Windows 10 Mobile must protect data at rest on removable storage media.

From Microsoft Windows 10 Mobile Security Technical Implementation Guide

Part of PP-MDF-201012

Associated with: CCI-001199

SV-84719r2_rule Windows 10 Mobile must protect data at rest on removable storage media.

Vulnerability discussion

The MOS must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running.SFR ID: FMT_SMF_EXT.1.1 #26

Check content

Review Windows 10 Mobile configuration settings to determine if data in the mobile device's removable storage media is encrypted. If feasible, use a spare device to confirm that data-at-rest protection is enabled for removable storage media. This validation procedure is performed on both the MDM administration console and the Windows 10 Mobile device. On the MDM administration console: 1. Ask the MDM administrator to verify the phone compliance policy. 2. Find the setting for "require storage cards to be encrypted". 3. Verify the setting for requiring require storage card encryption is enforced. On a Windows 10 Mobile device that contains a microSD slot and has a microSD card inserted: 1. Launch "Settings". 2. Tap on "Update & security" and then tap on "Device encryption". 3. Under the section called "Device encryption" there are two settings, the first one is for enforcing encryption on main device storage and the second which controls encryption of removable storage cards like SD cards. For this control examine the second setting for SD cards. 4. Verify that the device encryption for SD cards setting is toggled to "On". If the MDM does not have a policy enforcement that enforces the encryption of removable storage (SD) cards, this is a finding.

Fix text

Configure the MDM system to enforce a policy which configures the "require storage cards to be encrypted" policy to be enabled for Windows 10 Mobile devices. Deploy the MDM policy to managed devices.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer