Check: KNOX-09-001365
Samsung Android OS 9 with Knox 3.x COPE Use Case KPE(Legacy) Deployment STIG:
KNOX-09-001365
(in versions v1 r5 through v1 r1)
Title
Samsung Android Workspace must be configured to not enable Microsoft Exchange ActiveSync (EAS) password recovery. This requirement is not applicable if not using Microsoft EAS. (Cat II impact)
Discussion
Password Recovery is a feature of Microsoft EAS. Exceeding the Password Attempts limit triggers the Lock screen to open a Password Recovery Mode. This feature must be disabled for a Samsung Android device to be in the NIAP-certified Common Criteria (CC) mode of operation. If Microsoft EAS Password Recovery is enabled, the Samsung device will be out of compliance with the CC Mode configuration. This requirement is configured on the Exchange server. It is the responsibility of the DoD mobile service provider to ensure that the Exchange server has been configured in compliance with the requirement. SFR ID: FMT_SMF_EXT.1.1 #47
Check Content
Verify that the Microsoft EAS Password Recovery has been disabled on the Exchange server. If on the Microsoft EAS server "password recovery" is not disabled, this is a finding.
Fix Text
Configure Samsung Android Workspace to not enable Microsoft EAS Password Recovery. The DoD mobile service provider should verify that the Exchange server is configured to disable Microsoft EAS Password Recovery.
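The check above is verified on the Exchange side rather than on the device. The following is an added example, not part of the STIG text, showing how a DoD mobile service provider could audit (and optionally remediate) the setting across all mobile device mailbox policies from the Exchange Management Shell. It assumes Exchange 2013 or later, where the relevant cmdlets are Get-MobileDeviceMailboxPolicy and Set-MobileDeviceMailboxPolicy with the PasswordRecoveryEnabled parameter; older Exchange versions expose the same setting through the ActiveSyncMailboxPolicy cmdlets. The function name Test-EasPasswordRecovery is an arbitrary name chosen for this example.

```powershell
# Added example (not part of the STIG): audit every mobile device mailbox
# policy in Exchange for the Microsoft EAS Password Recovery setting.
# Assumes an Exchange Management Shell session (Exchange 2013+) with the
# Get-/Set-MobileDeviceMailboxPolicy cmdlets available.
# Any policy with PasswordRecoveryEnabled = $true is a finding for KNOX-09-001365.

function Test-EasPasswordRecovery {
    [CmdletBinding()]
    param(
        # When set, non-compliant policies are corrected instead of only reported.
        [switch]$Remediate
    )

    $findings = @()
    foreach ($policy in Get-MobileDeviceMailboxPolicy) {
        if ($policy.PasswordRecoveryEnabled) {
            $findings += $policy.Identity
            Write-Warning ("FINDING: policy '{0}' has PasswordRecoveryEnabled = True" -f $policy.Identity)
            if ($Remediate) {
                # Disable Password Recovery on the offending policy.
                Set-MobileDeviceMailboxPolicy -Identity $policy.Identity -PasswordRecoveryEnabled $false
                Write-Output ("Remediated: '{0}' now has PasswordRecoveryEnabled = False" -f $policy.Identity)
            }
        }
        else {
            Write-Output ("OK: policy '{0}' has PasswordRecoveryEnabled = False" -f $policy.Identity)
        }
    }
    # Returns the identities of policies that were (or still are) non-compliant.
    return $findings
}

# Usage: report first, then remediate and confirm the check now passes.
$open = Test-EasPasswordRecovery
if ($open.Count -gt 0) {
    Test-EasPasswordRecovery -Remediate | Out-Null
    $stillOpen = Test-EasPasswordRecovery
    if ($stillOpen.Count -eq 0) { "KNOX-09-001365: no remaining findings" }
}
else {
    "KNOX-09-001365: no findings"
}
```

Run it without -Remediate during an assessment to produce evidence for the check; a non-empty return value means the finding applies. Because Exchange policies are applied per mailbox, every policy that could be assigned to a Samsung Android Workspace user must report False, not just the default policy.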
Additional Identifiers
Rule ID: SV-217834r388482_rule
Vulnerability ID: V-217834
Group Title: PP-MDF-991000
CCIs

Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.

Controls

Number | Title
---|---
CM-6 | Configuration Settings