UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Windows Phone 8.1 must disable split-tunneling on the VPN client.


Overview

Finding ID Version Rule ID IA Controls Severity
V-58973 MSWP-81-501409 SV-73403r1_rule Medium
Description
Without strong mutual authentication, a mobile device may connect to an unauthorized network. In many cases, the user may falsely believe that the device is connected to an authorized network and then provide authentication credentials and other sensitive information. A strong bidirectional, cryptographically based authentication method over VPN mitigates this risk. For Windows Phone 8.1, this requirement is needed to prevent access to cloud services like OneDrive by OS applications and components such as: Office Hub/Applications OneNote Backup SFR ID: FMT_SMF.1.1 #42
STIG Date
Microsoft Windows Phone 8.1 Security Technical Implementation Guide 2015-05-13

Details

Check Text ( C-59801r1_chk )
This validation procedure is only performed on the MDM system.

1. Ask the MDM administrator to review the current VPN profile for Windows Phone 8.1 devices.
2. Find the setting in the profile that controls the use of "Split Tunneling".
3. Verify that the setting is set to disabled or false.

If the VPN profile's setting for allowing "Split Tunneling" is set to allowed, this is a finding.
Fix Text (F-64367r2_fix)
Configure the MDM system to enforce a VPN profile that sets the connection to be Forced Tunnel.

Configure the MDM settings as follows:
1. Create a new VPN profile, or modify an existing one that has a configuration setting that disables the setting for "Split Tunnel".
2. Deploy the policy to managed devices.