
Microsoft Windows 10 Mobile Security Technical Implementation Guide


Overview

Date: 2016-09-26
Finding Count (34): CAT I (High): 2, CAT II (Med): 23, CAT III (Low): 9
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-70097 High Windows 10 Mobile must protect data at rest on removable storage media.
V-70095 High Windows 10 Mobile must protect data at rest on built-in storage media.
V-70143 Medium Windows 10 Mobile devices must be upgraded to the Windows 10 Mobile Enterprise edition. Enterprise edition provides the ability to leverage several enhanced controls that have a dependency on the enterprise edition.
V-69709 Medium Windows 10 Mobile must not display notifications in the Action Center when the device is locked.
V-70109 Medium Windows 10 Mobile must not allow backup to locally connected systems.
V-70091 Medium Windows 10 Mobile must lock the display after 15 minutes (or less) of inactivity.
V-70125 Medium Windows 10 Mobile must be configured to implement the management setting: Disable the device Bluetooth Discoverable Mode.
V-70123 Medium Windows 10 Mobile must be configured to implement the management setting: Disable the ability for a user to add new email accounts.
V-70099 Medium Windows 10 Mobile must be configured to disable automatic updates of system software.
V-69713 Medium Windows 10 Mobile must disable the Windows Store.
V-70117 Medium Windows 10 Mobile must not allow a USB mass storage mode.
V-69711 Medium Windows 10 Mobile must not allow use of developer modes.
V-70105 Medium Windows 10 Mobile must be configured to disable VPN split-tunneling (if the MD provides a configurable control for FDP_IFC_EXT.1.1).
V-70107 Medium Windows 10 Mobile must not allow backup to remote systems and must have a mechanism to restrict abilities of applications and OS components that leverage cloud storage by blocking backup to OneDrive.
V-70113 Medium Windows 10 Mobile must enable all IP traffic (other than IP traffic required to establish the VPN connection) to flow through the IPsec VPN client or provide an interface to VPN applications for this purpose.
V-71681 Medium Windows 10 Mobile must be running at a minimum an OS build number of 10.0.14393.10 or higher to meet all requirements in the STIG.
V-70131 Medium Windows 10 Mobile must be configured to implement the management setting: Require a password be used before unlocking a Windows 10 Mobile device.
V-70085 Medium Windows 10 Mobile must be configured to implement the management setting: Disable the ability for a device to send out advertisements/Bluetooth beacons to a Bluetooth peripheral.
V-70135 Medium Windows 10 Mobile must be configured to implement the management setting: Disable the capability of the Cortana personal assistant A.I. to be functional when the device is locked.
V-70083 Medium Windows 10 Mobile must enforce an application installation policy by specifying an application whitelist.
V-70111 Medium Windows 10 Mobile must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor (e.g., using a fingerprint), unless mechanism is DoD-approved.
V-70139 Medium Windows 10 Mobile must be configured to implement the management setting: Disable the capability for synching settings such as the theme, application settings, Internet Explorer sites visited, and cached passwords to Microsoft OneDrive cloud storage.
V-70137 Medium Windows 10 Mobile must be configured to implement the management setting: Disable the capability for a user to manually unenroll from MDM management.
V-70119 Medium Windows 10 Mobile must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (HandsFree Profile), and SPP (Serial Port Profile).
V-70103 Medium Windows 10 Mobile whitelist must not include applications with the following characteristics:
- back up MD data to non-DoD cloud servers (including user and application access to cloud backup services, i.e. OneDrive, Box, Dropbox, Google Drive, Amazon Cloud Drive, Azure);
- transmit MD diagnostic data to non-DoD servers;
- voice assistant application if available when MD is locked;
- voice dialing application if available when MD is locked;
- allows synchronization of data or applications between devices associated with user;
- payment processing; and
- allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.
V-70093 Low Windows 10 Mobile must enforce a minimum password length of 6 characters.
V-70127 Low Windows 10 Mobile must be configured to implement the management setting: Disable the ability of the Edge browser to cache passwords in the Password Manager.
V-70121 Low Windows 10 Mobile must disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.
V-70087 Low Windows 10 Mobile must not allow passwords that include more than two repeating or sequential characters.
V-70101 Low Windows 10 Mobile must enable VPN protection.
V-70115 Low Windows 10 Mobile must generate audit records.
V-70129 Low Windows 10 Mobile must be configured to implement the management setting: Disable the capability to use NFC.
V-70089 Low Windows 10 Mobile must not allow more than 10 consecutive failed authentication attempts.
V-70133 Low Windows 10 Mobile must be configured to implement the management setting: Disable the ability to copy and paste data between trusted and non-trusted applications and between trusted and non-trusted networks.