windows Help topic describes how to conduct initial logon authentication for users:
- Sign in to or out of Windows: http://windows.microsoft.com/en-us/windows-8/sign-in-out-of-windows

The following Windows Help topic describes how to change a user password:
- Change your password: http://windows.microsoft.com/en-us/windows-8/change-your-password

The following TechNet topic describes how to set the maximum password age for local user accounts:
- Net accounts: http://technet.microsoft.com/en-us/library/bb490698.aspx

The following TechNet topic describes how to set the maximum password age for domain user accounts:
- Set-ADDefaultDomainPasswordPolicy: http://technet.microsoft.com/en-us/library/ee617251.aspx

3.4.2 Managing Smart Cards

The following TechNet topic describes how to configure smart card logon:
- Administer Smart Cards: http://technet.microsoft.com/en-us/library/cc736901(v=ws.10).aspx

The following TechNet topic describes the Group Policy setting controlling what happens when the smart card for a logged-on account is removed from the smart card reader (see the heading "Additional smart card Group Policy settings and registry keys"):
- Smart Card Group Policy and Registry Settings: http://technet.microsoft.com/en-us/library/ff404287(v=ws.10).aspx#bkmk_3

3.4.3 Managing Password Complexity
Management of Security Functions Behavior for Password Management (FMT_MOF.1(Pass))

The following TechNet topics describe the password characteristics that are available, instructions for setting the enforcement mechanism, and a discussion of strong passwords and recommended minimum settings:
- Enforcing Strong Password Usage Throughout Your Organization: http://technet.microsoft.com/en-us/library/cc875814.aspx
- Strong Password: http://technet.microsoft.com/en-us/library/cc756109(v=ws.10).aspx
- Password Best Practices: http://technet.microsoft.com/en-us/library/cc784090(v=ws.10).aspx

3.5 Managing User Account Information
Subject Binding for Individual Users (FIA_USB.1(USR))

The following Windows Help topic describes how a user who is signed in to Windows runs an application once with a full administrator access token:
- How do I run an application once with a full administrator access token? http://windows.microsoft.com/en-us/windows7/how-do-i-run-an-application-once-with-a-full-administrator-access-token
The following Windows Help topic describes the default User Account Control setting, which provides restrictive defaults for the security attributes of subjects created by administrator users in the evaluated configuration (see the "Notify me only when apps try to make changes to my computer (default)" setting):
- What are User Account Control settings? http://windows.microsoft.com/en-us/windows-8/what-are-uac-settings

The following Windows Help topic describes how an authorized administrator can disable or enable User Account Control settings, which take effect at the next user logon [4]:
- Turn User Account Control on or off: http://windows.microsoft.com/en-us/windows7/turn-user-account-control-on-or-off

[4] Swipe from the right edge, select Search, select Settings, enter "uac", and then select "Change User Account Control settings".

3.6 Managing PKI
Public Key Based Authentication (FIA_PK_EXT.1)

The following TechNet topics describe managing certificates (including the "Obtain a Certificate" sub-topic):
- Manage Certificates: http://technet.microsoft.com/en-us/library/cc771377.aspx
- Certutil: http://technet.microsoft.com/library/cc732443.aspx

The guidance for setting up a trusted channel to communicate with a CA is described in the guidance for FTP_ITC.1 (OS) IPSEC.

The following TechNet topic describes how to manually import a certificate:
- Import a Certificate: http://technet.microsoft.com/en-us/library/cc754489.aspx

The TOE comes preloaded with root certificates for various Certificate Authorities. The following TechNet topic describes how to manage trust relationships:
- Manage Trusted Root Certificates: http://technet.microsoft.com/en-us/library/cc754841.aspx
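The following is an added example for section 3.6; it is not part of the original guidance. It performs the three operations the section points at from PowerShell (PKIClient module on Windows 8.1 / Server 2012 R2): importing a root CA certificate into the machine's trusted roots, enrolling the computer for a machine certificate from an enterprise CA, and then checking that the issued certificate chains to a trusted root and carries the client-authentication EKU that IPsec machine-certificate authentication needs. The root certificate path "C:\PKI\contoso-root.cer" and the template name "CCMachineAuth" are placeholders.

```powershell
# Added example, not part of the original guidance. Assumptions: a domain-joined,
# elevated session; an enterprise CA publishing a template named "CCMachineAuth"; the
# root CA certificate exported to C:\PKI\contoso-root.cer (both placeholders).

# 1. Make the root trusted for the whole machine (writing LocalMachine\Root is admin-only).
$root = Import-Certificate -FilePath "C:\PKI\contoso-root.cer" -CertStoreLocation Cert:\LocalMachine\Root
"Imported root: $($root.Subject) (thumbprint $($root.Thumbprint))"

# 2. Enroll this computer for a machine certificate; the CA is located through LDAP.
$result = Get-Certificate -Template "CCMachineAuth" -CertStoreLocation Cert:\LocalMachine\My -Url ldap:
if ($result.Status -ne "Issued") { throw "Enrollment did not complete: status $($result.Status)" }
$cert = $result.Certificate

# 3. Verify the chain builds to a trusted root and the certificate is usable for client
#    authentication (EKU 1.3.6.1.5.5.7.3.2); Test-Certificate returns $false otherwise.
$ok = Test-Certificate -Cert $cert -Policy BASE -EKU "1.3.6.1.5.5.7.3.2" -ErrorAction Stop
"Chain and EKU valid: $ok"

# 4. Show the chain that was built, leaf first; the last subject must be the imported root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null  = $chain.Build($cert)
$chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
```

If the template is configured for manager approval, Get-Certificate returns a Pending status with a request that can be resumed later with Get-Certificate -Request; the script above treats anything other than Issued as a failure so that an unenrolled machine is not silently left without a certificate.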
4 Managing Time
Reliable Time Stamps (FPT_STM.1)

The administrator sets the time using the Set-Date PowerShell cmdlet, which is documented here:
- Set-Date: http://technet.microsoft.com/en-us/library/7f44d9e2-6956-4e55-baeb-df7a649fdca1

The administrator configures the time service to synchronize time from a time server using the W32tm command, which is documented here:
- W32tm: http://technet.microsoft.com/en-us/library/cc773263(v=ws.10).aspx#w2k3tr_times_tools_dyax

The administrator ensures the communication path between the TOE client and the time service provider is protected from attacks that could compromise the integrity of the time by establishing an IPsec policy using the Microsoft Windows 8 / Microsoft Windows Server 2012 --- for IPsec VPN Clients guidance (January 23, 2014), where section 3 provides detailed instructions that can be used to configure the TOE client and the time service provider. The administrator ensures the NTP server is authenticated by verifying, in the audit trail for the FTP_ITC.1 requirement outlined in section 4.1 "Audit Policy for IPsec Operations" of the IPsec VPN Client guidance, that the IP address provided by the IT administrator for the NTP server appears in the main mode and quick mode security associations. In particular, audits are generated when a trusted channel is established, and they include the IP addresses of the channel's local and remote endpoints. If the integrity of the trusted channel is compromised, this is indicated by audit Id 4960, which is also discussed in section 4.1.

5 Managing Secure Connection Protocols

5.1 Managing IPsec Algorithms
Inter-TSF Trusted Channel (FTP_ITC.1 (OS)) IPSEC
Basic Internal TSF Data Transfer Protection (FPT_ITT.1)
Remote Management Capabilities (FMT_SMF_RMT.1)
The administrator ensures IPsec is being used to establish a trusted channel by following the guidance in the link below:
- Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012: http://technet.microsoft.com/en-us/library/hh831807.aspx

The following are links to the PowerShell cmdlets used to manage the IPsec rules for establishing trusted channels (this includes how to configure IPsec rules that use certificate authentication as well as those that use pre-shared keys):
- New-NetIPsecAuthProposal: http://technet.microsoft.com/en-us/library/jj554847.aspx
- New-NetIPsecPhase1AuthSet: http://technet.microsoft.com/en-us/library/jj554862.aspx
- New-NetIPsecMainModeCryptoProposal: http://technet.microsoft.com/en-us/library/jj573824.aspx
- New-NetIPsecMainModeCryptoSet: http://technet.microsoft.com/en-us/library/jj554882.aspx
- New-NetIPsecMainModeRule: http://technet.microsoft.com/en-us/library/jj554867.aspx
- New-NetIPsecQuickModeCryptoProposal: http://technet.microsoft.com/en-us/library/jj554875.aspx
- New-NetIPsecQuickModeCryptoSet: http://technet.microsoft.com/en-us/library/jj573823.aspx
- New-NetIPsecRule: http://technet.microsoft.com/en-us/library/jj554889.aspx

Any machine being remotely managed must have IPsec configured to protect the network channels between the machines (FMT_SMF_RMT.1).

5.2 Managing TLS
Inter-TSF Trusted Channel (FTP_ITC.1 (OS)) TLS
Remote Management Capabilities (FMT_SMF_RMT.1)

The information provided in this section and the referenced articles on configuring TLS is applicable to all Windows editions in the evaluated configuration. The information on IIS configuration is applicable to all Windows Server 2012 R2 editions in the evaluated configuration with the Web Server (IIS) role installed, and to all Windows 8.1 editions in the evaluated configuration with the Internet Information Services feature installed.

The following cipher suites are supported in the evaluated configuration:
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

The administrator ensures TLS is being used to establish a trusted channel for web communications to a server by following the configuration instructions for the web server at the following link:
- How to Set Up SSL on IIS: http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis
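The following is an added example for the cipher suite list in section 5.2 above; it is not part of the original guidance. It restricts the machine's Schannel configuration to exactly the evaluated cipher suites with the Windows 8.1 / Server 2012 R2 TLS cmdlets, and disables SSL 2.0 and SSL 3.0 for both the server and client sides through the SCHANNEL\Protocols registry keys that KB 245030 documents. The protocol values only take effect after a reboot.

```powershell
# Added example, not part of the original guidance. Assumes an elevated PowerShell on
# Windows 8.1 / Server 2012 R2 (TLS module: Get-/Enable-/Disable-TlsCipherSuite). The
# SCHANNEL protocol values follow KB 245030 and take effect after a reboot.

# The cipher suites supported in the evaluated configuration (list from section 5.2).
$evaluated = @(
    "TLS_RSA_WITH_AES_128_CBC_SHA",            "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",         "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",     "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
)

# 1. Cipher suites: remove everything that is enabled but not on the list (RC4, 3DES,
#    NULL, export suites, ...), then make sure every listed suite is enabled.
Get-TlsCipherSuite | Where-Object { $evaluated -notcontains $_.Name } |
    ForEach-Object { Disable-TlsCipherSuite -Name $_.Name }
foreach ($name in $evaluated) {
    if (-not (Get-TlsCipherSuite | Where-Object Name -eq $name)) { Enable-TlsCipherSuite -Name $name }
}

# 2. Protocols: Schannel reads Enabled / DisabledByDefault under
#    ...\SCHANNEL\Protocols\<version>\{Server,Client}. Turn SSL 2.0 and 3.0 off on both
#    sides and make TLS 1.2 explicitly enabled.
$base = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
function Set-SchannelProtocol([string]$Version, [bool]$Enabled) {
    foreach ($side in "Server", "Client") {
        $key = Join-Path $base "$Version\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}
Set-SchannelProtocol -Version "SSL 2.0" -Enabled $false
Set-SchannelProtocol -Version "SSL 3.0" -Enabled $false
Set-SchannelProtocol -Version "TLS 1.2" -Enabled $true

# 3. Report the resulting state: any suite flagged OffList here is a finding.
Get-TlsCipherSuite | Select-Object Name, @{ n = "OffList"; e = { $evaluated -notcontains $_.Name } }
Get-ChildItem $base -Recurse | Get-ItemProperty | Select-Object PSPath, Enabled, DisabledByDefault
```

The same Set-SchannelProtocol call with "TLS 1.0" and "TLS 1.1" set to $false forces the TLS 1.2 client behaviour the browser guidance asks for at the Schannel level, but it also removes the fallback that older peers rely on, so test against every server and client the machine must talk to before rebooting with that change. The evaluated list contains no ECDHE_RSA suites; a server that only has an RSA certificate will therefore negotiate a non-forward-secret TLS_RSA suite.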
Note that although the IIS link above indicates these instructions are for IIS 7, the same instructions apply to IIS 8. On the client side, the "How to Control the Use of TLS" section of the following link specifies how to configure the web browser to use TLS 1.2:
- http://technet.microsoft.com/en-us/library/dd560644(v=ws.10).aspx

The administrator configures the protocols used on a machine by following the configuration instructions at the following link:
- http://support.microsoft.com/kb/245030

The administrator configures the cipher suites used on a machine by following the configuration instructions at the following link: [link missing in the source]

The following link specifies how enabling FIPS policy affects TLS:
- http://support.microsoft.com/kb/811833

6 Managing Locking
TSF-initiated Session Locking (FTA_SSL.1)
User-initiated Locking (FTA_SSL.2)

The inactivity time period for TSF-initiated session locking is configured by the administrator via Windows security policy. The relevant security policy is "Interactive logon: Machine inactivity limit", as described in the following TechNet topic under the heading "New and changed functionality":
- Security Policy Settings Overview: http://technet.microsoft.com/en-us/library/2fdcbb11-8037-45b1-9015-665393268e36

The following TechNet topics include guidance for administrators to open the Local Group Policy Editor tool or the Group Policy Management Console, which are used to configure the Windows security policy for standalone or domain-joined machines, respectively:
- Local Group Policy Editor: http://technet.microsoft.com/en-us/library/dn265982.aspx
- Group Policy Management Console: http://technet.microsoft.com/en-us/library/dn265969.aspx
The following Windows topic describes how to configure screen savers [5]:
- How to use screen savers: http://windows.microsoft.com/en-us/windows-8/using-screen-savers

The following Windows topic describes how users can initiate a session lock:
- How do I lock or unlock my PC?: http://windows.microsoft.com/en-us/windows-8/lock-unlock-pc

[5] Selecting the "On resume, display logon screen" checkbox shown below the Screen saver list discussed in the topic requires authentication in order to resume the session when user activity dismisses the screen saver.

7 Managing Auditing

7.1 Audits
Audit Data Generation (FAU_GEN.1(OSPP))

Audit events and the associated audit subcategories are listed in the Security Target [section cross-reference missing in the source]. The authorized administrator may review the audit log by use of the Get-EventLog PowerShell cmdlet. The following TechNet topic describes the syntax for using this cmdlet and also includes several examples demonstrating how to extract individual information from the audit records, in order to verify that all expected records have been generated and that the audit records contain the expected information:
- Get-EventLog: http://technet.microsoft.com/en-us/library/hh849834.aspx

Event records displayed to the console by Get-EventLog utilize a numeric value for the audit category that can be correlated to a subcategory text value using the following table:

Subcategory Name | Hex category number | Decimal category number
Security State Change | 0x00003000 | 12288
Security System Extension | 0x00003001 | 12289
System Integrity | 0x00003002 | 12290
IPsec Driver | 0x00003003 | 12291
Other System Events | 0x00003004 | 12292
Logon | 0x00003100 | 12544
Logoff | 0x00003101 | 12545
Account Lockout | 0x00003102 | 12546
IPsec Main Mode | 0x00003103 | 12547
Special Logon | 0x00003104 | 12548
IPsec Quick Mode | 0x00003105 | 12549
IPsec Extended Mode | 0x00003106 | 12550
Other Logon/Logoff Events | 0x00003107 | 12551
Network Policy Server | 0x00003108 | 12552
User / Device Claims | 0x00003109 | 12553
File System | 0x00003200 | 12800
Registry | 0x00003201 | 12801
Kernel Object | 0x00003202 | 12802
SAM | 0x00003203 | 12803
Other Object Access Events | 0x00003204 | 12804
Certification Services | 0x00003205 | 12805
Application Generated | 0x00003206 | 12806
Handle Manipulation | 0x00003207 | 12807
File Share | 0x00003208 | 12808
Filtering Platform Packet Drop | 0x00003209 | 12809
Filtering Platform Connection | 0x0000320A | 12810
Detailed File Share | 0x0000320B | 12811
Removable Storage | 0x0000320C | 12812
Central Policy Staging | 0x0000320D | 12813
Sensitive Privilege Use | 0x00003300 | 13056
Non Sensitive Privilege Use | 0x00003301 | 13057
Other Privilege Use Events | 0x00003302 | 13058
Process Creation | 0x00003400 | 13312
Process Termination | 0x00003401 | 13313
DPAPI Activity | 0x00003402 | 13314
RPC Events | 0x00003403 | 13315
Audit Policy Change | 0x00003500 | 13568
Authentication Policy Change | 0x00003501 | 13569
Authorization Policy Change | 0x00003502 | 13570
MPSSVC Rule-Level Policy Change | 0x00003503 | 13571
Filtering Platform Policy Change | 0x00003504 | 13572
Other Policy Change Events | 0x00003505 | 13573
User Account Management | 0x00003600 | 13824
Computer Account Management | 0x00003601 | 13825
Security Group Management | 0x00003602 | 13826
Distribution Group Management | 0x00003603 | 13827
Application Group Management | 0x00003604 | 13828
Other Account Management Events | 0x00003605 | 13829
Directory Service Access | 0x00003700 | 14080
Directory Service Changes | 0x00003701 | 14081
Directory Service Replication | 0x00003702 | 14082
Detailed Directory Service Replication | 0x00003703 | 14083
Credential Validation | 0x00003800 | 14336
Kerberos Service Ticket Operations | 0x00003801 | 14337
Other Account Logon Events | 0x00003802 | 14338
Kerberos Authentication Service | 0x00003803 | 14339

The Event Viewer administrator tool also provides a mechanism to review the audit trail, as described in the following TechNet topic, which also includes information on creating custom views that filter the audit trail according to various criteria based on the individual information in the audit records:
- Event Viewer How To: http://technet.microsoft.com/en-us/library/cc749408.aspx

With the Fast Startup (hybrid shutdown) feature enabled, a Windows 8.1 computer enters a hibernate state when a shutdown operation is conducted through the graphical user interface presented by the power icon in the lower right corner of the screen (e.g. after pressing Ctrl-Alt-Del). When enabled, the feature skips the shutdown audit; by default the feature is enabled in Windows 8.1 Enterprise and Professional editions. In order to ensure the shutdown audit is conducted on those editions, the administrator must disable this feature as follows:
- Open the Control Panel and choose Hardware and Sound / Power Options
- Click on "Choose what the power buttons do"
- Click on "Change settings that are currently unavailable"
- Uncheck the "Turn on fast startup (recommended)" option under the "Shutdown settings" label
- Click the "Save changes" button and exit the Control Panel

7.2 User Identity in Audits
User Identity Association (FAU_GEN.2)

As described in the Security Target section 6.2.1.1 "Audit Collection", the security identifier that represents the user on whose behalf the event occurred is recorded with all audit events; this occurs by default and cannot be configured.

7.3 Audit Log Protection
Audit Review (FAU_SAR.1)
Restricted Audit Review (FAU_SAR.2)

The Security Target section 6.2.1.5 "Audit Log Restricted Access Protection" describes how the security event log file is restricted such that only the system may open the security event log file, and it opens the file exclusively at boot so that no other process may open it. The Security Target section 6.2.1.1 "Audit Collection" explains the audit record format.
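The following is an added example for the audit review described in section 7.1; it is not part of the original guidance. It turns the category table into a lookup, summarises the most recent Security log records by subcategory through the CategoryNumber that Get-EventLog exposes, and then pulls out audit Id 4960 (the trusted-channel integrity failure named in section 4) with Get-WinEvent. The table subset embedded in the script is copied from section 7.1 and can be extended to the full table; reading the Security log requires an elevated session.

```powershell
# Added example, not part of the original guidance. Run elevated (the Security log is
# admin-only). The hashtable is a subset of the section 7.1 table: decimal category
# number -> subcategory name; add the remaining rows as needed.
$subcategory = @{
    12288 = "Security State Change";  12544 = "Logon";
    12545 = "Logoff";                  12546 = "Account Lockout";
    12547 = "IPsec Main Mode";         12548 = "Special Logon";
    12549 = "IPsec Quick Mode";        12551 = "Other Logon/Logoff Events";
    12800 = "File System";             12801 = "Registry";
    13056 = "Sensitive Privilege Use"; 13312 = "Process Creation";
    13568 = "Audit Policy Change";     13824 = "User Account Management";
    14336 = "Credential Validation";   14339 = "Kerberos Authentication Service"
}

# Count the newest Security records per subcategory, resolving the numeric category
# the way the section 7.1 table describes (hex and decimal shown side by side).
function Get-SecurityAuditSummary([int]$Newest = 2000) {
    Get-EventLog -LogName Security -Newest $Newest |
        Group-Object CategoryNumber |
        ForEach-Object {
            $cat = [int]$_.Name
            [pscustomobject]@{
                CategoryNumber = $cat
                Hex            = "0x{0:X8}" -f $cat
                Subcategory    = if ($subcategory.ContainsKey($cat)) { $subcategory[$cat] } else { "(not in table)" }
                Count          = $_.Count
            }
        } | Sort-Object Count -Descending
}

# Records showing that the trusted channel's integrity was compromised (audit Id 4960,
# IPsec dropped an inbound packet that failed an integrity check) in the last N hours.
function Get-IPsecIntegrityFailures([int]$Hours = 24) {
    $filter = @{ LogName = "Security"; Id = 4960; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = "Subcategory"; e = { $subcategory[[int]$_.Task] } },
            Message
}

Get-SecurityAuditSummary | Format-Table -AutoSize
Get-IPsecIntegrityFailures | Format-List
```

Get-WinEvent reports the same category number in its Task property, so the one lookup table serves both cmdlets; a subcategory that never appears in the summary even though auditpol shows it enabled is the first thing to chase when checking that all expected records are being generated.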
7.4 Managing Audit Policy
Selective Audit (FAU_SEL.1)
Protected Audit Trail Storage (FAU_STG.1)
Management of TSF Data for Audit Selection (FMT_MTD.1(Audit Sel))
Management of TSF Data for Audit Data (FMT_MTD.1(Audit))
Management of TSF Data for Audit Storage Threshold (FMT_MTD.1(AuditStg))

Only the administrator has access to the commands that may be used to manage the audit trail storage object, including the storage threshold configuration. Only the administrator for a given host identity has access to the commands that may be used to select the set of events to be audited for that host. Audits are generated on a given computer based upon operations that occur on that computer and record the computer name (the "host identity") as part of the audit data. Thus, selecting the set of audits on a given computer based upon the host identity is equivalent to enabling or disabling all audit event types on that computer.

Audits for specific file system and registry named object identities are configured using Explorer and the Registry Editor. These system utilities provide an administrator interface to modify the system access control list (SACL) of any file or registry key in order to include or exclude it for auditing. All named object types in the system are audited based upon the same SACL mechanism; however, the system does not provide administrator management interfaces for other object types. The following topics describe how to select audits for file or registry key objects:
- Apply or Modify Auditing Policy Settings for a Local File or Folder: http://technet.microsoft.com/en-us/library/cc771070.aspx
- Audit activity on a registry key: http://technet.microsoft.com/en-us/library/cc757250(v=ws.10).aspx

Audits may be included or excluded for specific user identities by use of the auditpol.exe utility as described by the following topic:
- Auditpol set: http://technet.microsoft.com/en-us/library/cc755264.aspx
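The following is an added example for the audit selection described in section 7.4; it is not part of the original guidance. It selects audits by subcategory and by user identity with auditpol.exe, and by object identity by adding SACL entries to a file and a registry key from PowerShell with the .NET audit-rule classes, which is the same SACL mechanism the Explorer and Registry Editor interfaces manage. The account CONTOSO\svc-backup, the file C:\Secure\payroll.xlsx and the key HKLM:\SOFTWARE\Contoso are placeholders.

```powershell
# Added example, not part of the original guidance. Run elevated (changing a SACL needs
# SeSecurityPrivilege). Placeholders: CONTOSO\svc-backup, C:\Secure\payroll.xlsx,
# HKLM:\SOFTWARE\Contoso.

# 1. Subcategory selection, system-wide: success and failure for Logon and IPsec Main Mode.
auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable
auditpol.exe /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable

# 2. Per-user selection: suppress successful Logon audits for a noisy service account only
#    (failures are still recorded; administrators cannot be excluded this way).
auditpol.exe /set /user:"CONTOSO\svc-backup" /exclude /subcategory:"Logon" /success:enable

# 3. Object selection via the SACL: audit every write or delete attempt on the file, and
#    every value write / subkey creation / delete on the key, for all principals (S-1-1-0).
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")

$fileRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, "Write,Delete", "None", "None", "Success,Failure")
$fileAcl = Get-Acl -Path "C:\Secure\payroll.xlsx" -Audit    # -Audit is what fetches the SACL
$fileAcl.AddAuditRule($fileRule)
Set-Acl -Path "C:\Secure\payroll.xlsx" -AclObject $fileAcl

$regRule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $everyone, "SetValue,CreateSubKey,Delete", "ContainerInherit", "None", "Success,Failure")
$regAcl = Get-Acl -Path "HKLM:\SOFTWARE\Contoso" -Audit
$regAcl.AddAuditRule($regRule)
Set-Acl -Path "HKLM:\SOFTWARE\Contoso" -AclObject $regAcl

# 4. Verify the effective selection at all three levels.
auditpol.exe /get /subcategory:"Logon,IPsec Main Mode"
auditpol.exe /get /user:"CONTOSO\svc-backup"
(Get-Acl -Path "C:\Secure\payroll.xlsx" -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
(Get-Acl -Path "HKLM:\SOFTWARE\Contoso" -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags -AutoSize
```

A SACL entry only produces records while the matching subcategory (File System or Registry under Object Access) is enabled in the system audit policy, so step 3 is ineffective on its own; the per-user exclusion in step 2 is evaluated after the system policy, which is why it can only suppress, not add, records for that account.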
As noted in the Auditpol set topic, the administrator may not be excluded from audit policy. Audits for specific user identities are also selected by managing the SACL of named objects, and thus are also configured using the Explorer and Registry Editor administrator interfaces as described above.

Only the administrator has access to the commands that may be used to clear the audit log of all audit records. It is not possible to delete individual audit records.

7.5 Managing Audit Log Size
Action in Case of Possible Audit Data Loss (FAU_STG.3)
Prevention of Audit Data Loss (FAU_STG.4(SL))
Prevention of Audit Data Loss (FAU_STG.4(OL))

The TOE can be configured to preserve the audit trail and shut down immediately when the audit log fills. When this condition occurs, only an administrator can log on to the computer until the audit trail is cleared. The following interfaces, described in the Security Target [section cross-reference missing in the source], configure this capability:
- Control Event Log behavior when the log reaches its maximum size
- Setting CrashOnAuditFail for the Audit Log

The following TechNet topic includes guidance on the use of Group Policy settings regarding options to configure the audit log in order to avoid getting into a situation where audit records are lost:
- Planning and Deploying Advanced Security Audit Policies: http://technet.microsoft.com/en-us/library/dn319115.aspx

A warning to the administrator may be generated when a configurable threshold is reached in the audit log. To enable this capability, create a REG_DWORD value named WarningLevel under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security registry key. The value entered for WarningLevel is a percentage-full condition; for example, the value 90 sets a 90% threshold such that when the audit log reaches 90% of its specified maximum capacity it generates audit Id 1103. The registry value can be anywhere in the range [1, 99]. To disable the threshold warning, set the registry value to any value outside the [1, 99] range or remove the registry value. Only administrators are able to manage the HKEY_LOCAL_MACHINE node of the registry.
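The following is an added example for section 7.5; it is not part of the original guidance. It applies the three settings the section describes to the Security log from PowerShell: a fixed maximum size with a do-not-overwrite retention policy, the WarningLevel threshold, and the CrashOnAuditFail value under the Lsa key that backs the "Audit: Shut down system immediately if unable to log security audits" security option, then reads the configuration back together with how full the log currently is. The 256 MB size is a placeholder; CrashOnAuditFail takes effect after a reboot.

```powershell
# Added example, not part of the original guidance. Run elevated. The 256 MB size is a
# placeholder; CrashOnAuditFail is read at boot, so it takes effect after a reboot.

# 1. Size and retention for the Security log: retain existing records and discard new
#    ones when full, rather than overwriting the oldest.
Limit-EventLog -LogName Security -MaximumSize 256MB -OverflowAction DoNotOverwrite

# 2. Threshold warning (section 7.5): audit Id 1103 when the log is 90 % full (range 1..99).
$sec = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security"
New-ItemProperty -Path $sec -Name WarningLevel -PropertyType DWord -Value 90 -Force | Out-Null

# 3. Halt rather than lose audits; afterwards only an administrator can log on until the
#    log is cleared. Registry value behind the "Audit: Shut down system immediately if
#    unable to log security audits" security option.
$lsa = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
New-ItemProperty -Path $lsa -Name CrashOnAuditFail -PropertyType DWord -Value 1 -Force | Out-Null

# 4. Read everything back and show how close the log is to the threshold right now.
function Get-SecurityLogStatus {
    $cfg = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        MaximumMB        = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
        LogMode          = $cfg.LogMode     # Retain = do not overwrite when full
        PercentFull      = [math]::Round(100 * $cfg.FileSize / $cfg.MaximumSizeInBytes, 1)
        WarningLevel     = (Get-ItemProperty -Path $sec -Name WarningLevel).WarningLevel
        CrashOnAuditFail = (Get-ItemProperty -Path $lsa -Name CrashOnAuditFail).CrashOnAuditFail
    }
}
Get-SecurityLogStatus | Format-List
```

After the system has actually halted on a full log, Windows rewrites CrashOnAuditFail to 2, which is the state in which only administrators may log on; the administrator clears the Security log and sets the value back to 1 before the next reboot, otherwise the machine stays in the administrators-only state.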
7.6 Other Event Logs

The IIS-Configuration log is applicable to all Windows Server 2012 R2 editions in the evaluated configuration with the Web Server (IIS) role installed and to all Windows 8.1 editions in the evaluated configuration with the Internet Information Services feature installed. The other event logs referenced in this section are applicable to all Windows editions in the evaluated configuration.

In some cases event records in other event logs are useful. For example, the System event log and the Microsoft-Windows-CAPI2/Operational log record information related to initialization of the trusted channel for TLS, and the Application and Services Logs/Microsoft/Windows/IIS-Configuration/Operational log records IIS configuration changes. These event logs are managed using the wevtutil utility as described in the following TechNet topic:
- Wevtutil: http://technet.microsoft.com/en-us/library/cc732848.aspx
For example, the wevtutil utility can be used to accomplish the following administrator tasks:
- secure the log such that only administrators may access the event records, with the command wevtutil sl <logname> /ca:O:BAG:SYD:PARAI(A;;FA;;;BA)
- enable or disable the log, with the command wevtutil sl <logname> /e:<enabled>
- set the maximum log size, with the command wevtutil sl <logname> /ms:<size>
- set the retention policy such that when the maximum log size is reached new incoming events overwrite the oldest events in the log, with the command wevtutil sl <logname> /rt:false (with /rt:true, existing events are retained and incoming events are discarded once the log is full)
- clear the log, with the command wevt
util cl <logname>

The administrator can manage the System event log and the operational event logs such that they are enabled for access only by the administrator, with a retention policy to overwrite the oldest events with the newest events, and with sufficient size such that old events are not overwritten before the administrator periodically reviews these logs. When the administrator clears the System log, the Event Id 104 "Log clear" event is recorded and will be the first one overwritten when the System log fills. A Log clear event is not recorded for operational logs, so the administrator must keep a record of the oldest event in the given operational log in order to be notified when that operational log fills.

8 Cryptographic APIs
Cryptographic Support (FCS)

The Security Target [section cross-reference missing in the source] indicates the set of TSFI providing cryptographic support and MSDN references for their correct use. The following Cryptography Next Generation (CNG) reference provides a technical discussion of the CNG programming elements:
- CNG Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/aa376214(v=vs.85).aspx

The following Cryptography Functions reference provides a technical discussion of the CryptoAPI programming elements.
The section to look at on the page at the link below is the "Base Cryptography Functions" section:
- Cryptography Functions Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380252(v=vs.85).aspx#base_cryptography_functions