Status: accepted
Good Mobility Suite Server (Windows Phone 6.5) Security Technical Implementation Guide
This STIG provides technical security controls required for the use of the Good Mobility Suite with Windows Phone 6.5 devices in the DoD environment.
DISA, Field Security Operations
STIG.DOD.MIL
Release: 2 Benchmark Date: 28 Oct 2011
Version: 1
I - Mission Critical Public<ProfileDescription></ProfileDescription>
I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>
I - Mission Critical Classified<ProfileDescription></ProfileDescription>
II - Mission Support Public<ProfileDescription></ProfileDescription>
II - Mission Support Sensitive<ProfileDescription></ProfileDescription>
II - Mission Support Classified<ProfileDescription></ProfileDescription>
III - Administrative Public<ProfileDescription></ProfileDescription>
III - Administrative Sensitive<ProfileDescription></ProfileDescription>
III - Administrative Classified<ProfileDescription></ProfileDescription>
Required smartphone management server version used<GroupDescription></GroupDescription>
WIR-WMS-GD-001
The required smartphone management server version, or a later version, must be used.<VulnDiscussion>Earlier versions of the smartphone management server may have security vulnerabilities or may not implement required security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>
Upgrade to the required (or later) server version.
The required Good Mobile Control (GMC) server version is 1.0.3.95 or later.
Click on the Settings tab in the console to view the GMC Version.
The required Good Mobile Messaging (GMM) server version is 6.0.3.46 or later.
Click on the Servers tab in the console to view the GMM server version.
If either server version is not as required, mark as a finding.
Smartphone management server STIG compliant<GroupDescription></GroupDescription>
WIR-WMS-GD-002
The host server where the smartphone management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Web Server, Apache Tomcat, IIS, etc.).<VulnDiscussion>Wireless email services are installed on a Windows Server. The server must be compliant with the Windows STIG and applicable Application STIGs to ensure the system is not vulnerable to an attack resulting in a Denial of Service or compromise of the wireless email server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>
Ensure all applications installed on the host server are STIG compliant.
Work with the OS Reviewer or check VMS for the last review of each Good host computer asset. The review should include the SQL server and Apache Tomcat.
Mark as a finding if the previous or current OS review of the Windows server did not include a review of the SQL server and Apache Tomcat. If IIS is installed, the review should also include IIS.
Smartphone management server architecture<GroupDescription></GroupDescription>
WIR-WMS-GD-003
The smartphone management server email system must be set up with the required system components in the required network architecture.<VulnDiscussion>The wireless email server architecture must comply with the DoD environment because approval of the smartphone management server is contingent on installation with the correct settings. DoD enclaves could be at risk of penetration, or DoD data could be compromised, if the smartphone management server is not installed as required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>
Install the required smartphone management server components in the required network architecture.
Verify the Good servers (Good Mobile Control server and Good Mobile Messaging server) are installed in the same network segment as the back-end MS Exchange server.
Mark as a finding if the Good servers are not installed in the same network segment as the Back-end MS Exchange server.
Configure smartphone management server firewall<GroupDescription></GroupDescription>
WIR-WMS-GD-004
The smartphone management server host-based or appliance firewall must be installed and configured as required.<VulnDiscussion>A smartphone user could get access to unauthorized network resources (application and content servers, etc.) if the smartphone management server host firewall is not set up as required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>
Install the smartphone management server host-based or appliance firewall and configure it as required.
The Good server host-based or appliance firewall must be configured as required.
The Good server firewall is configured with the following rules:
- Deny all except when explicitly authorized.
- Internal traffic from the Good server is limited to internal systems used to host the smartphone services (e.g., email and LDAP servers) and approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized.
- Internet traffic from the Good server is limited to only those specified smartphone services (e.g., Good NOC server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the Good server and/or service.
- Firewall settings listed in the STIG/ISCG Technology Overview will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall list of trusted IP addresses and subnets.
Note: At a minimum, the IP address of the site Internet proxy server must be listed so the Good secure browser can connect to the Internet.
Note: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above.
Check Procedures:
-Verify the firewall configuration meets the approved architecture configuration requirements (or have the Network Reviewer review the firewall).
-Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. The IP addresses of the enclave web proxy server and of the authorized back-office application and content servers the Good server connects to should be included on this list.
-Mark as a finding if a list of trusted networks by IP address is not configured on the Good server host-based firewall.
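The rule set above, expressed as a Windows host firewall configuration for the Good server, as an added example that is not part of this STIG and not Good's own tooling. It uses netsh advfirewall, which is available on the Windows Server releases of this benchmark's era and is still present today. Every IP address, port, subnet and rule name is an assumed placeholder: the Exchange, LDAP, DNS, proxy and back-office addresses are the site's own, and the Good NOC and OCSP responder addresses must come from the vendor's and DoD PKI's published lists, not from this page. The DNS rule is an addition the page does not list; under a default-deny outbound policy the server cannot resolve any of the other destinations without it. Inbound allow rules for remote administration and console access are site-specific and deliberately omitted. If the HBSS host firewall is used to meet this requirement instead, the same rules are expressed there and the Windows Firewall side of this script does not apply.

```powershell
# Added example, not part of the STIG and not Good's tooling. Every address,
# port and rule name below is an assumed placeholder for the site's own values.

$ExchangeBackEnd = '10.1.20.15'                          # assumed back-end Exchange server
$LdapServers     = @('10.1.10.5', '10.1.10.6')           # assumed enclave LDAP servers
$DnsServers      = @('10.1.10.5', '10.1.10.6')           # assumed enclave DNS servers
$InternetProxy   = '10.1.30.20'                          # assumed site Internet proxy (the Good secure browser needs it)
$ProxyPort       = '8080'                                # assumed proxy listener port
$BackOffice      = @('10.1.40.7', '10.1.40.8')           # assumed approved back-office application/content servers
$GoodNocHosts    = @('198.51.100.10', '198.51.100.11')   # placeholder; use the vendor-published Good NOC addresses
$OcspResponders  = @('203.0.113.5')                      # placeholder; use the DoD PKI OCSP responder addresses

function Set-GoodOutboundRule {
    param([string]$Name, [string[]]$RemoteIp, [string]$Protocol = 'any', [string]$RemotePort = '')
    # Delete before add so re-running the script never leaves duplicate rules behind.
    netsh advfirewall firewall delete rule name="$Name" | Out-Null
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$Name", 'dir=out', 'action=allow',
                   "remoteip=$($RemoteIp -join ',')", "protocol=$Protocol")
    # netsh rejects remoteport together with protocol=any, so it is only added for TCP/UDP rules.
    if ($RemotePort) { $netshArgs += "remoteport=$RemotePort" }
    & netsh @netshArgs | Out-Null
}

# Rule 1: deny all except when explicitly authorized, both directions, every profile.
# Inbound allow rules for remote administration and console access are site-specific and
# not shown; add them before turning this on for a host you manage remotely.
netsh advfirewall set allprofiles state on | Out-Null
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound | Out-Null

# Rule 2: internal traffic only to the systems hosting the smartphone services and to the
# approved back-office servers. Exchange MAPI/RPC negotiates dynamic ports, so that rule is
# scoped by address only; every other rule is pinned to its service port as well.
Set-GoodOutboundRule -Name 'Good-Out-Exchange'   -RemoteIp $ExchangeBackEnd
Set-GoodOutboundRule -Name 'Good-Out-LDAP'       -RemoteIp $LdapServers   -Protocol TCP -RemotePort '389,636'
Set-GoodOutboundRule -Name 'Good-Out-DNS-UDP'    -RemoteIp $DnsServers    -Protocol UDP -RemotePort '53'
Set-GoodOutboundRule -Name 'Good-Out-DNS-TCP'    -RemoteIp $DnsServers    -Protocol TCP -RemotePort '53'
Set-GoodOutboundRule -Name 'Good-Out-BackOffice' -RemoteIp $BackOffice    -Protocol TCP -RemotePort '443'
Set-GoodOutboundRule -Name 'Good-Out-Proxy'      -RemoteIp $InternetProxy -Protocol TCP -RemotePort $ProxyPort

# Rule 3: Internet traffic only to the Good NOC and OCSP, always initiated by the Good server.
Set-GoodOutboundRule -Name 'Good-Out-NOC'  -RemoteIp $GoodNocHosts   -Protocol TCP -RemotePort '443'
Set-GoodOutboundRule -Name 'Good-Out-OCSP' -RemoteIp $OcspResponders -Protocol TCP -RemotePort '80'

function Test-GoodFirewallPolicy {
    # Check item 1: $true only when every profile (Domain, Private, Public) reports
    # "Firewall Policy   BlockInbound,BlockOutbound" in netsh's output.
    $policies = @(foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^Firewall Policy\s+(\S+)') { $Matches[1] }
    })
    $wrong = @($policies | Where-Object { $_ -ne 'BlockInbound,BlockOutbound' })
    return ($policies.Count -eq 3 -and $wrong.Count -eq 0)
}

function Get-GoodTrustedList {
    # Check item 2: the trusted-address list, rebuilt from the live outbound rules rather
    # than from a paper list, so the reviewer compares what is actually enforced.
    $outbound = $false
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^Direction:\s+(\S+)') { $outbound = ($Matches[1] -eq 'Out') }
        elseif ($outbound -and $line -match '^RemoteIP:\s+(.+)$' -and $Matches[1].Trim() -ne 'Any') { $Matches[1].Trim() }
    }
}

if (-not (Test-GoodFirewallPolicy)) { Write-Warning 'Default-deny is not in force on every profile' }
Get-GoodTrustedList | Sort-Object -Unique
```

Run it from an elevated prompt. Test-GoodFirewallPolicy answers the first check-procedure item (is default-deny in force on every profile), and Get-GoodTrustedList answers the second by listing the remote addresses the live outbound rules actually permit; any built-in Windows rule that still allows traffic to "Any" does not appear in that list, which is why the reviewer should also look at rules left enabled by default rather than only at the ones this script creates.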
User accounts assigned to STIG compliant policy<GroupDescription></GroupDescription>
WIR-WMS-GD-007
Smartphone user accounts must not be assigned to the default security/IT policy.<VulnDiscussion>The smartphone default security/IT policy on the smartphone management server does not include most DoD-required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data exposure and hacker attack if users are assigned the default (or another non-STIG-compliant) security/IT policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>
User accounts will only be assigned a STIG-compliant security/IT policy.
Determine which policy sets the user accounts on the Good server have been assigned to, using the following procedure:
-Have the SA identify the non-STIG-compliant and STIG-compliant policy sets on the server:
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG-compliant policy sets be deleted except for a "Provisioning" policy set, which is used for initial setup and software update of the Android device.
Note: Other checks will be used to verify the policy sets identified as STIG-compliant are configured correctly. A STIG or ISCG prefix in the title is a naming convention, not evidence that the settings are correct.
Verify all users are assigned to a STIG-compliant policy set:
--Log into the Good Mobile Control console.
--Click on the Handhelds tab.
--Check the policy set assigned to each handheld.
Mark as a finding if any user account is assigned a policy set identified as not STIG-compliant.
Re-challenge for CAC PIN<GroupDescription></GroupDescription>
WIR-GMMS-004
“Re-challenge for CAC PIN every” must be set.<VulnDiscussion>A user’s CAC PIN or software certificate PIN is cached in memory on the device for a short period of time so the user does not have to re-enter the PIN every time the user’s digital certificates are required for an S/MIME operation. The cache is cleared after a set period of time to limit exposure of the digital certificates to unauthorized use. Otherwise, an attacker who gains access to the device while the PIN is still cached in memory could open the Good application and access sensitive DoD information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>
Set “Re-challenge for CAC PIN every” to checked and set it to the required value.
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone devices and click on Handheld Authentication on the left side.
-Verify “Re-challenge for CAC PIN every” is checked and set to 60 minutes or less.
(Note: 15 minutes or less is the recommended setting.)
Mark as a finding if “Re-challenge for CAC PIN every” is not checked or is not set to 60 minutes or less.
Set handheld password to expire as required<GroupDescription></GroupDescription>
WIR-WMS-GD-009-01
Handheld password expiration will be set as required.<VulnDiscussion>Passwords used for a long time are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the smartphone and sensitive DoD data stored on the smartphone.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>
Set the handheld password to expire as required.
This check is Not Applicable if “Authenticate with CAC PIN” is checked.
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “After X invalid password attempts:” is set to 10 or less.
Mark as a finding if “After X invalid password attempts:” is not set to 10 or less.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “Expire password after” is set to 90 days or less.
Mark as a finding if “Expire password after” is not set to 90 days or less.
Disallow previously used passwords<GroupDescription></GroupDescription>
WIR-WMS-GD-009-02
Previously used passwords must be disallowed for the security/email client on the smartphone.<VulnDiscussion>Previously used passwords are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the smartphone and sensitive DoD data stored on the smartphone.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>
Disallow previously used passwords.
This check is not applicable if “Authenticate with CAC PIN” is checked.
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “Disallow previously used passwords” is set to 3 or more.
Mark as a finding if “Disallow previously used passwords” is not set to 3 or more.
Password minimum length<GroupDescription></GroupDescription>
WIR-WMS-GD-009-03
Password minimum length must be set as required for the smartphone security/email client.<VulnDiscussion>Short passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure of sensitive DoD data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>
Set the password minimum length as required.
This check is not applicable if “Authenticate with CAC PIN” is checked.
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “Require minimum length of” is set to 8 or more for the STIG/ISCG Policy Set.
Mark as a finding if “Require minimum length of” is not set to 8 or more for the STIG/ISCG Policy Set.
Disallow repeated password characters<GroupDescription></GroupDescription>
WIR-WMS-GD-009-04
Repeated password characters must be disallowed for the Good app.<VulnDiscussion>Repeated password characters reduce the strength of a password to withstand attacks by password hacking tools, which could lead to unauthorized access to the smartphone and exposure of sensitive DoD data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>
Disallow repeated password characters.
This check is not applicable if “Authenticate with CAC PIN” is checked.
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “Disallow repeated characters after” is set to 1 or 2.
Mark as a finding if “Disallow repeated characters after” is not set to 1 or 2.
Maximum invalid password attempts<GroupDescription></GroupDescription>
WIR-WMS-GD-009-06
Maximum invalid password attempts must be set as required for the smartphone security/email client.<VulnDiscussion>A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and exposure of sensitive DoD data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>
Set the maximum invalid password attempts as required.
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “After X invalid password attempts:” is set to 10 or less.
Mark as a finding if “After X invalid password attempts:” is not set to 10 or less.
Wipe handheld data after maximum password attempts<GroupDescription></GroupDescription>
WIR-WMS-GD-009-07
Data must be wiped after the maximum password attempts are reached for the smartphone security/email client.<VulnDiscussion>A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and exposure of sensitive DoD data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>
Wipe handheld data after the maximum password attempts have been reached.
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “After X invalid password attempts:” is set to 10 or less.
Mark as a finding if “After X invalid password attempts:” is not set to 10 or less.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “Wipe handheld data” is selected.
Mark as a finding if “Wipe handheld data” is not selected.
Lock handheld when idle<GroupDescription></GroupDescription>
WIR-WMS-GD-009-05
Inactivity lock must be set as required for the smartphone security/email client.<VulnDiscussion>Sensitive DoD data could be exposed to unauthorized viewing or use if the screen of a lost or stolen smartphone is not locked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>PESL-1</IAControls>
Set the handheld inactivity lock as required.
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “Require password when idle for more than” is set to 15 minutes or less.
Mark as a finding if “Require password when idle for more than” is not set to 15 minutes or less.
Screen capture<GroupDescription></GroupDescription>
WIR-GMMS-006-01
"Do not allow data to be copied from the Good application" must be checked.<VulnDiscussion>Sensitive data could be saved in the non-FIPS 140-2 validated area of memory on the smartphone, which would violate DoD policy and may expose sensitive DoD data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECCR-1</IAControls>
Check "Do not allow data to be copied from the Good application" in the Good console.
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Messaging on the left side.
-Verify “Do not allow data to be copied from the Good application” is checked.
Mark as a finding if “Do not allow data to be copied from the Good application” is not checked.
Expire OTA PIN<GroupDescription></GroupDescription>
WIR-GMMS-008
The Over-The-Air (OTA) device provisioning PIN must have an expiration set.<VulnDiscussion>The time period during which a device can be provisioned via Over-The-Air (OTA) provisioning needs to be controlled to ensure unauthorized people do not have the capability to set up rogue devices on the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>
Set the Over-the-Air (OTA) device provisioning PIN expiration as required.
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Provisioning on the left side.
-Verify “OTA Provisioning PIN expires after” is checked and is set to 7 days or less.
Mark as a finding if “OTA Provisioning PIN expires after” is not checked or is not set to 7 days or less.
Do not allow OTA Provisioning PIN reuse<GroupDescription></GroupDescription>WIR-GMMS-009OTA Provisioning PIN reuse must not be allowed.<VulnDiscussion>The reuse of the OTA PIN can allow a hacker to provision an unauthorized device on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Do not allow OTA Provisioning PIN reuse. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Provisioning on the left side.
-Verify “Allow OTA Provisioning PIN reuse” is unchecked.
Mark as a finding if “Allow OTA Provisioning PIN reuse” is checked.
Contacts synchronization<GroupDescription></GroupDescription>WIR-GMMS-007If access is enabled to the Good app contacts lists by the smartphone, the list of contact information must be limited. <VulnDiscussion>Sensitive contact information could be exposed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>If access is enabled to the Good app contacts lists by the smartphone OS, limit contact information to only default fields: First name, Last name, Work number, Mobile number, and Pager number. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on the Messaging section on the left side.
-If “Enable access to Good Contacts” is checked, click on the Choose Fields button and verify only the following fields are checked: first name, last name, work number, mobile number, and pager number.
Mark as a finding if “Enable access to Good Contacts” is checked and more than the following fields are checked: first name, last name, work number, mobile number, and pager number.
Password access to the Good app<GroupDescription></GroupDescription>WIR-GMMS-001Password access to the Good app on the smartphone must be enabled. <VulnDiscussion>A hacker could gain access to sensitive data in the smartphone application and gain an attack vector to the enclave if the password access control/authentication feature of the application is not enabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>Password access to the Good app on the smartphone shall be enabled. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on the Handheld section on the left side.
-Verify S/MIME with password-protected lock screen or CAC PIN (Enables S/MIME) is checked.
Mark as a finding if S/MIME with password-protected lock screen or CAC PIN (Enables S/MIME) is not checked.
Wireless email management server PKI certificate<GroupDescription></GroupDescription>WIR-WMS-GD-010The PKI digital certificate installed on the wireless email management server must be a DoD PKI-issued certificate. <VulnDiscussion>When a self-signed PKI certificate is used, a rogue wireless email management server can impersonate the DoD wireless email management server. DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>IATS-1</IAControls>Use a DoD-issued digital certificate on the wireless email management server. Verify that a DoD server certificate has been installed on the Good wireless email management server and that the self-signed certificate, available as an option during the setup of the wireless email management server, has not been installed.
Ask the SA to access the Good server using Internet Explorer. Verify no certificate error occurs. Click the Lock icon next to the address bar then select “view certificates”. On the General tab, verify the “Issued to:” and “Issued by:” fields do not show the same value. Then on the Certification Path tab, verify the top certificate is a trusted DoD Root certificate authority (e.g., DoD Root CA 2) and the certificate status field states “This certificate is OK”.
If a certificate error occurs, either the default self-signed certificate is still installed, the Good server has not been rebooted since the DoD issued certificate has been installed, or the computer accessing the Good server does not have the DoD Root and Intermediate certificate authorities installed. The reviewer can select the “Continue to this website” option and follow the same procedure above. If the certificate is issued from an approved DoD PKI, ask the SA to run InstallRoot on the computer accessing the Good server. Otherwise, have the SA follow the procedures outlined in the STIG/ISCG to request/install a certificate issued from a trusted DoD PKI.
Mark as a finding if a DoD server certificate has not been installed on the Good wireless email management server or if the self-signed certificate has been installed.
Bluetooth Configuration - 02<GroupDescription></GroupDescription>WIR-GMMS-021-02The following Bluetooth configuration must be set as required: General Audio/Video Distribution Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required. This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Network Communications section, then Bluetooth profile management.
-Verify "General Audio/Video Distribution Profile" is not checked.
Bluetooth Configuration - 03<GroupDescription></GroupDescription>WIR-GMMS-021-03The following Bluetooth configuration must be set as required: Personal Area Networking Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required. This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Network Communications section, then Bluetooth profile management.
-Verify "Personal Area Networking Profile" is not checked.
Bluetooth Configuration - 04<GroupDescription></GroupDescription>WIR-GMMS-021-04The following Bluetooth configuration must be set as required: Serial Port Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required. This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Network Communications section, then Bluetooth profile management.
-Verify "Serial Port Profile" is checked.
Bluetooth Configuration - 01<GroupDescription></GroupDescription>WIR-GMMS-021-01The following Bluetooth configuration must be set as required: Enable discovery.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required. This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Network Communications section.
-Verify "Enable discovery" is not checked.
Bluetooth Configuration - 05<GroupDescription></GroupDescription>WIR-GMMS-021-05The following Bluetooth configuration must be set as required: Generic Object (Exchange) Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required. This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Network Communications section, then Bluetooth profile management.
-Verify "Generic Object (Exchange) Profile" is not checked.
Bluetooth Configuration - 06<GroupDescription></GroupDescription>WIR-GMMS-021-06The following Bluetooth configuration must be set as required: Common ISDN Access Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required. This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Network Communications section, then Bluetooth profile management.
-Verify "Common ISDN Access Profile" is not checked.
Bluetooth Configuration - 07<GroupDescription></GroupDescription>WIR-GMMS-021-07The following Bluetooth configuration must be set as required: Dial Up Network Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required. This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Network Communications section, then Bluetooth profile management.
-Verify "Dial Up Network Profile" is not checked.
Bluetooth Configuration - 08<GroupDescription></GroupDescription>WIR-GMMS-021-08The following Bluetooth configuration must be set as required: Fax Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required. This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Network Communications section, then Bluetooth profile management.
-Verify "Fax Profile" is/not checked.
Bluetooth Configuration - 09<GroupDescription></GroupDescription>WIR-GMMS-021-09The following Bluetooth configuration must be set as required: LAN Access Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required. This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Network Communications section, then Bluetooth profile management.
-Verify "LAN Access Profile" is not checked.
Bluetooth Configuration - 10<GroupDescription></GroupDescription>WIR-GMMS-021-10The following Bluetooth configuration must be set as required: Cordless Telephony Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required. This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Network Communications section, then Bluetooth profile management.
-Verify "Cordless Telephony Profile" is not checked.
Bluetooth Configuration - 11<GroupDescription></GroupDescription>WIR-GMMS-021-11The following Bluetooth configuration must be set as required: Intercom Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required. This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management.
-Verify "Intercom Profile" is not checked.
Bluetooth Configuration - 12<GroupDescription></GroupDescription>WIR-GMMS-021-12The following Bluetooth configuration must be set as required: Wireless Application Protocol Bearer.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management.
-Verify "Wireless Application Protocol Bearer" is not checked.
Bluetooth Configuration - 13<GroupDescription></GroupDescription>WIR-GMMS-021-13The following Bluetooth configuration must be set as required: Active Sync.
<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management.
-Verify "Active Sync" is not checked.
Bluetooth Configuration - 14<GroupDescription></GroupDescription>WIR-GMMS-021-14The following Bluetooth configuration must be set as required: Advanced Audio Distribution Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_WinPhone_Policy_Set. It is recommended that all non STIG-compliant policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management.
-Verify "Advanced Audio Distribution Profile" is not checked.
Bluetooth Configuration - 15<GroupDescription></GroupDescription>WIR-GMMS-021-15The following Bluetooth configuration must be set as required: Basic Imaging Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management.
-Verify "Basic Imaging Profile" is not checked.
Bluetooth Configuration - 16<GroupDescription></GroupDescription>WIR-GMMS-021-16The following Bluetooth configuration must be set as required: Basic Printing Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management.
-Verify "Basic Printing Profile" is not checked.
Bluetooth Configuration - 17<GroupDescription></GroupDescription>WIR-GMMS-021-17The following Bluetooth configuration must be set as required: OBEX File Transfer Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management.
-Verify "OBEX File Transfer Profile" is not checked.
Bluetooth Configuration - 18<GroupDescription></GroupDescription>WIR-GMMS-021-18The following Bluetooth configuration must be set as required: Object Push Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management.
-Verify "Object Push Profile" is not checked.
Bluetooth Configuration - 19<GroupDescription></GroupDescription>WIR-GMMS-021-19The following Bluetooth configuration must be set as required: Synchronization Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management.
-Verify "Synchronization Profile" is not checked.
Bluetooth Configuration - 20<GroupDescription></GroupDescription>WIR-GMMS-021-20The following Bluetooth configuration must be set as required: Phone Book Access Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management.
-Verify "Phone Book Access Profile" is not checked.
Bluetooth Configuration - 21<GroupDescription></GroupDescription>WIR-GMMS-021-21The following Bluetooth configuration must be set as required: Video Distribution Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management.
-Verify "Video Distribution Profile" is not checked.
Bluetooth Configuration - 22<GroupDescription></GroupDescription>WIR-GMMS-021-22The following Bluetooth configuration must be set as required: Video Conferencing Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management.
-Verify "Video Conferencing Profile" is not checked.
Bluetooth Configuration - 23<GroupDescription></GroupDescription>WIR-GMMS-021-23The following Bluetooth configuration must be set as required: Message Access Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management.
-Verify "Message Access Profile" is not checked.
Bluetooth Configuration - 24<GroupDescription></GroupDescription>WIR-GMMS-021-24The following Bluetooth configuration must be set as required: External Service Discovery Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management.
-Verify "External Service Discovery Profile" is not checked.
Bluetooth Configuration - 25<GroupDescription></GroupDescription>WIR-GMMS-021-25The following Bluetooth configuration must be set as required: Device ID Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the network Communications Section, then Bluetooth profile management.
-Verify "Device ID Profile" is not checked.
Bluetooth Configuration - 26<GroupDescription></GroupDescription>WIR-GMMS-021-26The following Bluetooth configuration must be set as required: Service Discovery Application Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Network Communications Section, then Bluetooth profile management.
-Verify "Service Discovery Application Profile" is not checked.
Bluetooth Configuration - 27<GroupDescription></GroupDescription>WIR-GMMS-021-27The following Bluetooth configuration must be set as required: Unrestricted Digital Information.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Network Communications Section, then Bluetooth profile management.
-Verify "Unrestricted Digital Information" is not checked.
Bluetooth Configuration - 28<GroupDescription></GroupDescription>WIR-GMMS-021-28The following Bluetooth configuration must be set as required: Audio / Video Remote Control Transport Protocol.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Network Communications Section, then Bluetooth profile management.
-Verify "Audio / Video Remote Control Transport Protocol" is not checked.
Bluetooth Configuration - 29<GroupDescription></GroupDescription>WIR-GMMS-021-29The following Bluetooth configuration must be set as required: HeadSet and Hands Free Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Network Communications Section, then Bluetooth profile management.
-Verify "HeadSet and Hands Free Profile" is not checked.
Bluetooth Configuration - 30<GroupDescription></GroupDescription>WIR-GMMS-021-30The following Bluetooth configuration must be set as required: Human Interface Device Profile (Service and Host).<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Network Communications Section, then Bluetooth profile management.
-Verify "Human Interface Device Profile (Service and Host)" is not checked.
Bluetooth Configuration - 31<GroupDescription></GroupDescription>WIR-GMMS-021-31The following Bluetooth configuration must be set as required: Hard Copy Cable Replacement Profile.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Network Communications Section, then Bluetooth profile management.
-Verify "Hard Copy Cable Replacement Profile" is not checked.
Bluetooth Configuration - 32<GroupDescription></GroupDescription>WIR-GMMS-021-32The following Bluetooth configuration must be set as required: SIM Access.<VulnDiscussion>The Bluetooth radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the Bluetooth setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Network Communications Section, then Bluetooth profile management.
-Verify "SIM Access" is not checked.
Infrared Configuration<GroupDescription></GroupDescription>WIR-GMMS-020The Infrared radio must be disabled.<VulnDiscussion>The Infrared radio can be used by a hacker to connect to the Windows Phone device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>In the Good server, do not check “Enable Infrared radio” in each Windows Phone policy set.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Network Communications Section.
-Verify "Enable Infrared radio" is not checked.
Storage Card Security - 01<GroupDescription></GroupDescription>WIR-GMMS-022-01The following Storage Card configuration must be set as required: Wipe storage card when wiping data.<VulnDiscussion>Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on external data storage cards (e.g., MicroSD, etc.).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECCR-1</IAControls>Configure the Storage Card setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Storage Card Section.
-Verify "Wipe storage card when wiping data" is checked.
Storage Card Security - 02<GroupDescription></GroupDescription>WIR-GMMS-022-02The following Storage Card configuration must be set as required: Enable storage card encryption.<VulnDiscussion>Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on external data storage cards (e.g., MicroSD, etc.).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECCR-1</IAControls>Configure the Storage Card setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Storage Card Section.
-Verify "Enable storage card encryption" is checked.
Storage Card Security - 03<GroupDescription></GroupDescription>WIR-GMMS-022-03The following Storage Card configuration must be set as required: Allow encrypted storage cards to work only with handheld that originally encrypted them.<VulnDiscussion>Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on external data storage cards (e.g., MicroSD, etc.).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECCR-1</IAControls>Configure the Storage Card setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Storage Card Section.
-Verify "Allow encrypted storage cards to work only with handheld that originally encrypted them" is checked.
Windows Phone folder encryption - 01<GroupDescription></GroupDescription>WIR-GMMS-023-01The following Data Encryption configuration must be set as required: My Music.<VulnDiscussion>Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECCR-1</IAControls>Configure the Data Encryption setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Data Encryption Section.
-Under the Windows Mobile Smartphone section, verify "My Music" is checked.
Windows Phone folder encryption - 02<GroupDescription></GroupDescription>WIR-GMMS-023-02The following Data Encryption configuration must be set as required: My Pictures.<VulnDiscussion>Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECCR-1</IAControls>Configure the Data Encryption setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Data Encryption Section.
-Under the Windows Mobile Smartphone section, verify "My Pictures" is checked.
Windows Phone folder encryption - 03<GroupDescription></GroupDescription>WIR-GMMS-023-03The following Data Encryption configuration must be set as required: Personal.<VulnDiscussion>Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECCR-1</IAControls>Configure the Data Encryption setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Data Encryption Section.
-Under the Windows Mobile Smartphone section, verify "Personal" is checked.
Windows Phone folder encryption - 04<GroupDescription></GroupDescription>WIR-GMMS-023-04The following Data Encryption configuration must be set as required: My Music.<VulnDiscussion>Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECCR-1</IAControls>Configure the Data Encryption setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Data Encryption Section.
-Under the Windows Mobile Pocket PC section, verify "My Music" is checked.
Windows Phone folder encryption - 05<GroupDescription></GroupDescription>WIR-GMMS-023-05The following Data Encryption configuration must be set as required: My Pictures.<VulnDiscussion>Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECCR-1</IAControls>Configure the Data Encryption setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non-STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non-STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Data Encryption Section.
-Under the Windows Mobile Pocket PC section, verify "My Pictures" is checked.
Windows Phone folder encryption - 06<GroupDescription></GroupDescription>WIR-GMMS-023-06The following Data Encryption configuration must be set as required: Personal.<VulnDiscussion>Sensitive DoD data could be exposed to unauthorized individuals if required security controls are not implemented on Windows Phone folders.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECCR-1</IAControls>Configure the Data Encryption setting on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non-STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non-STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Data Encryption Section.
-Under the Windows Mobile Pocket PC section, verify "Personal" is checked.
Password complexity<GroupDescription></GroupDescription>WIR-WMS-GD-009-08Password complexity must be set as required.<VulnDiscussion>Non-complex passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>Set password complexity as required. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non-STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non-STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “Do not allow sequential numbers” is checked for the STIG/ISCG Policy Set.
Blocked Apps – Windows Mobile Pocket PC<GroupDescription></GroupDescription>WIR-GMMS-024-01A list of Windows Mobile Pocket PC blocked apps must be set up on the Good server.<VulnDiscussion>Malware could be installed on the smartphone if required controls are not followed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECVP-1</IAControls>Configure a list of blocked Windows Mobile Pocket PC/Smartphone apps on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non-STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non-STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Blocked Application Section.
-Under the Windows Mobile Pocket PC section, verify the following applications are listed:
-All Bluetooth applications
-Opera
-Any other browser listed except IE Mobile
-ActiveSync
-Messaging and Outlook Mobile
-Pictures & Videos
Blocked Apps – Windows Mobile Smartphone<GroupDescription></GroupDescription>WIR-GMMS-024-02A list of Windows Mobile Smartphone blocked apps must be set up on the Good server.<VulnDiscussion>Malware could be installed on the smartphone if required controls are not followed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECVP-1</IAControls>Configure a list of blocked Windows Mobile Pocket PC/Smartphone apps on the Good server as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non-STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non-STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Blocked Application Section.
-Under the Windows Mobile Smartphone section, verify the following applications are listed:
-All Bluetooth applications
-Opera
-Any other browser listed except IE Mobile
-ActiveSync
-Messaging and Outlook Mobile
-Pictures & Videos
Good Mobile Access configuration -01<GroupDescription></GroupDescription>WIR-GMMS-025-01The following Good Mobile Access configuration must be set as required: Enable Good Mobile Access.<VulnDiscussion>The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>DCFA-1</IAControls>Set the Good Mobile Access configuration as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non-STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non-STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Blocked Application Section.
-Under the Plug-in Policies Access Section, Good Mobile Access – Secure Browser section, verify Enable Good Mobile Access is checked.
Good Mobile Access configuration -02<GroupDescription></GroupDescription>WIR-GMMS-025-02The following Good Mobile Access configuration must be set as required: Require user to authenticate via NTLM.<VulnDiscussion>The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>DCFA-1</IAControls>Set the Good Mobile Access configuration as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non-STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non-STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Blocked Application Section.
-Under the Plug-in Policies Access Section, Good Mobile Access – Secure Browser section, verify Require user to authenticate via NTLM is not checked.
Good Mobile Access configuration -03<GroupDescription></GroupDescription>WIR-GMMS-025-03The following Good Mobile Access configuration must be set as required: Route both Intranet and Internet traffic through Good Mobile Access.<VulnDiscussion>The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>DCFA-1</IAControls>Set the Good Mobile Access configuration as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non-STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non-STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Blocked Application Section.
-Under the Plug-in Policies Access Section, Good Mobile Access – Secure Browser section, verify Route both Intranet and Internet traffic through Good Mobile Access is checked.
Good Mobile Access configuration -04<GroupDescription></GroupDescription>WIR-GMMS-025-04The following Good Mobile Access configuration must be set as required: Allow internet access on handheld when Good Mobile Access is not running.<VulnDiscussion>The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>DCFA-1</IAControls>Set the Good Mobile Access configuration as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non-STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non-STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Blocked Application Section.
-Under the Plug-in Policies Access Section, Good Mobile Access – Secure Browser section, verify Allow internet access on handheld when Good Mobile Access is not running is not checked.
Good Mobile Access configuration -05<GroupDescription></GroupDescription>WIR-GMMS-025-05The following Good Mobile Access configuration must be set as required: Route only Intranet traffic through Good Mobile Access.<VulnDiscussion>The user could connect to unauthorized Intranet shares, servers, and other resources if this configuration is not set correctly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>DCFA-1</IAControls>Set the Good Mobile Access configuration as required.This is a Good security policy set check. Recommend that all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets that have been assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non-STIG-compliant policy sets and STIG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: STIG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
Note: If there is a finding, note the name of the non-STIG-compliant policy set in the Findings Details section in VMS / Component Provided Tracking Database.
---------------------
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the Smartphone and click on the Blocked Application Section.
-Under the Plug-in Policies Access Section, Good Mobile Access – Secure Browser section, verify Route only Intranet traffic through Good Mobile Access is not checked.
S/MIME configuration<GroupDescription></GroupDescription>WIR-GMMS-012S/MIME must be enabled on the Good server. <VulnDiscussion>Sensitive DoD data could be exposed if the required setting is not configured on the Good server. If S/MIME support is not configured on the server, the user will not be able to view critical encrypted email or be able to encrypt email with sensitive DoD information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECCR-1</IAControls>Enable S/MIME on the Good server.This is a Good server configuration check.
Log into the Good server management interface, select the Settings tab, and open the Secure Messaging (S/MIME) section.
Verify Enable Secure Messaging (S/MIME) is checked.
Mark as a finding if Enable Secure Messaging (S/MIME) is not checked.
Enable Good App authentication<GroupDescription></GroupDescription>WIR-GMMS-002Either CAC or password authentication must be enabled for user access to the Good app on the smartphone.<VulnDiscussion>Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. The Good application stores sensitive DoD information. A hacker with access to the smartphone could easily gain access to the Good application if the required authentication control is not set.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>IAIA-1</IAControls>Set user authentication on the Good app on the smartphone to either CAC or password authentication. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non-STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non-STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the mobile OS devices and click on Handheld Authentication on the left side.
-Verify either “Authenticate with CAC PIN” or “Authenticate with password” is selected.
Mark as a finding if neither of the required settings is configured in the policy.
CAC authentication configuration setting<GroupDescription></GroupDescription>WIR-GMMS-003“Require CAC to be present” must be set.<VulnDiscussion>Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. The Good application stores sensitive DoD information. A hacker with access to the smartphone could easily gain access to the Good application if the required authentication control is not set.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>IAIA-1</IAControls>Set “Require CAC to be present” to the required value. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non-STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, in turn, and verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non-STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-If “Authenticate with CAC PIN” is checked (CAC authentication is required), verify “Require CAC to be present” is also checked. Note: if “Authenticate with CAC PIN” is not checked, then “Require CAC to be present” does not need to be checked.
Mark as a finding if not set as required.
Wireless management server authentication<GroupDescription></GroupDescription>WIR-WMS-GD-011Authentication on system administration accounts for wireless management servers must be configured.<VulnDiscussion>CTO 07-15 Rev1 requires that administrator accounts use either CAC authentication or complex passwords to ensure strong access control is enforced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>IAIA-1, IATS-1</IAControls>Configure required authentication on system administration accounts for wireless management servers.Detailed Policy Requirements:
One of the following authentication methods must be enforced for system administrator accounts:
1. CAC authentication.
2. The account password must be compliant with CTO 07-15 Rev1.
-Password must be a 14+ character complex password consisting of characters from at least 2 of the following categories: upper case letters, lower case letters, numbers, and special characters. The password must be changed every 60 days.
Check Procedures:
The Good messaging server uses Active Directory authentication for admin accounts to the management console. Site admin accounts are usually set up with user ID/password authentication rather than CAC authentication. Therefore, verify the site AD is set up to require admin accounts to use passwords meeting the requirements of CTO 07-15 Rev1. Discuss with the Network and AD reviewer and site IAO to verify compliance.
Mark as a finding if site admin accounts do not meet the requirements.