Australasian Information Security Evaluation Program Certification Report Certificate Number: 2010/65 5 Feb 2010 Version 1.0 5 Feb 2010 Version 1.0 Page i Commonwealth of Australia 2010. Reproduction is authorised provided that the report is copied in its entirety. 5 Feb 2010 Version 1.0 Page ii Amendment Record Version Date Description 1.0 5/02/2010 Public release. 5 Feb 2010 Version 1.0 Page iii Executive Summary 1 Windows Mobile 6.5 is a compact operating system for use on Smartphones enabling users to extend their corporate Windows desktop to mobile devices in a secure manner. Windows Mobile 6.5 is the Target of Evaluation (TOE). 2 The core functionality of the TOE includes: a) Device data protection. The TOE provides the capability to protect data at rest and in transit. b) Device application control. The TOE provides the capability to only permit trusted applications to be installed and executed on the Mobile Device. c) Secure enterprise access. The TOE provides the capability to securely connect the TOE to trusted Enterprise assets and facilitate data transfer. d) Device access control. The TOE has inbuilt security mechanisms that can be enabled to provide controlled access to the Mobile Device. e) Device security management. The TOE has configurable security policies that establish which actions a user or application may take. 3 This report describes the findings of the IT security evaluation of Microsoft Corporation’s Windows Mobile 6.5, to the Common Criteria (CC) evaluation assurance level EAL4 + ALC_FLR.1. The report concludes that the product has met the target assurance level of EAL4 + ALC_FLR.1 and that the evaluation was conducted in accordance with the relevant criteria and the requirements of the Australasian Information Security Evaluation Program (AISEP). The evaluation was performed by stratsec and was completed on 22 December 2009. 4 The TOE forms the software part of a software and hardware ‘composed evaluation’ product. The TOE evaluation technical report (ETR) (Ref 33[1]) provides composition guidance for an Original Equipment Manufacturer (OEM) to meet in developing a hardware component for a composed product. 5 The OEM is the primary customer of the operating system. Microsoft provides the OEM with security updates and they are expected to pass them on to the end users. 6 The TOE User for the composed product is the end user. The end user administrator should ensure that the TOE is used in a composed product evaluated to EAL4+. 7 With regard to the secure operation of the TOE, the Australasian Certification Authority (ACA) recommends that: a) The administrator ensures that no applications are installed which will allow the user to change the security areas of the registry. 5 Feb 2010 Version 1.0 Page iv b) The administrator reviews the certificates in the Software Publishing Certificate (SPC), privileged and unprivileged certificate stores and removes any certificates that are not required. This action prevents unwanted, signed applications from being installed on the TOE. Note: some certificates are required for the TOE to operate, and the administrator should verify that the TOE can function without the certificates that are removed during provisioning. c) The administrator ensures that users are aware of the importance of running the TOE in the evaluated configuration. In the event of a device wipe, the mobile device should be returned to the administrator for reconfiguration. d) The administrator advises users against using the device as a primary data store. This is because data on the device and storage card is encrypted, and the keys stored on the device are destroyed during a device wipe. e) The administrator sets the lockout time on a device to reflect the criticality of the data stored on a mobile device. The reduction in lockout time reduces the chances of an attacker gaining access to a device in an unlocked state. f) The administrator sets mobile device policy to encrypt all areas of the device that may contain user data. g) The administrator ensures that the SD card and local device encryption is enabled prior to users placing any files into internal stores or SD media. h) The administrator lock down all unrequired physical ports on mobile devices to reduce the risk of vulnerabilities in OEM hardware and firmware. i) The administrator considers disabling the use of the Bluetooth radio in order to prevent exploitation of publically published weaknesses in the Bluetooth key pairing process. 8 This report includes information about the underlying security policies and architecture of the TOE, and information regarding the conduct of the evaluation. 9 It is the responsibility of the user to ensure that the TOE meets their requirements. For this reason, Australian Government users should refer to the ISM (Ref 33[3]) for guidance on Australian Government policy requirements. New Zealand Government users should consult the GCSB. It is recommended that a prospective user of the TOE refer to the Security Target at Ref 33[2], and read this Certification Report prior to deciding whether to use the product. 5 Feb 2010 Version 1.0 Page v Table of Contents 00HCHAPTER 1 - INTRODUCTION ........................................................................................................37H37H37H1 1H1H1H1.1 OVERVIEW ................................................................................................................................38H38H38H1 2H2H2H1.2 PURPOSE....................................................................................................................................39H39H39H1 3H3H3H1.3 IDENTIFICATION ........................................................................................................................40H40H40H1 4H4H4HCHAPTER 2 - TARGET OF EVALUATION.....................................................................................41H41H41H2 5H5H5H2.1 OVERVIEW ................................................................................................................................42H42H42H2 6H6H6H2.2 DESCRIPTION OF THE TOE ........................................................................................................43H43H43H2 7H7H7H2.3 TOE ARCHITECTURE.................................................................................................................44H44H44H3 8H8H8H2.4 CLARIFICATION OF SCOPE .........................................................................................................45H45H45H4 9H9H9H2.4.1 Evaluated Functionality....................................................................................................46H46H46H4 10H10H10H2.4.2 Non-evaluated Functionality ............................................................................................47H47H47H5 11H11H11H2.4.3 TOE for Composition........................................................................................................48H48H48H6 12H12H12H2.4.4 TOE User..........................................................................................................................49H49H49H6 13H13H13H2.5 USAGE.......................................................................................................................................50H50H50H6 14H14H14H2.5.1 Evaluated Configuration ..................................................................................................51H51H51H6 15H15H15H2.5.2 Delivery procedures .........................................................................................................52H52H52H7 16H16H16H2.5.3 Determining the Evaluated Configuration........................................................................53H53H53H9 17H17H17H2.5.4 Documentation................................................................................................................54H54H54H10 18H18H18H2.5.5 Secure Usage..................................................................................................................55H55H55H10 19H19H19HCHAPTER 3 - EVALUATION ...........................................................................................................56H56H56H11 20H20H20H3.1 OVERVIEW ..............................................................................................................................57H57H57H11 21H21H21H3.2 EVALUATION PROCEDURES.....................................................................................................58H58H58H11 22H22H22H3.3 FUNCTIONAL TESTING.............................................................................................................59H59H59H12 23H23H23H3.4 PENETRATION TESTING ...........................................................................................................60H60H60H12 24H24H24HCHAPTER 4 - CERTIFICATION......................................................................................................61H61H61H12 25H25H25H4.1 OVERVIEW ..............................................................................................................................62H62H62H12 26H26H26H4.2 CERTIFICATION RESULT ..........................................................................................................63H63H63H13 27H27H27H4.3 ASSURANCE LEVEL INFORMATION..........................................................................................64H64H64H13 28H28H28H4.4 RECOMMENDATIONS ...............................................................................................................65H65H65H13 29H29H29HANNEX A - REFERENCES AND ABBREVIATIONS....................................................................66H66H66H15 30H30H30HA.1 REFERENCES ...........................................................................................................................67H67H67H15 31H31H31HA.2 ABBREVIATIONS......................................................................................................................68H68H68H16 5 Feb 2010 Version 1.0 Page 1 Chapter 1 - Introduction 1.1 Overview 10 This chapter contains information about the purpose of this document and how to identify the TOE. 1.2 Purpose 11 The purpose of this Certification Report is to: a) report the certification of results of the IT security evaluation of the TOE, Windows Mobile 6.5, against the requirements of Common Criteria evaluation assurance level EAL4 + ALC_FLR.1; and b) provide a source of detailed security information about the TOE for any interested parties. 12 This report should be read in conjunction with the TOE’s Security Target (Ref 69H69H69H[2]) which provides a full description of the security requirements and specifications that were used as the basis of the evaluation. 1.3 Identification 13 Table 1 provides identification details for the evaluation. For details of all components included in the evaluated configuration refer to section 70H70H70H2.5.1 71H71H71H Evaluated Configuration. Table 1: Identification Information Item Identifier Evaluation Scheme Australasian Information Security Evaluation Program TOE Windows Mobile 6.5 Software Version Windows Mobile 6.5 Standard (Build 21849 AKU 5.0.63) Windows Mobile 6.5 Professional (Build 21854 AKU 5.0.80) Security Target Windows Mobile 6.5 EAL4+ Security Target v1.0, July 2009 Evaluation Level EAL4 + ALC_FLR.1 Evaluation Technical Report Windows Mobile 6.1 EAL4+ Evaluation Technical Report v1.0, January 2010 Criteria Common Criteria for Information Technology (IT) Security Evaluation, Version 3.1 Revision 3, July 2009, with interpretations as of 6 March 2008 Methodology Common Methodology for Information Technology Security Evaluation, Evaluation methodology, July 2009, Version 3.1 Revision 3, CCMB-2009-07-004 Conformance Common Criteria Part 2 extended. 5 Feb 2010 Version 1.0 Page 2 Common Criteria Part 3 conformant, EAL4 augmented with ALC_FLR.1. Sponsor and Developer Microsoft Corporation 1 Microsoft Way, Redmond WA 98052-8300 USA Evaluation Facility stratsec Suite 1/50 Geils Court, Deakin ACT Chapter 2 - Target of Evaluation 2.1 Overview 14 This chapter contains information about the TOE, including: a description of functionality provided; its architecture components; the scope of evaluation; security policies; and its secure usage. 2.2 Description of the TOE 15 The TOE is Windows Mobile 6.5 developed by Microsoft Corporation. 16 The TOE is a compact operating system for use on Smartphones enabling users to securely extend their corporate Windows desktop to mobile devices. 17 Windows Mobile 6.5 provides the basis for establishing a secure enterprise mobile messaging solution that can securely synchronize and access Line of Business (LOB) applications and services, including Microsoft Exchange to access email, contacts, tasks and calendar and other corporate applications that may be only accessible from within the enterprise network. 18 Windows Mobile powered devices can be centrally managed through the System Center Mobile Device Manager (SCMDM). Windows Mobile 6.5 supports the standards needed to allow the client to establish an authenticated and encrypted communications channel to MDM Gateway Server for enterprise management. 19 The inclusion of the SCMDM client application in Windows Mobile 6.5 provides a security management platform for Windows Mobile phones with over 130 policies and settings and built-in mechanisms that help prevent the misuse of corporate data. Enterprise administrators can lock down many areas of the Windows Mobile Smartphones, including certain communications and device functionality, while exercising significant control over the software to be installed on devices. 20 Windows Mobile 6.5 has a seamless user experience across cellular or Wi-Fi data connections to the enterprise network. SCMDM provides a single point for security–enhanced, behind-the-firewall access to corporate data and LOB applications for Windows Mobile. Enterprise Administrators can facilitate security over public wireless networks 5 Feb 2010 Version 1.0 Page 3 through a Mobile VPN link. The VPN link secures wireless communications between the Windows Mobile 6.5 powered mobile device and corporate servers through an SSL encrypted tunnel. 21 Figure 1 illustrates the claimed security functionality for Windows Mobile. Figure 1 – Windows Mobile 6.5 security architecture 2.3 TOE Architecture 22 Windows Mobile 6.5 is a compact operating system combined with a suite of basic applications for mobile devices based on the Microsoft Win32 API. 23 The base operating system components have been developed from the Windows CE 5.0 (version 5.2) source code. Enhancements and additions are made to the operating system to make it specific to Windows Mobile and then additional applications and features are also added through additional Windows Mobile specific source. 24 The Windows Mobile 6.5 architecture has the following distinct layers (see Figure 1 below): a) Windows Mobile layer. A layer of code that has been specifically developed to implement Windows Mobile specific functionality and applications. b) Operating system layer. Based on the Windows CE 5.0 operating system which is used as the basis for Windows Mobile 6.5. This includes core operating system functionality such as the kernel, device management and file system management. c) OEM adaptation layer. A layer of code that resides between the operating system kernel and the hardware of Mobile Device. It facilitates communication between the operating system and the hardware and includes code to handle interrupts, timers, and generic I/O control codes (IOCTLs). 25 The diagram below demonstrates that the Common Criteria EAL4+ evaluation of Windows Mobile has focused on the Windows Mobile and Windows CE components and has placed the OEM adaptation layer (OAL) and hardware outside the scope of this base evaluation. 5 Feb 2010 Version 1.0 Page 4 Figure 2 – Windows Mobile 6.5 architectural design layers 2.4 Clarification of Scope 26 The scope of the evaluation was limited to those claims made in the Security Target (Ref 72H72H72H[2]). 2.4.1 Evaluated Functionality 27 The TOE provides the following evaluated security functionality: Table 1 – Windows Mobile security features Security function TOE security feature Sensitive Data Protection. The TOE supports 128-bit AES encryption of data stored locally on the Mobile Device and also on removable storage cards. S/MIME support. The TOE provides additional protection features for e-mail messages, whether in transit between device and server or at rest. Device data protection. The TOE provides the capability to protect data at rest. Certified cryptographic module. The TOE includes a FIPS validated cryptographic module enabling applications to make use of inbuilt cryptographic operations. SSL/TLS channel encryption. The TOE supports SSL/TLS encryption enabling sensitive data to be transmitted between the device and server, over-the-air or through a wired connection. Secure enterprise access. The TOE provides the capability to securely connect trusted enterprise assets and facilitate secure data transfer. Mobile VPN. Incorporating secure key exchange (IKEv2), an IPSec VPN tunnel can be established between the TOE and the enterprise gateway, providing protection for information communicated between the TOE and Line of Business (LOB) servers within the trusted enterprise. 5 Feb 2010 Version 1.0 Page 5 Security function TOE security feature Enterprise Authentication. The TOE provides the capability to support enterprise authentication mechanisms. Controlled application installation. The TOE can be configured to only permit applications signed with a trusted certificate to be installed on the Mobile Device. Device application control. The TOE provides the capability to control the installation and execution of applications on the Mobile Device. Controlled application execution. The TOE implements code execution control to only permit applications signed with a trusted certificate to be executed on the Mobile Device. Device authentication and lock. The TOE implements functionality that requires the Mobile User to enter a password to gain access to the Mobile Device. Local device wipe. The TOE can be configured to perform a local device wipe after a specified number of incorrect login attempts by the Mobile User on the Mobile Device. Device access control. The TOE has capability to provide controlled access to information and functionality of the Mobile Device. Trusted provisioning. The TOE implements protection mechanisms to ensure that provisioning and configuration data can only be accepted by the Mobile Device from a trusted source. Security roles and policies. The TOE maintains multiple management roles and implements a suite of security policies which determine access to resources on the Mobile Device. Remote wipe. The TOE can be configured to accept a command from a management server to remotely wipe the Mobile Device. Device security management. The TOE has configurable security and management policies that enable enterprise management of the Mobile Device. Device management policies. The TOE supports a range of mobile device management capabilities which can be instilled by the Enterprise Administrator through Server Center Mobile Device Manager (SCMDM) 2008. 2.4.2 Non-evaluated Functionality 28 Potential users of the TOE are advised that some functions and services have not been evaluated as part of the evaluation. Potential users of the TOE should carefully consider their requirements for using functions and services outside of the evaluated configuration; Australian Government users should refer to Australian Government ICT Security Manual (ISM) 5 Feb 2010 Version 1.0 Page 6 (Ref 73H73H73H[3]) for policy relating to using an evaluated product in an un-evaluated configuration. New Zealand Government users should consult the Government Communications Security Bureau (GCSB). 29 The functions and services that have not been included as part of the evaluation are provided below: a) Application Layer which includes: i) Microsoft Windows Mobile applications; ii) OEM applications; and iii) Applications provided by independent software vendors. b) OEM Layer which includes i) drivers; ii) boot loader; iii) OEM configuration files; and iv) Hardware. 30 The mobile device handset does not form part of the TOE. Potential users should note that the security functionality provided by the TOE is independent of the handset hardware platform. 2.4.3 TOE for Composition 31 The TOE forms the software part of a software and hardware ‘composed evaluation’ product. The TOE ETR (Ref 74H74H74H[1]) provides composition guidance for an OEM to meet in developing a hardware component for a composed product. The ETR is a controlled document and is available from the ACA or Microsoft to Microsoft-approved OEMs. 2.4.4 TOE User 32 The OEM is the primary customer of the operating system. Microsoft provides the OEM with security updates and they are expected to pass them on to the end users. 2.5 Usage 2.5.1 Evaluated Configuration 33 This section describes the configurations of the TOE that were included within scope of the evaluation. The assurance gained via evaluation applies specifically to the TOE in the defined evaluated configuration. Additionally, Australian Government users should refer to the ISM (Ref 75H75H75H[3]) for guidance on Australian Government policy requirements. New Zealand Government users should consult the GCSB. 34 The evaluated configuration is provided in the Windows Mobile 6.5 “EAL4+” Enterprise Administrator, OEM and User Guidance Supplements (Refs 76H76H76H[4],77H77H77H[5] and 78H78H78H[6]). The principal policies that are applied to the TOE in the evaluated configuration are: 5 Feb 2010 Version 1.0 Page 7 a) Minimum Password Length and complexity Requirements; b) Storage card encryption; c) Device Encryption; d) Local device wipe after a configurable number of unsuccessful authentication attempts; e) S/MIME settings, 3DES/SHA1; f) Applications must be signed to be installed or to run; g) Mobile operator message and provisioning services SI, SL and OMA- CP are disabled; and h) Device password required for Desktop ActiveSync. 35 The TOE is required to be used on a mobile device evaluated to EAL4 which complies with the requirements stated in the Windows Mobile 6.5 ETR for composition (Ref 79H79H79H[1]). OEMs and evaluators of the composite product should refer to this ETR for an explanation of the functions that the OS relies on, and which must be implemented by the OEM. 2.5.2 Delivery procedures 36 The delivery process to the OEM comprises the following distinct stages: a) Final development. Specific actions taken during the final development stages to ensure that the TOE is ready for release. b) Release to manufacturer. The initial release to the OEMs for review and incorporation into mobile platforms. Development of specific applications and underlying software and hardware for integration with the TOE. c) Official release via Microsoft OEM Online. Once all integration and testing efforts have occurred the official release is provided through the Microsoft OEM Online (MOO) capability. 37 Post official release delivery to the OEM the following additional phases also occur: a) Mobile operator customization. Implementation of Mobile Operator applications and service offerings for use by end consumers of the Mobile Device. b) Delivery to mobile user. Final delivery to the end consumers of the TOE and Windows Mobile powered devices. 2.5.2.1 Final development 38 In the final stages of the develop phase, Windows Mobile Feature Teams (developers of the various features that comprise the Windows Mobile OS) are responsible for definition of test cases to validate that all feature requirements have been satisfied. During this phase the Adaptation Kit Update (AKU), or specific version of the TOE, is produced for testing. Feature requirements, test cases and the AKU for release testing pass into the RTM phase. 5 Feb 2010 Version 1.0 Page 8 2.5.2.2 Release to manufacturer (RTM) 39 In the RTM phase, test requirements and test cases are loaded into the Logo Test Kit (LTK) access database. Test cases are executed against the AKU intended for release. Test Case 5000 includes verification of the CRC for each component (executable and dynamic link library) comprising the WM operating system. Other test cases validate the correct functional behaviour of the Windows Mobile operating system features (including security features). Following execution of LTK against the AKU, results are logged and the following outcomes implemented: a) If testing passes. The AKU can be released to Microsoft-approved OEM for integration; or b) If testing has failed. Manual verification of failed tests is conducted to confirm whether test cases are incorrect, or that the AKU tested feature does not meet the requirement. Where it is confirmed that the test case is incorrect, it may be determined (by code analysis or other manual verification methods) that that the AKU still meets the feature requirements. In this case, an AKU may be released to market. If testing confirmed that feature requirements have not been met, the AKU is not released to market and feature teams may make changes to the feature. In this case a new AKU would result. 2.5.2.3 Microsoft OEM Online 40 The Microsoft OEM Online https://www.microsoftoem.com is a confidential and controlled site that is subject to legal agreements and bindings. Only licensed OEMs are permitted to access this site and collect products that they are licensed to access. At a minimum an OEM must have a Customer’s Non-Disclosure Agreement (“NDA”) with Microsoft, and one or more of the following: a) a Microsoft Business Terms Document For OEM Customers; b) a Microsoft OEM Business Terms Document for Embedded Systems (“BTDE”); c) a Microsoft OEM Embedded Systems License Agreement for Reference Platform Devices, an OEM Customer License Agreement, or a Microsoft OEM Distribution Agreement For Software Products For Embedded Systems (each an “Embedded Agreement”); d) an MSLI OEM Online Site Agreement (“Site Agreement”); e) a Microsoft OEM Distributor Channel Agreement (“OEM Distributor Channel Agreement”) 41 At this point licensed OEMs are permitted to access the finalised versions of the Windows Mobile operating system for installation on their specific Windows Mobile powered devices. 2.5.2.4 Mobile operator customization 42 In the mobile operator customization phase, Mobile Operators perform final customization of the mobile device. 5 Feb 2010 Version 1.0 Page 9 43 This customization of the mobile device may include: a) installation of mobile operator specific applications; b) setting of mobile device themes; c) configuration of functionality to allow device management within the mobile operator network; and/or d) device configuration (within the limitation of the mobile operator(s) security role) on behalf of customers. 44 Mobile Operators can make use of the CRC verification tool to determine whether the Windows Mobile operating system image provided by an OEM is the same as that released by Microsoft in the RTM Phase. 45 It is possible for an enterprise customer to bypass the Mobile Operator and negotiate provisioning of mobile devices directly from an OEM. In this case, this phase of delivery is not used. 46 There are no specific delivery responsibilities or approvals in this phase related to the Windows Mobile Operating System. The responsibilities and approvals within this phase are based on commercial arrangements between the OEM and the Mobile Operators. 2.5.2.5 Delivery to the enterprise administrator or end user 47 The Windows Mobile 6.5 Security Target (Ref. 80H80H80H[2]) includes assumptions that both the OEM and Mobile Operators are trusted to not alter/modify the security enforcing functions. With these assumptions in mind, the Enterprise Administrator or Mobile User can have assurance that the mobile device and operating system have not been altered if the manufacturers shrink wrapped packaging is intact. 48 The Enterprise Administrator or Mobile User is encouraged to check the shrink wrapping of the delivered Mobile Device. If there are signs of tampering or damage then the manufacturer should be contacted. 49 The Enterprise Administrator or Mobile User must acquire the relevant evaluation guidance supplements from the Microsoft TechNet website (32H32H32Hhttp://technet.microsoft.com/en-us/ee441336.aspx) so that Windows Mobile powered devices are administered and used in a controlled manner and in accordance with the evaluated configuration. 50 The following documents can be obtained from Microsoft TechNet: a) WM6.5 EAL4+ Enterprise Administrator Guidance Supplement (Ref. 81H81H81H[5]), and b) WM6.5 EAL4+ User Guidance Supplement (Ref. 82H82H82H[6]). 2.5.3 Determining the Evaluated Configuration 51 The TOE is labelled with the unique reference and can be reviewed by the end-user by completing the following steps: 52 For Windows Mobile 6.5 Professional: a) Go to Start > Settings 5 Feb 2010 Version 1.0 Page 10 b) Select the System tab c) Select the About to open the About window 53 For Windows Mobile 6.5 Standard: a) Go to Start > Settings b) Select About to open the About window 54 Device information is then displayed: a) Marketing description – In this case it is Windows Mobile 6.5. b) Window CE Operating system version – OS 5.2.21849. c) AKU build – Build 21849 AKU 5.0.63 2.5.4 Documentation 55 OEMs will be required to supply relevant evaluation guidance supplements to the enterprise administrator and end user so that Windows Mobile powered devices are administered and used in a controlled manner and in accordance with the evaluated configuration. 56 The following documents need to be distributed by the OEM: a) WM6.5 EAL4+ Enterprise Administrator Guidance Supplement (Ref. 83H83H83H[5]); and b) WM6.5 EAL4+ User Guidance Supplement (Ref. 84H84H84H[6]). 57 Other guidance is referenced from these documents and should be followed where there is no contradiction. In the case of a contradiction, the order of authority is: a) The DSD Consumer Guide (for Australian and New Zealand users) where one is available; b) This Certification Report; c) The guidance documentation listed above in Paragraph 85H85H85H56; and d) Any subsequent referenced guidance documentation. 2.5.5 Secure Usage 58 The evaluation of the TOE took into account certain assumptions about its operational environment. These assumptions must hold in order to ensure the security objectives of the TOE are met. 5 Feb 2010 Version 1.0 Page 11 Table 2 - Assumptions Identifier Assumption statement A.USAGE Mobile Users are trusted to: a) follow user guidance; b) ensure that the TOE continues to operate in the evaluated configuration; c) only permit ActiveSync connections between the Mobile Device and trusted computing devices; and d) store the Mobile Device when not in use in a physically protected area that is appropriate for the information processed by the TOE. A.DELIVERY The security enforcing components of the TOE will not be modified by either the Mobile Operator or the manufacturer of the Mobile Device during the delivery process. A.IT_ENTERPRISE The Active Directory Server and all LOB Servers are located within the enterprise boundary and are protected from unauthorized logical/physical access. A.ADMIN The Enterprise Administrator is not careless, wilfully negligent, or hostile, and will follow and abide by the instructions provided by administrator documentation. A.I&A_ENTERPRISE The IT environment will provide mechanisms for authenticating Mobile Users when accessing their mailbox and other resources within the corporate network. A.COMMS_ENT The IT environment will provide the server-side of a secure channel between the System Center Mobile Device Manager and LOB Servers and the Mobile Device. A.SEC_POLICY The IT environment will implement System Center Mobile Device Manager for managing devices and establishing enterprise policy. Chapter 3 - Evaluation 3.1 Overview 59 This chapter contains information about the procedures used in conducting the evaluation and the testing conducted as part of the evaluation. 3.2 Evaluation Procedures 60 The criteria against which the Target of Evaluation (TOE) has been evaluated are contained in the Common Criteria for Information Technology Security Evaluation Version 3.1 (Refs 86H86H86H[7], 87H87H87H[8], 88H88H88H[9]). The methodology used is described in the Common Methodology for Information Technology Security Evaluation Version 3.1 (CEM) (Ref 5 Feb 2010 Version 1.0 Page 12 89H89H89H[10]). The evaluation was carried out in accordance with the operational procedures of the Australasian Information Security Evaluation Program (AISEP) (Refs 90H90H90H[11], 91H91H91H[12], 92H92H92H[13] and 93H93H93H[14]). In addition, the conditions outlined in the Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security (Ref 94H94H94H[15]) were also upheld. 3.3 Functional Testing 61 To gain confidence that the developer’s testing was sufficient to ensure the correct operation of the TOE, the evaluators analysed the evidence of the developer’s testing effort. This analysis included examining: test coverage; test plans and procedures; and expected and actual results. The evaluators drew upon this evidence to perform a sample of the developer tests in order to verify that the test results were consistent with those recorded by the developers. The evaluators confirmed that the actual test results were consistent with the expected test results. 3.4 Penetration Testing 62 Penetration testing was conducted based on an independent vulnerability analysis of the TOE using the guidance documentation, functional specification, TOE design, security architecture description, implementation representation as well as available public information. The evaluators used these tests to determine that the TOE is resistant to attacks performed by an attacker possessing Enhanced-Basic attack potential. The following factors have been taken into consideration during the penetration tests: a) Time taken to identify and exploit (elapsed time); b) Specialist technical expertise required (specialist expertise); c) Knowledge of the TOE design and operation (knowledge of the TOE); d) Window of opportunity; and e) IT hardware/software or other equipment required for exploitation. 63 The results of the penetration testing note that a number of additional vulnerabilities exist that are dependent on an attacker having access to the underlying hardware and related interfaces. Access to the underlying hardware is out of scope of this evaluation; however must be considered when the TOE is used in composition with OEM hardware. Due to the nature of mobile devices, the opportunity for an attacker to access a lost or stolen device is greatly increased. Chapter 4 - Certification 4.1 Overview 64 This chapter contains information about the result of the certification, an overview of the assurance provided by the level chosen, and recommendations made by the certifiers. 5 Feb 2010 Version 1.0 Page 13 4.2 Certification Result 65 After due consideration of the conduct of the evaluation as witnessed by the certifiers, and of the Evaluation Technical Report (Ref 95H95H95H[1]), the Australasian Certification Authority certifies the evaluation of Windows Mobile 6.5 performed by the Australasian Information Security Evaluation Facility, stratsec. 66 stratsec has found that Windows Mobile 6.5 upholds the claims made in the Security Target (Ref 96H96H96H[2]) and has met the requirements of the Common Criteria (CC) evaluation assurance level EAL4 + ALC_FLR.1. 67 Certification is not a guarantee of freedom from security vulnerabilities. 4.3 Assurance Level Information 68 EAL4 provides assurance by a full security target and an analysis of the security functions in that ST, using a functional and complete interface specification, guidance documentation, a description of the basic modular design of the TOE, and a subset of the implementation to understand the security behaviour. 69 The analysis is supported by independent testing of the TOE security functions, evidence of developer testing based on the functional specification and TOE design, selective independent confirmation of the developer test results, and a vulnerability analysis demonstrating resistance to penetration attackers with an Enhanced-Basic attack potential. 70 EAL4 also provides assurance through the use of development environment controls and additional TOE configuration management including automation, and evidence of secure delivery procedures. 4.4 Recommendations 71 Not all of the evaluated functionality present in the TOE may be suitable for Australian and New Zealand Government users. For further guidance, Australian Government users should refer to the ISM (Ref 97H97H97H[3]) and New Zealand Government users should consult the Government Communications Security Bureau (GCSB). 72 In addition to ensuring that the assumptions concerning the operational environment are fulfilled and the guidance document is followed (Refs 98H98H98H[4], 99H99H99H[5] and 100H100H100H[6]), the ACA also recommends that: a) The administrator ensures that no applications are installed which will allow the user to change the security areas of the registry. b) The administrator reviews the certificates in the Software Provider Certificate (SPC), privileged and unprivileged certificate stores and removes any certificates that are not required. This action prevents unwanted, signed applications from being installed on the TOE. Note: some certificates are required for the TOE to operate, and the administrator should verify that the TOE can function without the certificates that are removed during provisioning. 5 Feb 2010 Version 1.0 Page 14 c) The administrator ensures that users are aware of the importance of running the TOE in the evaluated configuration. In event of a device wipe, the mobile device should be returned to the administrator for reconfiguration. d) The administrator advises users against using the device as a primary data store. This is because data on the device and storage card is encrypted, and the keys stored on the device are destroyed during a device wipe. e) The administrator sets the lockout time on a device to reflect the criticality of the data stored on a mobile device. The reduction in lockout time reduces the chances of an attacker gaining access to a device in an unlocked state. f) The administrator sets mobile device policy to encrypt all areas of the device that may contain user data. g) The administrator ensures that SD card and local device encryption is enabled prior to users placing any files into internal stores or SD media. h) The administrator lock down all unrequired physical ports on mobile devices to reduce the risk of vulnerabilities in OEM hardware and firmware. i) The administrator consider disabling the use of the Bluetooth radio in order to prevent exploitation of well know weaknesses in the Bluetooth key pairing process. 5 Feb 2010 Version 1.0 Page 15 Annex A - References and Abbreviations A.1 References [1] Windows Mobile 6.5 EAL4+ Evaluation Technical Report 1.0, January 2010 [2] Windows Mobile 6.5 EAL4+ Common Criteria Evaluation Security Target version 1.0, July 2009 [3] Australian Government ICT Security Manual (ISM), December 2008, Defence Signals Directorate, (available at 33H33H33Hwww.dsd.gov.au). [4] Windows Mobile 6.5 EAL4+ OEM Guidance Supplement version 1.0, January 2010 [5] WM6.5_EAL4+ Enterprise Administrator Guidance Supplement 1.0, January 2010 [6] Windows Mobile 6.5 User Guide Supplement version 1.0, January 2010 [7] Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model (CC), Version 3.1, Revision 3, July 2009, CCMB-2009-07-001 [8] Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Components (CC), Version 3.1, Revision 3, July 2009, CCMB-2009-07-002 [9] Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Components (CC), Version 3.1, Revision 3, July 2009, CCMB-2009-07-003 [10] Common Methodology for Information Technology Security Evaluation (CEM), Version 3.1 Revision 3, July 2009, CCMB-2009-07-004 [11] AISEP Publication No. 1 – Program Policy, AP 1, Version 3.1, 29 September 2006, Defence Signals Directorate. [12] AISEP Publication No. 2 – Certifier Guidance, AP 2. Version 3.1, 29 September 2006, Defence Signals Directorate. [13] AISEP Publication No. 3 – Evaluator Guidance, AP 3. Version 3.1, 29 September 2006, Defence Signals Directorate. [14] AISEP Publication No. 4 – Sponsor and Consumer Guidance, AP 4. Version 3.1, 29 September 2006, Defence Signals Directorate. [15] Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security, May 2000 5 Feb 2010 Version 1.0 Page 16 A.2 Abbreviations ACA Australasian Certification Authority AES Advanced Encryption Standard AISEF Australasian Information Security Evaluation Facility AISEP Australasian Information Security Evaluation Program CC Common Criteria CCMB Common Criteria Maintenance Board CEM Common Evaluation Methodology DSD Defence Signals Directorate EAL Evaluation Assurance Level ETR Evaluation Technical Report FLR Flaw Remediation GCSB Government Communications Security Bureau IOCTL Input Output Control LOB Line Of Business OAL OEM Adaptation Layer OEM Original Equipment Manufacturer PP Protection Profile SCMDM System Center Mobile Device Manager SD Secure Digital SFP Security Function Policy SFR Security Functional Requirements SPC Software Publishing Certificate SSL Secure Socket Layer ST Security Target TOE Target of Evaluation TSF TOE Security Functions TSP TOE Security Policy VPN Virtual Private Network