Samsung Android must be configured to not enable Microsoft Exchange ActiveSync (EAS) password recovery. This requirement is not applicable if not using Microsoft EAS.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-93931 | KNOX-09-001375 | SV-104017r1_rule | Medium |
| Description |
|---|
| Password Recovery is a feature of Microsoft EAS. Exceeding the Password Attempts limit triggers the Lock screen to open a Password Recovery Mode. This feature must be disabled for a Samsung Android device to be in the NIAP-certified Common Criteria (CC) mode of operation. If Microsoft EAS password recovery is enabled, the Samsung device will be out of compliance with the CC Mode configuration. This requirement is configured on the Exchange server. It is the responsibility of the DoD mobile service provider to ensure the Exchange server has been configured in compliance with the requirement. The requirement is only applicable if using Microsoft Exchange ActiveSync in the device (personal side). SFR ID: FMT_SMF_EXT.1.1 #47 |
| STIG | Date |
|---|---|
| Samsung Android OS 9 with Knox 3.x COPE Use Case KPE(Legacy) Deployment Security Technical Implementation Guide | 2019-10-01 |
Details
| Check Text ( C-93249r1_chk ) |
|---|
| Verify that the Microsoft EAS password recovery has been disabled on the Exchange server. If on the Microsoft EAS server "password recovery" is not disabled, this is a finding. |
| Fix Text (F-100179r1_fix) |
|---|
| Configure Samsung Android to not enable Microsoft EAS password recovery. The DoD mobile service provider should verify that the Exchange server is configured to disable Microsoft EAS password recovery. |