Windows 10 Mobile must be configured to implement the management setting: Require a password be used before unlocking a Windows 10 Mobile device.

From Microsoft Windows 10 Mobile Security Technical Implementation Guide

Part of PP-MDF-991000

Associated with: CCI-000366

SV-84753r1_rule Windows 10 Mobile must be configured to implement the management setting: Require a password be used before unlocking a Windows 10 Mobile device.

Vulnerability discussion

Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of key encryption or data encryption keys. If a password is not required to access data, then this data is accessible to any adversary who obtains physical possession of the device. Requiring that a password be successfully entered before the mobile device data is unencrypted mitigates this risk.

SFR ID: FMT_SMF_EXT.1.1 #1

Check content

Review Windows 10 Mobile configuration settings to determine if the mobile device requires that a password be entered before the device is unlocked. If feasible, use a spare device to test if a password is required to unlock it. This validation procedure is performed on both the MDM administration console and the Windows 10 Mobile device.

Check whether the appropriate setting is configured on the MDM administration console:

1. Ask the MDM administrator to display the "Password" setting in the MDM console.
2. Verify that the setting requiring a password is enforced.

On the Windows 10 Mobile device:

1. Power down the device.
2. Power back up the device.
3. Verify that once the device powers up, the lock screen is displayed and, when you swipe up, the "Enter PIN" screen is shown and a PIN is required to access the device.

If the MDM does not set the policy for requiring a password, or if on the phone a password/PIN is not required to access the device, this is a finding.

Fix text

Configure the MDM system to enforce that a password is required before unlocking a device. Deploy the policy on managed devices.
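As an added illustration, not part of the STIG text or of any particular MDM vendor's product, the following OMA-DM SyncML fragment shows how an MDM server can push the setting this fix describes through the Windows Policy CSP. It assumes the DeviceLock/DevicePasswordEnabled policy node (where the value 0 means a device password is required and the default value 1 means it is not) and a CmdID of 1; the MDM console's own UI for the "Password" setting is typically a front end for exactly this kind of request.

```xml
<!-- Added example: SyncML Replace that requires a device password via Policy CSP.
     Assumed OMA-URI: ./Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled
     Assumed semantics: 0 = password required (compliant), 1 = not required (default, finding) -->
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>1</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <!-- 0 enables the device password requirement; leaving the default of 1 would be a finding -->
        <Data>0</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>
```

When verifying on the console side of the check above, the value the MDM reports for this node (a Get on the same LocURI) should read 0; a device-side confirmation is still the power-cycle test in the check content, since the policy only takes effect once the device has synchronized.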
