Windows Phone 8.1 must be configured to enable data-at-rest protection for built-in storage media.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-58945	MSWP-81-101102	SV-73375r1_rule		High

Description
The operating system must ensure the data being written to the mobile device's built-in storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read storage media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running. SFR ID: FMT_SMF.1.1 #22

Description

The operating system must ensure the data being written to the mobile device's built-in storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read storage media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running. SFR ID: FMT_SMF.1.1 #22

STIG	Date
Microsoft Windows Phone 8.1 Security Technical Implementation Guide	2015-05-13

Details

Check Text ( C-59775r2_chk )
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device. On the MDM administration console: 1. Ask the MDM administrator to display the device encryption setting. 2. Verify device encryption is activated. On the Windows Phone mobile device: 1. Launch "Settings". 2. Select "storage sense". 3. Verify the word "encrypted" appears after the measurement of how much storage is in use. For example, "2.62 GB used, encrypted" is compliant, whereas "2.62 GB used" is not compliant. If the MDM is not configured to enforce encryption, or if the word "encrypted" does not appear in the specified location in the "storage sense" screen of the Settings app, this is a finding.

Check Text ( C-59775r2_chk )

This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device.

On the MDM administration console:
1. Ask the MDM administrator to display the device encryption setting.
2. Verify device encryption is activated.

On the Windows Phone mobile device:
1. Launch "Settings".
2. Select "storage sense".
3. Verify the word "encrypted" appears after the measurement of how much storage is in use.

For example, "2.62 GB used, encrypted" is compliant, whereas "2.62 GB used" is not compliant.

If the MDM is not configured to enforce encryption, or if the word "encrypted" does not appear in the specified location in the "storage sense" screen of the Settings app, this is a finding.

Fix Text (F-64339r1_fix)
Configure the MDM system to require the device encryption for Windows Phone devices. Deploy the MDM policy to managed devices.