Status: accepted
Windows Phone 6.5 (with Good Mobility Suite) Security Technical Implementation Guide

This STIG contains the technical security controls required for the use of Windows Phone 6.5 devices in the DoD environment when managed by the Good Mobility Suite.

Reference: DISA, Field Security Operations (STIG.DOD.MIL)
Release: 2   Benchmark Date: 28 Oct 2011   Version: 1

Profiles:
- I - Mission Critical Public
- I - Mission Critical Sensitive
- I - Mission Critical Classified
- II - Mission Support Public
- II - Mission Support Sensitive
- II - Mission Support Classified
- III - Administrative Public
- III - Administrative Sensitive
- III - Administrative Classified

Group: Remote access VPN - FIPS 140-2
Rule: WIR-MOS-WP-034-01
Requirement: The VPN client on wireless clients (PDAs, smartphones) used for remote access to DoD networks must be FIPS 140-2 validated. This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
Discussion: DoD data could be compromised if transmitted data is not secured with a compliant VPN. FIPS validation provides a level of assurance that the encryption of the device has been securely implemented.
Documentable: false
IA Controls: ECWN-1
Fix: Comply with policy requirement.
Check: This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices.
Review VPN client specification sheets and the FIPS 140-2 certificate.
Verify the devices have a VPN client installed and that it is FIPS 140-2 validated. Check the NIST certificate for the mobile OS or VPN client.
Mark as a finding if the VPN is not FIPS 140-2 validated.

Group: Remote access VPN - AES encryption
Rule: WIR-MOS-WP-034-02
Requirement: All wireless PDA clients used for remote access to DoD networks must have a VPN that supports AES encryption. This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
Discussion: DoD data could be compromised if transmitted data is not secured with a compliant VPN.
Documentable: false
Responsibility: System Administrator
IA Controls: ECWN-1
Fix: Comply with policy requirement.
Check: This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Review VPN client specification sheets. Verify AES encryption is enabled for the VPN client.
Mark as a finding if AES is not supported or is not enabled.

Group: Remote access VPN - CAC authentication
Rule: WIR-MOS-WP-034-03
Requirement: All wireless PDA clients used for remote access to DoD networks must have a VPN supporting CAC authentication. This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
Discussion: DoD data could be compromised if transmitted data is not secured with a compliant VPN.
Documentable: false
Responsibility: System Administrator
IA Controls: ECWN-1
Fix: Comply with policy requirement.
Check: This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Verify the VPN client supports CAC authentication to the DoD network (recommend asking the site wireless device administrator to demo this capability). Mark as a finding if CAC authentication is not supported.

Group: Remote access VPN - split tunneling
Rule: WIR-MOS-WP-034-04
Requirement: All wireless PDA client VPNs must have split tunneling disabled. This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
Discussion: DoD data could be compromised if transmitted data is not secured with a compliant VPN. Split tunneling could allow connections from non-secure Internet sites to access data on the DoD network.
Documentable: false
Responsibility: System Administrator
IA Controls: ECWN-1
Fix: Comply with policy requirement.
Check: This check is not applicable if the installed VPN client is not used for remote access to DoD networks.
Interview the IAO and/or site wireless device administrator and inspect a sample (3-4) of site devices. Check to see if the VPN has a setting to disable split tunneling. Verify split tunneling has been disabled.
Mark not applicable if the VPN is not used for remote access to a DoD network.

Group: Use approved smartphone software versions
Rule: WIR-MOS-WP-001
Requirement: Smartphone devices must have the required operating system software versions installed.
Discussion: Required security features are not available in earlier OS versions. In addition, there are known vulnerabilities in earlier versions.
Documentable: false
Responsibility: System Administrator
IA Controls: ECSC-1, ECWN-1
Fix: Install required OS version.
Check:
-Verify the Windows Phone version is 6.5 or later:
--Log into the Windows Phone.
--Go to Settings > General > About > Version.
-Verify the Good App version is 6.0.1.x or later:
--Log into the Windows Phone device.
--Launch the Good app and enter login info.
--Go to Preferences > About.
Mark as a finding if either version is not as required.
Group: Use approved SCR software version
Rule: WIR-MOS-WP-002
Requirement: Smart Card Readers (SCRs) used with smartphones must have the required software version installed.
Discussion: Required security features are not available in earlier software versions. In addition, there may be known vulnerabilities in earlier versions.
Documentable: false
Responsibility: System Administrator
IA Controls: ECSC-1
Fix: Install required SCR software version.
Check: Verify the following:
For the Apriva SCR, the firmware is 03.30.08 or later and the SCR driver is 01.05.06 or later.
For the BAL SCR, the firmware is 1.3.4.12 or later.
Group: User auto-signature on email
Rule: WIR-MOS-WP-004
Requirement: If smartphone email auto signatures are used, the signature message must not disclose that the email originated from a smartphone (e.g., “Sent From My Wireless Handheld”).
Discussion: The disclaimer message may give information which may key an attacker in on the device. This is primarily an OPSEC issue. This setting was directed by the CYBERCOM.
Documentable: false
Responsibility: System Administrator
IA Controls: ECSC-1
Fix: Ensure the smartphone email auto-signature message does not disclose the email originated from a smartphone or a mobile device (e.g., “Sent From My Wireless Handheld”).
Check: Verify the auto-signature, if used, meets requirements.
-Check a random sample of 3-4 devices.
-On the handheld, launch the Good client and go to Preferences > Signature.
Mark as a finding if the device has been configured with an auto-signature and the signature states the email originated from a smartphone.
Group: Mobile operating system apps approved
Rule: WIR-MOS-WP-006-01
Requirement: All non-core applications on the smartphone must be approved by the DAA or Command IT Configuration Control Board.
Discussion: Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server).
Documentable: false
Responsibility: Information Assurance Officer
IA Controls: DCCB-1, ECWN-1
Fix: Have the DAA or Command IT CCB review and approve all non-core applications on mobile OS devices.
Check:
-Select 3-4 random devices managed by the site to review.
-Make a list of non-core applications on each device.
--Have the user log into the device. View all App icons on the home screen or in folders on the home screen.
--If an App is not in the list of core Apps (see below), then note the name of the App.
--Verify the site has written approval to use the App from the DAA or site IT CCB.
-Mark as a finding if any App has not been approved.
A list of standard core Windows Phone 6.5 device Apps can be found in the STIG Configuration Tables document.
Note: The DAA or IT CCB should also indicate if location services are approved for any approved applications, including core applications (e.g., camera, maps, etc.).
Core applications are applications that are included in the smartphone operating system. Applications added by the wireless carrier are not considered core applications. All non-core applications on the smartphone must be approved by the DAA or the Command IT Configuration Control Board.

Group: Required logon banner
Rule: WIR-MOS-WP-007
Requirement: All smartphones must display the required banner during device unlock/logon.
Discussion: DoD CIO memo requires all PDAs, BlackBerrys, and smartphones to have a consent banner displayed during logon/device unlock to ensure users understand their responsibilities to safeguard DoD data.
Documentable: false
Responsibility: System Administrator
IA Controls: ECWM-1
Fix: Display the required banner during device unlock/logon. The following banner is required:
“I've read & consent to terms in IS user agreem't.”
Check: Verify that when the Good App is launched the banner is displayed on the screen. The banner must exactly match the required phrase.