UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Windows Phone 8.1 must require an Always On VPN session when used.


Overview

Finding ID Version Rule ID IA Controls Severity
V-58977 MSWP-81-501412 SV-73407r1_rule Medium
Description
Without strong mutual authentication, a mobile device may connect to an unauthorized network. In many cases, the user may falsely believe that the device is connected to an authorized network and then provide authentication credentials and other sensitive information. A strong bidirectional, cryptographically based authentication method over VPN mitigates this risk. A VPN can be configured to time out when idle, which, depending on the configuration for a triggered connection, might enable scenarios where the VPN is not on and unprotected access to the Internet is possible. Requiring the VPN connection to be Always On ensures that the VPN is at all times protecting and securing traffic. For Windows Phone 8.1, this configuration supports the DoD requirement that applications cannot access or store data to cloud storage services. For Windows Phone 8.1, this requirement is needed to prevent access to cloud services like OneDrive by OS applications and components such as: Office Hub/Applications OneNote Backup SFR ID: FMT_SMF.1.1 #42
STIG Date
Microsoft Windows Phone 8.1 Security Technical Implementation Guide 2015-03-26

Details

Check Text ( C-59807r1_chk )
This validation procedure is only performed on the MDM system.

1. Ask the MDM administrator to review the current VPN profile for Windows Phone 8.1 devices.
2. Find the setting in the profile that controls the use of an "Always On" VPN connection.
3. Verify that the setting is set to required.

If the VPN profile's setting for "Always On" is not set to required, this is a finding.
Fix Text (F-64371r2_fix)
Configure the MDM system to enforce a VPN profile that sets the connection to be an Always On connection.

Configure the MDM settings as follows:
1. Create a new VPN profile, or modify an existing one that has a configuration setting that enforces the setting for "Always On".
2. Deploy the policy to managed devices.