
Windows Phone 8.1 must be configured to implement the management setting: Disable the capability of the Cortana personal assistant A.I. to be functional when the device is locked.


Overview

Finding ID: V-58957
Version: MSWP-81-500902
Rule ID: SV-73387r1_rule
IA Controls:
Severity: Medium
Description
When a mobile device is locked, there should be no access to its protected/sensitive data since it could enable unauthorized people with physical access to the device to bring up and view confidential information. The Cortana personal assistant can perform a number of voice-related queries and actions that can aid productivity but also allows some of its actions to be done while the device is locked. Disabling this feature mitigates the exposure of potentially sensitive information that should remain secured when a device is locked.

SFR ID: FMT_SMF.1.1 #42
STIG Date
Microsoft Windows Phone 8.1 Security Technical Implementation Guide 2015-05-13

Details

Check Text (C-59787r1_chk)
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device. It assumes you have an existing device time-out policy in place that will lock the device after a certain period.

On the MDM administration console:
1. Ask the MDM administrator to verify the phone compliance policy.
2. Find the setting for "allow access to the Cortana personal assistant".
3. Verify that this setting is turned off/disallowed.

On the Windows Phone mobile device:
1. If the screen is on, tap the power button to turn it off; otherwise, leave the screen off until the time-out period passes. The device could also be powered off instead.
2. Press the power button to turn on the screen.
3. The lockscreen background screen should appear. Press and hold the Search button at the lower right of the device. A screen will appear that says "Listening..."
4. Speak the voice command "show me my calendar".
5. Verify that when Cortana responds, she says, "You just need to unlock your phone first."

If the MDM does not have a policy setting enforced for "allow access to the Cortana personal assistant", or if Cortana is able to provide voice assistance and show information under the lockscreen, this is a finding.
Fix Text (F-64351r1_fix)
Configure the MDM system to require the "allow access to the Cortana personal assistant" policy to be disabled for Windows Phone devices.

Deploy the MDM policy on managed devices.