Windows 10 Mobile must enforce an application installation policy by specifying an application whitelist.

From Microsoft Windows 10 Mobile Security Technical Implementation Guide

Part of PP-MDF-201007

Associated with: CCI-000366 CCI-001806

SV-84705r1_rule Windows 10 Mobile must enforce an application installation policy by specifying an application whitelist.

Vulnerability discussion

Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications.

The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the operating system (OS) by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications.

SFR ID: FMT_SMF_EXT.1.1 #10b

Check content

Review Windows 10 Mobile configuration settings to determine if the mobile device has an application whitelist configured. If feasible, use a spare device to determine if an application whitelist is configured. This validation procedure is performed on both the MDM administration console and the Windows 10 Mobile device.

On the MDM administration console:

1. Display the policy area for managing allowed applications.
2. Verify a policy exists that creates an application whitelist of allowed applications.
3. Verify all applications on the list of whitelisted applications have been approved by the Authorizing Official (AO).
4. Verify the application whitelist policy has been deployed to the target devices under management on the MDM console.
5. This list can be empty if no applications have been approved. See the STIG supplemental document for additional information.

On the Windows 10 Mobile device:

1. Go to the "All apps" page. From the Start page, swipe left to reveal it.
2. If the whitelist policy has been successfully deployed, the majority of apps listed should have a dimmed appearance and have the text "Unavailable" under each restricted application.
3. Look for several apps that are not included in the application whitelist.
4. Determine if any such app can be launched by tapping on its icon.
5. Verify that the app both has the text "Unavailable" under its title and that, when launched, this text appears on a pop-up page: "This app is disabled by your enterprise policy".

If the application whitelist policy doesn't exist, doesn't contain only authorized applications, or hasn't been deployed to targeted devices under enrollment, or if any non-whitelisted app can be launched on the device, this is a finding.
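The MDM-console steps of the check (policy exists, contains only AO-approved applications, is enforced, and is deployed) can be applied to an exported policy rather than read off a console screen. The script below is an added example and is not part of the STIG or its supplemental document. It assumes the MDM can export the whitelist as AppLocker-style policy XML with an `Appx` rule collection (the format Windows uses for Store app rules); the sample policy, the approved list, and the `deployed` flag are constructed inputs standing in for what an auditor would pull from the console.

```python
"""Audit an exported AppLocker-style Appx whitelist against the AO-approved list."""
import xml.etree.ElementTree as ET

# Constructed sample of an exported policy (not from the STIG or a real deployment).
# It allows two specific packages, one of which the AO has not approved, plus a
# wildcard rule that allows every package from one publisher.
SAMPLE_POLICY_XML = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="r1" Name="Allow Mail" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Example Corp" ProductName="Example.Mail" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*"/>
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="r2" Name="Allow Games" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Example Corp" ProductName="Example.Games" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*"/>
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="r3" Name="Allow vendor" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Other Vendor" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*"/>
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>"""

# Constructed AO-approved list as (publisher, product name) pairs.
APPROVED_BY_AO = {("CN=Example Corp", "Example.Mail")}


def allowed_apps(xml_text):
    """Return (enforcement_mode, [(publisher, product), ...]) for the Appx
    collection, or (None, []) when the policy has no Appx collection at all."""
    root = ET.fromstring(xml_text)
    coll = root.find("RuleCollection[@Type='Appx']")
    if coll is None:
        return None, []
    apps = []
    for rule in coll.findall("FilePublisherRule"):
        if rule.get("Action") != "Allow":
            continue  # Deny rules do not widen the whitelist
        for cond in rule.findall("Conditions/FilePublisherCondition"):
            apps.append((cond.get("PublisherName"), cond.get("ProductName")))
    return coll.get("EnforcementMode"), apps


def audit_whitelist(xml_text, approved, deployed):
    """Apply the MDM-console steps of the check to an exported policy.
    Returns a list of finding strings; an empty list means no finding."""
    findings = []
    mode, apps = allowed_apps(xml_text)
    if mode is None:
        return ["no application whitelist policy exists"]
    if mode != "Enabled":
        findings.append(f"whitelist policy is not enforced (EnforcementMode={mode})")
    for publisher, product in apps:
        if product == "*":
            # A publisher-wide wildcard admits packages nobody enumerated, so the
            # list cannot be said to contain only AO-approved applications.
            findings.append(f"wildcard allow for publisher {publisher}: apps cannot all be AO-approved")
        elif (publisher, product) not in approved:
            findings.append(f"unapproved application on whitelist: {publisher} / {product}")
    if not deployed:
        findings.append("whitelist policy has not been deployed to target devices")
    # An empty allow list is acceptable (step 5 of the check) and yields no finding.
    return findings


if __name__ == "__main__":
    for finding in audit_whitelist(SAMPLE_POLICY_XML, APPROVED_BY_AO, deployed=True):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports the unapproved `Example.Games` package and the wildcard rule; the device-side steps (dimmed icons, the "Unavailable" label, and the enterprise-policy pop-up) still have to be observed by hand on a device.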

Fix text

Set up an application whitelist (authorized apps) using an MDM for Windows 10 Mobile. Deploy the policy on managed devices. This provides an authorized repository of applications that can be installed on a managed user's device.
