Windows Phone 6.5 (with Good Mobility Suite) Security Technical Implementation Guide

  • Version/Release: V1R2
  • Published: 2011-10-04

This STIG contains technical security controls required for the use of Windows Phone 6.5 devices in the DoD environment when managed by the Good Mobility Suite.
The VPN client on wireless clients (PDAs, smartphones) used for remote access to DoD networks must be FIPS 140-2 validated. This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
Medium - V-18627 - SV-40030r1_rule
RMF Control
Severity: Medium
CCI
Version: WIR-MOS-WP-034-01
Vuln IDs
  • V-18627
Rule IDs
  • SV-40030r1_rule
Discussion: DoD data could be compromised if transmitted data is not secured with a compliant VPN. FIPS validation provides a level of assurance that the encryption of the device has been securely implemented.
IA Controls: ECWN-1
Checks: C-39046r1_chk

This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review the VPN client specification sheets and FIPS 140-2 certificate. Verify the devices have a VPN client installed and that it is FIPS 140-2 validated. Check the NIST certificate for the mobile OS or VPN client. Mark as a finding if the VPN is not FIPS 140-2 validated.

Fix: F-20573r2_fix

Comply with policy requirement.

All wireless PDA clients used for remote access to DoD networks must have a VPN that supports AES encryption. This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
Medium - V-19897 - SV-40031r1_rule
RMF Control
Severity: Medium
CCI
Version: WIR-MOS-WP-034-02
Vuln IDs
  • V-19897
Rule IDs
  • SV-40031r1_rule
Discussion: DoD data could be compromised if transmitted data is not secured with a compliant VPN.
Responsibility: System Administrator
IA Controls: ECWN-1
Checks: C-39047r1_chk

This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review the VPN client specification sheets. Verify AES encryption is enabled for the VPN client. Mark as a finding if AES is not supported or is not enabled.

Fix: F-20573r2_fix

Comply with policy requirement.

All wireless PDA clients used for remote access to DoD networks must have a VPN supporting CAC authentication. This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
Medium - V-19898 - SV-40032r1_rule
RMF Control
Severity: Medium
CCI
Version: WIR-MOS-WP-034-03
Vuln IDs
  • V-19898
Rule IDs
  • SV-40032r1_rule
Discussion: DoD data could be compromised if transmitted data is not secured with a compliant VPN.
Responsibility: System Administrator
IA Controls: ECWN-1
Checks: C-39048r1_chk

This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Verify the VPN client supports CAC authentication to the DoD network (recommend asking the site wireless device administrator to demo this capability). Mark as a finding if CAC authentication is not supported.

Fix: F-20573r2_fix

Comply with policy requirement.

All wireless PDA client VPNs must have split tunneling disabled. This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
Medium - V-19899 - SV-40033r1_rule
RMF Control
Severity: Medium
CCI
Version: WIR-MOS-WP-034-04
Vuln IDs
  • V-19899
Rule IDs
  • SV-40033r1_rule
Discussion: DoD data could be compromised if transmitted data is not secured with a compliant VPN. Split tunneling could allow connections from non-secure Internet sites to access data on the DoD network.
Responsibility: System Administrator
IA Controls: ECWN-1
Checks: C-39049r1_chk

This check is not applicable if the installed VPN client is not used for remote access to DoD networks. Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Check whether the VPN has a setting to disable split tunneling. Verify split tunneling has been disabled. Mark not applicable if the VPN is not used for remote access to a DoD network.

Fix: F-20573r2_fix

Comply with policy requirement.

Smartphone devices must have required operating system software versions installed.
Medium - V-24981 - SV-32836r2_rule
RMF Control
Severity: Medium
CCI
Version: WIR-MOS-WP-001
Vuln IDs
  • V-24981
Rule IDs
  • SV-32836r2_rule
Discussion: Required security features are not available in earlier OS versions. In addition, there are known vulnerabilities in earlier versions.
Responsibility: System Administrator
IA Controls: ECSC-1, ECWN-1
Checks: C-33514r1_chk

Verify the Windows Phone version is 6.5 or later:
  • Log into the Windows Phone.
  • Go to Settings > General > About > Version.
Verify the Good App version is 6.0.1.x or later:
  • Log into the Windows Phone device.
  • Launch the Good app and enter login info.
  • Go to Preferences > About.
Mark as a finding if either version is not as required.

Fix: F-27622r1_fix

Install required OS version.

Smart Card Readers (SCRs) used with smartphone must have required software version installed.
Low - V-24982 - SV-32837r2_rule
RMF Control
Severity: Low
CCI
Version: WIR-MOS-WP-002
Vuln IDs
  • V-24982
Rule IDs
  • SV-32837r2_rule
Discussion: Required security features are not available in earlier software versions. In addition, there may be known vulnerabilities in earlier versions.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-33515r1_chk

Verify the following:
  • For the Apriva SCR, the firmware is 03.30.08 or later and the SCR driver is 01.05.06 or later.
  • For the BAL SCR, the firmware is 1.3.4.12 or later.

Fix: F-27623r1_fix

Install required SCR software version.

If smartphone email auto signatures are used, the signature message must not disclose that the email originated from a smartphone (e.g., “Sent From My Wireless Handheld”).
Low - V-24984 - SV-32838r2_rule
RMF Control
Severity: Low
CCI
Version: WIR-MOS-WP-004
Vuln IDs
  • V-24984
Rule IDs
  • SV-32838r2_rule
Discussion: The disclaimer message may give information that keys an attacker in on the device. This is primarily an OPSEC issue. This setting was directed by CYBERCOM.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-33516r2_chk

Verify the auto-signature, if used, meets requirements.
  • Check a random sample of 3-4 devices.
  • On the handheld, launch the Good client and go to Preferences > Signature.
Mark as a finding if the device has been configured with an auto-signature and the signature states the email originated from a smartphone.

Fix: F-27625r2_fix

Ensure the smartphone email auto-signature message does not disclose that the email originated from a smartphone or a mobile device (e.g., “Sent From My Wireless Handheld”).

All non-core applications on the smartphone must be approved by the DAA or Command IT Configuration Control Board.
Low - V-24986 - SV-32839r2_rule
RMF Control
Severity: Low
CCI
Version: WIR-MOS-WP-006-01
Vuln IDs
  • V-24986
Rule IDs
  • SV-32839r2_rule
Discussion: Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware or spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server).
Responsibility: Information Assurance Officer
IA Controls: DCCB-1, ECWN-1
Checks: C-33517r1_chk

  • Select 3-4 random devices managed by the site to review.
  • Make a list of non-core applications on each device.
    • Have the user log into the device. View all App icons on the home screen or in folders on the home screen.
    • If an App is not in the list of core Apps (see below), note the name of the App.
    • Verify the site has written approval to use the App from the DAA or site IT CCB.
  • Mark as a finding if any App has not been approved.
A list of standard core Windows Phone 6.5 device Apps can be found in the STIG Configuration Tables document.
Note: The DAA or IT CCB should also indicate if location services are approved for any approved applications, including core applications (e.g., camera, maps, etc.).

Fix: F-27627r2_fix

Have the DAA or Command IT CCB review and approve all non-core applications on mobile OS devices.

All smartphones must display the required banner during device unlock/ logon.
Medium - V-25022 - SV-32840r2_rule
RMF Control
Severity: Medium
CCI
Version: WIR-MOS-WP-007
Vuln IDs
  • V-25022
Rule IDs
  • SV-32840r2_rule
Discussion: DoD CIO memo requires all PDAs, BlackBerrys, and smartphones to have a consent banner displayed during logon/device unlock to ensure users understand their responsibilities to safeguard DoD data.
Responsibility: System Administrator
IA Controls: ECWM-1
Checks: C-33518r1_chk

The following banner is required: “I've read & consent to terms in IS user agreem't.”
Check Procedure: Verify that when the Good App is launched the banner is displayed on the screen. The banner must exactly match the required phrase.

Fix: F-27693r2_fix

Display the required banner during device unlock/logon.