Good Mobility Suite Server (Windows Phone 6.5) Security Technical Implementation Guide

U_Good_Mobility_Suite_(Windows_Phone)_V1R2_manual-xccdf.xml

This STIG provides technical security controls required for the use of the Good Mobility Suite with Windows Phone 6.5 devices in the DoD environment.
Details

Version / Release: V1R2

Published: 2011-10-04

Updated At: 2018-09-23 02:43:10

Findings
Rule | Version | Severity | Title | Description | Responsibility | IA Controls
SV-30809r2_rule | WIR-WMS-GD-001 | MEDIUM | The required smartphone management server or later version must be used. | Earlier versions of the smartphone management server may have security vulnerabilities or may not have implemented required security features. | System Administrator | ECSC-1
SV-30810r2_rule | WIR-WMS-GD-002 | MEDIUM | The host server where the smartphone management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Web Server, Apache Tomcat, IIS, etc.). | Wireless email services are installed on a Windows Server. The server must be compliant with the Windows STIG and applicable Application STIGs to ensure the system is not vulnerable to an attack resulting in a denial of service or compromise of the wireless email server. | System Administrator | ECSC-1
SV-30811r2_rule | WIR-WMS-GD-003 | HIGH | The smartphone management server email system must be set up with the required system components in the required network architecture. | The wireless email server architecture must comply with the DoD environment because approval of the smartphone management server is contingent on installation with the correct settings. DoD enclaves could be at risk of penetration, or DoD data could be compromised, if the smartphone management server is not installed as required. | System Administrator | ECSC-1
SV-30812r2_rule | WIR-WMS-GD-004 | HIGH | The smartphone management server host-based or appliance firewall must be installed and configured as required. | A smartphone user could gain access to unauthorized network resources (application and content servers, etc.) if the smartphone management server host firewall is not set up as required. | System Administrator | ECSC-1
SV-30819r2_rule | WIR-WMS-GD-007 | MEDIUM | Smartphone user accounts must not be assigned to the default security/IT policy. | The default security/IT policy on the smartphone management server does not include most DoD-required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data exposure and hacker attack if users are assigned the default (or another non-STIG-compliant) security/IT policy. | System Administrator | ECSC-1
SV-30727r2_rule | WIR-GMMS-004 | LOW | “Re-challenge for CAC PIN every” must be set. | A user’s CAC PIN or software certificate PIN is cached in memory on the device for a short period of time so the user does not have to re-enter the PIN every time the user’s digital certificates are required for an S/MIME operation. The cache is cleared after a set period of time to limit exposure of the digital certificates to unauthorized use. Otherwise, a hacker may be able to gain access to the device while the PIN is still cached in memory, open the Good application, and gain access to sensitive DoD information. | System Administrator | ECSC-1
SV-39982r1_rule | WIR-WMS-GD-009-01 | LOW | Handheld password must be set as required. | Passwords used for a long time are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the smartphone and sensitive DoD data stored on the smartphone. | System Administrator | ECWN-1, IAIA-1
SV-30822r2_rule | WIR-WMS-GD-009-02 | LOW | Previously used passwords must be disallowed for the security/email client on the smartphone. | Previously used passwords are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the smartphone and sensitive DoD data stored on the smartphone. | System Administrator | ECWN-1, IAIA-1
SV-30823r2_rule | WIR-WMS-GD-009-03 | MEDIUM | Password minimum length must be set as required for the smartphone security/email client. | Short passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure of sensitive DoD data. | System Administrator | ECWN-1, IAIA-1
SV-30824r2_rule | WIR-WMS-GD-009-04 | LOW | Repeated password characters must be disallowed for the Good app. | Repeated password characters reduce the strength of a password against password hacking tools, which could lead to unauthorized access to the smartphone and exposure of sensitive DoD data. | System Administrator | ECWN-1, IAIA-1
SV-30825r2_rule | WIR-WMS-GD-009-06 | MEDIUM | Maximum invalid password attempts must be set as required for the smartphone security/email client. | A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and exposure of sensitive DoD data. | System Administrator | ECWN-1, IAIA-1
SV-30827r2_rule | WIR-WMS-GD-009-07 | MEDIUM | Data must be wiped after the maximum number of password attempts is reached for the smartphone security/email client. | A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and exposure of sensitive DoD data. | System Administrator | ECWN-1, IAIA-1
SV-30826r2_rule | WIR-WMS-GD-009-05 | MEDIUM | Inactivity lock must be set as required for the smartphone security/email client. | Sensitive DoD data could be exposed to unauthorized viewing or use if the screen of a lost or stolen smartphone was not locked. | System Administrator | PESL-1
SV-30735r2_rule | WIR-GMMS-006-01 | MEDIUM | "Do not allow data to be copied from the Good application" must be checked. | Sensitive data could be saved in the non-FIPS 140-2-validated area of memory on the smartphone, which would violate DoD policy and may expose sensitive DoD data. | System Administrator | ECCR-1
SV-30738r2_rule | WIR-GMMS-008 | MEDIUM | The Over-The-Air (OTA) device provisioning PIN must have an expiration set. | The time period during which a device can be provisioned via OTA provisioning needs to be controlled to ensure unauthorized people do not have the capability to set up rogue devices on the network. | System Administrator | ECWN-1
SV-30739r2_rule | WIR-GMMS-009 | LOW | OTA provisioning PIN reuse must not be allowed. | Reuse of the OTA PIN can allow a hacker to provision an unauthorized device on the system. | System Administrator | ECWN-1
SV-30830r1_rule | WIR-GMMS-007 | LOW | If smartphone access to the Good app contact lists is enabled, the contact information made available must be limited. | Sensitive contact information could be exposed. | System Administrator | ECWN-1
SV-30832r2_rule | WIR-GMMS-001 | MEDIUM | Password access to the Good app on the smartphone must be enabled. | A hacker could gain access to sensitive data in the smartphone application and obtain an attack vector into the enclave if the password access control/authentication feature of the application is not enabled. | System Administrator | ECWN-1, IAIA-1
SV-32013r2_rule | WIR-WMS-GD-010 | LOW | The PKI digital certificate installed on the wireless email management server must be a DoD PKI-issued certificate. | When a self-signed PKI certificate is used, a rogue wireless email management server can impersonate the DoD wireless email management server. DoDI 8520.02 requires that PKI certificates come from a trusted DoD PKI. | System Administrator | IATS-1
SV-32759r2_rule | WIR-GMMS-021-02 | MEDIUM | The following Bluetooth configuration must be set as required: General Audio/Video Distribution Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32760r2_rule | WIR-GMMS-021-03 | MEDIUM | The following Bluetooth configuration must be set as required: Personal Area Networking Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32761r2_rule | WIR-GMMS-021-04 | MEDIUM | The following Bluetooth configuration must be set as required: Serial Port Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32762r2_rule | WIR-GMMS-021-01 | MEDIUM | The following Bluetooth configuration must be set as required: Enable discovery. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32764r2_rule | WIR-GMMS-021-05 | MEDIUM | The following Bluetooth configuration must be set as required: Generic Object (Exchange) Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32765r2_rule | WIR-GMMS-021-06 | MEDIUM | The following Bluetooth configuration must be set as required: Common ISDN Access Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32767r2_rule | WIR-GMMS-021-07 | MEDIUM | The following Bluetooth configuration must be set as required: Dial Up Network Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32769r2_rule | WIR-GMMS-021-08 | MEDIUM | The following Bluetooth configuration must be set as required: Fax Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32771r2_rule | WIR-GMMS-021-09 | MEDIUM | The following Bluetooth configuration must be set as required: LAN Access Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32772r2_rule | WIR-GMMS-021-10 | MEDIUM | The following Bluetooth configuration must be set as required: Cordless Telephony Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32773r2_rule | WIR-GMMS-021-11 | MEDIUM | The following Bluetooth configuration must be set as required: Intercom Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32774r2_rule | WIR-GMMS-021-12 | MEDIUM | The following Bluetooth configuration must be set as required: Wireless Application Protocol Bearer. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32775r2_rule | WIR-GMMS-021-13 | MEDIUM | The following Bluetooth configuration must be set as required: Active Sync. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32776r2_rule | WIR-GMMS-021-14 | MEDIUM | The following Bluetooth configuration must be set as required: Advanced Audio Distribution Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32777r2_rule | WIR-GMMS-021-15 | MEDIUM | The following Bluetooth configuration must be set as required: Basic Imaging Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32778r2_rule | WIR-GMMS-021-16 | MEDIUM | The following Bluetooth configuration must be set as required: Basic Printing Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32779r2_rule | WIR-GMMS-021-17 | MEDIUM | The following Bluetooth configuration must be set as required: OBEX File Transfer Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32780r2_rule | WIR-GMMS-021-18 | MEDIUM | The following Bluetooth configuration must be set as required: Object Push Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32781r2_rule | WIR-GMMS-021-19 | MEDIUM | The following Bluetooth configuration must be set as required: Synchronization Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32783r2_rule | WIR-GMMS-021-20 | MEDIUM | The following Bluetooth configuration must be set as required: Phone Book Access Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32787r2_rule | WIR-GMMS-021-21 | MEDIUM | The following Bluetooth configuration must be set as required: Video Distribution Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32789r2_rule | WIR-GMMS-021-22 | MEDIUM | The following Bluetooth configuration must be set as required: Video Conferencing Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32791r2_rule | WIR-GMMS-021-23 | MEDIUM | The following Bluetooth configuration must be set as required: Message Access Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32792r2_rule | WIR-GMMS-021-24 | MEDIUM | The following Bluetooth configuration must be set as required: External Service Discovery Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32794r2_rule | WIR-GMMS-021-25 | MEDIUM | The following Bluetooth configuration must be set as required: Device ID Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32799r2_rule | WIR-GMMS-021-26 | MEDIUM | The following Bluetooth configuration must be set as required: Service Discovery Application Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32800r2_rule | WIR-GMMS-021-27 | MEDIUM | The following Bluetooth configuration must be set as required: Unrestricted Digital Information. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32801r2_rule | WIR-GMMS-021-28 | MEDIUM | The following Bluetooth configuration must be set as required: Audio / Video Remote Control Transport Protocol. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32802r2_rule | WIR-GMMS-021-29 | MEDIUM | The following Bluetooth configuration must be set as required: Headset and Hands-Free Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32803r2_rule | WIR-GMMS-021-30 | MEDIUM | The following Bluetooth configuration must be set as required: Human Interface Device Profile (Service and Host). | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32804r2_rule | WIR-GMMS-021-31 | MEDIUM | The following Bluetooth configuration must be set as required: Hard Copy Cable Replacement Profile. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32805r2_rule | WIR-GMMS-021-32 | MEDIUM | The following Bluetooth configuration must be set as required: SIM Access. | The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32806r2_rule | WIR-GMMS-020 | MEDIUM | The Infrared radio must be disabled. | The Infrared radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. | System Administrator | ECWN-1
SV-32807r2_rule | WIR-GMMS-022-01 | MEDIUM | The following Storage Card configuration must be set as required: Wipe storage card when wiping data. | Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on external data storage cards (e.g., MicroSD). | System Administrator | ECCR-1
SV-32808r2_rule | WIR-GMMS-022-02 | MEDIUM | The following Storage Card configuration must be set as required: Enable storage card encryption. | Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on external data storage cards (e.g., MicroSD). | System Administrator | ECCR-1
SV-32809r2_rule | WIR-GMMS-022-03 | MEDIUM | The following Storage Card configuration must be set as required: Allow encrypted storage cards to work only with the handheld that originally encrypted them. | Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on external data storage cards (e.g., MicroSD). | System Administrator | ECCR-1
SV-32810r2_rule | WIR-GMMS-023-01 | MEDIUM | The following Data Encryption configuration must be set as required: My Music. | Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders. | System Administrator | ECCR-1
SV-32811r2_rule | WIR-GMMS-023-02 | MEDIUM | The following Data Encryption configuration must be set as required: My Pictures. | Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders. | System Administrator | ECCR-1
SV-32812r2_rule | WIR-GMMS-023-03 | MEDIUM | The following Data Encryption configuration must be set as required: Personal. | Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders. | System Administrator | ECCR-1
SV-32813r2_rule | WIR-GMMS-023-04 | MEDIUM | The following Data Encryption configuration must be set as required: My Music. | Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders. | System Administrator | ECCR-1
SV-32814r2_rule | WIR-GMMS-023-05 | MEDIUM | The following Data Encryption configuration must be set as required: My Pictures. | Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders. | System Administrator | ECCR-1
SV-32815r2_rule | WIR-GMMS-023-06 | MEDIUM | The following Data Encryption configuration must be set as required: Personal. | Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders. | System Administrator | ECCR-1
SV-32817r2_rule | WIR-WMS-GD-009-08 | MEDIUM | Password complexity must be set as required. | Non-complex passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure of sensitive DoD data. | System Administrator | ECWN-1, IAIA-1
SV-32850r1_rule | WIR-GMMS-024-01 | MEDIUM | A list of Windows Mobile Pocket PC blocked apps must be set up on the Good server. | Malware could be installed on the smartphone if required controls are not followed. | System Administrator | ECVP-1
SV-32851r1_rule | WIR-GMMS-024-02 | MEDIUM | A list of Windows Mobile Smartphone blocked apps must be set up on the Good server. | Malware could be installed on the smartphone if required controls are not followed. | System Administrator | ECVP-1
SV-32852r2_rule | WIR-GMMS-025-01 | MEDIUM | The following Good Mobile Access configuration must be set as required: Enable Good Mobile Access. | The user could connect to unauthorized intranet shares, servers, and other resources if this configuration is not set correctly. | System Administrator | DCFA-1
SV-32854r2_rule | WIR-GMMS-025-02 | MEDIUM | The following Good Mobile Access configuration must be set as required: Require user to authenticate via NTLM. | The user could connect to unauthorized intranet shares, servers, and other resources if this configuration is not set correctly. | System Administrator | DCFA-1
SV-32855r2_rule | WIR-GMMS-025-03 | MEDIUM | The following Good Mobile Access configuration must be set as required: Route both intranet and Internet traffic through Good Mobile Access. | The user could connect to unauthorized intranet shares, servers, and other resources if this configuration is not set correctly. | System Administrator | DCFA-1
SV-32856r2_rule | WIR-GMMS-025-04 | MEDIUM | The following Good Mobile Access configuration must be set as required: Allow Internet access on handheld when Good Mobile Access is not running. | The user could connect to unauthorized intranet shares, servers, and other resources if this configuration is not set correctly. | System Administrator | DCFA-1
SV-32857r2_rule | WIR-GMMS-025-05 | MEDIUM | The following Good Mobile Access configuration must be set as required: Route only intranet traffic through Good Mobile Access. | The user could connect to unauthorized intranet shares, servers, and other resources if this configuration is not set correctly. | System Administrator | DCFA-1
SV-32858r2_rule | WIR-GMMS-012 | MEDIUM | S/MIME must be enabled on the Good server. | Sensitive DoD data could be exposed if the required setting is not configured on the Good server. If S/MIME support is not configured on the server, the user will not be able to view critical encrypted email or encrypt email containing sensitive DoD information. | System Administrator | ECCR-1
SV-33567r1_rule | WIR-GMMS-002 | MEDIUM | Either CAC or password authentication must be enabled for user access to the Good app on the smartphone. | Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. The Good application stores sensitive DoD information. A hacker with access to the smartphone could easily gain access to the Good application if the required authentication control is not set. | System Administrator | IAIA-1
SV-33569r1_rule | WIR-GMMS-003 | MEDIUM | “Require CAC to be present” must be set. | Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. The Good application stores sensitive DoD information. A hacker with access to the smartphone could easily gain access to the Good application if the required authentication control is not set. | System Administrator | IAIA-1
SV-33591r1_rule | WIR-WMS-GD-011 | HIGH | Authentication on system administration accounts for wireless management servers must be configured. | CTO 07-15Rev1 requires that administrator accounts use either CAC authentication or complex passwords to ensure strong access control is enforced. | System Administrator | IAIA-1, IATS-1
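As an added worked example (not part of the STIG and not Good's product code), the Python below shows how the password, lock and provisioning rules in the table (WIR-WMS-GD-007, WIR-GMMS-001, WIR-WMS-GD-009-02 through -008, WIR-GMMS-008, WIR-GMMS-009, WIR-GMMS-020) would be evaluated against an exported policy record, and how a client would enforce the password rules on a candidate password. The policy layout, field names, numeric thresholds, the "three of four character classes" reading of complexity and the "consecutive" reading of repeated characters are all assumptions made for illustration; the value each rule actually requires is in its check text, which this listing does not reproduce.

```python
"""Evaluate a Good security/IT policy record against the password, lock and
provisioning rules listed above, and enforce the password rules on a candidate.
Added illustration only: field names, thresholds and the two sample policies are
constructed assumptions, not the STIG's check values and not Good's export format.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder thresholds for the example; substitute each rule's check-text value.
ASSUMED = {
    "min_length": 8,           # WIR-WMS-GD-009-03
    "history_depth": 5,        # WIR-WMS-GD-009-02
    "max_attempts": 10,        # WIR-WMS-GD-009-06
    "inactivity_minutes": 15,  # WIR-WMS-GD-009-05
    "ota_pin_hours": 24,       # WIR-GMMS-008
}


@dataclass
class GoodPolicy:
    name: str
    password_required: bool
    min_length: int
    history_depth: int
    allow_repeated_chars: bool
    require_complexity: bool
    inactivity_minutes: Optional[int]    # None = never locks
    max_attempts: Optional[int]          # None = unlimited attempts
    wipe_on_max_attempts: bool
    ota_pin_expiry_hours: Optional[int]  # None = PIN never expires
    ota_pin_reuse: bool
    infrared_enabled: bool


def evaluate(policy: GoodPolicy) -> List[str]:
    """Return the rule versions the policy fails; an empty list means compliant."""
    failed = []
    if policy.name.strip().lower() == "default":
        failed.append("WIR-WMS-GD-007")         # users must not be on the default policy
    if not policy.password_required:
        failed.append("WIR-GMMS-001")
    if policy.history_depth < ASSUMED["history_depth"]:
        failed.append("WIR-WMS-GD-009-02")
    if policy.min_length < ASSUMED["min_length"]:
        failed.append("WIR-WMS-GD-009-03")
    if policy.allow_repeated_chars:
        failed.append("WIR-WMS-GD-009-04")
    if policy.inactivity_minutes is None or policy.inactivity_minutes > ASSUMED["inactivity_minutes"]:
        failed.append("WIR-WMS-GD-009-05")
    if policy.max_attempts is None or policy.max_attempts > ASSUMED["max_attempts"]:
        failed.append("WIR-WMS-GD-009-06")
    if not policy.wipe_on_max_attempts:
        failed.append("WIR-WMS-GD-009-07")
    if not policy.require_complexity:
        failed.append("WIR-WMS-GD-009-08")
    if policy.ota_pin_expiry_hours is None or policy.ota_pin_expiry_hours > ASSUMED["ota_pin_hours"]:
        failed.append("WIR-GMMS-008")
    if policy.ota_pin_reuse:
        failed.append("WIR-GMMS-009")
    if policy.infrared_enabled:
        failed.append("WIR-GMMS-020")
    return failed


def _digest(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class PasswordHistory:
    """Keeps salted hashes of the last N passwords, so the history check (009-02)
    never stores or compares plaintext."""
    def __init__(self, depth: int):
        self.depth = depth
        self._entries: List[Tuple[bytes, bytes]] = []  # (salt, digest)

    def contains(self, pw: str) -> bool:
        return any(hmac.compare_digest(_digest(pw, s), d) for s, d in self._entries)

    def add(self, pw: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _digest(pw, salt)))
        self._entries = self._entries[-self.depth:] if self.depth else []


def password_rejections(pw: str, policy: GoodPolicy, history: PasswordHistory) -> List[str]:
    """Reasons a candidate password fails the policy; an empty list means acceptable."""
    reasons = []
    if len(pw) < policy.min_length:
        reasons.append("too short")
    if not policy.allow_repeated_chars and re.search(r"(.)\1", pw):
        reasons.append("repeated character")       # assumed: consecutive repeats
    if policy.require_complexity:
        classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
        if classes < 3:                            # assumed: three of four classes
            reasons.append("insufficient complexity")
    if history.contains(pw):
        reasons.append("previously used")
    return reasons


# Constructed sample policies: the out-of-the-box default beside a hardened one.
DEFAULT_POLICY = GoodPolicy("Default", False, 4, 0, True, False, None, None, False, None, True, True)
STIG_POLICY = GoodPolicy("DoD-STIG", True, 8, 5, False, True, 15, 10, True, 24, False, False)

if __name__ == "__main__":
    print("default policy fails:", evaluate(DEFAULT_POLICY))
    print("hardened policy fails:", evaluate(STIG_POLICY))
    hist = PasswordHistory(STIG_POLICY.history_depth)
    hist.add("Old-Pa5word!")
    print("reuse:", password_rejections("Old-Pa5word!", STIG_POLICY, hist))
    print("weak:", password_rejections("aabbcc", STIG_POLICY, hist))
```

Evaluating the default policy produces one finding per listed rule; the hardened policy produces none. The history class is the part worth copying: a previously-used-password check that keeps plaintext (or unsalted hashes) of old passwords would itself be a finding under the data-at-rest rules in the same table.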