Microsoft Windows 10 Mobile Security Technical Implementation Guide

U_MS_Windows_10_Mobile_STIG_V1R3_Manual-xccdf.xml

Version/Release Published Filters Downloads Update
V1R3 2017-09-11      
Update existing CKLs to this version of the STIG
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Vuln Rule Version CCI Severity Title Description
SV-84331r1_rule MSWM-10-200101 CCI-000062 MEDIUM Windows 10 Mobile must not display notifications in the Action Center when the device is locked. Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the MOS to not send notifications to the lock screen mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #21
SV-84333r1_rule MSWM-10-200303 CCI-000381 MEDIUM Windows 10 Mobile must not allow use of developer modes. Developer modes expose features of the MOS that are not available during standard operation. An adversary may leverage a vulnerability inherent in a developer mode to compromise the confidentiality, integrity, and availability of DoD-sensitive information. Disabling developer modes mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #24
SV-84335r1_rule MSWM-10-200305 CCI-000366 MEDIUM Windows 10 Mobile must disable the Windows Store. Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications. A risk assessment for the download of apps from the Microsoft Store has not yet been completed by the DoD, and therefore, should not be accessed for the download of authorized non-managed apps (personal apps) at this time. SFR ID: FMT_SMF_EXT.1.1 #10a
SV-84705r1_rule MSWM-10-200306 CCI-000366 MEDIUM Windows 10 Mobile must enforce an application installation policy by specifying an application whitelist. Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the operating system (OS) by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. SFR ID: FMT_SMF_EXT.1.1 #10b
SV-84707r1_rule MSWM-10-200512 CCI-000366 MEDIUM Windows 10 Mobile must be configured to implement the management setting: Disable the ability for a device to send out advertisements/Bluetooth beacons to a Bluetooth peripheral. Bluetooth usage could provide an attack vector for a hacker to connect to a mobile OS device without the knowledge of the user. Disabling Bluetooth advertising/beaconing reduces the risk of a non-authorized Bluetooth device connecting the DoD mobile OS device. SFR ID: FMT_SMF_EXT.1.1 #20d
SV-84709r1_rule MSWM-10-201003 CCI-000366 LOW Windows 10 Mobile must not allow passwords that include more than two repeating or sequential characters. Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier to guess than those that do not contain repeating or sequential characters. Therefore, disallowing repeating or sequential characters increases password strength and decreases risk. SFR ID: FMT_SMF_EXT.1.1 #01b
SV-84711r1_rule MSWM-10-201008 CCI-000044 LOW Windows 10 Mobile must not allow more than 10 consecutive failed authentication attempts. The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of attempts mitigates this risk. Setting the limit at 10 gives authorized users the ability to make a few mistakes when entering the password but still provides adequate protection against dictionary or brute force attacks on the password. SFR ID: FMT_SMF_EXT.1.1 #02
SV-84713r1_rule MSWM-10-201009 CCI-000057 MEDIUM Windows 10 Mobile must lock the display after 15 minutes (or less) of inactivity. The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device. SFR ID: FMT_SMF_EXT.1.1 #02b
SV-84715r1_rule MSWM-10-201012 CCI-000205 LOW Windows 10 Mobile must enforce a minimum password length of 6 characters. Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise. SFR ID: FMT_SMF_EXT.1.1 #01a
SV-84717r1_rule MSWM-10-201405 CCI-001199 HIGH Windows 10 Mobile must protect data at rest on built-in storage media. The MOS must ensure the data being written to the mobile device's built-in storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read storage media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running. SFR ID: FMT_SMF_EXT.1.1 #25
SV-84719r2_rule MSWM-10-201705 CCI-001199 HIGH Windows 10 Mobile must protect data at rest on removable storage media. The MOS must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running. SFR ID: FMT_SMF_EXT.1.1 #26
SV-84721r2_rule MSWM-10-201901 CCI-000366 MEDIUM Windows 10 Mobile must be configured to disable automatic updates of system software. FOTA allows the user to download and install firmware updates over-the-air. These updates can include OS upgrades, security patches, bug fixes, new features and applications. Since the updates are controlled by the carriers, DoD will not have an opportunity to review and update policies prior to update availability to end users. Disabling FOTA will mitigate the risk of allowing users access to applications that could compromise DoD sensitive data. After reviewing the update and adjusting any necessary policies (i.e., disabling applications determined to pose risk), the administrator can re-enable FOTA. SFR ID: FMT_SMF_EXT.1.1 #45
SV-84723r1_rule MSWM-10-202409 CCI-000366 LOW Windows 10 Mobile must enable VPN protection. A key characteristic of a mobile device is that they typically will communicate wirelessly and are often expected to reside in locations outside the physical security perimeter of a DoD facility. In these circumstances, the threat of eavesdropping is substantial. Virtual private networks (VPNs) provide confidentiality and integrity protection for data transmitted over untrusted media (e.g., air) and networks (e.g., the Internet). They also provide authentication services to ensure that only authorized users are able to use them. Consequently, enabling VPN protection counters threats to communications to and from mobile devices. SFR ID: FMT_SMF_EXT.1.1 #03
SV-84725r1_rule MSWM-10-202412 CCI-000366 MEDIUM Windows 10 Mobile whitelist must not include applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services, i.e. OneDrive, Box, Dropbox, Google Drive, Amazon Cloud Drive, Azure); - transmit MD diagnostic data to non-DoD servers; - voice assistant application if available when MD is locked; - voice dialing application if available when MD is locked; - allows synchronization of data or applications between devices Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. SFR ID: FMT_SMF_EXT.1.1 #10b
SV-84727r1_rule MSWM-10-202418 CCI-000366 MEDIUM Windows 10 Mobile must be configured to disable VPN split-tunneling (if the MD provides a configurable control for FDP_IFC_EXT.1.1). Spilt-tunneling allows multiple simultaneous remote connections to the mobile device. Without VPN split-tunneling disabled, malicious applications can covertly off-load device data to a third-party server or set up a trusted tunnel between a non-DoD third-party server and a DoD network, providing a vector to attack the network. SFR ID: FMT_SMF_EXT.1.1 #45
SV-84729r2_rule MSWM-10-202507 CCI-000366 MEDIUM Windows 10 Mobile must not allow backup to remote systems and must have a mechanism to restrict abilities of applications and OS components that leverage cloud storage by blocking backup to OneDrive. Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the MOS. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DoD devices may synchronize DoD-sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk. For Windows 10 Mobile, this requirement is needed to prevent access to Cloud Services such as OneDrive by OS applications and components such as: • OneNote • Backup SFR ID: FMT_SMF_EXT.1.1 #40MSWM-10-202507Currently in Windows 10 Mobile the resolution for this requirement to restrict OneDrive/Cloud access from a backend network control perspective. In a new Windows 10 release coming in 2016 we will add restricting backup capability by extending the capability of the Experience/AllowSyncMySettings MDM policy.
SV-84731r1_rule MSWM-10-202608 CCI-000097 MEDIUM Windows 10 Mobile must not allow backup to locally connected systems. Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally connected or cloud-based), many if not all of these mechanisms are no longer present. This leaves the backed up data vulnerable to attack. Disabling backup to external systems mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #40
SV-84733r1_rule MSWM-10-202801 CCI-000366 MEDIUM Windows 10 Mobile must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor (e.g., using a fingerprint), unless mechanism is DoD-approved. The fingerprint reader or iris scan (supported by some Windows 10 Mobile devices) can be used to authenticate the user in order to unlock the mobile device. At this time, no biometric reader has been approved for DoD use on mobile devices. This technology would allow unauthorized users to have access to DoD sensitive data if compromised. By not permitting the use of non-password authentication mechanisms, users are forced to use passcodes that meet DoD passcode requirements. SFR ID: FMT_SMF_EXT.1.1 #45
SV-84735r1_rule MSWM-10-202901 CCI-000366 MEDIUM Windows 10 Mobile must enable all IP traffic (other than IP traffic required to establish the VPN connection) to flow through the IPsec VPN client or provide an interface to VPN applications for this purpose. It is common for mobile devices to connect directly to wireless networks that DoD does not manage, including direct Internet access through the cellular service provider. This condition leaves the device vulnerable to attacks from those networks. It also prevents DoD from monitoring or filtering network traffic to or from the mobile device. This makes it more likely that users or application processes will have the ability to perform unauthorized activities or do so without detection. For example, the enterprise may have a filtering mechanism to prevent users from accessing certain websites. Directing all device IP traffic (other than traffic needed to establish the VPN connection) through a VPN client enables the enterprise to route and handle traffic appropriately based on DoD policy and IA objectives. This requirement is also related to verifying VPN split-tunneling is not enabled. SFR ID: FDP_IFC_EXT.1.1
SV-84737r1_rule MSWM-10-203003 CCI-000169 LOW Windows 10 Mobile must generate audit records. Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. They help identify attacks, so that breaches can either be prevented or limited in their scope. They facilitate analysis to improve performance and security. Auditable events include: 1. Start-up and shutdown of the audit functions; 2. All administrative actions; 3. Start-up and shutdown of the OS and kernel; 4. Insertion or removal of removable media; 5. Establishment of a synchronizing connection; 6. Specifically defined auditable events in Table 10 of MDF PP v.2.0. SFR ID: FAU_GEN.1.1
SV-84739r1_rule MSWM-10-290704 CCI-000381 MEDIUM Windows 10 Mobile must not allow a USB mass storage mode. USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage is enabled on a mobile device, it becomes a potential vector for malware and unauthorized data exfiltration. Prohibiting USB mass storage mode mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #39
SV-84741r1_rule MSWM-10-500504 CCI-000366 MEDIUM Windows 10 Mobile must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), and SPP (Serial Port Profile). Some Bluetooth profiles provide the capability for remote transfer of sensitive DoD data without encryption or otherwise do not meet DoD IT security policies and therefore should be disabled. SFR ID: FMT_SMF_EXT.1.1 #20f
SV-84743r1_rule MSWM-10-501706 CCI-000381 LOW Windows 10 Mobile must disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled. Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real world field behavior and improve the product based on that information. Unfortunately, it can also reveal information about what DoD users are doing with the systems and what causes them to fail. An adversary embedded within the software development team or elsewhere could use the information acquired to breach mobile operating system security. Disabling automatic transfer of such information mitigates this risk. SFR ID: FMT_SMF_EXT.1.1#45
SV-84745r1_rule MSWM-10-910201 CCI-000366 MEDIUM Windows 10 Mobile must be configured to implement the management setting: Disable the ability for a user to add new email accounts. Personal or unauthorized email accounts can lead to the transmission of sensitive DoD data to unauthorized recipients Disabling this feature mitigates the risk. The use of personal or non-DoD email accounts on a DoD mobile device should be approved by the Authorizing Official (AO). SFR ID: FMT_SMF_EXT.1.1 #45
SV-84747r1_rule MSWM-10-910502 CCI-000366 MEDIUM Windows 10 Mobile must be configured to implement the management setting: Disable the device Bluetooth Discoverable Mode. Bluetooth usage could provide an attack vector for a hacker to connect to a mobile OS device without the knowledge of the user. Disabling Discoverable mode reduces the risk of a non-authorized Bluetooth device connecting the DoD mobile OS device. SFR ID: FMT_SMF_EXT.1.1 #20a
SV-84749r1_rule MSWM-10-910505 CCI-000366 LOW Windows 10 Mobile must be configured to implement the management setting: Disable the ability of the Edge browser to cache passwords in the Password Manager. Access to websites that require authentication can be streamlined for faster logon if credentials like passwords can be saved. But eliminating password prompts leaves protected websites vulnerable to access without a logon challenge. Disallowing password caching mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #45
SV-84751r1_rule MSWM-10-910703 CCI-000366 LOW Windows 10 Mobile must be configured to implement the management setting: Disable the capability to use NFC. NFC is a wireless technology that transmits small amounts of information from the device to the NFC reader. The data-in-transit (DIT) is not encrypted using FIPS 140-2 validated encryption. Any data transmitted can be potentially compromised. Disabling this feature mitigates this risk. SFR ID: FMT_MOF.1.2 #4
SV-84753r1_rule MSWM-10-911005 CCI-000366 MEDIUM Windows 10 Mobile must be configured to implement the management setting: Require a password be used before unlocking a Windows 10 Mobile device. Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of key encryption or data encryption keys. If a password is not required to access data, then this data is accessible to any adversary who obtains physical possession of the device. Requiring that a password be successfully entered before the mobile device data is unencrypted mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #1
SV-84755r3_rule MSWM-10-911101 CCI-000366 LOW Windows 10 Mobile must be configured to implement the management setting: Disable the ability to copy and paste data between trusted and non-trusted applications and between trusted and non-trusted networks. Copy/Paste data protection provides the capability to restrict transfer of data between managed (work/enterprise) and non-managed (personal) apps. Sensitive DoD data could be compromised if this feature is not disabled as data leakage can occur. Note: The Windows Information Protection configuration control policy implements the following individual controls: Network address space including: * IP address ranges * Domain name spaces to be protected * Control of copy and paste between apps and between DoD and non-DoD networks These may be configured separately on the MDM server as part of a single Data Protection policy. SFR ID: FMT_SMF_EXT.1.1 #42
SV-84757r1_rule MSWM-10-911102 CCI-000366 MEDIUM Windows 10 Mobile must be configured to implement the management setting: Disable the capability of the Cortana personal assistant A.I. to be functional when the device is locked. When a mobile device is locked, there should be no access to its protected/sensitive data as it could enable unauthorized people with physical access to the device to bring up and view sensitive information. The Cortana personal assistant can perform a number of voice related queries and actions which can aid productivity but also allows some of its actions to be done while the device is locked. For example, even if the device is locked, if you can bring up the Cortana search page you can ask things like "show me my calendar" and that will bring up potentially sensitive information under lockscreen. Disabling this feature mitigates the exposure of potentially sensitive information that should remain secured when a device is locked. SFR ID: FMT_SMF_EXT.1.1 #45
SV-84759r1_rule MSWM-10-911104 CCI-000366 MEDIUM Windows 10 Mobile must be configured to implement the management setting: Disable the capability for a user to manually unenroll from MDM management. The use of an MDM allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. If a user has the ability on their device to manually unenroll from MDM management, this removes all IA controls and exposes the device and the user to a number of threat vectors and takes them out of compliance. Disabling this feature mitigates the risk from loss of control and ensures that the devices maintain the required locked down state. SFR ID: FMT_SMF_EXT.1.1 #45
SV-84761r2_rule MSWM-10-911107 CCI-000366 MEDIUM Windows 10 Mobile must be configured to implement the management setting: Disable the capability for synching settings such as the theme, application settings, Internet Explorer sites visited, and cached passwords to Microsoft OneDrive cloud storage. Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the MOS. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DoD devices may synchronize DoD-sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk. For Windows 10 Mobile, this requirement is needed to prevent access to Cloud Services such as OneDrive by OS applications and components such as: • Backup SFR ID: FMT_SMF_EXT.1.1 #45
SV-84765r1_rule MSWM-10-912419 CCI-000366 MEDIUM Windows 10 Mobile devices must be upgraded to the Windows 10 Mobile Enterprise edition. Enterprise edition provides the ability to leverage several enhanced controls that have a dependency on the enterprise edition. During ongoing operating system development, Windows 10 has a cadence of MOS updates that add new features including improved enterprise and security capabilities as well as fixes to issues discovered after its initial release. Several key security related controls are not possible when the Enterprise version of Windows 10 mobile is not used, including: -disable automatic updates of Windows 10 Mobile -disable sending device diagnostic data to Microsoft SFR ID: FMT_SMF_EXT.1.1 #45
SV-86305r1_rule MSWM-10-902420 MEDIUM Windows10 Mobile must be running at a minimum an OS build number of 10.0.14393.10 or higher to meet all requirements in the STIG. During ongoing operating system development, Windows 10 has a cadence of MOS updates that adds new features, including improved enterprise and security capabilities as well as fixes to issues discovered after its initial release. Requirements and issues were discovered that were resolved through improvements in new Windows 10 Mobile OS releases. As a result, to completely meet all requirements outlined in the DOD STIG, devices used by DoD must have or exceed the minimum build numbers listed in the requirements. SFR #: FMT_SMF_EXT.1.1 #45System Administrator