Microsoft Android 11 must be configured to enable encryption for data at rest on removable storage media or alternately, the use of removable storage media must be disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-255211 | MSFT-11-002000 | SV-255211r870824_rule | High |
| Description |
|---|
| The Microsoft Android device must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running. SFR ID: FMT_SMF_EXT.1.1 #21, #47f |
| STIG | Date |
|---|---|
| Microsoft Android 11 COPE Security Technical Implementation Guide | 2022-11-14 |
Details
| Check Text ( C-58824r870737_chk ) |
|---|
| Review Microsoft Android device settings to determine if the Microsoft Android device has disabled use of removable storage media. This validation procedure is performed on both the EMM Administration console and the Android 11 device. On the EMM console: 1. Open "Set user restrictions". 2. Verify that "Disallow usb file transfer" is toggled to "On". 3. Verify that "Disallow mount physical media" is toggled to "On". On the Microsoft Android 11 device: 1. Insert SD card and/or attach a USB storage device. 2. Validate that use of either is unavailable for storing data. If the use of removable storage has not been disabled, this is a finding. |
| Fix Text (F-58768r870738_fix) |
|---|
| Configure the Microsoft Android 11 device to disable use of removable storage media. On the EMM console: 1. Open "Set user restrictions". 2. Toggle "Disallow usb file transfer" to "On". 3. Toggle "Disallow mount physical media" to "On". |