Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-69709 | MSWM-10-200101 | SV-84331r1_rule | Medium |
Description |
---|
Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the MOS to not send notifications to the lock screen mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #21 |
STIG | Date |
---|---|
Microsoft Windows 10 Mobile Security Technical Implementation Guide | 2016-09-26 |
Check Text ( C-70151r1_chk ) |
---|
Review Windows 10 Mobile configuration settings to determine if the MOS displays notifications on the lock screen. If feasible, use a spare device and configure it for notifications on common triggers such as calendar appointments. This validation procedure is performed on both the MDM administration console and the Windows 10 Mobile device. It assumes you have an existing device timeout policy in place that will lock the device after a certain period. On the MDM administration console: 1. Ask the MDM administrator to verify the phone compliance policy. 2. Find the setting for "allow Action Center notifications". 3. Verify that setting restriction is turned off/disallowed. On the Windows 10 Mobile device: 1. If On, tap the power button to turn the screen off otherwise leave the screen off until the timeout period passes. The device could also be powered off instead. 2. Press the power button to turn on the screen. 3. The lock screen background screen should appear. Swipe a finger from the very top of the screen to bring up the action center. 4. Verify that when the action center appears that that the only thing visible are the 4 configurable settings buttons along with the "all settings" button. If an MDM policy for "allow Action Center notifications" is not set to turned off/disallowed or if on the Windows 10 Mobile device any notifications for various services like email show up under the settings buttons, this is a finding. |
Fix Text (F-75913r1_fix) |
---|
Configure the MDM system to require the "allow Action Center notifications" policy to be disabled for Windows 10 Mobile devices. Deploy the MDM policy on managed devices. |