Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-58977 | MSWP-81-501412 | SV-73407r1_rule | Medium |
Description |
---|
Without strong mutual authentication, a mobile device may connect to an unauthorized network. In many cases, the user may falsely believe that the device is connected to an authorized network and then provide authentication credentials and other sensitive information. A strong bidirectional, cryptographically based authentication method over VPN mitigates this risk. A VPN can be configured to time out when idle, which, depending on the configuration for a triggered connection, might enable scenarios where the VPN is not on and unprotected access to the Internet is possible. Requiring the VPN connection to be Always On ensures that the VPN is at all times protecting and securing traffic. For Windows Phone 8.1, this configuration supports the DoD requirement that applications cannot access or store data to cloud storage services. For Windows Phone 8.1, this requirement is needed to prevent access to cloud services like OneDrive by OS applications and components such as: Office Hub/Applications OneNote Backup SFR ID: FMT_SMF.1.1 #42 |
STIG | Date |
---|---|
Microsoft Windows Phone 8.1 Security Technical Implementation Guide | 2015-03-26 |
Check Text ( C-59807r1_chk ) |
---|
This validation procedure is only performed on the MDM system. 1. Ask the MDM administrator to review the current VPN profile for Windows Phone 8.1 devices. 2. Find the setting in the profile that controls the use of an "Always On" VPN connection. 3. Verify that the setting is set to required. If the VPN profile's setting for "Always On" is not set to required, this is a finding. |
Fix Text (F-64371r2_fix) |
---|
Configure the MDM system to enforce a VPN profile that sets the connection to be an Always On connection. Configure the MDM settings as follows: 1. Create a new VPN profile, or modify an existing one that has a configuration setting that enforces the setting for "Always On". 2. Deploy the policy to managed devices. |