
Windows Phone 8.1 must disable split-tunneling on the VPN client.


Overview

Finding ID: V-58973
Version: MSWP-81-501409
Rule ID: SV-73403r1_rule
IA Controls:
Severity: Medium
Description
Without strong mutual authentication, a mobile device may connect to an unauthorized network. In many cases, the user may falsely believe that the device is connected to an authorized network and then provide authentication credentials and other sensitive information. A strong bidirectional, cryptographically based authentication method over VPN mitigates this risk.

For Windows Phone 8.1, this requirement is needed to prevent access to cloud services like OneDrive by OS applications and components such as:
- Office Hub/Applications
- OneNote
- Backup

SFR ID: FMT_SMF.1.1 #42
STIG: Microsoft Windows Phone 8.1 Security Technical Implementation Guide
Date: 2015-05-13

Details

Check Text (C-59801r1_chk)
This validation procedure is only performed on the MDM system.

1. Ask the MDM administrator to review the current VPN profile for Windows Phone 8.1 devices.
2. Find the setting in the profile that controls the use of "Split Tunneling".
3. Verify that the setting is set to disabled or false.

If the VPN profile's setting for allowing "Split Tunneling" is set to allowed, this is a finding.
Fix Text (F-64367r2_fix)
Configure the MDM system to enforce a VPN profile that sets the connection to be Forced Tunnel.

Configure the MDM settings as follows:
1. Create a new VPN profile, or modify an existing one, so that it contains a configuration setting that disables "Split Tunnel".
2. Deploy the policy to managed devices.
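As an added example (not part of the STIG page and not DISA or Microsoft tooling), the following Python script automates the check above over exported VPN profiles and applies the fix: a profile whose tunnel policy allows split tunneling is reported as a finding, a Forced Tunnel profile passes, and a profile with no explicit setting is routed to the MDM administrator for manual review because the check requires the setting to be explicitly disabled. The XML layout, the RoutingPolicyType element and the SplitTunnel/ForceTunnel values are assumptions standing in for whatever schema a given MDM exports; the sample profiles are constructed.

```python
"""Audit exported VPN profiles for split tunneling (V-58973 style check).

Added example, not from the STIG page. The profile layout below is a
constructed, hypothetical XML schema; real MDM exports use their own format,
so the element name and the ForceTunnel/SplitTunnel vocabulary are assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Tunnel-policy values used by the hypothetical profile schema (assumption).
SPLIT_TUNNEL = "SplitTunnel"
FORCE_TUNNEL = "ForceTunnel"


@dataclass
class CheckResult:
    profile: str
    status: str  # "pass", "finding", or "manual"
    reason: str


def check_profile(xml_text: str) -> CheckResult:
    """Return a finding if the profile allows split tunneling."""
    root = ET.fromstring(xml_text)
    name = root.get("name", "<unnamed>")
    node = root.find("RoutingPolicyType")
    if node is None or not (node.text or "").strip():
        # The check requires the setting to be explicitly disabled; an absent
        # value cannot be verified automatically, so hand it to the MDM
        # administrator instead of silently passing it.
        return CheckResult(name, "manual", "no RoutingPolicyType element present")
    value = node.text.strip()
    if value == FORCE_TUNNEL:
        return CheckResult(name, "pass", "tunnel policy is ForceTunnel")
    if value == SPLIT_TUNNEL:
        return CheckResult(name, "finding", "split tunneling is allowed")
    return CheckResult(name, "manual", f"unrecognised tunnel policy {value!r}")


def fix_profile(xml_text: str) -> str:
    """Rewrite the profile so the connection is Forced Tunnel (the STIG fix)."""
    root = ET.fromstring(xml_text)
    node = root.find("RoutingPolicyType")
    if node is None:
        node = ET.SubElement(root, "RoutingPolicyType")
    node.text = FORCE_TUNNEL
    return ET.tostring(root, encoding="unicode")


# Constructed sample profiles (not real MDM exports).
NONCOMPLIANT_PROFILE = """<VpnProfile name="corp-vpn">
  <Server>vpn.example.test</Server>
  <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
</VpnProfile>"""

COMPLIANT_PROFILE = """<VpnProfile name="corp-vpn-forced">
  <Server>vpn.example.test</Server>
  <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
</VpnProfile>"""

UNSET_PROFILE = """<VpnProfile name="legacy-vpn">
  <Server>vpn.example.test</Server>
</VpnProfile>"""


if __name__ == "__main__":
    for xml_text in (NONCOMPLIANT_PROFILE, COMPLIANT_PROFILE, UNSET_PROFILE):
        r = check_profile(xml_text)
        print(f"{r.profile}: {r.status} ({r.reason})")
    # Remediate the non-compliant profile and re-check it.
    fixed = fix_profile(NONCOMPLIANT_PROFILE)
    print(f"after fix: {check_profile(fixed).status}")
```

The "manual" status matters in practice: a profile that never mentions split tunneling may or may not default to a forced tunnel depending on the MDM and OS version, so the script refuses to mark it compliant and instead surfaces it for the administrator review that step 1 of the check already calls for.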