Microsoft Windows 10 with
Surface 3, Surface Pro 3, Dell Venue 8 Pro, HP Pro X2,
Lenovo X1 Carbon, and Panasonic FZ-G1
Common Criteria
Assurance Activities Report
Version 2.4
January 28, 2016
Prepared by:
Leidos Inc. (formerly Science Applications International Corporation)
https://www.leidos.com/commercialcyber/ate
Common Criteria Testing Laboratory
6841 Benjamin Franklin Drive
Prepared for:
National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme
The Developer of the TOE:
Microsoft Corporation Corporate Headquarters
One Microsoft Way
Redmond, WA 98052-6399
The TOE Evaluation was Sponsored by:
Microsoft Corporation Corporate Headquarters
One Microsoft Way
Redmond, WA 98052-6399
Evaluation Personnel:
Greg Beaver, Dawn Campbell, Gary Grainger, Kevin Steiner
Common Criteria Versions
Common Criteria for Information Technology Security Evaluation Part 1: Introduction, Version 3.1, Revision 4, September 2012.
Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Components, Revision 4, September 2012.
Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance Components, Revision 4, September 2012.
Common Evaluation Methodology Versions
Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 4, September 2012.
Protection Profiles
Table of Contents
1 Introduction
1.1 Evidence
1.2 Protection Profile
2 Security Functional Requirement Assurance Activities
2.1 Security Audit (FAU)
2.1.1 Audit Data Generation (FAU_GEN.1)
2.1.2 Security Audit Review (FAU_SAR.1)
2.1.3 Security Audit Event Selection (FAU_SEL.1)
2.1.4 Audit Storage Protection (FAU_STG.1)
2.1.5 Prevention of Audit Data Loss (FAU_STG.4)
2.2 Cryptographic Support (FCS)
2.2.1 Cryptographic Key Generation (FCS_CKM.1(1))
2.2.2 Cryptographic Key Generation (WLAN) (FCS_CKM.1(2))
2.2.3 Cryptographic Key Generation (WLAN) (FCS_CKM.1(3))
2.2.4 Cryptographic Key Establishment (FCS_CKM.2.1(1))
2.2.5 Cryptographic Key Distribution (WLAN) (FCS_CKM.2.1(2))
2.2.6 Cryptographic Key Support (REK) (FCS_CKM_EXT.1)
2.2.7 Extended: Cryptographic Key Support (FCS_CKM_EXT.1.4)
2.2.8 Cryptographic Key Random Generation (FCS_CKM_EXT.2)
2.2.9 Cryptographic Key Encryption Keys (FCS_CKM_EXT.3)
2.2.10 Cryptographic Key Destruction (FCS_CKM_EXT.4)
2.2.11 TSF Wipe (FCS_CKM_EXT.5)
2.2.12 Cryptographic Salt Generation (FCS_CKM_EXT.6)
2.2.13 Cryptographic Operation (FCS_COP.1(1))
2.2.14 Hashing Algorithms (FCS_COP.1(2))
2.2.15 Signature Algorithms (FCS_COP.1(3))
2.2.16 Keyed Hash Algorithms (FCS_COP.1(4))
2.2.17 Password-Based Key Derivation Functions (FCS_COP.1(5))
2.2.19 Initialization Vector Generation (FCS_IV_EXT.1)
2.2.20 Random Bit Generation (FCS_RBG_EXT.1)
2.2.21 Extended: Cryptographic Algorithm Services (FCS_SRV_EXT.1.1)
2.2.22 Extended: Cryptographic Algorithm Services (FCS_SRV_EXT.1.2)
2.2.23 Extended: Cryptographic Key Storage (FCS_STG_EXT.1)
2.2.24 Extended: Encrypted Cryptographic Key Storage (FCS_STG_EXT.2)
2.2.25 Extended: Integrity of Encrypted Key Storage (FCS_STG_EXT.3)
2.2.26 Extended: EAP TLS Protocol (FCS_TLSC_EXT.1.1)
2.2.27 Extended: EAP TLS Protocol (FCS_TLSC_EXT.1.2)
2.2.28 Extended: EAP TLS Protocol (FCS_TLSC_EXT.1.3)
2.2.29 Extended: EAP TLS Protocol (FCS_TLSC_EXT.1.4)
2.2.30 Extended: EAP TLS Protocol (FCS_TLSC_EXT.1.5)
2.2.31 Extended: EAP TLS Protocol (FCS_TLSC_EXT.1.6)
2.2.32 Extended: EAP TLS Protocol (FCS_TLSC_EXT.1.7)
2.2.33 Extended: EAP TLS Protocol (FCS_TLSC_EXT.1.8)
2.2.34 Extended: TLS Protocol (FCS_TLSC_EXT.2.1)
2.2.35 Extended: TLS Protocol (FCS_TLSC_EXT.2.2)
2.2.36 Extended: TLS Protocol (FCS_TLSC_EXT.2.3)
2.2.37 Extended: TLS Protocol (FCS_TLSC_EXT.2.4)
2.2.38 Extended: TLS Protocol (FCS_TLSC_EXT.2.5)
2.2.39 Extended: TLS Protocol (FCS_TLSC_EXT.2.6)
2.2.40 Extended: TLS Protocol (FCS_TLSC_EXT.2.7)
2.2.41 Extended: TLS Protocol (FCS_TLSC_EXT.2.8)
2.3 User Data Protection (FDP)
2.3.1 Extended: Security Access Control (FDP_ACF_EXT.1.1)
2.3.2 Extended: Security Access Control (FDP_ACF_EXT.1.2)
2.3.3 Extended: Security Access Control (FDP_ACF_EXT.1.3)
2.3.4 Extended: Limitation of Bluetooth Device Access (FDP_BLT_EXT.1)
2.3.5 Extended: Protected Data Encryption (FDP_DAR_EXT.1)
2.3.6 Extended: Subset Information Flow Control (FDP_IFC_EXT.1)
2.3.8 Extended: Inter-TSF User Data Transfer Protection (FDP_UPC_EXT.1)
2.4 Identification and Authentication (FIA)
2.4.1 Authentication Failure Handling (FIA_AFL_EXT.1)
2.4.2 Bluetooth Authorization and Authentication (FIA_BLT_EXT.1)
2.4.3 Bluetooth Authorization and Authentication (FIA_BLT_EXT.1.2)
2.4.4 Extended: Bluetooth Authentication (FIA_BLT_EXT.2)
2.4.5 Extended: Rejection of Duplicate Bluetooth Connections (FIA_BLT_EXT.3)
2.4.6 Port Access Entity Authentication (FIA_PAE_EXT.1)
2.4.7 Extended: Password Management (FIA_PMG_EXT.1)
2.4.8 Extended: Authentication Throttling (FIA_TRT_EXT.1)
2.4.9 Protected Authentication Feedback (FIA_UAU.7)
2.4.10 Extended: Authentication for Cryptographic Operation (FIA_UAU_EXT.1)
2.4.11 Extended: Timing of Authentication (FIA_UAU_EXT.2)
2.4.12 Extended: Re-Authentication (FIA_UAU_EXT.3)
2.4.13 Extended: Validation of Certificates (FIA_X509_EXT.1)
2.4.14 Extended: X509 Certificate Authentication (FIA_X509_EXT.2)
2.4.15 Extended: X509 Certificate Authentication (FIA_X509_EXT.2.3)
2.4.16 Extended: X509 Certificate Authentication (FIA_X509_EXT.2.4)
2.4.17 Extended: Request Validation of Certificates (FIA_X509_EXT.3)
2.5 Security Management (FMT)
2.5.1 Extended: Management of Security Functions Behavior (FMT_MOF_EXT.1.1)
2.5.2 Extended: Management of Security Functions Behavior (FMT_MOF_EXT.1.2)
2.5.3 Extended: Specification of Management Functions (FMT_SMF_EXT.1)
2.5.4 Extended: Specification of Remediation Actions (FMT_SMF_EXT.2)
2.6 Protection of the TSF (FPT)
2.6.1 Extended: Anti-Exploitation Services (ASLR) (FPT_AEX_EXT.1)
2.6.2 Extended: Anti-Exploitation Services (ASLR) (FPT_AEX_EXT.1.3)
2.6.3 Extended: Anti-Exploitation Services (ASLR) (FPT_AEX_EXT.1.4)
2.6.4 Extended: Anti-Exploitation Services (Memory Page Permissions) (FPT_AEX_EXT.2.1)
2.6.5 Extended: Anti-Exploitation Services (Memory Page Permissions) (FPT_AEX_EXT.2.2)
2.6.6 Extended: Anti-Exploitation Services (Overflow Protection) (FPT_AEX_EXT.3)
2.6.7 Extended: Anti-Exploitation Services (Overflow Protection) (FPT_AEX_EXT.3.2)
2.6.8 Extended: Domain Isolation (FPT_AEX_EXT.4)
2.6.9 Application Processor Mediation (FPT_BBD_EXT.1)
2.6.10 Extended: Limitation of Bluetooth Profile Support (FPT_BLT_EXT.1)
2.6.11 Extended: Key Storage (FPT_KST_EXT.1)
2.6.12 Extended: No Key Transmission (FPT_KST_EXT.2)
2.6.13 Extended: No Plaintext Key Export (FPT_KST_EXT.3)
2.6.14 Extended: Self-Test Notification (FPT_NOT_EXT.1)
2.6.15 Extended: Self-Test Notification (FPT_NOT_EXT.1.2)
2.6.16 Extended: Self-Test Notification (FPT_NOT_EXT.1.3)
2.6.17 Reliable Time Stamps (FPT_STM.1)
2.6.18 Extended: TSF Cryptographic Functionality Testing (FPT_TST_EXT.1)
2.6.19 Extended: TSF Integrity Testing (FPT_TST_EXT.2.1)
2.6.20 Extended: TSF Integrity Testing (FPT_TST_EXT.2.2)
2.6.21 Extended: Trusted Update: TSF Version Query (FPT_TUD_EXT.1)
2.6.22 Extended: Trusted Update Verification (FPT_TUD_EXT.2)
2.6.23 Extended: Trusted Update Verification (FPT_TUD_EXT.2.4)
2.6.24 Extended: Trusted Update Verification (FPT_TUD_EXT.2.5)
2.6.25 Extended: Trusted Update Verification (FPT_TUD_EXT.2.6)
2.6.26 Extended: Trusted Update Verification (FPT_TUD_EXT.2.7)
2.7 TOE Access (FTA)
2.7.1 Extended: TSF- and User-initiated Locked State (FTA_SSL_EXT.1)
2.7.2 Default TOE Access Banners (FTA_TAB.1)
2.7.3 Extended: Wireless Network Access (FTA_WSE_EXT.1)
2.8 Trusted Path/Channels (FTP)
3 Security Assurance Requirements
3.1 Class ADV: Development
3.1.1 ADV_FSP.1 Basic Functional Specification
3.2 Class AGD: Guidance Documents
3.2.1 AGD_OPE.1 Operational User Guidance
3.2.2 AGD_PRE.1 Preparative Procedures
3.3 Class ALC: Life-Cycle Support
3.3.1 ALC_CMC.1 Labeling of the TOE Assurance Activity
3.3.2 ALC_CMS.1 TOE CM Coverage Assurance Activity
3.3.3 Timely Security Updates (ALC_TSU_EXT) Assurance Activity
3.4 ATE_IND.1 Independent Testing Conformance
3.4.1 ATE_IND.1 Assurance Activity
3.4.2 Cryptographic Algorithm Validation Program Testing
3.5 Class AVA: Vulnerability Assessment
1 Introduction
This document presents assurance activity evaluation results of the Microsoft Windows 10 evaluation. There are three types of assurance activities, and the following is provided for each:
1. TOE Summary Specification (TSS)—an indication that the required information is in the TSS section of the Security Target
2. Guidance—a specific reference to the location in the guidance is provided for the required information
3. Test—a summary of the test procedure and result is provided for each required test activity.
This Assurance Activities Report contains sections for each functional class and family and sub-sections addressing each of the SFRs specified in the Security Target.
1.1 Evidence
[ST] Microsoft Windows 10 Security Target, v1.0, January 26, 2016
[Guide] Microsoft Windows 10 Mobile Device Operational Guidance, V1.0, January 12, 2016
[TPM 1.2 Design] TPM Main Part 1: Design Principles, Specification Version 1.2, Revision 116, 1 March 2011
[TPM 1.2 Commands] TPM Main Part 3: Commands, Specification Version 1.2, Revision 116, 1 March 2011
[TPM 2.0 Arch] Trusted Platform Module Library Part 1: Architecture, Family "2.0", Level 00, Revision 01.16, October 30, 2014
[TPM 2.0 Commands] Trusted Platform Module Library Part 3: Commands, Family "2.0", Level 00, Revision 01.16, October 30, 2014
1.2 Protection Profile
[PP MDF] Protection Profile for Mobility Device Fundamentals, Version 2.01, 17 September 2014
2 Security Functional Requirement Assurance Activities
This section describes the assurance activities associated with the SFRs defined in the ST and the results of those activities as performed by the evaluation team. The assurance activities are derived from the [PP MDF].
2.1 Security Audit (FAU)
2.1.1 Audit Data Generation (FAU_GEN.1)
2.1.1.1 TSS Assurance Activities
2.1.1.2 Guidance Assurance Activities
The evaluator shall check the administrative guide and ensure that it lists all of the auditable events and provides a format for audit records. Each audit record format type must be covered, along with a brief description of each field. The evaluator shall check to make sure that every audit event type mandated by the PP is described and that the description of the fields contains the information required in FAU_GEN.1.2.
[Guide] Section 3.1 Audit Events identifies the auditable events.
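As an added illustration (not part of this AAR or of Microsoft's guidance), the PowerShell below queries the log locations and event IDs that the audit-event table maps to the PP requirements and reports whether each is actually being recorded, then decodes the fatal alert codes carried by Schannel event 36888. It assumes an elevated session, that the CAPI2 Operational log has been enabled, and that the Schannel and Kernel-Boot provider names are as written; the function and variable names are the example's own.

```powershell
# Added example, not code from the AAR or from Microsoft: checks that the
# audit events the guidance maps to PP requirements are being written.
# Assumptions: elevated session (Security log is admin-only) and the CAPI2
# Operational log enabled beforehand, since it is off by default:
#   wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
# Log names, event IDs and alert codes come from the table in section 2.1.1.

# Requirement -> Get-WinEvent filter. The provider names for Schannel and
# Kernel-Boot are assumed; confirm with Get-WinEvent -ListProvider if in doubt.
$RequiredAuditEvents = @(
    @{ Req = 'FAU_GEN.1 start-up of audit functions / OS'; Filter = @{ LogName = 'Security'; Id = 4608 } }
    @{ Req = 'FAU_GEN.1 shutdown of audit functions';      Filter = @{ LogName = 'Security'; Id = 1100 } }
    @{ Req = 'FAU_GEN.1 audit log percent full';           Filter = @{ LogName = 'Security'; Id = 1103 } }
    @{ Req = 'FAU_SEL.1 audit policy change';              Filter = @{ LogName = 'Security'; Id = 4719 } }
    @{ Req = 'FIA_AFL_EXT.1 account lockout';              Filter = @{ LogName = 'Security'; Id = 4740 } }
    @{ Req = 'FCS_TLSC_EXT.2 TLS session established';     Filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36880 } }
    @{ Req = 'FCS_TLSC_EXT.2 TLS fatal alert';             Filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36888 } }
    @{ Req = 'FIA_X509_EXT.1 certificate chain build';     Filter = @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Id = 11 } }
    @{ Req = 'FIA_X509_EXT.2 revocation check';            Filter = @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Id = 41 } }
    @{ Req = 'FPT_TST_EXT.1 self-test result (LastBootGood)'; Filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Boot'; Id = 20 } }
)

# Fatal alert codes that fill the %1 placeholder of Schannel event 36888,
# as listed in the guidance table.
$TlsFatalAlerts = @{
    10 = 'Unexpected message'; 20 = 'Bad record MAC';     22 = 'Record overflow'
    30 = 'Decompression fail'; 40 = 'Handshake failure';  47 = 'Illegal parameter'
    48 = 'Unknown CA';         49 = 'Access denied';      50 = 'Decode error'
    51 = 'Decrypt error';      70 = 'Protocol version';   71 = 'Insufficient security'
    80 = 'Internal error';     110 = 'Unsupported extension'
}

function Get-PPAuditEvidence {
    # One row per required event: how many were written since $Since and when
    # the newest was seen. A zero count is the finding to chase: the log is
    # disabled, the audit policy was not applied, or the log has already wrapped.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    foreach ($entry in $RequiredAuditEvents) {
        $filter = $entry.Filter.Clone()
        $filter['StartTime'] = $Since
        # Get-WinEvent reports "no events found" as an error; treat it as zero.
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
        $lastSeen = $null
        if ($events.Count -gt 0) { $lastSeen = $events[0].TimeCreated }   # newest first
        [pscustomobject]@{
            Requirement = $entry.Req
            Log         = $entry.Filter.LogName
            EventId     = $entry.Filter.Id
            Count       = $events.Count
            LastSeen    = $lastSeen
        }
    }
}

function Get-TlsFatalAlertSummary {
    # Decode the alert code in each 36888 event so that, for example, a run of
    # "Unknown CA" or "Protocol version" failures stands out from raw numbers.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36888; StartTime = $Since }
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) | ForEach-Object {
        # Assumption: the first event property carries the %1 alert code.
        $code = [int]$_.Properties[0].Value
        $desc = 'not listed in guidance table'
        if ($TlsFatalAlerts.ContainsKey($code)) { $desc = $TlsFatalAlerts[$code] }
        [pscustomobject]@{ TimeCreated = $_.TimeCreated; AlertCode = $code; Description = $desc }
    } | Group-Object Description | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Alert'; e = { $_.Name } }
}

Get-PPAuditEvidence | Format-Table -AutoSize
Get-TlsFatalAlertSummary | Format-Table -AutoSize
```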
Requirement Description
Additional Record Contents
Log: Event Id FAU_GEN.1 Start-up and
shutdown of the audit functions
Windows Logs/Security: 4608, 1100 4608
Windows Logs -> Security
Subcategory: Security State Change Startup of audit functions
Logged: <Date and time of event> Task category: <type of event>
Keywords: <Outcome as Success or Failure> 1100
Windows Logs -> Security
Subcategory: Security State Change The event logging service has shut down Logged: <Date and time of event> Keywords: <Outcome as Success> FAU_GEN.1 Startup and shutdown
of the OS and kernel
Windows Logs/Security: 4608, 1100 4608
Windows Logs -> Security
Subcategory: Security State Change Startup of audit functions
Logged: <Date and time of event> Task category: <type of event>
Keywords: <Outcome as Success or Failure> 1100
Windows Logs -> Security
Subcategory: Security State Change The event logging service has shut down Logged: <Date and time of event> Keywords: <Outcome as Success> FAU_GEN.1 Insertion or removal
of removable media
Microsoft- Windows-Kernel-PnP/Device Configuration: 410 Windows 10 audits insertion of removable media, winch meets the condition insertion or removal.
410
Requirement Description
Additional Record Contents
Log: Event Id Kernel-PnP -> Device Configuration Device < DeviceInstanceId> was started Logged: <Date and time of event> Security ID: <user identity>
DeviceInstanceId: <Device path and volume GUID of inserted removable media>
FAU_GEN.1 Establishment of a synchronizing connection
Windows Logs -> System Source: Schannel : 36880
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11
36880
Windows Logs -> System
Source: Schannel An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows.
Logged: <Date and time of event> Protocol: <TLS protocol>
CipherSuite: <cypher suite> 11
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
Build Chain
System/TimeCreated/SystemTime: <Date and time of event> UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate>
UserData/CertGetCertificateChain/CertificateChain/ChainEle ment/Certificate <issuer of leaf certificate as subject name in chained certificate>
TrustStatus -> ErrorStatus: <Error code > FAU_GEN.1 Audit records
reaching an administrator-configurable percentage of audit capacity Windows Logs/Security: 1103
The security audit log is now <the configured value > percent full.
Logged: <Date and time of event> Keywords: <Outcome as Success> FAU_SEL.1 All modifications to
the audit
configuration that occur while the audit collection functions are operating. No additional Information. Windows Logs/Security: 4719 4719
Windows Logs -> Security
Subcategory: Audit Policy Change System audit policy was changed
Logged: <Date and time of event> Task category: <category of audit> Task Subcategory: <subcategory of audit> Subcategory GUID: <subcategory GUID name> Security ID: <user identity>
Account Name: <account name> Account Domain: <account domain>
Requirement Description
Additional Record Contents
Log: Event Id Login ID: <login Id>
Changes: <Success/Failure changes> Keywords: <Outcome as Success or Failure> FCS_CKM_EXT
.1
generation of a REK No additional Information.
Windows Logs/System: 24 24
Windows Logs -> System Source: TPM Logged: <Date and time of event> FCS_CKM_EXT .5 Success or failure of the wipe. No additional Information. Windows Logs/System: Success: 12 Failure: 4502 12
Windows Logs -> System 12Logged: <Date and time of OS startup>(This event along with no other earlier events indicates a wipe has occurred.)
4502
Microsoft-Windows-ResetEngAttempt to restore the system to original condition has failed. Changes to the system have been undone.
Logged: <Date and time of event> FCS_CKM.1(1) Failure of key generation activity for authentication keys. No additional Information. Microsoft-Windows-Crypto-NCrypt: 4 Logged: <Date and time of event>
Provider Name: <Key storage provider name> Key Name: <Unique name for key>
Algorithm Name: <Key algorithm name> FCS_HTTPS_E XT.1 Failure of the certificate validity check. Issuer Name and Subject Name of certificate. [No additional information].
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11
11
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
Build Chain System/TimeCreated/SystemTime: <Date and time of event>
UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate>
UserData/CertGetCertificateChain/CertificateChain/ChainEle ment/Certificate <issuer of leaf certificate as subject name in chained certificate>
TrustStatus -> ErrorStatus: <Error code > (Error 20 indicates an untrusted root in the certificate chain)
FCS_RBG_EXT. 1 Failure of the randomization process. No additional information.
Windows Logs -> System: 20 20
Windows Logs -> System Source: Kernel-Boot
The last boot’s success was <LastBootGood event data>. Logged: <Date and time of event>
Requirement Description
Additional Record Contents
Log: Event Id
kernel-mode cryptographic self-tests and RNG initialization succeeded or failed>
FCS_STG_EXT. 1
Import or destruction of key. [No other events]
Identity of key. Role and identity of requestor.
Import: Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient/Lifecycle-System: 1006
Destruction: Windows Logs/System: 12 1006
Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational A new certificate has been installed. Logged: <Date and time of event>
Subject: <Certificate subject name, CN, etc.> Thumbprint: <Certificate thumbprint>
12
Windows Logs -> System 12 Logged: <Date and time of OS startup>
This event along with no other earlier events indicates a wipe has occurred. FCS_STG_EXT. 3 Failure to verify integrity of stored key. Identity of key being verified. Bitlocker recovery Bitlocker recovery
System event Id 20 is recorded by source Kernel-Boot indicating event data “LastBootGood” as “false”. This event together with the indication of the TSF executable causing the failed boot on the Recovery screen.
20
Windows Logs -> System Source: Kernel-Boot
The last boot’s success was <LastBootGood event data>. Logged: <Date and time of event>
LastBootGood: <Outcome as true or false indicating if the kernel-mode cryptographic self-tests and RNG initialization succeeded or failed>
FCS_TLSC_EX T.1
Failure to establish an EAP-TLS session.
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11
System/TimeCreated/SystemTime: <Date and time of event> UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate>
UserData/CertGetCertificateChain/CertificateChain/ChainEle ment/Certificate <issuer of leaf certificate as subject name in chained certificate>
TrustStatus -> ErrorStatus: <Error code >
Requirement Description
Additional Record Contents
Log: Event Id
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 41
System -> TimeCreated -> SystemTime: <Date and time of event>
UserData -> CertVerifyRevocation -> Certificate -> subjectName: <certificate subject name>
UserData -> RevocationStatus -> error: <error code > Error code 0x80092013 indicates “The revocation function was unable to check revocation because the revocation server was offline.
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 30
Verify Chain Policy
System -> TimeCreated -> SystemTime: <Date and time of event>
UserData > CertVerifyCertificateChainPolicy > Certificate -> subjectName: <certificate subject name->
UserData -> Result value -> error: <error code>
Error 0x800B010F: The certificate’s CN name does not match the passed value.
36888
Windows Logs -> System Source: Schannel
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is %1.
Description Error
Code Value
Unexpected message 10 Bad record MAC 20 Record overflow 22 Decompression fail 30 Handshake failure 40 Illegal parameter 47 Unknown CA 48 Access denied 49 Decode error 50 Decrypt error 51 Protocol version 70 Insufficient security 71 Internal error 80
Requirement Description Additional Record Contents Log: Event Id Unsupported extension 110 Establishment/termin ation of an EAP-TLS session.
Windows Logs -> System : 36880 Windows Logs -> System Source: Schannel
An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows. Logged: <Date and time of event>
Protocol: <TLS protocol> CipherSuite: <cypher suite>
Termination : Applications and Services Logs -> Microsoft -> Windows -> SChannel-Events -> Perf: 1793
<This event indicates that the TLS connection was terminated>
Logged: <Date and time of event> FCS_TLSC_EX T.2 Failure to establish a TLS session. Reason for failure.
Windows Logs -> System : 36888 36888
Windows Logs -> System Source: Schannel
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is %1.
Description Error
Code Value
Unexpected message 10 Bad record MAC 20 Record overflow 22 Decompression fail 30 Handshake failure 40 Illegal parameter 47 Unknown CA 48 Access denied 49 Decode error 50 Decrypt error 51 Protocol version 70 Insufficient security 71 Internal error 80 Unsupported extension 110
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11
Requirement Description
Additional Record Contents
Log: Event Id
System/TimeCreated/SystemTime: <Date and time of event> UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate>
UserData/CertGetCertificateChain/CertificateChain/ChainEle ment/Certificate <issuer of leaf certificate as subject name in chained certificate>
TrustStatus -> ErrorStatus: <Error code >
Error 20 indicates an untrusted root in the certificate chain. Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 41
41
System -> TimeCreated -> SystemTime: <Date and time of event>
UserData -> CertVerifyRevocation -> Certificate -> subjectName: <certificate subject name>
UserData -> RevocationStatus -> error: <error code > Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 30
Verify Chain Policy 30
System -> TimeCreated -> SystemTime: <Date and time of event>
UserData > CertVerifyCertificateChainPolicy > Certificate -> subjectName: <certificate subject name->
UserData -> Result value -> error: <error code>
Error 0x800B010F: The certificate’s CN name does not match the passed value.
Failure to verify presented identifier. Presented identifier and reference identifier.
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11
System/TimeCreated/SystemTime: <Date and time of event> UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate>
UserData/CertGetCertificateChain/CertificateChain/ChainEle ment/Certificate <issuer of leaf certificate as subject name in chained certificate>
TrustStatus -> ErrorStatus: <Error code > (Error 20 indicates an untrusted root in the certificate chain)
Establishment/termin ation of a TLS session Non-TOE endpoint of connection.
Windows Logs -> System : 36880 36880
Windows Logs -> System Source: Schannel
An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows. Logged: <Date and time of event>
Protocol: <TLS protocol> CipherSuite: <cypher suite>
Requirement Description
Additional Record Contents
Log: Event Id
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11
11
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
Build Chain
System/TimeCreated/SystemTime: <Date and time of event> UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate>
UserData/CertGetCertificateChain/CertificateChain/ChainEle ment/Certificate <issuer of leaf certificate as subject name in chained certificate>
TrustStatus -> ErrorStatus: <Error code >
Termination : Applications and Services Logs -> Microsoft -> Windows -> SChannel-Events -> Perf: 1793
<This event indicates that the TLS connection was terminated> Logged: <Date and time of event>
FDP_DAR_EXT .1 Failure to encrypt/decrypt data. No additional information.
Windows Logs -> System : 24588 Logged: <Date and time of event> Volume: <encrypted volume letter> FDP_STG_EXT. 1 Addition or removal of certificate from Trust Anchor Database. Subject name of certificate.
Applications and Services Logs -> Microsoft -> Windows: Import: : CAPI2: 90
Removal: CertificateServicesClient-Lifecycle-System / Operational Id 1004
90
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
<un-named>Logged: <Date and time of event>
Security UserID: <SID of user account that imported the certificate/secrets>
Subject: <Certificate subject name, CN, etc.> 1004
Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational A certificate has been deleted Logged: <Date and time of event> Security ID: <SID of user account that deleted the
certificate/secrets>
SubjectNames: <Deleted certificate subject name> Thumbprint: <Deleted certificate thumbprint> EKUs: <Deleted certificate EKUs>
Requirement Description Additional Record Contents Log: Event Id FDP_UPC_EXT. 1 Application initiation of trusted channel. Name of application. Trusted channel protocol. Non-TOE endpoint of connection.
TLS: Windows Logs -> System Source: Schannel 36880 and
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational 11
Bluetooth: Windows Logs -> System: 8 Windows Logs -> System : 36880 36880
Windows Logs -> System Source: Schannel
An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows. Logged: <Date and time of event>
Protocol: <TLS protocol> CipherSuite: <cypher suite>
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11
11
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
Build Chain
System/TimeCreated/SystemTime: <Date and time of event> UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate>
UserData/CertGetCertificateChain/CertificateChain/ChainEle ment/Certificate <issuer of leaf certificate as subject name in chained certificate>
TrustStatus -> ErrorStatus: <Error code > 8
Windows Logs -> System Source: BTHUSB
The remote adapter < remote bluetooth radio address> was successfully paired with the local adapter. Logged: <Date and time of event>
EventData: <remote bluetooth radio address> FIA_AFL_EXT. 1 Excess of authentication failure limit. No additional information.
Exceeding failure limit: Windows Logs/Security: 4740 4740
Logged: <Date and time of event> Security ID: <SID of locked account> Account Name: <name of locked account> Account Domain: <domain of locked account> FIA_BLT_EXT. 1 User authorization of Bluetooth device. User authorization User authorization decision.
Windows Logs/System (BTHUSB): 8 Windows Logs/System (UserPnp): 20001
Requirement Description
Additional Record Contents
Log: Event Id for local Bluetooth
service. Bluetooth address and name of device. Bluetooth profile. Identity of local service. 8
Windows Logs -> System Source: BTHUSB
The remote adapter < remote bluetooth radio address> was successfully paired with the local adapter. Logged: <Date and time of event>
EventData: <remote bluetooth radio address> 20001
Windows Logs -> System Source: UserPnP
Driver Manager concluded the process to install driver <driver name> for Device Instance ID <ID value include device address>
Logged: <Date and time of event> Security UserID: <SID of user>
DeviceInstanceID: <instance ID (including remote device address)>
SetupClass: <Bluetooth service/profile GUID> FIA_BLT_EXT. 2 Initiation of Bluetooth connection. Bluetooth address and name of device.
Windows Logs/System (BTHUSB): 8 8
Windows Logs -> System Source: BTHUSB
The remote adapter < remote bluetooth radio address> was successfully paired with the local adapter. Logged: <Date and time of event>
EventData: <remote bluetooth radio address> Failure of Bluetooth
connection.
Reason for failure.
Windows Logs/System (BTHUSB): 16 16
Windows Logs -> System Source: BTHUSB
The mutual authentication between the local Bluetooth adapter and a device with Bluetooth adapter address <device address> failed.Logged: <Date and time of event>
Data: <remote device address> FIA_UAU_EXT. 2 Action performed before authentication. No additional information.
N/A due to no selection in Security Target
FIA_UAU_EXT. 3 User changes Password Authentication Factor. No additional information. Windows Logs/Security: 4738 4738
Windows Logs -> Security
Subcategory: User Account Management A user account was changed
Logged: <Date and time of event> Security ID: <user identity> FIA_X509_EXT. 1 Failure to validate X.509v3 certificate. Reason for failure of validation.
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11
Requirement Description
Additional Record Contents
Log: Event Id
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
Build Chain System/TimeCreated/SystemTime: <Date and time of event>
UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate>
UserData/CertGetCertificateChain/CertificateChain/ChainEle ment/Certificate <issuer of leaf certificate as subject name in chained certificate>
TrustStatus -> ErrorStatus: <Error code > FIA_X509_EXT. 2 Failure to establish connection to determine revocation status. No additional information.
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 41
41
Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational
Verify Revocation
System -> TimeCreated -> SystemTime: <Date and time of event>
UserData -> CertVerifyRevocation -> Certificate -> subjectName: <certificate subject name>
UserData -> RevocationStatus -> error: <error code > Error code 0x80092013 indicates “The revocation function was unable to check revociation because the revocation server was offline.
Requirement | Description | Additional Record Contents | Log: Event Id

FMT_SMF_EXT.1
  Description: Change of settings.
  Additional Record Contents: Role of user that changed setting. Value of new setting.
  Log: See AAR Table below: Administrative Actions audits

  Description: Success or failure of function.
  Additional Record Contents: Role of user that performed function. Function performed. Reason for failure.
  Log: See AAR Table below: Administrative Actions audits

  Description: Initiation of software update.
  Additional Record Contents: Version of update.
  Log: Windows Logs/System: 19
  Event 19 (Windows Logs -> System): Installation Successful: Windows successfully installed the following update: <app/update name>
    Logged: <Date and time of event>
    Security ID: <SID of user account that installed the app>
    updateTitle: <app/update name>
    updateGuid: <app/update Guid>
    serviceGuid: <app/service GUID>
    updateRevisionNumber: <app version>

  Description: Initiation of application installation or update.
  Additional Record Contents: Name and version of application.
  Log: Microsoft-Windows-AppXDeploymentServer/Operational: 400
  Event 400 (Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server/Operational): Deployment Add operation on Package <package Id> from: (<.appx pathname>) finished successfully
    Logged: <Date and time of event>
    Security ID: <SID of user account that installed the app>
    PackageFullName: <package Id>
    Path: <.appx pathname>

FMT_SMF_EXT.2
  Description: Unenrollment.
  Additional Record Contents: Identity of administrator. Remediation action performed.
  Log: Un-enroll: Microsoft-Windows-SystemSettingsThreshold/Operational: 511; Wipe protected data: Windows Logs/System: 12
  Un-enroll, Event 511 (Microsoft-Windows-SystemSettingsThreshold/Operational): Attempted to turn off workplace device management. Result is <result code>
    Logged: <Date and time of event>
    Security: <user identity>
    Remediation action removed Enterprise apps.
  Wipe protected data, Event 12 (Windows Logs/System):
    Logged: <Date and time of OS startup>
    (This event along with no other earlier events indicates a wipe has occurred.)

FPT_NOT_EXT.1
  Description: [Measurement of TSF software].
  Additional Record Contents: [Integrity verification value].
  Log: HealthAttestation log file response
    <See section “Managing Health Attestation” for more information>
    See topic ‘Take appropriate policy action based on evaluation results’ in online guidance for list of measurements and verification.
FPT_TST_EXT.1
  Description: Initiation of self-test. Failure of self-test.
  Additional Record Contents: None
  Log: Windows Logs/System: 20
  Event 20 (Windows Logs -> System, Source: Kernel-Boot): The last boot’s success was <LastBootGood event data>.
    Logged: <Date and time of event>
    LastBootGood: <Outcome as true or false indicating if the kernel-mode cryptographic self-tests and RNG initialization succeeded or failed>

FPT_TST_EXT.2
  Description: Start-up of TOE.
  Additional Record Contents: Boot Mode.
  Log: Windows Logs/System: 21
  Event 21 (Windows Logs -> System, Source: Kernel-Boot): The OS loader advanced options menu was displayed and the user selected option <boot mode>
    Logged: <Date and time of event>
    OptionSelected: <auxiliary boot mode>
    Note: this event is recorded if the operating system was started in an auxiliary boot mode, whereas its absence indicates the operating system started in normal boot mode.

  Description: [Detected integrity violations].
  Additional Record Contents: [The TSF code that caused the integrity violation].
  Log: Recovery Screen
    System event Id 20 is recorded by source Kernel-Boot indicating event data “LastBootGood” as “false”.
    This event, together with the indication on the Recovery screen of the TSF executable that caused the failed boot, constitutes the record. Since the OS is often not functional in this scenario, the reason cannot be “recorded”.
FPT_TUD_EXT.2
  Description: Success or failure of signature verification for software updates.
  Log: Windows Logs/Setup: 1, 2, 3
  Event 1 (Windows Logs -> Setup): Initiating changes for package
    Logged: <Date and time of event>
    PackageIdentifier: <KB package Id>
    InitialPackageState: Resolved
    IntendedPackageState: Installed
    ErrorCode: <success outcome indicated by 0x0>
  Event 2 (Windows Logs -> Setup): Package was successfully changed to the Installed state
    Logged: <Date and time of event>
    PackageIdentifier: <KB package Id>
    IntendedPackageState: Installed
    ErrorCode: <success outcome indicated by 0x0>
  Event 3 (Windows Logs -> Setup): Windows update could not be installed because … “The data is invalid”
    Logged: <Date and time of event>
    Commandline: <KB package Id>
    ErrorCode: <install failure indicated by 0x800700D (2147942413)>

  Description: Success or failure of signature verification for applications.
  Log: Microsoft-Windows-AppXDeploymentServer/Operational Id 400/404 for success/failure
  Event 400 (Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server/Operational): Deployment Add operation on Package <package Id> from: (<.appx pathname>) finished successfully
    Logged: <Date and time of event>
    Security ID: <SID of user account that installed the app>
    PackageFullName: <package Id>
    Path: <.appx pathname>
  Event 404: AppX Deployment operation failed for package <app package identity> with error <error code>. The specific error text for this failure is: <failure text>.
    Logged: <Date and time of event>
    PackageFullName: <package Id>
FTA_TAB.1
  Description: Change in banner setting.
  Additional Record Contents: No additional information.
  Log: Windows Logs/Security: 4656
  Event 4656 (Windows Logs -> Security, Subcategory: Registry): A handle to an object was requested.
    Logged: <Date and time of event>
    Security ID: <SID of locked account>
    Object Name: <Name of the object changed>
    Accesses: <Access granted>
    Access Mask: <Access requested>

FTA_WSE_EXT.1
  Description: All attempts to connect to access points.
  Additional Record Contents: Identity of access point.
  Log: Microsoft-Windows-WLAN-AutoConfig/Operational log event Id 8000, 8003
  Event 8000 (Microsoft-Windows-WLAN-AutoConfig/Operational): WLAN AutoConfig service started a connection to a wireless network
    Logged: <Date and time of event>
    Network Adapter: <adapter device name>
  Event 8003 (Microsoft-Windows-WLAN-AutoConfig/Operational): WLAN AutoConfig service has successfully disconnected from a wireless network
    Logged: <Date and time of event>
    Network Adapter: <adapter device name>
FTP_ITC_EXT.1
  Description: Initiation and termination of trusted channel.
  Additional Record Contents: Trusted channel protocol. Non-TOE endpoint of connection.
  Log:
    IPsec: Windows Logs/Security: Initiation: 4651, 5451; Termination: 4655, 5452
    HTTP/TLS: Windows Logs -> System: 36880
    EAP-TLS/802.1x/802.11-2012: Microsoft-Windows-WLAN-AutoConfig/Operational: 8001, 8003

  IPsec:
  Event 4651 (Windows Logs -> Security, Subcategory: IPsec Main Mode): IPsec main mode security association was established. A certificate was used for authentication.
    Logged: <Date and time of event>
    Task category: <type of event>
    Local Endpoint: <Subject identity as IP address>
    Remote Endpoint: <Subject identity as IP address of non-TOE endpoint of connection>
    Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>
    Local Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>
    Remote Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>
    Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id and cryptographic parameters established in the SA>
    Keywords: <Outcome as Success>
  Event 5451 (Windows Logs -> Security, Subcategory: IPsec Quick Mode): IPsec quick mode security association was established
    Logged: <Date and time of event>
    Task category: <type of event>
    Local Endpoint: <Subject identity as IP address/port>
    Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection>
    Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>
    Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id, QM SA Id, Inbound SPI, Outbound SPI and cryptographic parameters established in the SA>
    Keywords: <Outcome as Success>
  Event 4655 (Windows Logs -> Security, Subcategory: IPsec Main Mode): IPsec main mode security association ended
    Logged: <Date and time of event>
    Task category: <type of event>
    Local Endpoint: <Subject identity as IP address/port>
    Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection/channel>
    Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>
    Keywords: <Outcome as Success>
  Event 5452 (Windows Logs -> Security, Subcategory: IPsec Quick Mode): IPsec quick mode security association ended
    Logged: <Date and time of event>
    Task category: <type of event>
    Local Endpoint: <Subject identity as IP address/port>
    Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection>
    Cryptographic Information: <The entry in the SPD that applied to the decision as the QM SA Id, Tunnel Id, Traffic Selector Id>
    Keywords: <Outcome as Success>

  HTTP/TLS:
  Event 36880 (Windows Logs -> System, Source: Schannel):
    Logged: <Date and time of event>
    Protocol: <TLS protocol>
  Event 11 (Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational) (Note: The event identifies the Non-TOE endpoints):
    System/TimeCreated/SystemTime: <Date and time of event>
    UserData/CertGetCertificateChain/Certificate/subjectName: <subject name in client certificate>
    UserData/CertGetCertificateChain/CertificateChain/ChainElement/Certificate: <issuer of leaf certificate as subject name in chained certificate>
    TrustStatus -> ErrorStatus: <Error code>
  Event 1793 (Applications and Services Logs -> Microsoft -> Windows -> SChannel-Events -> Perf): <This event indicates that the TLS connection was terminated>
    Logged: <Date and time of event>

  EAP-TLS/802.1x/802.11-2012:
  Event 8001 (Microsoft-Windows-WLAN-AutoConfig/Operational):
    Logged: <Date and time of event>
    SSID: <Wireless network name> (non-TOE endpoint of connection)
    Authentication: WPA2-Enterprise (protocol)
    802.1x Enabled: Yes (protocol)
  Event 8003 (Microsoft-Windows-WLAN-AutoConfig/Operational):
    Logged: <Date and time of event>
    SSID: <Wireless network name> (non-TOE endpoint of connection)
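As an added example (not part of the evaluation report and not Microsoft tooling), the Python below reads exported event XML of the kind the table's System/TimeCreated/SystemTime paths refer to and applies three of the table's rules: FPT_TST_EXT.1 (Kernel-Boot event 20 with LastBootGood true/false), FPT_TST_EXT.2 (event 21 present with OptionSelected, or absent for a normal boot) and the wipe indicator (System event 12 with no earlier event). The sample records are constructed; the full provider names (the table only gives "Kernel-Boot" as the source) are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace used by exported Windows event XML (wevtutil / Get-WinEvent ToXml()).
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records, not captured logs: a System channel as it would
# look right after a wipe (event 12 is the earliest record), followed by the
# Kernel-Boot records the table describes.  Provider names are assumptions.
SAMPLE_EVENTS_XML = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Kernel-General"/><EventID>12</EventID>
    <TimeCreated SystemTime="2016-01-28T10:00:00.000000000Z"/><Channel>System</Channel></System>
  <EventData/>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Kernel-Boot"/><EventID>20</EventID>
    <TimeCreated SystemTime="2016-01-28T10:00:05.000000000Z"/><Channel>System</Channel></System>
  <EventData><Data Name="LastBootGood">true</Data></EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Kernel-Boot"/><EventID>21</EventID>
    <TimeCreated SystemTime="2016-01-28T10:00:06.000000000Z"/><Channel>System</Channel></System>
  <EventData><Data Name="OptionSelected">constructed-auxiliary-option</Data></EventData>
</Event>""",
]


def parse_event(xml_text):
    """Flatten one exported <Event> into a dict keyed by the fields the table uses."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", EVT_NS)}
    return {
        "channel": system.findtext("e:Channel", namespaces=EVT_NS),
        "provider": system.find("e:Provider", EVT_NS).get("Name"),
        "id": int(system.findtext("e:EventID", namespaces=EVT_NS)),
        # SystemTime is a fixed-width UTC ISO-8601 string, so it sorts as text.
        "time": system.find("e:TimeCreated", EVT_NS).get("SystemTime"),
        "data": data,
    }


def kernel_boot_events(events, event_id):
    """System-channel records from the (assumed) Kernel-Boot provider with this Id."""
    return [ev for ev in events
            if ev["channel"] == "System"
            and ev["provider"] == "Microsoft-Windows-Kernel-Boot"
            and ev["id"] == event_id]


def self_test_passed(events):
    """FPT_TST_EXT.1: event 20 carries LastBootGood; False is the failed-boot case."""
    hits = kernel_boot_events(events, 20)
    if not hits:
        return None  # no self-test record in this export
    return hits[-1]["data"].get("LastBootGood", "").lower() == "true"


def boot_mode(events):
    """FPT_TST_EXT.2: event 21 names the auxiliary option; no event 21 means normal boot."""
    hits = kernel_boot_events(events, 21)
    return hits[-1]["data"].get("OptionSelected") if hits else "normal"


def wipe_indicated(events):
    """FMT_SMF_EXT.2 / admin action 9: System event 12 with no earlier System event."""
    system = sorted((ev for ev in events if ev["channel"] == "System"),
                    key=lambda ev: ev["time"])
    return bool(system) and system[0]["id"] == 12


def load_samples():
    """Parse the constructed records above."""
    return [parse_event(x) for x in SAMPLE_EVENTS_XML]


if __name__ == "__main__":
    evs = load_samples()
    print("self-test passed:", self_test_passed(evs))
    print("boot mode:", boot_mode(evs))
    print("wipe indicated:", wipe_indicated(evs))
```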
The evaluator shall also make a determination of the administrative actions that are relevant in the context of this PP including those listed in the Management section. The evaluator shall examine the administrative guide and make a determination of which administrative commands are related to the configuration (including enabling or disabling) of the mechanisms implemented in the TOE that are necessary to enforce the requirements specified in the PP. The evaluator shall document the methodology or approach taken while determining which actions in the administrative guide are security relevant with respect to this PP. The evaluator may perform this activity as part of the activities associated with ensuring the AGD_OPE guidance satisfies the requirements.
[Guide] Section 3.1 Audit Events identifies the administrative operations with their associated audits. The evaluator examined the management functions identified in the security target FMT_SMF_EXT.1 to determine which actions are security relevant.
Administrative Actions audits
Administrative Action | Audit Log Id

1. configure password policy:
   a. minimum password length
   b. minimum password complexity
   c. maximum password lifetime
   Audit Log Id: Windows Logs/Security: 4739
   Event 4739 (Windows Logs -> Security, Subcategory: Authentication Policy Change): Domain Policy was changed.
     Logged: <Date and time of event>
     Security ID: <SID of user account making audit policy change>
     Account Name: <name of user account making audit policy change>
     Account Domain: <domain of user account making audit policy change if applicable, otherwise computer>
     Category: <Audit category that was changed.>
     Subcategory: <Audit subcategory that was changed.>
     Changes: <Change to audit policy.>

2. configure session locking policy:
   a. screen-lock enabled/disabled
   b. screen lock timeout
   c. number of authentication failures
   Audit Log Id: Windows Logs/Security: 4739
   Event 4739 (Windows Logs -> Security, Subcategory: Authentication Policy Change): Domain Policy was changed.
     Logged: <Date and time of event>
     Security ID: <SID of user account making audit policy change>
     Account Name: <name of user account making audit policy change>
     Account Domain: <domain of user account making audit policy change if applicable, otherwise computer>
     Category: <Audit category that was changed.>
     Subcategory: <Audit subcategory that was changed.>
     Changes: <Change to audit policy.>

3. enable/disable the VPN protection:
   a. across device
   [b. on a per-app basis
   c. no other method]
   Audit Log Id: Windows Logs/Security: Enable: 4651, 5451; Disable: 4655, 5452
   Event 4651 (Windows Logs -> Security, Subcategory: IPsec Main Mode): IPsec main mode security association was established. A certificate was used for authentication.
     Logged: <Date and time of event>
     Task category: <type of event>
     Local Endpoint: <Subject identity as IP address>
     Remote Endpoint: <Subject identity as IP address of non-TOE endpoint of connection>
     Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>
     Local Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>
     Remote Certificate: <The entry in the SPD that applied to the decision as certificate SHA Thumbprint>
     Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id and cryptographic parameters established in the SA>
   Event 5451 (Windows Logs -> Security, Subcategory: IPsec Quick Mode): IPsec quick mode security association was established
     Logged: <Date and time of event>
     Task category: <type of event>
     Local Endpoint: <Subject identity as IP address/port>
     Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection>
     Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>
     Cryptographic Information: <The entry in the SPD that applied to the decision as MM SA Id, QM SA Id, Inbound SPI, Outbound SPI and cryptographic parameters established in the SA>
     Keywords: <Outcome as Success>
   Event 4655 (Windows Logs -> Security, Subcategory: IPsec Main Mode): IPsec main mode security association ended
     Logged: <Date and time of event>
     Task category: <type of event>
     Local Endpoint: <Subject identity as IP address/port>
     Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection/channel>
     Keying Module Name: <Transport layer protocol as IKEv1 or IKEv2>
     Keywords: <Outcome as Success>
   Event 5452 (Windows Logs -> Security, Subcategory: IPsec Quick Mode): IPsec quick mode security association ended
     Logged: <Date and time of event>
     Task category: <type of event>
     Local Endpoint: <Subject identity as IP address/port>
     Remote Endpoint: <Subject identity as IP address/port of non-TOE endpoint of connection>
     Cryptographic Information: <The entry in the SPD that applied to the decision as the QM SA Id, Tunnel Id, Traffic Selector Id>
     Keywords: <Outcome as Success>
4. enable/disable [GPS, Wi-Fi, Bluetooth, mobile broadband]
   GPS: Windows Logs/Security: 4657
   Event 4657 (Windows Logs -> Security, Subcategory: Registry): Registry entry change
     Logged: <Date and time of event>
     Task category: <type of event>
     Security ID: <user identity>
     Object name: <key path>
     Changes: <old and new registry values>
     Keywords: <Outcome as Success or Failure>
   WiFi: Microsoft-Windows-WLAN-AutoConfig/Operational Id 11001 (enable), 11004 (disable)
   Event 11001 (Microsoft-Windows-WLAN-AutoConfig/Operational): Wireless network association succeeded
     Logged: <Date and time of event>
     Network Adapter: <adapter device name>
     Local MAC address: <Wi-Fi address>
   Event 11004 (Microsoft-Windows-WLAN-AutoConfig/Operational): Wireless security stopped
     Logged: <Date and time of event>
     Network Adapter: <adapter device name>
     Local MAC address: <Wi-Fi address>
   Bluetooth: Windows Logs/Security: 4657
   Event 4657 (Windows Logs -> Security, Subcategory: Registry): Registry entry change
     Logged: <Date and time of event>
     Task category: <type of event>
     Security ID: <user identity>
     Object name: <key path>
     Changes: <old and new registry values>
     Keywords: <Outcome as Success or Failure>
   Mobile Broadband: WWAN-SVC-EVENTS/WWAN Operational Channel: 11009
   Event 11009: Received ContextState
     Logged: <Date and time of event>
     State: <WwanActivationStateActivated>
     State: <WwanActivationStateDeActivated>

5. enable/disable [camera, microphone]:
   a. across device
   [b. on a per-app basis
   c. no other method]
   Audit Log Id: Windows Logs/Security: 4657
   Event 4657 (Windows Logs -> Security, Subcategory: Registry): Registry entry change
     Logged: <Date and time of event>
     Task category: <type of event>
     Security ID: <user identity>
     Object name: <key path>
     Changes: <old and new registry values>
     Keywords: <Outcome as Success or Failure>

6. specify wireless networks (SSIDs) to which the TSF may connect
   Audit Log Id: Windows Logs/Security: 4656
   Event 4656 (Windows Logs -> Security, Subcategory: Registry): A handle to an object was requested.
     Logged: <Date and time of event>
     Object Name: <Name of the object changed>
     Accesses: <Access granted>
     Access Mask: <Access requested>
7. configure security policy for each wireless network:
   a. [selection: specify the CA(s) from which the TSF will accept WLAN authentication server certificate(s), specify the FQDN(s) of acceptable WLAN authentication server certificate(s)]
   b. security type
   c. authentication protocol
   d. client credentials to be used for authentication
   Audit Log Id: Windows Logs/Security: 4656
   Event 4656 (Windows Logs -> Security, Subcategory: Registry): A handle to an object was requested.
     Logged: <Date and time of event>
     Security ID: <SID of locked account>
     Object Name: <Name of the object changed>
     Accesses: <Access granted>
     Access Mask: <Access requested>

8. transition to the locked state
   Audit Log Id: Windows Logs/Security: 4800
   Event 4800 (Windows Logs -> Security, Subcategory: Logoff): The workstation was locked.
     Logged: <Date and time of event>
     Security UserID: <SID of logon user>
     Account Name: <name of logon account>
     Account Domain: <domain of logon account>

9. TSF wipe of protected data
   Audit Log Id: Success: System: 12; Failure: Wipe Failure Screen, System: 4502
   Event 12 (Windows Logs -> System): The operating system started at system time <time>.
     Logged: <Date and time of OS startup>
     This event along with no other earlier events indicates a wipe has occurred.
   Event 4502 (Microsoft-Windows-ResetEng): Attempt to restore the system to original condition has failed. Changes to the system have been undone.
     Logged: <Date and time of event>
10. configure application installation policy by [selection:
    a. restricting the sources of applications,
    b. specifying a set of allowed applications based on [assignment: application characteristics] (an application whitelist),
    c. denying installation of applications]
    Audit Log Id: Windows Logs/Security: 4656
    Event 4656 (Windows Logs -> Security, Subcategory: Registry): A handle to an object was requested.
      Logged: <Date and time of event>
      Security ID: <SID of locked account>
      Object Name: <Name of the object changed>
      Accesses: <Access granted>

11. import keys/secrets into the secure key storage
    Audit Log Id: Microsoft-Windows-CAPI2/Operational: 90
    Event 90 (Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational): <un-named>
      Logged: <Date and time of event>
      Security UserID: <SID of user account that imported the certificate/secrets>
      Subject: <Certificate subject name, CN, etc.>

12. destroy imported keys/secrets and [[any other keys/secrets]] in the secure key storage
    Audit Log Id: System: 12
    Event 12 (Windows Logs -> System):
      Logged: <Date and time of OS startup>
      This event along with no other earlier events indicates a wipe has occurred.

13. import X.509v3 certificates into the Trust Anchor Database
    Audit Log Id: Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational: 1006
    Event 1006 (Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational; Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational): A new certificate has been installed.
      Logged: <Date and time of event>
      Subject: <Certificate subject name, CN, etc.>
      Thumbprint: <Certificate thumbprint>

14. remove imported X.509v3 certificates and [[all X.509v3 certificates]] in the Trust Anchor Database
    Audit Log Id: Microsoft-Windows-CertificateServicesClient-Lifecycle-System: 1004
    Event 1004 (Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational; Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational): A certificate has been deleted
      Logged: <Date and time of event>
      Security ID: <SID of user account that deleted the certificate/secrets>
      SubjectNames: <Deleted certificate subject name>
      Thumbprint: <Deleted certificate thumbprint>
      EKUs: <Deleted certificate EKUs>
      NotValidAfter: <Deleted certificate expiration date>

15. enroll the TOE in management
    Audit Log Id: Microsoft-Windows-SystemSettingsThreshold/Operational: 510
    Event 510 (Applications and Services Logs -> Microsoft -> Windows -> SystemSettingsThreshold -> Operational): Attempted to turn on workplace device management. Result is <status code> ending at phase 3
      Logged: <Date and time of event>
      TOE in management>
      ResultCode: <status code>
      CorpDeviceOperationPhase: 3
16. remove applications
    Audit Log Id: Microsoft-Windows-AppXDeploymentServer/Operational: 472
    Event 472 (Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server/Operational): Moving package folder <%program files location%\<package Id> to <%deleted program files location%\<package Id>. Result: <status code>
      Logged: <Date and time of event>
      Security ID: <SID of user account that installed the app>
      SourceFolderPath: <%program files location%\<package Id>
      DestinationFolderPath: <%deleted program files location%\<package Id>

17. update system software
    Audit Log Id: Windows Logs/Setup: 1, 2, 3
    Event 1 (Windows Logs -> Setup): Initiating changes for package
      Logged: <Date and time of event>
      PackageIdentifier: <KB package Id>
      InitialPackageState: Resolved
      IntendedPackageState: Installed
      ErrorCode: <success outcome indicated by 0x0>
    Event 2 (Windows Logs -> Setup): Package was successfully changed to the Installed state
      Logged: <Date and time of event>
      PackageIdentifier: <KB package Id>
      IntendedPackageState: Installed
      ErrorCode: <success outcome indicated by 0x0>
    Event 3 (Windows Logs -> Setup): Windows update could not be installed because … “The data is invalid”
      Logged: <Date and time of event>
      Commandline: <KB package Id>
      ErrorCode: <install failure indicated by 0x800700D (2147942413)>

18. install applications
    Audit Log Id: Microsoft-Windows-AppXDeploymentServer/Operational: 400
    Event 400 (Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server/Operational): Deployment Add operation on Package <package Id> from: (<.appx pathname>) finished successfully
      Logged: <Date and time of event>
      Security ID: <SID of user account that installed the app>
      PackageFullName: <package Id>

19. remove Enterprise applications
    Audit Log Id: Microsoft-Windows-AppXDeploymentServer/Operational: 472
    Event 472 (Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server/Operational): Moving package folder <%program files location%\<package Id> to <%deleted program files location%\<package Id>. Result: <status code>
      Logged: <Date and time of event>
      Security ID: <SID of user account that installed the app>
      SourceFolderPath: <%program files location%\<package Id>
      DestinationFolderPath: <%deleted program files location%\<package Id>
20. configure the Bluetooth trusted channel:
    a. disable/enable the Discoverable mode (for BR/EDR)
    b. change the Bluetooth device name
    [
    c. allow/disallow additional wireless technologies to be used with Bluetooth,
    d. disable/enable Advertising (for LE),
    e. disable/enable the Connectable mode
    f. disable/enable the Bluetooth services and/or profiles available on the device,
    g. specify minimum level of security for each pairing,
    h. configure allowable methods of Out of Band pairing
    i. no other Bluetooth configuration]
    Audit Log Id: Windows Logs/Security: 4657
    Event 4657 (Windows Logs -> Security, Subcategory: Registry): Registry entry change
      Logged: <Date and time of event>
      Task category: <type of event>
      Security ID: <user identity>
      Object name: <key path>
      Changes: <old and new registry values>
      Keywords: <Outcome as Success or Failure>

21. enable/disable display notification in the locked state of: [
    a. email notifications,
    b. calendar appointments,
    c. contact associated with phone call notification,
    d. text message notification,
    e. other application-based notifications,
    f. all notifications]
    Audit Log Id: <none>

22. enable/disable all data signaling over [USB hardware ports]
    Audit Log Id: Windows Logs/Security: 4657
    Event 4657 (Windows Logs -> Security, Subcategory: Registry): Registry entry change
      Logged: <Date and time of event>
      Task category: <type of event>
      Security ID: <user identity>
      Object name: <key path>
      Keywords: <Outcome as Success or Failure>

23. enable/disable [none]
    Audit Log Id: <none>

24. enable/disable developer modes
    Audit Log Id: Windows Logs/Security: 4657
    Event 4657 (Windows Logs -> Security, Subcategory: Registry): Registry entry change
      Logged: <Date and time of event>
      Task category: <type of event>
      Security ID: <user identity>
      Object name: <key path>
      Changes: <old and new registry values>

25. enable data-at-rest protection
    Audit Log Id: Windows Logs/System: Id 24579
    Event 24579 (Windows Logs -> System): Encryption of volume <drive letter>: completed
      Logged: <Date and time of event>
      Security UserID: <SID of user account that installed the app>
      Volume: <encrypted volume letter>

26. enable removable media’s data-at-rest protection
    Audit Log Id: Windows Logs/System: Id 24579
    Event 24579 (Windows Logs -> System): Encryption of volume <drive letter>: completed
      Logged: <Date and time of event>
      Security UserID: <SID of user account that installed the app>
      Volume: <encrypted volume letter>
27. enable/disable bypass of local user authentication
    Audit Log Id: N/A

28. wipe Enterprise data
    Audit Log Id: N/A

29. approve [import, removal] by applications of X.509v3 certificates in the Trust Anchor Database
    Audit Log Id: N/A

30. configure whether to establish a trusted channel or disallow establishment if the TSF cannot establish a connection to determine the validity of a certificate
    Audit Log Id: N/A

31. enable/disable the cellular protocols used to connect to cellular network base stations
    Audit Log Id: Microsoft-Windows-WWAN-SVC-Events/Operational: 11004
    Event 11004 (Microsoft-Windows-WWAN-SVC-Events/Operational): Set RadioState
      “WwanRadioOn”>

32. read audit logs kept by the TSF
    Audit Log Id: Windows Logs/Security: 4673
    Event 4673 (Windows Logs -> Security, Subcategory: Sensitive Privilege Use / Non Sensitive Privilege Use): A privileged service was called.
      Logged: <Date and time of event>
      Security ID: <SID of user account that viewed the log>
      Account Name: <user account name that viewed the log>
      Account Domain: <domain of user account that viewed the log>
      Keywords: <Outcome as Success>

33. configure [certificate] used to validate digital signature on applications
    Audit Log Id: Import certificate: Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational: 1006; Remove certificate: Microsoft-Windows-CertificateServicesClient-Lifecycle-System: 1004
    Event 1006 (Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational; Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational): A new certificate has been installed.
      Logged: <Date and time of event>
      Subject: <Certificate subject name, CN, etc.>
      Thumbprint: <Certificate thumbprint>
    Event 1004 (Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational; Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational): A certificate has been deleted
      Logged: <Date and time of event>
      Security ID: <SID of user account that deleted the certificate/secrets>
      SubjectNames: <Deleted certificate subject name>
      Thumbprint: <Deleted certificate thumbprint>
      EKUs: <Deleted certificate EKUs>
      NotValidAfter: <Deleted certificate expiration date>

34. approve exceptions for shared use of keys/secrets by multiple applications
    Audit Log Id: N/A

35. approve exceptions for destruction of keys/secrets by applications that did not import the key/secret
    Audit Log Id: N/A

36. configure the unlock banner
    Audit Log Id: Windows Logs/Security: 4656
    Event 4656 (Windows Logs -> Security):
      Logged: <Date and time of event>
      Security ID: <SID of locked account>
      Object Name: <Name of the object changed>
      Accesses: <Access granted>
      Access Mask: <Access requested>

37. configure the auditable items
    Audit Log Id: Windows Logs/Security: 4719
    Event 4719 (Windows Logs -> Security, Subcategory: Audit Policy Change): System audit policy was changed
      Logged: <Date and time of event>
      Task category: <category of audit>
      Task Subcategory: <subcategory of audit>
      Subcategory GUID: <subcategory GUID name>
      Security ID: <user identity>
      Account Name: <account name>
      Account Domain: <account domain>
      Login ID: <login Id>
      Changes: <Success/Failure changes>
      Keywords: <Outcome as Success or Failure>

38. retrieve TSF-software integrity verification values
    Audit Log Id: Windows Logs/Security: 4656
    Event 4656 (Windows Logs -> Security, Subcategory: Registry): A handle to an object was requested.
      Logged: <Date and time of event>
      Security ID: <SID of locked account>
      Object Name: <Name of the object changed>
      Accesses: <Access granted>
      Access Mask: <Access requested>

39. enable/disable [selection: a. USB mass storage mode, b. USB data transfer without user authentication, USB data transfer without authentication of the connecting system]
    Audit Log Id: N/A

40. enable/disable backup to [remote system]
    Audit Log Id: Windows Logs/Security: 4656
    Event 4656 (Windows Logs -> Security, Subcategory: Registry): A handle to an object was requested.
      Logged: <Date and time of event>
      Security ID: <SID of locked account>
      Object Name: <Name of the object changed>
      Accesses: <Access granted>
      Access Mask: <Access requested>