Ensure outside WLAN services that can access the network are configured in accordance with organizational information assurance standards.

UCF ID: 00751
Control Type: Configuration
Status: Live

Supporting and supported controls

This control directly supports:

    Establish and maintain documentation for controlling the network configuration. [UCF Control ID 00530]

There are no supporting controls.

Authority documents complied with:

DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5 Release 2.4, § 2.2 (WIR2230), § 3.12, § 3.12.1, § 3.12.2, § 3.12.3, App B.3 Row "Restrict WiFi"; DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3, § 2.2 (WIR3230), App B.1 Row “Enable WiFi”, § 3.10, § 3.10.1, § 3.10.2, § 3.10.3; Common Configuration Enumeration: Unique Identifiers for Common System Configuration Issues: Windows Vista, 5.20100428, CCE-4627-6

System Configuration Guidance

The required permissions for the WLAN AutoConfig service should be assigned. [CCE-4627-6, Common Configuration Enumeration: Unique Identifiers for Common System Configuration Issues: Windows Vista, 5.20100428]
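The CCE item above asks that the WLAN AutoConfig service (WlanSvc) carry the required permissions, but the page does not list which principals those are. The following PowerShell audit script is an added example written for this page; it is not part of the UCF control, the CCE entry, or any DISA checklist. It reads the service's security descriptor with `sc.exe sdshow`, parses it with the .NET `RawSecurityDescriptor` class, and reports every access-allowed ACE that grants a write-type right (change config, delete, write DAC, write owner) to a principal outside an allowlist. The allowlist (`SYSTEM` and `BUILTIN\Administrators`) is an assumption to be replaced with the organization's baseline; the `-Sddl` parameter lets the check run against a captured descriptor string for offline review.

```powershell
# Added audit example (not from the UCF control, CCE-4627-6, or DISA):
# flag WlanSvc ACEs that grant write-type rights to unexpected principals.

# Win32 service access rights plus the standard rights that matter for write access.
$ServiceRights = @{
    SERVICE_CHANGE_CONFIG = 0x0002
    SERVICE_START         = 0x0010
    SERVICE_STOP          = 0x0020
    DELETE                = 0x10000
    WRITE_DAC             = 0x40000
    WRITE_OWNER           = 0x80000
}
# Rights that let a principal reconfigure the service or rewrite its ACL.
$WriteMask = $ServiceRights.SERVICE_CHANGE_CONFIG -bor $ServiceRights.DELETE -bor
             $ServiceRights.WRITE_DAC -bor $ServiceRights.WRITE_OWNER

# ASSUMPTION: principals expected to hold write rights. The page does not state
# the required set; replace with the organization's documented baseline.
$AllowedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-ServiceSddl {
    param([string]$Name)
    # sc.exe sdshow prints the SDDL string of the service security descriptor.
    $out = & sc.exe sdshow $Name
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow $Name failed: $out" }
    ($out | Where-Object { $_ -match '^[DOGS]:' }).Trim()
}

function Test-ServiceAcl {
    param(
        [string]$Name = 'WlanSvc',
        [string]$Sddl            # optional: audit a captured SDDL string offline
    )
    if (-not $Sddl) { $Sddl = Get-ServiceSddl -Name $Name }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        # Resolve the SID to an account name; fall back to the raw SID if unresolvable.
        $principal = try {
            $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $ace.SecurityIdentifier.Value }

        $grantsWrite = ($ace.AceType -eq 'AccessAllowed') -and
                       (($ace.AccessMask -band $WriteMask) -ne 0)
        if ($grantsWrite -and ($principal -notin $AllowedWriters)) {
            [pscustomobject]@{
                Service   = $Name
                Principal = $principal
                Mask      = ('0x{0:X}' -f $ace.AccessMask)
                Rights    = ($ServiceRights.GetEnumerator() |
                             Where-Object { $ace.AccessMask -band $_.Value } |
                             ForEach-Object Name) -join ','
            }
        }
    }
}

# Usage (run elevated): every row returned is an ACE to review against the baseline.
$svc = Get-Service -Name WlanSvc -ErrorAction Stop
"WlanSvc status: $($svc.Status), start type: $($svc.StartType)"
Test-ServiceAcl -Name 'WlanSvc' | Format-Table -AutoSize
```

Generic rights (`GA`, `GW`, and so on in SDDL) sit in the high bits of the access mask and are not decoded by the table above, so an ACE that uses them is worth reading by hand; the script is meant to give a quick pass/fail against a documented allowlist, not to replace the organization's baseline document.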

Other Configuration Guidance

§ 2.2 (WIR2230) The Mobile WiFi Service selected should be approved by the DAA prior to use; it should not be authorized for connections to hotel or public WiFi hotspots; only home users whose WLAN system is configured as WPA2 Personal should be allowed to use the WiFi service; users should be trained on how to use the WiFi service; user responsibilities and the WiFi services should be included in the user agreement; and the organization should perform a security review of the WiFi Service every 12 months. If WiFi is not authorized, the Trust Digital server should have WiFi disabled.
§ 3.12 WiFi support is available on many smartphones. Windows Mobile Messaging supports WiFi Internet connections to the Exchange server if the WiFi configuration setting is enabled on the Trust Digital server and cellular service is not available. If WiFi service is disabled on the Trust Digital server, WiFi connections are disabled on all site managed WM (Windows Mobile) devices.
§ 3.12.1 CAC authentication must be used for the EAP-TLS handshake when a WLAN connection is established, since software certificates cannot be used on Windows Mobile smartphones. By design, a Trust Digital managed Windows Mobile device supports client side EAP-TLS CAC authentication to WLAN systems, DoD networks, and web sites.
§ 3.12.2 Connections to public hotspots, including hotel hotspots are prohibited.
§ 3.12.3 Connections to home WLAN systems can be used when cellular service is not available inside or outside the home. It is recommended that, prior to the DAA granting approval, switching to an alternate cellular carrier be considered. The connection can also be used when the home WLAN system is configured according to DoD requirements, which require that WPA2 Personal security is implemented on the home WLAN system.
App B.3 Row "Restrict WiFi", located under Policy Manager/Resource Settings, should be selected (check box marked) if WiFi is not approved by the site DAA, and left unchecked if WiFi is approved by the site DAA.
[§ 2.2 (WIR2230), § 3.12, § 3.12.1, § 3.12.2, § 3.12.3, App B.3 Row "Restrict WiFi", DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5 Release 2.4]

§ 2.2 (WIR3230) If the Windows Mobile WiFi Service is authorized for use, the following conditions apply: the DAA has to approve the service; connections to DoD infrastructure WLANs and to hotel and public WiFi hotspots are not allowed; connections to home WLANs can be approved by the DAA; the site SSP includes Windows Mobile access via approved WLAN systems; Windows Mobile users approved to use their home WLAN to receive Good mobile email should configure their WLAN to use WPA2 Personal; users who do not have the WPA2 option available will not be authorized to use the home connection option; users should be trained on how to use the WiFi service; a User Agreement should contain acknowledgment of when and where WM WiFi services can be used and of user responsibilities; and if the WiFi service is not authorized by the DAA, the GMM server should be configured to disable WiFi.
App B.1 Row “Enable WiFi”, under Options Tab - Network Communications, should be checked if the WiFi service is authorized by the DAA and unchecked if it is not authorized.
§ 3.10 WiFi support is available on many smartphones. Good Mobile Messaging supports WiFi Internet connections to the Good Network Operations Center (NOC) if the WiFi configuration setting is enabled on the GMM server and cellular service is not available. If WiFi service is disabled on the GMM server, WiFi connections are disabled on all site managed WM devices.
§ 3.10.1 A Windows Mobile smartphone with Good Mobile Messaging does not support EAP-TLS authentication using a CAC, or CAC authentication to a DoD network after the WLAN connection is authenticated. Therefore, a Windows Mobile smartphone with Good Mobile Messaging cannot be used to connect to a DoD enterprise WLAN.
§ 3.10.2 Connections to public hotspots, including hotel hotspots, are prohibited. The requirements listed in the draft DoD remote access policy for connections to public Internet access points cannot currently be met, and FIPS 140-2 connections are not available.
§ 3.10.3 Connections to home WLAN systems can be used under the following conditions:
− The DAA has approved this service when cellular service is not available inside or outside the home. It is recommended that, prior to the DAA granting approval, switching to an alternate cellular carrier be considered.
− The home WLAN system is configured according to DoD requirements:
    − WPA2 Personal security is implemented on the home WLAN system.
The Good software will automatically use the Internet connection to the Good NOC if cellular service is not available.
[§ 2.2 (WIR3230), App B.1 Row “Enable WiFi”, § 3.10, § 3.10.1, § 3.10.2, § 3.10.3, DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.