Check: KNOX-09-001375
Samsung Android OS 9 with Knox 3.x COPE Use Case KPE(Legacy) Deployment STIG:
KNOX-09-001375
(in versions v1 r5 through v1 r1)
Title
Samsung Android must be configured to not enable Microsoft Exchange ActiveSync (EAS) password recovery. This requirement is not applicable if not using Microsoft EAS. (Cat II impact)
Discussion
Password Recovery is a feature of Microsoft EAS. Exceeding the Password Attempts limit triggers the Lock screen to open a Password Recovery Mode. This feature must be disabled for a Samsung Android device to be in the NIAP-certified Common Criteria (CC) mode of operation. If Microsoft EAS password recovery is enabled, the Samsung device will be out of compliance with the CC Mode configuration. This requirement is configured on the Exchange server. It is the responsibility of the DoD mobile service provider to ensure the Exchange server has been configured in compliance with the requirement. The requirement is only applicable if using Microsoft Exchange ActiveSync in the device (personal side). SFR ID: FMT_SMF_EXT.1.1 #47
Check Content
Verify that the Microsoft EAS password recovery has been disabled on the Exchange server. If on the Microsoft EAS server "password recovery" is not disabled, this is a finding.
Fix Text
Configure Samsung Android to not enable Microsoft EAS password recovery. The DoD mobile service provider should verify that the Exchange server is configured to disable Microsoft EAS password recovery.
Additional Identifiers
Rule ID: SV-217835r388482_rule
Vulnerability ID: V-217835
Group Title: PP-MDF-991000
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |