
Windows Phone 8.1 must have a mechanism to restrict capabilities of applications and OS components that leverage cloud storage by blocking access to OneDrive at the firewall level.


Overview

Finding ID: V-58975
Version: MSWP-81-501411
Rule ID: SV-73405r1_rule
IA Controls: (not listed)
Severity: Medium
Description
While backup and collaboration of data are useful from a productivity perspective, if that same data can be shared to public locations through cloud storage services, data leakage scenarios are possible, enabling sensitive data to be shared outside of secure DoD locations. To mitigate these threats, the ability to store or back up data in public cloud areas should be blocked.

For Windows Phone 8.1, this requirement is needed to prevent access to cloud services like OneDrive by OS applications and components such as:
Office Hub/Applications
OneNote
Backup

SFR ID: FMT_SMF.1.1 #42
STIG: Microsoft Windows Phone 8.1 Security Technical Implementation Guide
Date: 2015-05-13

Details

Check Text (C-59805r2_chk)
This validation procedure is performed only on the firewall(s) that control VPN Gateway access for mobile devices accessing public OneDrive on the Internet.

On the firewall administration console:
1. Ask the firewall administrator to verify that a rule exists that blocks outbound access to OneDrive.
2. Verify there is a rule to block access to all of these domains:
"*.live.com"
"*.live.net"
"*.livefilestore.com"
"*.1drv.com"

If the firewall for the DoD VPN does not have rules prohibiting outbound traffic to "*.live.com", "*.live.net", "*.livefilestore.com", and "*.1drv.com", this is a finding.
Fix Text (F-64369r2_fix)
Configure firewall settings for the VPN Gateway to terminate inbound traffic from mobile devices accessing public OneDrive on the Internet.

Configure the firewall for VPN as follows:
1. Have the firewall administrator add rules that block outbound access to OneDrive.

Block access to these domains:
"*.live.com"
"*.live.net"
"*.livefilestore.com"
"*.1drv.com"

This is one of 5 implementation requirements that work together to prevent access to cloud services.
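The check above is a manual review of the firewall rule set. As an added illustration (not part of the STIG or any vendor's tooling), the script below automates the same verification against a constructed rule export: it parses a hypothetical "action direction destination" line format, reports which of the four required wildcard domains lack an outbound block rule, and also shows how a wildcard such as "*.live.com" is commonly interpreted, matching subdomains but not the bare apex domain. The rule format, the sample rules and the function names are assumptions made for this example.

```python
import re

# The four domains this STIG rule requires to be blocked outbound (from the check text).
REQUIRED_BLOCKS = ("*.live.com", "*.live.net", "*.livefilestore.com", "*.1drv.com")

# Constructed sample of a firewall rule export. The "action direction destination"
# column layout is a hypothetical format for this example, not any vendor's real syntax.
# Note the deliberate gap: *.livefilestore.com is only blocked inbound, not outbound.
SAMPLE_RULES = """
# action   direction  destination
allow      outbound   *.microsoft.com
deny       outbound   *.live.com
deny       outbound   *.live.net
deny       inbound    *.livefilestore.com
deny       outbound   *.1drv.com
"""

DENY_ACTIONS = {"deny", "block", "drop"}


def parse_rules(text):
    """Parse the constructed export into (action, direction, destination) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line)
        if len(parts) != 3:
            raise ValueError(f"unparseable rule line: {line!r}")
        action, direction, dest = (p.lower() for p in parts)
        rules.append((action, direction, dest))
    return rules


def missing_blocks(rules, required=REQUIRED_BLOCKS):
    """Return the required patterns that have no outbound deny rule in the rule set."""
    blocked = {dest for action, direction, dest in rules
               if action in DENY_ACTIONS and direction == "outbound"}
    return [pattern for pattern in required if pattern.lower() not in blocked]


def evaluate(rule_text):
    """Return (finding, missing): finding is True when any required block is absent."""
    missing = missing_blocks(parse_rules(rule_text))
    return (len(missing) > 0, missing)


def hostname_matches(hostname, pattern):
    """Wildcard semantics assumed here: '*.live.com' matches 'x.live.com' but not 'live.com'.

    Whether the apex domain is also covered varies by firewall product, so this is
    exactly the point to confirm with the firewall administrator during the check.
    """
    host = hostname.lower().rstrip(".")
    pat = pattern.lower()
    if pat.startswith("*."):
        suffix = pat[1:]  # e.g. ".live.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pat


def is_blocked(hostname, patterns=REQUIRED_BLOCKS):
    """True if the hostname falls under at least one of the required block patterns."""
    return any(hostname_matches(hostname, p) for p in patterns)


if __name__ == "__main__":
    finding, missing = evaluate(SAMPLE_RULES)
    print("finding:", finding, "missing outbound blocks:", missing)
    for host in ("onedrive.live.com", "live.com", "files.1drv.com", "example.com"):
        print(f"{host}: {'blocked' if is_blocked(host) else 'not blocked'}")
```

Running it against the constructed sample reports a finding because "*.livefilestore.com" is denied only inbound; the fix text requires the block on outbound traffic. The hostname check makes the wildcard caveat visible: under the usual subdomain-only interpretation, "onedrive.live.com" is covered but the bare "live.com" is not, so confirm how the firewall in use treats the apex when reviewing the rules.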