
Windows Phone 8.1 must be configured to implement the management setting: Disable the capability for syncing settings such as the theme, application settings, Internet Explorer sites visited, and cached passwords to Microsoft OneDrive cloud storage.


Overview

Finding ID: V-58963
Version: MSWP-81-500907
Rule ID: SV-73393r1_rule
IA Controls:
Severity: Medium
Description
A public cloud backup feature may gather a user's information, such as PII or sensitive documents. With this feature enabled, sensitive information will be backed up to the manufacturer's servers and database. This data is stored at a location where unauthorized employees have access to it, on a server whose location is unknown to the DoD. Disabling this feature mitigates the risk of a backup feature that stores sensitive data on a server that has the potential to be located in a country other than the United States.

SFR ID: FMT_SMF.1.1 #42

STIG: Microsoft Windows Phone 8.1 Security Technical Implementation Guide
Date: 2015-05-13

Details

Check Text (C-59793r1_chk)
This validation procedure is performed on both the MDM administration console and the Windows Phone mobile device. It assumes you have an existing device time-out policy in place that will lock the device after a certain period.

On the MDM administration console:
1. Ask the MDM administrator to verify the phone compliance policy.
2. Find the setting for "sync settings to OneDrive".
3. Verify that this setting is turned off/disallowed.

On the Windows Phone mobile device:
1. Launch "Settings".
2. Find and tap on "sync my settings".
3. Verify that no settings toggles are visible and that the screen shows the sentence: "Disabled by policy".

If the MDM does not have the "sync settings to OneDrive" policy disabled, or if the "Disabled by policy" message does not appear in the specified location on the "sync my settings" screen of the phone, this is a finding.

Fix Text (F-64357r2_fix)
Configure the MDM system to require the "sync settings to OneDrive" policy to be disabled for Windows Phone devices.

Deploy the MDM policy to managed devices.