Microsoft Windows Phone 8.1 Security Technical Implementation Guide

U_Microsoft_Windows_Phone_8-1_STIG_V1R2_Manual-xccdf.xml

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]
Details

Version / Release: V1R2

Published: 2015-05-13

Updated At: 2018-09-23 05:01:57

    Vuln Rule Version CCI Severity Title Description
    SV-73361r1_rule MSWP-81-100301 CCI-000366 MEDIUM Windows Phone 8.1 must be configured to disable developer modes. Developer modes circumvent certain security measures, so their use for standard operation is not recommended. Developer modes may increase the likelihood of compromise of confidentiality, integrity, and availability. SFR ID: FMT_SMF.1.1 #21
    SV-73363r1_rule MSWP-81-100303 CCI-000366 MEDIUM Windows Phone 8.1 must be configured to enforce an application installation policy by specifying one or more authorized application repositories. Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DoD data accessible by these unauthorized/malicious applications. SFR ID: FMT_SMF.1.1 #10
    SV-73365r1_rule MSWP-81-100305 CCI-000366 MEDIUM Windows Phone 8.1 must be configured to enforce an application installation policy through an application whitelist specifying a set of allowed applications and versions. Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. Some actions of enterprise apps, such as backup of application data to OneDrive, cannot be controlled by a whitelist; other mitigations are required to safeguard data in those cases. SFR ID: FMT_SMF.1.1 #10
    SV-73367r1_rule MSWP-81-100603 CCI-000366 MEDIUM Windows Phone 8.1 must be configured to disable USB mass storage mode. This data transfer capability could allow users to transfer sensitive DoD data onto unauthorized USB storage devices, thus leading to the compromise of this DoD data. SFR ID: FMT_SMF.1.1 #42
    SV-73369r1_rule MSWP-81-100807 CCI-000043 LOW Windows Phone 8.1 must be configured to prohibit more than 10 consecutive failed authentication attempts. Users must not be able to override the system policy on the maximum number of consecutive failed authentication attempts because this could allow them to raise the maximum, thus giving adversaries more chances to guess/brute-force passwords, which increases the risk of the mobile device being compromised. Therefore, only administrators should have the authority to set consecutive failed authentication attempt policies. SFR ID: FMT_SMF.1.1 #02
    SV-73371r1_rule MSWP-81-100808 CCI-000057 MEDIUM Windows Phone 8.1 must be configured to lock the display after 15 minutes (or less) of inactivity. The screen lock time-out must be set to a value that helps protect the device from unauthorized access. An overly long time-out widens the window of opportunity for an adversary who gains physical access to the mobile device through loss, theft, etc., since the device is more likely to still be unlocked when acquired, granting immediate access to its data. The maximum time-out period of 15 minutes has been selected to balance functionality and security; shorter time-out periods may be appropriate, depending on the risks posed to the mobile device. SFR ID: FMT_SMF.1.1 #02
    SV-73373r1_rule MSWP-81-100810 CCI-000205 LOW Windows Phone 8.1 must be configured to enforce a minimum password length of 6 characters. Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. An overly short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise. SFR ID: FMT_SMF.1.1 #01
    SV-73375r1_rule MSWP-81-101102 CCI-000366 HIGH Windows Phone 8.1 must be configured to enable data-at-rest protection for built-in storage media. The operating system must ensure the data being written to the mobile device's built-in storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read storage media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running. SFR ID: FMT_SMF.1.1 #22
    SV-73377r1_rule MSWP-81-101202 CCI-000366 HIGH Windows Phone 8.1 must be configured to enable data-at-rest protection for removable storage media or to disable the removable storage media. The operating system must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running. Windows Phone 8.1 platform cannot enforce encryption for removable media, so the use of removable media must be disabled. This alternative mitigation, prohibiting the use of removable storage media using an IA control, eliminates the threat of data vulnerabilities since no data can be stored on such media. SFR ID: FMT_SMF.1.1 #23
    SV-73379r1_rule MSWP-81-300812 CCI-000048 LOW Before establishing a user session, Windows Phone 8.1 must display an administrator-specified advisory notice and consent warning banner regarding use of Windows Phone 8.1. The operating system is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. This ensures the legal requirements for auditing and monitoring are met. System use notification messages can be displayed when individuals log on to the information system. The approved DoD text must be used as specified in the DoD CIO memorandum dated 9 May 2008. SFR ID: FTA_TAB.1.1
    SV-73381r1_rule MSWP-81-500101 CCI-000366 MEDIUM Windows Phone 8.1 must be configured to implement the management setting: Disable the capability of being able to show notifications in the Action Center while a device is locked. When a mobile device is locked, there should be no access to its protected/sensitive data since it could enable unauthorized people with physical access to the device to bring up and view confidential information. The Action Center on the Windows Phone 8.1 platform allows the viewing of recent notifications including emails, calendar reminders, instant messages, and other potentially sensitive information. Disabling this feature mitigates the exposure of this data. SFR ID: FMT_SMF.1.1 #42
    SV-73383r1_rule MSWP-81-500607 CCI-000366 MEDIUM Windows Phone 8.1 must be configured to implement the management setting: Disable the ability of users to manually turn off the VPN. For consumer use, the ability to turn off or suspend a VPN connection may be useful for working around server issues or reducing battery utilization, but in a DoD environment the VPN connection must be retained to provide a consistent secure tunnel for communications with DoD networks. Disabling the user's ability to turn off the VPN therefore makes it more difficult for an adversary to capture network traffic. For Windows Phone 8.1, this requirement is needed to prevent access to cloud services like OneDrive by OS applications and components such as Office Hub/Applications, OneNote, and Backup. SFR ID: FMT_SMF.1.1 #42
    SV-73385r1_rule MSWP-81-500802 CCI-000366 MEDIUM Windows Phone 8.1 must be configured to implement the management setting: Not allow the device unlock password to contain more than two sequential or repeating characters (e.g., 456, aaa). Password complexity or strength refers to how difficult it is to determine a password using a dictionary or brute-force attack. Passwords with sequential or repeating numbers or alphabetic characters (e.g., 456, 987, 222, abc, ddd) are considered easier to crack than random patterns. Therefore, disallowing sequential or repeating numbers or alphabetic characters makes it more difficult for an adversary to discover the password. SFR ID: FMT_SMF.1.1 #42
    SV-73387r1_rule MSWP-81-500902 CCI-000366 MEDIUM Windows Phone 8.1 must be configured to implement the management setting: Disable the capability of the Cortana personal assistant A.I. to be functional when the device is locked. When a mobile device is locked, there should be no access to its protected/sensitive data since it could enable unauthorized people with physical access to the device to bring up and view confidential information. The Cortana personal assistant can perform a number of voice-related queries and actions that can aid productivity but also allows some of its actions to be done while the device is locked. Disabling this feature mitigates the exposure of potentially sensitive information that should remain secured when a device is locked. SFR ID: FMT_SMF.1.1 #42
    SV-73389r1_rule MSWP-81-500903 CCI-000366 MEDIUM Windows Phone 8.1 must be configured to implement the management setting: Disable the capability for a user to manually unenroll from MDM management. The use of an MDM allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. If a user has the ability on their device to manually unenroll from MDM management, this removes all IA controls and exposes the device and the user to a number of threat vectors and takes them out of compliance. Disabling this feature mitigates the risk from loss of control and ensures that the devices maintain the required locked down state. SFR ID: FMT_SMF.1.1 #42
    SV-73391r1_rule MSWP-81-500906 CCI-000366 MEDIUM Windows Phone 8.1 must be configured to implement the management setting: Disable the sharing of Office documents through service providers like email and cloud. Generally, when doing document collaboration, it is useful, from a productivity perspective, to be able to share those documents with peers who can review and edit those documents. But, if those same documents can be shared to public locations through email and cloud storage services, data leakage scenarios are possible, enabling sensitive data to be shared outside of secure DoD locations. To mitigate these threats, the sharing capability of documents should be disabled to prevent this possibility. SFR ID: FMT_SMF.1.1 #42
    SV-73393r1_rule MSWP-81-500907 CCI-000366 MEDIUM Windows Phone 8.1 must be configured to implement the management setting: Disable the capability for syncing settings such as the theme, application settings, Internet Explorer sites visited, and cached passwords to Microsoft OneDrive cloud storage. A public cloud backup feature may gather a user's information, such as PII or sensitive documents. With this feature enabled, that information is backed up to the manufacturer's servers and databases, where it is held at a location unknown to the DoD and accessible to personnel the DoD has not authorized. Disabling this feature mitigates the risk of a backup feature storing sensitive data on a server that may be located in a country other than the United States. SFR ID: FMT_SMF.1.1 #42
    SV-73395r1_rule MSWP-81-501203 CCI-000366 MEDIUM Windows Phone 8.1 must be configured to implement the management setting: Disallow the sharing of device telemetry captured as a result of crashes and other logging processes. Applications and OS components can send telemetry, called Software Quality Metrics (SQM), to the SQM service and download client-specific control data from it. The protocol allows applications and operating system components to collect and send instrumentation metrics, including customer experience data, crash reports, and traces, to a hosted service over HTTP/HTTPS. That data, while not including any privacy-sensitive information, could potentially contain information sensitive to DoD. Disabling this feature mitigates the risk of unknown information being stored in Microsoft telemetry tracking databases. SFR ID: FMT_SMF.1.1 #42
    SV-73397r1_rule MSWP-81-501407 CCI-000366 MEDIUM Windows Phone 8.1 must be configured to implement the management setting: Employ mobile device management services to centrally manage security-relevant configuration and policy settings. Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large-scale environment relative to an environment in which each device must be configured separately. SFR ID: FMT_SMF.1.1 #42
    SV-73401r1_rule MSWP-81-501408 CCI-000366 MEDIUM Windows Phone 8.1 must be designed to implement protected and secure OS Updates. Mobile OS (MOS) updates and upgrades are an essential part of the life cycle of modern smartphones and generally occur annually. OS updates need to be a trusted process to prevent compromise of OS code, drivers, and code signing, and to prevent malware injection. That process needs to be delivered over an encrypted, mutually authenticated channel. If the MOS update process security cannot be documented, then the ability to disable updates or manage their availability by MDM is an acceptable option. The UBE action on the mobile device ensures that all approved (whitelist) apps will receive important functional and security updates, in addition to system security updates. SFR ID: FMT_SMF.1.1 #42
    SV-73403r1_rule MSWP-81-501409 CCI-000366 MEDIUM Windows Phone 8.1 must disable split-tunneling on the VPN client. Without strong mutual authentication, a mobile device may connect to an unauthorized network. In many cases, the user may falsely believe that the device is connected to an authorized network and then provide authentication credentials and other sensitive information. A strong bidirectional, cryptographically based authentication method over VPN mitigates this risk. With split tunneling enabled, traffic for destinations outside the VPN's routes bypasses the tunnel and reaches the Internet directly, so blocks enforced on the DoD side of the tunnel do not apply to it. For Windows Phone 8.1, this requirement is needed to prevent access to cloud services like OneDrive by OS applications and components such as Office Hub/Applications, OneNote, and Backup. SFR ID: FMT_SMF.1.1 #42
    SV-73405r1_rule MSWP-81-501411 CCI-000366 MEDIUM Windows Phone 8.1 must have a mechanism to restrict capabilities of applications and OS components that leverage cloud storage by blocking access to OneDrive at the firewall level. While backup and collaboration of data is useful from a productivity perspective, if that same data can be shared to public locations through cloud storage services, data leakage scenarios are possible, enabling sensitive data to be shared outside of secure DoD locations. To mitigate these threats, the ability to store or back up data in public cloud areas should be blocked. For Windows Phone 8.1, this requirement is needed to prevent access to cloud services like OneDrive by OS applications and components such as Office Hub/Applications, OneNote, and Backup. SFR ID: FMT_SMF.1.1 #42
    SV-73407r1_rule MSWP-81-501412 CCI-000366 MEDIUM Windows Phone 8.1 must require an Always On VPN session when used. Without strong mutual authentication, a mobile device may connect to an unauthorized network. In many cases, the user may falsely believe that the device is connected to an authorized network and then provide authentication credentials and other sensitive information. A strong bidirectional, cryptographically based authentication method over VPN mitigates this risk. A VPN can be configured to time out when idle, which, depending on the configuration for a triggered connection, might enable scenarios where the VPN is not on and unprotected access to the Internet is possible. Requiring the VPN connection to be Always On ensures that the VPN is protecting and securing traffic at all times. For Windows Phone 8.1, this configuration supports the DoD requirement that applications cannot access or store data in cloud storage services; it is needed to prevent access to cloud services like OneDrive by OS applications and components such as Office Hub/Applications, OneNote, and Backup. SFR ID: FMT_SMF.1.1 #42
    SV-73409r1_rule MSWP-81-501413 CCI-000366 MEDIUM Windows Phone 8.1 must have a mechanism to restrict capabilities of applications and OS components that leverage cloud storage by disabling the Backup feature. While backup and collaboration of data is useful from a productivity perspective, if that same data can be shared to public locations through cloud storage services, data leakage scenarios are possible, enabling sensitive data to be shared outside of secure DoD locations. To mitigate these threats, the ability to store or back up data in public cloud areas should be blocked. For Windows Phone 8.1, this requirement is needed to prevent access to cloud services like OneDrive by OS applications and components such as Office Hub/Applications, OneNote, and Backup. SFR ID: FMT_SMF.1.1 #42
    SV-73455r1_rule MSWP-81-501414 CCI-000366 MEDIUM Windows Phone 8.1 must be running build 8.10.15116 or higher (GDR2). Throughout ongoing operating system development, Windows Phone has a process of MOS updates to add new features including improved enterprise and security capabilities as well as fixes to issues discovered after its initial release. These releases are termed General Distribution Releases (GDR). In working with DoD and our enterprise customers worldwide, requirements and issues were discovered that resulted in necessary changes to the Windows Phone MOS. One of those changes in the General Distribution Release 2 (GDR2) provides the capability needed to implement the VPN process required by the DoD to ensure that personal cloud services are blocked from use by the end user, and is the key to success for all associated requirements. SFR ID: FMT_SMF.1.1 #42
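The rules above are distributed as an XCCDF benchmark, and assessment results for them come back as an XCCDF TestResult (or a CKL checklist) that tools roll up into Open / Not Reviewed / Not Applicable / Not a Finding counts per severity. The script below is an added example written for this page, not DISA or Microsoft code: it parses a trimmed, constructed XCCDF 1.1 document embedded inline (four rule ids, versions, severities, CCIs and titles copied from the table above; the TestResult and its outcomes are made up), maps each XCCDF result onto a checklist status, and tallies the table. Two edge cases a practitioner cares about are handled explicitly: a rule with no rule-result at all is counted as Not Reviewed rather than silently passing, and result entries that reference rules absent from the benchmark are reported as orphans.

```python
"""Tally XCCDF rule results into a STIG findings table (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}
SEVERITIES = ("high", "medium", "low")
STATUSES = ("Open", "Not Reviewed", "Not Applicable", "Not a Finding")

# XCCDF 1.1 <result> vocabulary -> checklist status. Anything that is not a
# definite pass, fail or N/A (error, unknown, notchecked, notselected,
# informational) still needs a human look, so it falls back to "Not Reviewed".
STATUS_BY_RESULT = {
    "pass": "Not a Finding",
    "fixed": "Not a Finding",
    "fail": "Open",
    "notapplicable": "Not Applicable",
}

# Constructed sample document. Rule metadata is taken from the STIG table;
# the TestResult block and its outcomes are invented for this example.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="Windows_Phone_8-1_STIG">
  <title>Microsoft Windows Phone 8.1 Security Technical Implementation Guide</title>
  <version>1</version>
  <Rule id="SV-73361r1_rule" severity="medium" weight="10.0">
    <version>MSWP-81-100301</version>
    <title>Windows Phone 8.1 must be configured to disable developer modes.</title>
    <ident system="http://iase.disa.mil/cci">CCI-000366</ident>
  </Rule>
  <Rule id="SV-73369r1_rule" severity="low" weight="10.0">
    <version>MSWP-81-100807</version>
    <title>Windows Phone 8.1 must be configured to prohibit more than 10 consecutive failed authentication attempts.</title>
    <ident system="http://iase.disa.mil/cci">CCI-000043</ident>
  </Rule>
  <Rule id="SV-73375r1_rule" severity="high" weight="10.0">
    <version>MSWP-81-101102</version>
    <title>Windows Phone 8.1 must be configured to enable data-at-rest protection for built-in storage media.</title>
    <ident system="http://iase.disa.mil/cci">CCI-000366</ident>
  </Rule>
  <Rule id="SV-73377r1_rule" severity="high" weight="10.0">
    <version>MSWP-81-101202</version>
    <title>Windows Phone 8.1 must be configured to enable data-at-rest protection for removable storage media or to disable the removable storage media.</title>
    <ident system="http://iase.disa.mil/cci">CCI-000366</ident>
  </Rule>
  <TestResult id="xccdf_example_testresult" end-time="2015-06-01T12:00:00">
    <target>wp81-lab-device</target>
    <rule-result idref="SV-73361r1_rule"><result>fail</result></rule-result>
    <rule-result idref="SV-73369r1_rule"><result>pass</result></rule-result>
    <rule-result idref="SV-73377r1_rule"><result>notapplicable</result></rule-result>
    <!-- SV-73375r1_rule deliberately has no rule-result: the scanner skipped it. -->
  </TestResult>
</Benchmark>
"""


def parse(xccdf_text):
    """Return ({rule_id: metadata}, {rule_id: result}) from one XCCDF document."""
    root = ET.fromstring(xccdf_text)
    rules = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        rules[rule.get("id")] = {
            "severity": (rule.get("severity") or "unknown").lower(),
            "version": rule.findtext("x:version", default="", namespaces=NS),
            "title": rule.findtext("x:title", default="", namespaces=NS),
            # DISA tags CCIs with an ident whose system URI ends in "/cci".
            "ccis": [i.text.strip() for i in rule.findall("x:ident", NS)
                     if (i.get("system") or "").endswith("/cci") and i.text],
        }
    results = {}
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        results[rr.get("idref")] = (
            rr.findtext("x:result", default="unknown", namespaces=NS).strip().lower()
        )
    return rules, results


def status_for(rule_id, results):
    """Map a rule's result, or the absence of one, onto a checklist status."""
    return STATUS_BY_RESULT.get(results.get(rule_id, "notchecked"), "Not Reviewed")


def tally(xccdf_text):
    """Count checklist statuses per severity, plus an overall row."""
    rules, results = parse(xccdf_text)
    table = {sev: Counter() for sev in SEVERITIES + ("overall",)}
    for rule_id, meta in rules.items():
        status = status_for(rule_id, results)
        table.setdefault(meta["severity"], Counter())[status] += 1
        table["overall"][status] += 1
    return table


def orphans(xccdf_text):
    """rule-result entries that reference no Rule in the benchmark: a sign the
    result file was produced against a different benchmark version."""
    rules, results = parse(xccdf_text)
    return sorted(set(results) - set(rules))


def render(table):
    """Plain-text findings table in the Severity / status layout viewers use."""
    lines = ["Severity".ljust(9) + "".join(s.rjust(16) for s in STATUSES)]
    for sev in ("overall",) + SEVERITIES:
        row = "".join(str(table[sev][s]).rjust(16) for s in STATUSES)
        lines.append(sev.capitalize().ljust(9) + row)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(tally(SAMPLE_XCCDF)))
    print("orphan results:", orphans(SAMPLE_XCCDF))
```

Point the same functions at the real U_Microsoft_Windows_Phone_8-1_STIG_V1R2_Manual-xccdf.xml plus a scanner's TestResult to get the actual breakdown; the fallback to Not Reviewed is what keeps a rule the scanner never evaluated from being mistaken for a compliant one.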