V-58947 | High | Windows Phone 8.1 must be configured to enable data-at-rest protection for removable storage media or to disable the removable storage media. | The operating system must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to... |
V-58945 | High | Windows Phone 8.1 must be configured to enable data-at-rest protection for built-in storage media. | The operating system must ensure the data being written to the mobile device's built-in storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to... |
V-59025 | Medium | Windows Phone 8.1 must be running build 8.10.15116 or higher (GDR2). | Throughout ongoing operating system development, Windows Phone has a process of MOS updates to add new features including improved enterprise and security capabilities as well as fixes to issues... |
V-58973 | Medium | Windows Phone 8.1 must disable split-tunneling on the VPN client. | Without strong mutual authentication, a mobile device may connect to an unauthorized network. In many cases, the user may falsely believe that the device is connected to an authorized network and... |
V-58971 | Medium | Windows Phone 8.1 must be designed to implement protected and secure OS Updates. | MOS updates and upgrades are an essential part of the life cycle of modern smartphones and generally occur annually. OS updates need to be a trusted process to prevent compromise of OS code,... |
V-58959 | Medium | Windows Phone 8.1 must be configured to implement the management setting: Disable the capability for a user to manually unenroll from MDM management. | The use of an MDM allows an organization to assign values to security-related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls... |
V-58975 | Medium | Windows Phone 8.1 must have a mechanism to restrict capabilities of applications and OS components that leverage cloud storage by blocking access to OneDrive at the firewall level. | While backup and collaboration of data is useful from a productivity perspective, if that same data can be shared to public locations through cloud storage services, data leakage scenarios are... |
V-58955 | Medium | Windows Phone 8.1 must be configured to implement the management setting: Not allow the device unlock password to contain more than two sequential or repeating characters (e.g., 456, aaa). | Password complexity or strength refers to how difficult it is to determine a password using a dictionary or brute-force attack. Passwords with sequential or repeating numbers or alphabetic... |
V-58977 | Medium | Windows Phone 8.1 must require an Always On VPN session when used. | Without strong mutual authentication, a mobile device may connect to an unauthorized network. In many cases, the user may falsely believe that the device is connected to an authorized network and... |
V-58957 | Medium | Windows Phone 8.1 must be configured to implement the management setting: Disable the capability of the Cortana personal assistant A.I. to be functional when the device is locked. | When a mobile device is locked, there should be no access to its protected/sensitive data since it could enable unauthorized people with physical access to the device to bring up and view... |
V-58951 | Medium | Windows Phone 8.1 must be configured to implement the management setting: Disable the capability of being able to show notifications in the Action Center while a device is locked. | When a mobile device is locked, there should be no access to its protected/sensitive data since it could enable unauthorized people with physical access to the device to bring up and view... |
V-58953 | Medium | Windows Phone 8.1 must be configured to implement the management setting: Disable the ability of users to be able to manually turn off the VPN. | For consumer use, the ability to turn off or suspend a VPN connection may be useful in cases of bypassing server issues or decreasing battery utilization, but, in a DoD environment, a VPN... |
V-58937 | Medium | Windows Phone 8.1 must be configured to disable USB mass storage mode. | This data transfer capability could allow users to transfer sensitive DoD data onto unauthorized USB storage devices, thus leading to the compromise of this DoD data. SFR ID: FMT_SMF.1.1 #42 |
V-58935 | Medium | Windows Phone 8.1 must be configured to enforce an application installation policy through an application whitelist specifying a set of allowed applications and versions. | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
V-58933 | Medium | Windows Phone 8.1 must be configured to enforce an application installation policy by specifying one or more authorized application repositories. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing... |
V-58931 | Medium | Windows Phone 8.1 must be configured to disable developer modes. | Developer modes circumvent certain security measures, so their use for standard operation is not recommended. Developer modes may increase the likelihood of compromise of confidentiality,... |
V-58979 | Medium | Windows Phone 8.1 must have a mechanism to restrict capabilities of applications and OS components that leverage cloud storage by disabling the Backup feature. | While backup and collaboration of data is useful from a productivity perspective, if that same data can be shared to public locations through cloud storage services, data leakage scenarios are... |
V-58961 | Medium | Windows Phone 8.1 must be configured to implement the management setting: Disable the sharing of Office documents through service providers like email and cloud. | Generally, when doing document collaboration, it is useful, from a productivity perspective, to be able to share those documents with peers who can review and edit those documents. But, if those... |
V-58963 | Medium | Windows Phone 8.1 must be configured to implement the management setting: Disable the capability for syncing settings such as the theme, application settings, Internet Explorer sites visited, and cached passwords to Microsoft OneDrive cloud storage. | A public cloud backup feature may gather a user's information, such as PII, or sensitive documents. With this feature enabled, sensitive information will be backed up to the manufacturer's servers... |
V-58965 | Medium | Windows Phone 8.1 must be configured to implement the management setting: Disallow the sharing of device telemetry captured as a result of crashes and other logging processes. | Applications and OS processes have a capability to have telemetry data called Software Quality Metrics (SQM) that can send software instrumentation metrics to the SQM service and to the client to... |
V-58967 | Medium | Windows Phone 8.1 must be configured to implement the management setting: Employ mobile device management services to centrally manage security-relevant configuration and policy settings. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-58941 | Medium | Windows Phone 8.1 must be configured to lock the display after 15 minutes (or less) of inactivity. | The screen lock time-out must be set to a value that helps protect the device from unauthorized access. Having a too-long time-out would increase the window of opportunity for adversaries who gain... |
V-58949 | Low | Before establishing a user session, Windows Phone 8.1 must display an administrator-specified advisory notice and consent warning banner regarding use of Windows Phone 8.1. | The operating system is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent... |
V-58939 | Low | Windows Phone 8.1 must be configured to prohibit more than 10 consecutive failed authentication attempts. | Users must not be able to override the system policy on the maximum number of consecutive failed authentication attempts because this could allow them to raise the maximum, thus giving adversaries... |
V-58943 | Low | Windows Phone 8.1 must be configured to enforce a minimum password length of 6 characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. The ability to crack a password is a function of how many attempts an adversary is... |