DOCSLIB.ORG

Certification Report Certificate Number: 2010/65

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Certification Report Certificate Number: 2010/65 Australasian Information Security Evaluation Program Certification Report Certificate Number: 2010/65 5 Feb 2010 Version 1.0 Commonwealth of Australia 2010. Reproduction is authorised provided that the report is copied in its entirety. 5 Feb 2010 Version 1.0 Page i Amendment Record Version Date Description 1.0 5/02/2010 Public release. 5 Feb 2010 Version 1.0 Page ii Executive Summary 1 Windows Mobile 6.5 is a compact operating system for use on Smartphones enabling users to extend their corporate Windows desktop to mobile devices in a secure manner. Windows Mobile 6.5 is the Target of Evaluation (TOE). 2 The core functionality of the TOE includes: a) Device data protection. The TOE provides the capability to protect data at rest and in transit. b) Device application control. The TOE provides the capability to only permit trusted applications to be installed and executed on the Mobile Device. c) Secure enterprise access. The TOE provides the capability to securely connect the TOE to trusted Enterprise assets and facilitate data transfer. d) Device access control. The TOE has inbuilt security mechanisms that can be enabled to provide controlled access to the Mobile Device. e) Device security management. The TOE has configurable security policies that establish which actions a user or application may take. 3 This report describes the findings of the IT security evaluation of Microsoft Corporation’s Windows Mobile 6.5, to the Common Criteria (CC) evaluation assurance level EAL4 + ALC_FLR.1. The report concludes that the product has met the target assurance level of EAL4 + ALC_FLR.1 and that the evaluation was conducted in accordance with the relevant criteria and the requirements of the Australasian Information Security Evaluation Program (AISEP). The evaluation was performed by stratsec and was completed on 22 December 2009. 4 The TOE forms the software part of a software and hardware ‘composed evaluation’ product. The TOE evaluation technical report (ETR) (Ref [1])33 provides composition guidance for an Original Equipment Manufacturer (OEM) to meet in developing a hardware component for a composed product. 5 The OEM is the primary customer of the operating system. Microsoft provides the OEM with security updates and they are expected to pass them on to the end users. 6 The TOE User for the composed product is the end user. The end user administrator should ensure that the TOE is used in a composed product evaluated to EAL4+. 7 With regard to the secure operation of the TOE, the Australasian Certification Authority (ACA) recommends that: a) The administrator ensures that no applications are installed which will allow the user to change the security areas of the registry. 5 Feb 2010 Version 1.0 Page iii b) The administrator reviews the certificates in the Software Publishing Certificate (SPC), privileged and unprivileged certificate stores and removes any certificates that are not required. This action prevents unwanted, signed applications from being installed on the TOE. Note: some certificates are required for the TOE to operate, and the administrator should verify that the TOE can function without the certificates that are removed during provisioning. c) The administrator ensures that users are aware of the importance of running the TOE in the evaluated configuration. In the event of a device wipe, the mobile device should be returned to the administrator for reconfiguration. d) The administrator advises users against using the device as a primary data store. This is because data on the device and storage card is encrypted, and the keys stored on the device are destroyed during a device wipe. e) The administrator sets the lockout time on a device to reflect the criticality of the data stored on a mobile device. The reduction in lockout time reduces the chances of an attacker gaining access to a device in an unlocked state. f) The administrator sets mobile device policy to encrypt all areas of the device that may contain user data. g) The administrator ensures that the SD card and local device encryption is enabled prior to users placing any files into internal stores or SD media. h) The administrator lock down all unrequired physical ports on mobile devices to reduce the risk of vulnerabilities in OEM hardware and firmware. i) The administrator considers disabling the use of the Bluetooth radio in order to prevent exploitation of publically published weaknesses in the Bluetooth key pairing process. 8 This report includes information about the underlying security policies and architecture of the TOE, and information regarding the conduct of the evaluation. 9 It is the responsibility of the user to ensure that the TOE meets their requirements. For this reason, Australian Government users should refer to the ISM (Ref 33[3]) for guidance on Australian Government policy requirements. New Zealand Government users should consult the GCSB. It is recommended that a prospective user of the TOE refer to the Security Target at Ref [2],33 and read this Certification Report prior to deciding whether to use the product. 5 Feb 2010 Version 1.0 Page iv Table of Contents CHAPTER00H 1 - INTRODUCTION ........................................................................................................137H37H37H 1.11H1H1H OVERVIEW ................................................................................................................................138H38H38H 1.22H2H2H PURPOSE....................................................................................................................................139H39H39H 1.33H3H3H IDENTIFICATION ........................................................................................................................140H40H40H CHAPTER4H4H4H 2 - TARGET OF EVALUATION.....................................................................................241H41H41H 2.15H5H5H OVERVIEW ................................................................................................................................242H42H42H 2.26H6H6H DESCRIPTION OF THE TOE ........................................................................................................243H43H43H 2.37H7H7H TOE ARCHITECTURE.................................................................................................................344H44H44H 2.48H8H8H CLARIFICATION OF SCOPE .........................................................................................................445H45H45H 2.4.19H9H9H Evaluated Functionality....................................................................................................446H46H46H 2.4.210H10H10H Non-evaluated Functionality ............................................................................................547H47H47H 2.4.311H11H11H TOE for Composition........................................................................................................648H48H48H 2.4.412H12H12H TOE User..........................................................................................................................649H49H49H 2.513H13H13H USAGE.......................................................................................................................................650H50H50H 2.5.114H14H14H Evaluated Configuration ..................................................................................................651H51H51H 2.5.215H15H15H Delivery procedures .........................................................................................................752H52H52H 2.5.316H16H16H Determining the Evaluated Configuration........................................................................953H53H53H 2.5.417H17H17H Documentation................................................................................................................1054H54H54H 2.5.518H18H18H Secure Usage ..................................................................................................................1055H55H55H CHAPTER19H19H19H 3 - EVALUATION ...........................................................................................................1156H56H56H 3.120H20H20H OVERVIEW ..............................................................................................................................1157H57H57H 3.221H21H21H EVALUATION PROCEDURES .....................................................................................................1158H58H58H 3.322H22H22H FUNCTIONAL TESTING.............................................................................................................1259H59H59H 3.423H23H23H PENETRATION TESTING ...........................................................................................................1260H60H60H CHAPTER24H24H24H 4 - CERTIFICATION......................................................................................................1261H61H61H 4.125H25H25H OVERVIEW ..............................................................................................................................1262H62H62H 4.226H26H26H CERTIFICATION RESULT ..........................................................................................................1363H63H63H 4.327H27H27H ASSURANCE LEVEL INFORMATION..........................................................................................1364H64H64H 4.428H28H28H RECOMMENDATIONS ...............................................................................................................1365H65H65H ANNEX29H29H29H A - REFERENCES AND ABBREVIATIONS....................................................................1566H66H66H
Load more

Recommended publications
  • ATTACKING RDP How to Eavesdrop on Poorly Secured RDP Connections
    IT SECURITY KNOW-HOW Adrian Vollmer ATTACKING RDP How to Eavesdrop on Poorly Secured RDP Connections March 2017 © SySS GmbH, March 2017 Wohlboldstraße 8, 72072 Tübingen, Germany +49 (0)7071 - 40 78 56-0 [email protected] www.syss.de Vollmer | Attacking RDP 1 Introduction The Remote Desktop Protocol (RDP) is used by system administrators everyday to log onto remote Windows machines. Perhaps most commonly, it is used to perform administrative tasks on critical servers such as the domain controller with highly privileged accounts, whose credentials are transmitted via RDP. It is thus vital to use a secure RDP configuration. We at SySS regularly observe that due to misconfigurations, system administrators in an Active Directory environment are routinely presented with (and ignore) certificate warnings like this: Figure 1: An SSL certificate warning If warnings like these are a common occurrence in your environment, you will not be able to recognize a real man-in-the-middle (MitM) attack. This article was written to raise awareness of how important it is to take certificate warnings seriously and how to securely configure your Windows landscape. The intended audience is system administrators, penetration testers and security enthusiasts. While not necessary, it is recommended that you have a firm understanding of the following subjects: – Public key cryptography as well as symmetric cryptography (RSA and RC4) – SSL – x509 certificates – TCP 2 Vollmer | Attacking RDP – Python – Hexadecimal numbers and binary code We will demonstrate how a MitM can sniff your credentials if you aren’t careful. None of this is particularly new – it even has been done before, for example by Cain [2].
    [Show full text]
  • The Future Computer the Future Computer
    Anyone MICROSOFT TECHNOLOGY who knows DEPLOYMENT ISSUE 6 OCTOBER 2003 this much TECHNOLOGY about our software .NET: CHANGING THE FACE OF DEVELOPING is probably SQL SERVER: WAITING FOR YUKON TERMINAL SERVICES: certifiable. AT YOUR FINGERTIPS The Affinity Homes Group chose Phoenix Software, a Microsoft Certified Partner, to migrate 250 users and their 20 servers to It takes a special company to be a Microsoft Gold Certified Open here Windows 2000, Microsoft Exchange 5.5 and Partner, one that’s demonstrated an exceptional level of You naturally want your IT service provider to have proven Microsoft Exchange 2000 Server. Richard Swift, specialist expertise in a particular Microsoft solution. And expertise across the full range of Microsoft products for the ultimate Head of Information Systems at Affinity you will reap the rewards for all their hard work, as you get commented: “We had been working with and solutions. Every Microsoft Certified Partner has met the assurance of the highest possible levels of service. Microsoft resource guide Phoenix for a number of years and they are a rigorous technical criteria set by Microsoft, so you can be THETHE FUTUREFUTURE Whatever challenges you’re facing, a Microsoft Gold Certified Microsoft Certified Partner, that gave us the confident that they can give you the high level of service Partner is perfectly qualified to make your IT systems for IT Professionals and added comfort of knowing that they had the you expect, together with trustworthy, independent advice. Developers right level of expertise that we were looking for”. workFor moreharder details, for you. visit Visit www.microsoft.com/uk/certified www.microsoft.com/uk/certified COMPUTERCOMPUTER PUSHINGPUSHING THETHE BOUNDARIESBOUNDARIES ATAT < ©Microsoft©Microsoft Corporation.
    [Show full text]
  • Download Deploying Windows 7, Essential Guidance
    FROM THE Windows® 7 Resource Kit Mitch Tulloch, Tony Northrup, Jerry Honeycutt, Ed Wilson, and the Windows 7 Team at Microsoft I Chapter 3 Deployment Platform .............................................. 85 I Chapter 4 Planning Deployment ............................................ 113 I Chapter 5 Testing Application Compatability ........................... 139 I Chapter 6 Developing Disk Images ......................................... 179 I Chapter 7 Migrating User State Data ...................................... 223 I Chapter 8 Deploying Applications .......................................... 247 I Chapter 9 Preparing Windows PE ........................................... 273 I Chapter 10 Confi guring Windows Deployment Services .............. 293 I Chapter 11 Using Volume Activation ........................................ 335 I Chapter 12 Deploying with Microsoft Deployment Toolkit ........... 355 DEPLOYING WINDOWS 7 83 Chapter 3 Deployment Platform n Tools Introduction 85 n Windows 7 Deployment Terminology 87 n Platform Components 89 n Deployment Scenarios 99 n Understanding Setup 101 n Basic Deployment Process 105 n Microsoft Deployment Toolkit Process 107 n Summary 110 n Additional Resources 111 uilding on technology that the Windows Vista operating system introduced, Windows 7 Bdeployment technology has evolved significantly since Windows XP Professional . For example, it supports file-based disk imaging to make high-volume deployments quicker, more efficient, and more cost effective . The Windows 7 operating system also provides
    [Show full text]
  • IT Academy Program Benefits
    IT Academy Program Benefits What Membership Offers IT Academy membership offers many valuable benefits. You can: • Increase your students’ employability with relevant technology courses that help them get jobs after graduation. • Offer educators and other staff members the opportunity to enhance their own professional development. • Gain access to resources that will help you save time and money. • Unlimited access to E-Learning portfolio courses focused on the Microsoft Office applications plus Windows desktop courses, Windows Server, Windows Client, SQL Server, Visual Studio, and many other Microsoft technologies. • The ability to administer content and manage your students’ progress with the online Instructor Learning Management System. • Essential computer skills training with Microsoft Digital Literacy. • One complimentary enrollment in the Microsoft Certified Trainer program for a qualified educator at your institution and a 25 percent discount on enrollments for any additional instructors. • A 60 percent discount on the Full E-Reference Library, which is a collection of E-Reference Libraries for Microsoft Press. • Academic pricing on Microsoft Official Academic Courses (MOAC). • Academic pricing on Microsoft Official Courseware (MOC). • Academic pricing on Microsoft Certification exams. • Up to 100 lab licenses for Windows 7, Microsoft Office Professional 2007, or Microsoft Office Professional Academic 2010. • Five complimentary annual subscriptions to the Full E-Reference Library from Microsoft Press and a 60 percent discount for additional subscriptions. • One complimentary subscription to Microsoft DreamSpark. • One complimentary, Not for Resale (NFR) version of Microsoft TechNet Subscription Professional. Lea • Educator resources such as downloadable and customizable lesson plans to help you save class preparation time, personalized course completion certificates, and a complementary tool that enables you to create your own online courses.
    [Show full text]
  • Tapani Havia
    Tapani Havia Microsoft Windows Server 2012 Centrally Managed Basic Services for Microsoft Windows 8 Clients Helsinki Metropolia University of Applied Sciences Bachelor of Engineering Information Technology Bachelor’s Thesis 14th May 2013 PREFACE This Bachelor’s Thesis is the outcome of my professional knowledge of the Microsoft Windows Server 2012 centrally managed basic services. I wish to thank my instructors Kari Järvi and Jonita Martelius for their invaluable help and support while writing the study. Last but not least I wish to thank my wife Mia Havia for her endless patience while writing the study. Espoo, May 14, 2013 Tapani Havia Abstract Author(s) Tapani Havia Title Microsoft Windows Server 2012 Number of Pages 153 pages + 10 appendices Date 14th May 2013 Degree Bachelor of Engineering Degree Program Information Technology Specialization option Data Networks Instructor(s) Kari Järvi, Principal Lecturer Microsoft published the latest operating system versions; Windows Server 2012 and Windows 8 last autumn. It was the correct time to create a test environment and test how basic services and their centralized remote management could be done nowadays. The purpose was to come up with as versatile an environment as possible which any person interested in the topic could do and continue to the desired direction. The initial plan was to create the test environment in one computer virtually. The environment was done with redundancy of basic services without Network Load Balancing or Failover Clustering features. Finally, the environment within the framework of the study included 11 virtual servers and three virtual workstations. For the host computer’s operating system was chosen the Windows Server 2012 Datacenter edition and the needed hypervisor software was chosen between Microsoft Hyper-V and VMware Workstation 9, the environment was done with VMware.
    [Show full text]
  • Configuring Microsoft Sharepoint Hybrid Capabilities
    Configuring Microsoft SharePoint Hybrid Capabilities Jeremy Taylor, Neil Hodgkinson, and Manas Biswas Forewords by Jeff Teper, Corporate Vice President, Microsoft OneDrive and SharePoint and Seshadri Mani, Principal Program Manager, Microsoft Offi ce 365 OneDrive and SharePoint PUBLISHED BY Microsoft Press A division of Microsoft Corporation One Microsoft Way Redmond, Washington 98052-6399 Copyright © 2016 by Microsoft Corporation All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher. ISBN: 978-1-5093-0243-7 Microsoft Press books are available through booksellers and distributors worldwide. If you need support related to this book, email Microsoft Press Support at [email protected]. Please tell us what you think of this book at http://aka.ms/tellpress. This book is provided “as-is” and expresses the author’s views and opinions. The views, opinions and information expressed in this book, including URL and other Internet website references, may change without notice. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. Microsoft and the trademarks listed at http://www.microsoft.com on the “Trademarks” webpage are trademarks of the Microsoft group of companies. All other marks are property of their respective owners. Acquisitions and Developmental Editor: Rosemary Caperton Editorial Production: Dianne Russell, Octal Publishing, Inc. Copyeditor: Bob Russell, Octal Publishing, Inc. Technical Reviewers: Jeremy Taylor, Neil Hodgkinson, and Manas Biswas; Technical Review services provided by Content Master, a member of CM Group, Ltd.
    [Show full text]
  • 8.2.03 Release Guide
    WebFOCUS Release Guide Release 8.2 Version 03 March 06, 2019 Active Technologies, EDA, EDA/SQL, FIDEL, FOCUS, Information Builders, the Information Builders logo, iWay, iWay Software, Parlay, PC/FOCUS, RStat, Table Talk, Web390, WebFOCUS, WebFOCUS Active Technologies, and WebFOCUS Magnify are registered trademarks, and DataMigrator and Hyperstage are trademarks of Information Builders, Inc. Adobe, the Adobe logo, Acrobat, Adobe Reader, Flash, Adobe Flash Builder, Flex, and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. Due to the nature of this material, this document refers to numerous hardware and software products by their trademarks. In most, if not all cases, these designations are claimed as trademarks or registered trademarks by their respective companies. It is not this publisher's intent to use any of these names generically. The reader is therefore cautioned to investigate all claimed trademark rights before using any of these names other than to refer to the product described. Copyright © 2018, by Information Builders, Inc. and iWay Software. All rights reserved. Patent Pending. This manual, or parts thereof, may not be reproduced in any form without the written permission of Information Builders, Inc. Contents 1. WebFOCUS Release Information ................................................5 Functionality ......................................................................... 5 Browser Information ...................................................................6
    [Show full text]
  • Deployment Guide | Microsoft Office 365 for Citrix Xenapp and Xendesktop 7.X
    Deployment Guide | Microsoft Office 365 for Citrix XenApp and XenDesktop 7.x Microsoft Office 365 for Citrix XenApp and XenDesktop 7.x Microsoft Office 365 ProPlus is a bundled These challenges are relevant for most software plus subscription-based offering organizations. focused on user productivity-based applications. Office 365 ProPlus includes a Historically, Microsoft Office is one of the combination of online-based applications most common applications delivered via that are accessed from anywhere via a web Citrix XenApp, due to its ability to provide browser, in addition to the latest traditional, the user with the latest version of Office with locally installed version of Microsoft Office. the best user experience for a wide range of Included with Office 365 ProPlus is an online use cases. With Office 365 ProPlus, the value email account that has 50 GB of mail storage of Citrix XenApp has not changed. To deliver and 1 TB of file storage per user licensed for Office 365 to users properly, we provide the OneDrive for Business. following recommendations to enable an optimized user experience while minimizing the potential impact to the underlying Office 365 is a great solution for any infrastructure. organization, but due to user, application and business requirements, there is often Outlook a requirement for a locally installed version of the Office applications in addition to the As part of an Office 365 implementation with online versions. Typically, organizations Citrix XenApp or XenDesktop, organizations require the locally installed versions for the can use Exchange Online instead of managing following reasons: and maintaining Exchange servers installed on-premises.
    [Show full text]
  • Microsoft Diagnostics and Recovery Toolset 7 Evaluation Guide
    Microsoft Diagnostics and Recovery Toolset 7 Evaluation Guide White Paper Descriptor This document provides administrators with information and steps-by-step technique for deploying Microsoft® Diagnostics and Recovery Toolset in an enterprise environment. Copyright © 2011 MICROSOFT CORPORATION Overview ................................................................................................................................................... 3 Intended Audience ............................................................................................................................... 3 Prerequisite Knowledge ....................................................................................................................... 3 Creating the DaRT 7 Recovery Image ..................................................................................................... 4 Install DaRT .......................................................................................................................................... 4 Install Debugging Tools for Windows ................................................................................................... 4 Run the DaRT Recovery Image Wizard ............................................................................................... 5 Deploying DaRT 7 Recovery Images ....................................................................................................... 8 Deployment Instructions ........................................................................................................................
    [Show full text]
  • Dell EMC SC Series Storage and Microsoft Multipath I/O
    Dell EMC SC Series Storage and Microsoft Multipath I/O Abstract This document provides an overview of Microsoft® Multipath I/O (MPIO) along with best practice guidelines for configuring MPIO on Microsoft Windows Server® with Dell EMC™ SC Series storage. July 2018 Dell EMC Best Practices Revisions Revisions Date Description October 2010 Initial release October 2010 Corrected errors November 2011 Additional content on Microsoft® Windows Server® Core October 2012 Updated to include Windows Server 2012 content May 2013 Updated to include Windows Server 2008 R2/2012 iSCSI initiator setup and appendix listing recommended hotfixes and registry values October 2013 Updated to include Windows Server 2012 R2 content January 2014 Updated hotfix information January 2015 Updated configuration recommendations March 2015 Updated hotfix and configuration recommendations April 2015 Added SAS front-end content February 2016 Removed Windows Server 2003 content and updated hotfix recommendations October 2016 Re-ordered document for clarity, added Windows Server 2016 and Nano Server content, and updated hotfix recommendations January 2017 Updated configuration recommendations June 2017 Updated hotfix info and configuration recommendations January 2018 Re-ordered document for clarity, updated hotfix and configuration recommendations, updated guidance on Nano Server July 2018 Updated configuration recommendations; added guidance on Live Volume ALUA support with SCOS 7.3 Acknowledgements Author: Marty Glaser The information in this publication is provided “as is.” Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any software described in this publication requires an applicable software license.
    [Show full text]
  • Good Practice Guide on Vulnerability Disclosure from Challenges to Recommendations
    Good Practice Guide on Vulnerability Disclosure From challenges to recommendations NOVEMBER 2015 www.enisa.europa.eu European Union Agency For Network And Information Security Good Practice Guide on Vulnerability Disclosure Creation date: November 15 About ENISA The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the European Union (EU), its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Authors This document was created by the CERT Capability team at ENISA in consultation with RAND Europe Project officer Cosmin Ciobanu Contact To contact the authors please use [email protected] For media enquiries about this report, please use [email protected]. Acknowledgements The project team wishes to thank all the interviewees, and those who provided written input for the project, for their time and invaluable insights. Their contribution to this project has been essential. 02 Good Practice Guide on Vulnerability Disclosure Creation date: November 15 Legal notice Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise.
    [Show full text]
  • Dell EMC SC Series: Microsoft Windows Server Best Practices
    Best Practices Dell EMC SC Series: Microsoft Windows Server Best Practices Abstract This document provides best practices for configuring Microsoft® Windows Server® to perform optimally with Dell EMC™ SC Series storage. June 2019 680-042-007 Revisions Revisions Date Description October 2016 Initial release for Windows Server 2016 November 2016 Update to include BitLocker content February 2017 Update MPIO best practices November 2017 Update guidance on support for Nano Server with Windows Server 2016 June 2019 Update for Windows Server 2019 and SCOS 7.4; template update Acknowledgements Author: Marty Glaser The information in this publication is provided “as is.” Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any software described in this publication requires an applicable software license. Copyright © 2016–2019 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners. [5/29/2019] [Best Practices] [680-042-007] 2 Dell EMC SC Series: Microsoft Windows Server Best Practices | 680-042-007 Table of contents Table of contents Revisions............................................................................................................................................................................
    [Show full text]