National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report for Microsoft Windows 10 Mobile and Microsoft Windows 10 Report Number: CCEVS-VR-10694-2016 Dated: May 12, 2016 Version: 1.0 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6940 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6940 ® TM VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices ii ACKNOWLEDGEMENTS Validation Team Sheldon Durrant Ken Elliot Stelios Melachrinoudis Common Criteria Testing Laboratory Leidos, Inc. Columbia, MD VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices iii Table of Contents 1 Executive Summary...................................................................................................................1 2 Identification..............................................................................................................................3 2.1 Threats...............................................................................................................................3 2.2 Organizational Security Policies.......................................................................................4 3 Architectural Information ..........................................................................................................5 4 Assumptions...............................................................................................................................8 4.1 Clarification of Scope .......................................................................................................8 5 Security Policy.........................................................................................................................10 5.1 Security Audit.................................................................Error! Bookmark not defined. 5.2 Cryptographic Support....................................................................................................10 5.3 User Data Protection.......................................................................................................10 5.4 Identification and Authentication ...................................................................................10 5.5 Security Management .....................................................................................................10 5.6 Protection of the TSF......................................................................................................10 5.7 Session Locking..............................................................Error! Bookmark not defined. 5.8 Trusted Path/Channels ....................................................................................................11 6 Documentation.........................................................................................................................12 7 Independent Testing.................................................................................................................13 8 Evaluated Configuration ..........................................................................................................14 9 Results of the Evaluation .........................................................................................................15 10 Validator Comments/Recommendations .................................................................................16 11 Annexes....................................................................................................................................17 12 Security Target.........................................................................................................................18 13 Abbreviations and Acronyms ..................................................................................................19 14 Bibliography ............................................................................................................................23 VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 1 List of Tables Table 1: Evaluation Details............................................................................................................. 2 Table 2: ST and TOE Identification................................................................................................ 3 Table 3: TOE Security Assurance Requirements ......................................................................... 15 VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 1 1 Executive Summary This report is intended to assist the end-user of this product and any security certification agent for that end-user to determine the suitability of this Information Technology (IT) product in their environment. End-users should review the Security Target (ST), which is where specific security claims are made, as well as this Validation Report (VR), which describes how those security claims were evaluated, tested, and any restrictions that may be imposed upon the evaluated configuration, to help in that determination. Prospective users should carefully read the Assumptions and Clarification of Scope in Section 4 and the Validator Comments in Section 10, where any restrictions on the evaluated configuration are highlighted. This report documents the National Information Assurance Partnership (NIAP) assessment of the evaluation of Microsoft Windows 10 Mobile and Windows 10 with Microsoft Lumia 950, Microsoft Lumia 950 XL, Microsoft Lumia 550, Microsoft Lumia 635, and Microsoft Surface Pro 4. It presents the evaluation results, their justifications, and the conformance results. This VR is not an endorsement of the Target of Evaluation (TOE) by any agency of the U.S. Government and no warranty of the TOE is either expressed or implied. This VR applies only to the specific version and configuration of the product as evaluated and as documented in the ST. The evaluation of Microsoft Windows 10 Mobile and Windows 10 with Microsoft Lumia 950, Microsoft Lumia 950 XL, Microsoft Lumia 550, Microsoft Lumia 635, and Microsoft Surface Pro 4 was performed by Leidos Common Criteria Testing Laboratory (CCTL) in Columbia, Maryland, in the United States and was completed in February 2016. The evaluation was conducted in accordance with the requirements of the Common Criteria and Common Methodology for IT Security Evaluation (CEM), version 3.1, revision 4 and the assurance activities specified in the Protection Profile for Mobility Device Fundamentals, version 2.0. The evaluation was consistent with NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) policies and practices as described on their web site (www.niap-ccevs.org). The Leidos evaluation team determined that Microsoft Windows 10 Mobile and Windows 10 with Microsoft Lumia 950, Microsoft Lumia 950 XL, Microsoft Lumia 550, Microsoft Lumia 635, and Microsoft Surface Pro 4 is conformant to the claimed Protection Profile (PP) and, when installed, configured and operated as specified in the evaluated guidance documentation, satisfied all of the security functional requirements stated in the ST. The information in this VR is largely derived from the publically available Assurance Activities Report (AAR) and the associated proprietary test report produced by the Leidos evaluation team. The TOE is a hardware and software solution that consists of Microsoft Windows 10 Operating System editions running on the following devices:  Microsoft Lumia 950, Windows 10 Mobile  Microsoft Lumia 950 XL, Windows 10 Mobile  Microsoft Lumia 550, Windows 10 Mobile  Microsoft Lumia 635, Windows 10 Mobile  Microsoft Surface Pro 4, Windows 10 Pro and Enterprise, 64-bit The validation team monitored the activities of the evaluation team, examined evaluation evidence, provided guidance on technical issues and evaluation processes, and reviewed the evaluation results produced by the evaluation team. The validation team found that the evaluation results showed that all assurance activities specified in the claimed PP had been completed successfully and that the product satisfied all of the security functional and assurance requirements as stated in the ST. Therefore the validation team concludes that the testing laboratory’s findings are accurate, the conclusions justified, and the conformance results are correct. The conclusions of the testing laboratory in the evaluation technical report are consistent with the evidence produced. VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 2 Table 1: Evaluation Details Item Identifier Evaluated Product Microsoft Windows 10 Mobile and Windows 10 Sponsor & Developer Michael Grimm Microsoft Corporation CCTL Leidos Common Criteria Testing Laboratory 6841 Benjamin Franklin Drive Columbia, MD 21046 Completion Date May 2016 CC Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, September 2012 Interpretations There were no applicable interpretations used for this evaluation. CEM Common Methodology for Information Technology Security Evaluation: Version 3.1, Revision 4, September 2012 PP Protection Profile for Mobility Device Fundamentals, Version 2.0 Evaluation Class None Disclaimer The information contained in this Validation Report is not an endorsement of the Microsoft Windows 10 mobile devices by any agency of the U.S. Government and no warranty of Microsoft Windows 10 mobile devices is either expressed or implied. Evaluation Personnel Gregory Beaver Dawn Campbell Gary Grainger Robert Russ Amit Sharma Kevin Steiner Validation Personnel Sheldon Durrant, Lead Validator Ken Elliot, Senior Validator Stelios Melachrinoudis, Lead Validator VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 3 2 Identification The CCEVS is a joint National Security Agency (NSA) and National Institute of Standards and Technology (NIST) effort to establish commercial facilities to perform trusted product evaluations. Under this program, security evaluations are conducted by commercial testing laboratories called Common Criteria Testing Laboratories (CCTLs) in accordance with National Voluntary Laboratory Assessment Program (NVLAP) accreditation. The NIAP Validation Body assigns validators to monitor the CCTLs to ensure quality and consistency across evaluations. Developers of information technology products desiring a security evaluation contract with a CCTL and pay a fee for their product’s evaluation. Upon successful completion of the evaluation, the product is added to NIAP’s Product Compliant List (PCL). The following table identifies the evaluated Security Target and TOE. Table 2: ST and TOE Identification Name Description ST Title Microsoft Windows 10 and Microsoft Windows 10 Mobile Security Target ST Version 1.0 Publication Date May 2016 Vendor and ST Author Microsoft TOE Reference Microsoft Windows 10 and Microsoft Windows 10 Mobile TOE Hardware Models Microsoft Lumia 950, Windows 10 Mobile Microsoft Lumia 950 XL, Windows 10 Mobile Microsoft Lumia 550, Windows 10 Mobile Microsoft Lumia 635, Windows 10 Mobile Microsoft Surface Pro 4, Windows 10 Pro and Enterprise, 64-bit TOE Software Version Microsoft Windows 10 Mobile Edition Microsoft Windows 10 Pro Edition (64-bit version) Microsoft Windows 10 Enterprise Edition (64-bit version) Keywords Mobility Device 2.1 Threats The ST identifies the following threats that the TOE and its operational environment are intended to counter:  An attacker is positioned on a wireless communications channel or elsewhere on the network infrastructure. Attackers may monitor and gain access to data exchanged between the Mobile Device and other endpoints.  An attacker is positioned on a wireless communications channel or elsewhere on the network infrastructure. Attackers may initiate communications with the Mobile Device or alter communications between the Mobile Device and other endpoints in order to compromise the Mobile Device. These attacks include malicious software update of any applications or system software on the device. These attacks also include malicious web pages or email attachments which are usually delivered to devices over the network. VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 4  The loss or theft of the Mobile Device may give rise to loss of confidentiality of user data including credentials. These physical access threats may involve attacks which attempt to access the device through external hardware ports, through its user interface, and also through direct and possibly destructive access to its storage media. The goal of such attacks is to access data from a lost or stolen device which is not expected to return to its user.  Applications loaded onto the Mobile Device may include malicious or exploitable code. This code could be included intentionally by its developer or unknowingly by the developer, perhaps as part of a software library. Malicious apps may attempt to exfiltrate data to which they have access. They may also conduct attacks against the platform‘s system software which will provide them with additional privileges and the ability to conduct further malicious activities. Malicious applications may be able to control the device's sensors (GPS, camera, microphone) to gather intelligence about the user's surroundings even when those activities do not involve data resident or transmitted from the device. Flawed applications may give an attacker access to perform network-based or physical attacks that otherwise would have been prevented.  Persistent access to a device by an attacker implies that the device has lost integrity and cannot regain it. The device has likely lost this integrity due to some other threat vector, yet the continued access by an attacker constitutes an on-going threat in itself. In this case the device and its data may be controlled by an adversary at least as well as by its legitimate owner. 2.2 Organizational Security Policies There are no Organizational Security Policies for the Mobile Device protection profile. VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 5 3 Architectural Information The TOE is a hardware and software solution that consists of Microsoft Windows 10 Operating System editions running on the following devices:  Microsoft Lumia 950, Windows 10 Mobile, Qualcomm Snapdragon 808, GSM, WCDMA, LTE, Qualcomm WCN3620, IEEE 801.11 Wi-Fi a/b/g/n adapter, Qualcomm TPM 2.0, Bluetooth 4.1  Microsoft Lumia 950 XL, Windows 10 Mobile, Qualcomm Snapdragon 810, GSM, WCDMA, LTE, Qualcomm WCN3620, IEEE 801.11 Wi-Fi a/b/g/n adapter, Qualcomm TPM 2.0, Bluetooth 4.1  Microsoft Lumia 550, Windows 10 Mobile, Qualcomm Snapdragon 210, GSM, WCDMA, LTE, Qualcomm WCN3620, IEEE 801.11 Wi-Fi b/g/n adapter, Qualcomm TPM 2.0  Microsoft Lumia 635, Windows 10 Mobile, Qualcomm Snapdragon 400, GSM, WCDMA, LTE, Qualcomm WCN3620, IEEE 801.11 Wi-Fi b/g/n adapter, Qualcomm TPM 2.0  Microsoft Surface Pro 4, Windows 10 Pro and Enterprise, 64-bit, Intel Core i7 , Marvell 8897, IEEE 801.11 Wi-Fi b/g/n adapter, Intel TPM 2.0, Bluetooth 4.1 The Microsoft Windows 10 Mobile and Microsoft Windows 10 editions are preemptive multitasking, multiprocessor, and multi-user operating systems. In general, operating systems provide users with a convenient interface to manage underlying hardware. They control the allocation and manage computing resources such as processors, memory, and Input/Output (I/O) devices. Microsoft Windows 10 Mobile and Microsoft Windows 10 also referred to as “Windows”, expands these basic operating system capabilities to controlling the allocation and managing higher level IT resources such as security principals (user or machine accounts), files, printing objects, services, window station, desktops, cryptographic keys, network ports traffic, directory objects, and web content. Multi-user operating systems such as Windows keep track of which user is using which resource, grant resource requests, account for resource usage, and mediate conflicting requests from different programs and users. The TOE includes the following variants of Windows:  Microsoft Windows 10 Mobile Edition  Microsoft Windows 10 Pro Edition (64-bit version)  Microsoft Windows 10 Enterprise Edition (64-bit version) The TOE includes both physical and logical boundaries. Its operational environment is that of a networked environment with IEEE 802.11 (Wi-Fi), mobile broadband networks (3G/4G and LTE), and Bluetooth networks. VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 6 The Security Functional Requirements were evaluated with respect to the TOE configurations listed above; however, there are a few variations in requirement specifics and applicability between the Windows 10 Mobile Edition-based TOEs (Mobile Edition) and the Windows 10 Pro and Enterprise Edition-based TOEs (Client Edition). These differences are summarized in the following table: SFR Mobile Edition Client Edition Notes FCS_CKM_EXT.2.1 DEKs are generated as 128-bit AES Keys DEKs are generated as 256-bit AES Keys For the Client Edition, while the TOE can generate either 128-bit or 256-bit keys, the administrative guidance restricts the generated key to 256 bits. FCS_COP.1(PBKD*) The iteration count is 3,300 because of slower processor speeds on the Mobile ARM hardware. The iteration count is 8,000. This SFR is FCS_COP.1(5) in the MDFPP. FCS_STG_EXT.1.4, FCS_STG_EXT.1.5 Exceptions to restricting the use or destruction of imported keys/secrets may only be authorized by a common application developer. Exceptions to restricting the use or destruction of imported keys/secrets may only be authorized by the user or an administrator. FCS_TLSC_EXT.1 Supports 3 optional ciphersuites (see SFR for specifics). Supports 9 optional ciphersuites (see SFR for specifics). FDP_DAR_EXT.1 Uses 128-bit AES for data-at-rest protection. Uses 256-bit AES for data-at-rest protection The Client Edition can use 128-bit or 256-bit keys, but this is administratively restricted to 256-bit keys. FMT_SMF_EXT.2 Will offer to wipe protected data when being unenrolled, in addition to alerting the administrator and removing Enterprise applications. Only alerts the administrator and removes Enterprise applications upon unenrollment. FPT_BBD_EXT.1.1 Was not examined for this feature. Prevents code executing on a baseband processor from accessing application VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 7 processor resources without mediation. VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 8 4 Assumptions The ST identifies the following assumptions about the use of the product:  It is assumed that the TOE‘s security functions are configured correctly in a manner to ensure that the TOE security policies will be enforced on all applicable network traffic flowing among the attached networks.  It is assumed that the mobile user will immediately notify the administrator if the Mobile Device is lost or stolen.  It is assumed that the mobile user exercises precautions to reduce the risk of loss or theft of the Mobile Device. 4.1 Clarification of Scope All evaluations (and all products) have limitations, as well as potential misconceptions that need clarification. This text covers some of the more important limitations and clarifications of this evaluation. Note that: 1. As with any evaluation, this evaluation only shows that the evaluated configuration meets the security claims made, with a certain level of assurance (the assurance activities specified in the claimed PPs and performed by the evaluation team). 2. This evaluation covers only the specific device models, operating system editions, and software versions identified in this document, and not any earlier or later versions released or in process. For example, functionality that is offered in Windows 10 Home edition was not evaluated. 3. The evaluation of security functionality of the product was limited to the functionality specified in the claimed PPs. Any additional security related functional capabilities of the product were not covered by this evaluation. Any additional non-security related functional capabilities of the product, even those described in the ST, were not covered by this evaluation. 4. Accordingly, the functionality offered by applications outside the Windows Store was not tested. The MDFPP has requirements it places on TOE system services that applications can leverage and this evaluation used only apps from the Windows Store to comply with those requirements. In particular, users and administrators should install applications from the Windows Store or via an MDM; otherwise the device will be outside the evaluated configuration. 5. At the time of this evaluation, the native IPsec functionality provided by Windows 10 had not been evaluated against the VPN Client Protection Profile. This evaluation makes no statements about the future success or failure of such an evaluation. The native IPsec client is included in the TOE as distributed and is used to meet IPsec requirements mandated by the MDFPP, but the TOE has not been evaluated as a VPN Client. Sponsors and customers needing an evaluated VPN Client should look for a separate evaluation of that functionality. 6. Device manufacturers, OS developers, and mobile carriers provide many applications that provide capabilities outside of what is required in the MDF PP. AVA_VAN.1 in Section 6.6 of MDFPP V2.0 limits the scope of vulnerability search activities. Hence, identifying and inspecting data collected and transmitted by applications is beyond the scope of MDFPP V2.0. 7. This evaluation did not specifically search for, nor attempt to exploit, vulnerabilities that were not “obvious” or vulnerabilities to objectives not claimed in the ST. The CEM defines an “obvious” VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 9 vulnerability as one that is easily exploited with a minimum of understanding of the TOE, technical sophistication and resources. VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 10 5 Security Policy The TOE enforces the following security policies as described in the ST. 5.1 Cryptographic Support Windows provides CAVP validated cryptographic functions that support encryption/decryption, cryptographic signatures, cryptographic hashing, cryptographic key agreement (which is not studied in this evaluation), and random number generation. The TOE additionally provides support for public keys, credential management and certificate validation functions and provides support for the National Security Agency’s Suite B cryptographic algorithms. Windows also provides a key isolation service designed to limit the potential exposure of secret and private keys. In addition to using cryptography for its own security functions, Windows offers access to the cryptographic support functions for user-mode and kernel-mode programs. Public key certificates generated and used by Windows to authenticate users and machines as well as protect both user and system data in transit.  Software-based disk encryption: Windows implements BitLocker to provide encrypted data storage for fixed and removable volumes and protects the disk volume’s encryption key with one or more intermediate keys and authorization factor  IPsec: Windows implements IPsec to provide protected, authenticated, confidential, and tamper- proof networking between two peer computers. 5.2 User Data Protection In the context of this evaluation Windows protects user data at rest and provides secure storage of X.509v3 certificates. 5.3 Identification and Authentication In the context of this evaluation, Windows provides the ability to use, store, and protect X.509 certificates that are used for TLS and authenticates the user to their mobile device. 5.4 Security Management Windows includes several functions to manage security policies. Policy management is controlled through a combination of access control, membership in administrator groups, and privileges. 5.5 Protection of the TSF Windows provides a number of features to ensure the protection of TOE security functions. For applications and processes within the scope of this evaluation, Windows protects against unauthorized data disclosure and modification by using a suite of Internet standards. Windows ensures process isolation security for all processes through private virtual address spaces, execution context, and security context. The Windows data structures defining process address space, execution context, memory protection, and security context are stored in protected kernel-mode memory. Windows includes self- testing features that ensure the integrity of executable program images and its cryptographic functions. Finally, Windows provides a trusted update mechanism to update Windows binaries itself. Like TSF processes, user processes also are provided a private address space and process context, and therefore are protected from each other. Additionally, the TSF has the ability to protect memory pages using Data Execution Prevention (DEP) which marks memory pages in a process as non-executable VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 11 unless the location explicitly contains executable code. When the processor is asked to execute instructions from a page marked as data, the processor will raise an exception for the OS to handle. The Windows kernel, user-mode applications, and all Windows Store Applications implement Address Space Layout Randomization (ASLR) in order to load executable code at unpredictable base addresses. The base address is generated using a pseudo-random number generator that is seeded by high quality entropy sources when available which provides at least 8 random bits for memory mapping. 5.6 TOE Access Windows provides the ability for a user to lock their session either immediately or after a defined interval. Windows constantly monitors the mouse, keyboard, and touch display for activity and locks the computer after a set period of inactivity. Windows allows an authorized administrator to configure the system to display a logon banner before the logon dialog. 5.7 Trusted Path/Channels Windows uses a suite of protocols to provide a Virtual Private Network Connection (VPN) between itself, acting as a VPN client, and a VPN gateway in addition to providing protected communications for HTTPS and TLS. VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 12 6 Documentation Microsoft offers a number of guidance documents along with a CC-specific supplemental document describing the installation process for the TOE as well as guidance for subsequent use and administration of the applicable security features. The guidance documentation examined during the course of the evaluation and delivered with the TOE is as follows:  Microsoft Windows Common Criteria Evaluation Microsoft Windows 10 Mobile and Microsoft Windows 10 Common Criteria Supplemental Admin Guidance, Version 1.0, February 18 2016. The above document is considered to be part of the evaluated TOE. Any additional customer documentation delivered with the TOE or made available through electronic downloads should not be relied upon for using the TOE in its evaluated configuration. The Security Target used is:  Microsoft Windows 10 and Microsoft Windows 10 Mobile Security Target, Version 1.0, May 11, 2016. VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 13 7 Independent Testing This section describes the testing efforts of the evaluation team. It is derived from information contained in the following proprietary documents:  Windows 10 Mobile Common Criteria Test Report and Procedures for Mobility Device Fundamentals PP, Version 1.1, April 7, 2016 A non-proprietary version of the tests performed and samples of the evidence that was generated is summarized in the following document:  Microsoft Windows 10 Mobile and Microsoft Windows 10 with Lumia 950, Lumia 950 XL, Lumia 550, Lumia 635, and Surface Pro 4 Common Criteria Assurance Activities Report, Version 1.0, May 11, 2016 The purpose of the testing activity was to confirm the TOE behaves in accordance with the TOE security functional requirements as specified in the ST for a product claiming conformance to PP MDF v2.0. The evaluation team devised a Test Plan based on the Testing Assurance Activities specified in PP MDF. The Test Plan described how each test activity was to be instantiated within the TOE test environment. The evaluation team executed the tests specified in the Test Plan and documented the results in the team test report listed above. Independent testing took place primarily at the Leidos CCTL location in Columbia, Maryland. The evaluation team performed limited testing at Microsoft facilities in Redmond, Washington. The evaluators received the TOE in the form that normal customers would receive it, installed and configured the TOE in accordance with the provided guidance, and exercised the Team Test Plan on equipment configured in the testing laboratory. Given the complete set of test results from the test procedures exercised by the evaluators, the testing requirements for PP MDF v2.0 were fulfilled. VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 14 8 Evaluated Configuration The evaluated version of the TOE consists of the following software and hardware device combinations. TOE Software Identification: The following Windows Operating System editions are included in the evaluation:  Microsoft Windows 10 Mobile on Microsoft Lumia 950  Microsoft Windows 10 Mobile on Microsoft Lumia 950 XL  Microsoft Windows 10 Mobile on Microsoft Lumia 550  Microsoft Windows 10 Mobile on Microsoft Lumia 635  Microsoft Windows 10 Pro, 64-bit on Microsoft Surface Pro 4  Microsoft Windows 10 Enterprise, 64-bit on Microsoft Surface Pro 4 The following security updates must be applied to the above Windows 10 products:  All critical updates as of October 31, 2015 TOE Hardware Identification: The following hardware devices and components are included in the evaluation:  Lumia 950, Windows 10 Mobile, Qualcomm Snapdragon 808, GSM, WCDMA, LTE, Qualcomm WCN3620, IEEE 801.11 Wi-Fi a/b/g/n adapter, Qualcomm TPM 2.0, Bluetooth 4.1  Lumia 950 XL, Windows 10 Mobile, Qualcomm Snapdragon 810, GSM, WCDMA, LTE, Qualcomm WCN3620, IEEE 801.11 Wi-Fi a/b/g/n adapter, Qualcomm TPM 2.0, Bluetooth 4.1  Lumia 550, Windows 10 Mobile, Qualcomm Snapdragon 210, GSM, WCDMA, LTE, Qualcomm WCN3620, IEEE 801.11 Wi-Fi b/g/n adapter, Qualcomm TPM 2.0  Microsoft Lumia 635, Windows 10 Mobile, Qualcomm Snapdragon 400, GSM, WCDMA, LTE, Qualcomm WCN3620, IEEE 801.11 Wi-Fi b/g/n adapter, Qualcomm TPM 2.0  Surface Pro 4, Windows 10 Enterprise, 64-bit, Intel Core i7, Marvell 8897, IEEE 801.11 Wi-Fi b/g/n adapter, Intel TPM 2.0, Bluetooth 4.0 The TOE must be deployed as described in Section 4 Assumptions of this document and be configured in accordance with the Microsoft Windows 10 Mobile and Microsoft Windows 10 Common Criteria Supplemental Admin Guidance, Version 1.0, May 11, 2016. Per Policy Letter #22, user installation of vendor-delivered bug fixes and security patches is encouraged between completion of the evaluation and the Assurance Maintenance Date; with such updates properly installed, the product is still considered by NIAP to be in its evaluated configuration. VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 15 9 Results of the Evaluation The evaluation was conducted based upon the assurance activities specified in Protection Profile for Mobility Device Fundamentals Version 2.0, in conjunction with version 3.1, revision 4 of the CC and the CEM. A verdict for an assurance component is determined by the resulting verdicts assigned to the corresponding evaluator action elements. The validation team’s assessment of the evidence provided by the evaluation team is that it demonstrates that the evaluation team performed the assurance activities in the claimed PPs, and correctly verified that the product meets the claims in the ST. The details of the evaluation are recorded in the Evaluation Technical Report (ETR), which is controlled by the Leidos CCTL. The security assurance requirements are listed in the following table. Table 3: TOE Security Assurance Requirements Assurance Component ID Assurance Component Name ASE_CCL.1 Conformance claims ASE_ECD.1 Extended components definition ASE_INT.1 ST introduction ASE_OBJ.1 Security objectives for the operational environment ASE_REQ.1 Stated security requirements ASE_SPD.1 Security Problem Definition ASE_TSS.1 TOE summary specification ADV_FSP.1 Basic functional specification AGD_OPE.1 Operational user guidance AGD_PRE.1 Preparative procedures ALC_CMC.1 Labeling of the TOE ALC_CMS.1 TOE CM coverage ALC_TSU_EXT.1 Timely Security Updates ATE_IND.1 Independent testing – conformance AVA_VAN.1 Vulnerability survey VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 16 10 Validator Comments/Recommendations The functionality evaluated is scoped exclusively to the security functional requirements specified in the Security Target, and only the functionality implemented by the SFR’s within the Security Target was evaluated. All other functionality provided by Microsoft Windows 10 Mobile and Windows 10 with Microsoft Lumia 950, Microsoft Lumia 950 XL, Microsoft Lumia 550, Microsoft Lumia 635, and Microsoft Surface Pro 4, to include software that was not part of the evaluated configuration, needs to be assessed separately and no further conclusions can be drawn about their effectiveness. For Windows 10 on Surface Pro 4, evaluators discovered that Windows displays the following warning when the user is about to surpass the policy for failed authentication attempts: “If you keep entering the wrong password, you’ll be locked out to help protect your data. To unlock, you’ll need a BitLocker recovery key.” It is important for users, customers, and sponsors to understand that until an update is issued to modify this warning to one that better reflects the evaluated configuration, the warning must be disregarded as of the completion of this evaluation. There is no BitLocker recovery key created, utilized, or transmitted anywhere when Windows 10 is in its evaluated configuration, including as a recovery mechanism. Consequently, when the maximum number of unsuccessful authentication attempts has been surpassed, the user is not “locked out” but instead the user and organizational data on the device is wiped. When attempting to install a black-listed application from the Windows Store, the installation may initially appear to proceed, leading a user to believe that the black-list policy is not in effect. Evaluation testing has demonstrated that the installation will not complete; rather it will instead fail with an error code of 0x80073CF9, which generally indicates that an app is not available. VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 17 11 Annexes Not applicable. VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 18 12 Security Target Name Description ST Title Microsoft Windows 10 and Microsoft Windows 10 Mobile Security Target ST Version 1.0 Publication Date May 11, 2016 VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 19 13 Abbreviations and Acronyms ACE Access Control Entry ACL Access Control List ACP Access Control Policy AD Active Directory ADAM Active Directory Application Mode AES Advanced Encryption Standard AGD Administrator Guidance Document AH Authentication Header ALPC Advanced Local Process Communication ANSI American National Standards Institute API Application Programming Interface APIC Advanced Programmable Interrupt Controller BTG BitLocker To Go CA Certificate Authority CBAC Claims Basic Access Control, see DYN CBC Cipher Block Chaining CC Common Criteria CD-ROM Compact Disk Read Only Memory CIFS Common Internet File System CIMCPP Certificate Issuing and Management Components For Basic Robustness Environments Protection Profile, Version 1.0, April 27, 2009 CM Configuration Management; Control Management COM Component Object Model CP Content Provider CPU Central Processing Unit CRL Certificate Revocation List CryptoAPI Cryptographic API CSP Cryptographic Service Provider DAC Discretionary Access Control DACL Discretionary Access Control List DC Domain Controller DEP Data Execution Prevention DES Data Encryption Standard DH Diffie-Hellman DHCP Dynamic Host Configuration Protocol DFS Distributed File System DMA Direct Memory Access DNS Domain Name System DS Directory Service DSA Digital Signature Algorithm DYN Dynamic Access Control EAL Evaluation Assurance Level ECB Electronic Code Book EFS Encrypting File System ESP Encapsulating Security Protocol VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 20 FEK File Encryption Key FIPS Federal Information Processing Standard FRS File Replication Service FSMO Flexible Single Master Operation FTP File Transfer Protocol FVE Full Volume Encryption GB Gigabyte GC Global Catalog GHz Gigahertz GPC Group Policy Container GPO Group Policy Object GPOSPP US Government Protection Profile for General-Purpose Operating System in a Networked Environment GPT Group Policy Template GPT GUID Partition Table GUI Graphical User Interface GUID Globally Unique Identifiers HTTP Hypertext Transfer Protocol HTTPS Secure HTTP I/O Input / Output I&A Identification and Authentication IA Information Assurance ICF Internet Connection Firewall ICMP Internet Control Message Protocol ICS Internet Connection Sharing ID Identification IDE Integrated Drive Electronics IETF Internet Engineering Task Force IFS Installable File System IIS Internet Information Services IKE Internet Key Exchange IP Internet Protocol IPv4 IP Version 4 IPv6 IP Version 6 IPC Inter-process Communication IPI Inter-process Interrupt IPsec IP Security ISAPI Internet Server API IT Information Technology KDC Key Distribution Center LAN Local Area Network LDAP Lightweight Directory Access Protocol LPC Local Procedure Call LSA Local Security Authority LSASS LSA Subsystem Service LUA Least-privilege User Account MAC Message Authentication Code MB Megabyte MMC Microsoft Management Console VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 21 MSR Model Specific Register NAC (Cisco) Network Admission Control NAP Network Access Protection NAT Network Address Translation NIC Network Interface Card NIST National Institute of Standards and Technology NLB Network Load Balancing NMI Non-maskable Interrupt NTFS New Technology File System NTLM New Technology LAN Manager OS Operating System PAE Physical Address Extension PC/SC Personal Computer/Smart Card PIN Personal Identification Number PKCS Public Key Certificate Standard PKI Public Key Infrastructure PP Protection Profile RADIUS Remote Authentication Dial In Service RAID Redundant Array of Independent Disks RAM Random Access Memory RAS Remote Access Service RC4 Rivest’s Cipher 4 RID Relative Identifier RNG Random Number Generator RPC Remote Procedure Call RSA Rivest, Shamir and Adleman RSASSA RSA Signature Scheme with Appendix SA Security Association SACL System Access Control List SAM Security Assurance Measure SAML Security Assertion Markup Language SAR Security Assurance Requirement SAS Secure Attention Sequence SD Security Descriptor SHA Secure Hash Algorithm SID Security Identifier SIP Session Initiation Protocol SIPI Startup IPI SF Security Functions SFP Security Functional Policy SFR Security Functional Requirement SMB Server Message Block SMI System Management Interrupt SMTP Simple Mail Transport Protocol SP Service Pack SPI Security Parameters Index SPI Stateful Packet Inspection SRM Security Reference Monitor SSL Secure Sockets Layer VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 22 SSP Security Support Providers SSPI Security Support Provider Interface ST Security Target SYSVOL System Volume TCP Transmission Control Protocol TDI Transport Driver Interface TLS Transport Layer Security TOE Target of Evaluation TPM Trusted Platform Module TSC TOE Scope of Control TSF TOE Security Functions TSS TOE Summary Specification UART Universal Asynchronous Receiver / Transmitter UI User Interface UID User Identifier UNC Universal Naming Convention US United States UPN User Principal Name URL Uniform Resource Locator USB Universal Serial Bus USN Update Sequence Number v5 Version 5 VDS Virtual Disk Service VPN Virtual Private Network VSS Volume Shadow Copy Service WAN Wide Area Network WCF Windows Communications Framework WebDAV Web Document Authoring and Versioning WebSSO Web Single Sign On WDM Windows Driver Model WIF Windows Identity Framework WMI Windows Management Instrumentation WSC Windows Security Center WU Windows Update WSDL Web Service Description Language WWW World-Wide Web X64 A 64-bit instruction set architecture X86 A 32-bit instruction set architecture VALIDATION REPORT Microsoft Windows 10 Mobile and Microsoft Windows 10 with Mobile Devices 23 14 Bibliography The Validation Team used the following documents to produce this Validation Report: [1] Common Criteria for Information Technology Security Evaluation Part 1: Introduction, Version 3.1, Revision 4, September 2012. [2] Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Requirements, Version 3.1 Revision 4, September 2012. [3] Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance Components, Version 3.1 Revision 4, September 2012. [4] Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 4, September 2012. [5] Microsoft Windows 10 and Microsoft Windows 10 Mobile Security Target, Version 1.0, May 11, 2016 [6] Common Criteria Evaluation and Validation Scheme - Guidance to CCEVS Approved Common Criteria Testing Laboratories, Version 2.0, 8 Sep 2008. [7] Evaluation Technical Report for Microsoft Windows 10 Mobile and Window 10, Version 1.0, April 13, 2016 [8] Microsoft Windows 10 Mobile and Microsoft Windows 10 Common Criteria Supplemental Admin Guidance, Version 1.0, Version 1.0, May 11, 2016