
Windows Phone 8.1 must be configured to implement the management setting: Disable the ability of users to be able to manually turn off the VPN.


Overview

Finding ID: V-58953
Version: MSWP-81-500607
Rule ID: SV-73383r1_rule
IA Controls:
Severity: Medium
Description
For consumer use, the ability to turn off or suspend a VPN connection may be useful for working around server issues or reducing battery utilization, but in a DoD environment a VPN connection needs to be retained to provide a consistent secure tunnel for communications with DoD networks. Therefore, preventing the user from turning off the VPN makes it more difficult for an adversary to capture network traffic. For Windows Phone 8.1, this requirement is needed to prevent access to cloud services like OneDrive by OS applications and components such as:
- Office Hub/Applications
- OneNote
- Backup

SFR ID: FMT_SMF.1.1 #42

STIG: Microsoft Windows Phone 8.1 Security Technical Implementation Guide
Date: 2015-03-26

Details

Check Text (C-59783r1_chk)
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device.

On the MDM administration console:
1. Ask the MDM administrator to verify the phone compliance policy.
2. Find the setting for "manual VPN On/Off Control".
3. Verify that the setting restriction is turned off/disallowed.

This validation procedure is performed on the Windows Phone mobile device.

On the Windows Phone mobile device:
1. Wait for the MDM policy to be applied.
2. Go to Settings/VPN.
3. Verify that the VPN Status toggle is On and that the control is disabled and cannot be turned off.

If, on the MDM System, the "manual VPN On/Off Control" policy is not disabled, this is a finding.

If, on the Windows Phone mobile device, the VPN Status toggle is not disabled, this is a finding.
Fix Text (F-64347r2_fix)
Configure the MDM system to enforce a security policy that disallows manually turning off VPN in Windows Phone settings.

Deploy the policy on managed devices.