
Windows Phone 8.1 must be configured to prohibit more than 10 consecutive failed authentication attempts.


Overview

Finding ID: V-58939
Version: MSWP-81-100807
Rule ID: SV-73369r1_rule
IA Controls:
Severity: Low
Description
Users must not be able to override the system policy on the maximum number of consecutive failed authentication attempts because this could allow them to raise the maximum, thus giving adversaries more chances to guess/brute-force passwords, which increases the risk of the mobile device being compromised. Therefore, only administrators should have the authority to set consecutive failed authentication attempt policies. SFR ID: FMT_SMF.1.1 #02
STIG: Microsoft Windows Phone 8.1 Security Technical Implementation Guide
Date: 2015-05-13

Details

Check Text (C-59769r1_chk)
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device.

On the MDM administration console:
1. Ask the MDM administrator to display the device password settings. Check that the following setting is configured.
2. The number of repeated sign-on failures before the device is wiped is 10 or fewer.

This validation procedure is performed on the Windows Phone mobile device.
NOTE: This test should not be used on a production device.

On the Windows Phone mobile device:
1. Ensure that the device has timed out or power cycled so that the lockscreen is shown.
2. Attempt to unlock the device using an incorrect PIN.
3. On the last attempt, a warning will be presented asking the user to enter A1B2C3. This confirms that the failed attempts were not accidental (e.g., pocket-dialed). Once A1B2C3 is entered, a final attempt to unlock the phone can be made.
4. Verify that on or before the 10th attempt, the message "Goodbye" is displayed as the Windows Phone reboots and wipes/hard resets.

If the MDM is not configured to wipe the device after 10 or fewer attempts, or the device does not wipe after 10 attempts to unlock it, this is a finding.
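The MDM-console half of this check can be automated against the value the MDM reads back from the device. The following is an added example, not part of the STIG; it assumes the MDM queries the Windows Phone 8.1 PolicyManager CSP node MaxDevicePasswordFailedAttempts over OMA-DM, that a value of 0 means the device is never wiped, and it uses a constructed SyncML response as input.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Threshold from the STIG check text: wipe after 10 or fewer failed attempts.
MAX_FAILED_ATTEMPTS_LIMIT = 10

# Assumed Windows Phone 8.1 PolicyManager CSP node (not quoted on the STIG page).
POLICY_URI = "./Vendor/MSFT/PolicyManager/My/DeviceLock/MaxDevicePasswordFailedAttempts"

# Constructed sample: an OMA-DM <Results> block as an MDM server might receive in
# answer to a <Get> on the node above (illustrative, not a real device capture).
SAMPLE_SYNCML_RESULTS = """<Results>
  <CmdID>4</CmdID>
  <MsgRef>1</MsgRef><CmdRef>2</CmdRef>
  <Item>
    <Source><LocURI>./Vendor/MSFT/PolicyManager/My/DeviceLock/MaxDevicePasswordFailedAttempts</LocURI></Source>
    <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
    <Data>15</Data>
  </Item>
</Results>"""

def extract_policy_value(syncml: str, uri: str = POLICY_URI) -> Optional[int]:
    """Return the integer <Data> reported for the requested LocURI, or None if absent."""
    root = ET.fromstring(syncml)
    for item in root.iter("Item"):
        if item.findtext("Source/LocURI") == uri:
            data = item.findtext("Data")
            return int(data) if data and data.strip() else None
    return None

def evaluate_max_failed_attempts(value: Optional[int]) -> tuple[bool, str]:
    """Apply the STIG rule. Returns (is_finding, reason).
    Assumption (CSP semantics, not stated on the STIG page): 0 means the device is
    never wiped, so it is treated as unlimited attempts and therefore a finding."""
    if value is None:
        return True, "policy not set; device default applies"
    if value <= 0:
        return True, "value 0 disables wipe on failed attempts"
    if value > MAX_FAILED_ATTEMPTS_LIMIT:
        return True, f"wipe after {value} attempts exceeds limit of {MAX_FAILED_ATTEMPTS_LIMIT}"
    return False, f"wipe after {value} attempts satisfies limit of {MAX_FAILED_ATTEMPTS_LIMIT}"

def check_syncml(syncml: str) -> tuple[bool, str]:
    """Parse the MDM's SyncML result and evaluate it against the STIG threshold."""
    return evaluate_max_failed_attempts(extract_policy_value(syncml))

if __name__ == "__main__":
    finding, reason = check_syncml(SAMPLE_SYNCML_RESULTS)
    print("FINDING" if finding else "NOT A FINDING", "-", reason)
```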
Fix Text (F-64333r1_fix)
Configure the MDM system to enforce a local device wipe after 10 or fewer repeated sign-on failures.

Deploy the policy on managed devices.