UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Windows Phone 8.1 must have a mechanism to restrict capabilities of applications and OS components that leverage cloud storage by blocking access to OneDrive at the firewall level.


Overview

Finding ID Version Rule ID IA Controls Severity
V-58975 MSWP-81-501411 SV-73405r1_rule Medium
Description
While backup and collaboration of data is useful from a productivity perspective, if that same data can be shared to public locations through cloud storage services, data leakage scenarios are possible, enabling sensitive data to be shared outside of secure DoD locations. To mitigate these threats, the ability to store or backup data in public cloud areas should be blocked. For Windows Phone 8.1, this requirement is needed to prevent access to cloud services like OneDrive by OS applications and components such as: Office Hub/Applications OneNote Backup SFR ID: FMT_SMF.1.1 #42
STIG Date
Microsoft Windows Phone 8.1 Security Technical Implementation Guide 2015-05-13

Details

Check Text ( C-59805r2_chk )
This validation procedure is performed only on the firewall(s) that control VPN Gateway access for mobile devices accessing public OneDrive on the Internet.

On the firewall administration console:
1. Ask the firewall administrator to verify that a rule exists that blocks outbound access to OneDrive.
2. Verify there is a rule to block access to all of these domains:
"*.live.com"
"*.live.net"
"*.livefilestore.com"
"*.1drv.com"

If the firewall for the DoD VPN does not have rules prohibiting outbound traffic to "*.live.com",
"*.live.net",
"*.livefilestore.com", and
"*.1drv.com", this is a finding.
Fix Text (F-64369r2_fix)
Configure firewall settings for the VPN Gateway to terminate inbound traffic from mobile devices accessing public OneDrive on the Internet.

Configure the firewall for VPN as follows:
1. Have the firewall administrator add rules that block outbound access to OneDrive.

Block access to these domains:
"*.live.com"
"*.live.net"
"*.livefilestore.com"
"*.1drv.com"

This is one of 5 implementation requirements that work together to prevent access to cloud services.