
The mobile operating system must not permit a user to disable the password-protected lock feature on the device.


Overview

Finding ID: KNOX-01-000400
Version: KNOX-01-000400
Rule ID: KNOX-01-000400_rule
IA Controls: (none listed)
Severity: Medium
Description
If the user is able to disable the password-protected lock feature, the user can change the configuration of the device to allow access without a password. The modified configuration would enable an adversary with access to the device to obtain DoD information and possibly other information resources on other systems. An operating system that does not allow a user to disable this feature mitigates the risk of this attack. In cases in which the mobile operating system relies on another application for protected data storage (e.g., if FIPS 140-2 validated encryption for unclassified use is not native to the device), then this requirement applies to both the device lock password and the password to the data storage application.
STIG: Samsung Knox Android 1.0 STIG
Date: 2013-05-03

Details

Check Text (C-KNOX-01-000400_chk)
This check procedure is performed on both the MDM Administration Console and the Samsung Knox Android device. The result from the KNOX-01-000200 check procedure on the MDM Administration Console may be used here since both involve checking the password length setting.

Check that the appropriate setting is configured on the MDM server.

For example, on the Fixmo Sentinel Administration Console:
1. Ask the MDM administrator to display the "Min Length" setting in the "Android Password Restrictions" rule.
2. Verify the configured value is greater than 0.
Note: By setting password length to a number greater than 0, the mobile operating system prevents the user from being able to disable the password.

On the Samsung Knox Android Device:
1. Open the device settings.
2. Select "Lock Screen".
3. Select "Screen lock".
4. Enter current password.
5. Verify the "None" option cannot be selected.

If the "Min Length" setting is null or 0, or if the mobile operating system (MOS) allows the user to disable the password-protected lock feature, this is a finding.
Fix Text (F-KNOX-01-000400_fix)
Configure the operating system to prohibit a user from disabling the password-protected lock feature.

For example, on the Fixmo Sentinel Administration Console, set the "Min Length" to a number greater than 0 in the "Android Password Restrictions" rule.

NOTE: By setting password length to a number greater than 0, the mobile operating system prevents the user from being able to disable the password.
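The check and fix above are expressed in MDM-console terms; the example below, added here and not part of the STIG or any MDM vendor's code, shows the same policy applied and audited through Android's standard DevicePolicyManager API, which is what an MDM agent ultimately calls. It assumes a registered DeviceAdminReceiver named KnoxAuditAdminReceiver (hypothetical) that declares the limit-password policy, and a minimum length of 6, which is one arbitrary choice of a value greater than 0.

```java
// Added example, not from the STIG or an MDM vendor. Enforces and audits the
// KNOX-01-000400 condition: a non-zero minimum password length makes the
// "None" screen-lock option unavailable to the user.
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;

public final class LockPolicyAudit {
    // Any value > 0 satisfies the STIG; 6 is an assumption for this example.
    private static final int MIN_LENGTH = 6;

    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    public LockPolicyAudit(Context ctx) {
        dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        // KnoxAuditAdminReceiver is a hypothetical DeviceAdminReceiver that
        // declares <limit-password/> in its device-admin policies.
        admin = new ComponentName(ctx, KnoxAuditAdminReceiver.class);
    }

    /**
     * Fix: require a real password and a non-zero minimum length.
     * Returns true if the current credential already meets the policy; if false,
     * Android will prompt the user to set a compliant password.
     */
    public boolean enforce() {
        // A minimum length is only binding when the quality is NUMERIC or stronger.
        // Setting the length alone with PASSWORD_QUALITY_UNSPECIFIED leaves "None"
        // selectable, which is exactly the finding this rule describes.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_NUMERIC);
        dpm.setPasswordMinimumLength(admin, MIN_LENGTH);
        return dpm.isActivePasswordSufficient();
    }

    /**
     * Check: true when this is a finding, i.e. the aggregate policy across all
     * device admins does not prevent the user from disabling the lock.
     */
    public boolean isFinding() {
        // Passing null aggregates the strictest value across all active admins.
        int minLen = dpm.getPasswordMinimumLength(null);
        int quality = dpm.getPasswordQuality(null);
        boolean lengthEnforced = quality >= DevicePolicyManager.PASSWORD_QUALITY_NUMERIC;
        return minLen <= 0 || !lengthEnforced;
    }
}
```

Run isFinding() after the MDM pushes its policy: a result of true corresponds to the "Min Length is null or 0" finding even when the console shows a length, because the length is ignored unless a password quality at or above NUMERIC is also set.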