This guidance is applicable to devices running Windows 10 Mobile and was developed following testing performed on a Nokia Lumia 950 managed with System Center Configuration Manager (SCCM) 2012 R2 with the Windows Intune Connector, ADFS 3.0 and Azure Active Directory Sync Services.
It is important to remember that any guidance points given here are just recommendations. None of the suggestions should be seen as being mandatory. They have been suggested as a way of satisfying the 12 security principles.
Risk owners and administrators should agree a configuration which balances the business requirements, usability and security of the platform. This guidance can be consulted for advice where needed.
Risk owners’ summary
To minimise risk when using Windows 10 Mobile as part of a remote working scenario, you should adopt the following architectural choices:
- All data should be routed over a secure VPN to ensure the confidentiality and integrity of the traffic, and to benefit from your organisation’s protective monitoring solutions.
- Your organisation’s application catalogue should be used to distribute in-house and trusted third-party applications.
- Arbitrary third-party application installation from the public store should not be permitted on the device.
When configured in this way, risk owners should be aware of the following technical risks associated with this platform. Each technical risk is associated with one of the 12 security principles for end user devices.
Associated security principle | Explanation of risks
Assured data-in-transit protection | The VPN is unable to negotiate a PRIME or Foundation compliant set of cryptographic algorithms. The VPN has no formal assurance in the UK, and currently does not support some of the mandatory requirements expected from assured VPNs. Without assurance in the VPN there is a risk that data transiting from the device could be compromised.
Assured data-at-rest protection | Windows 10 Mobile device encryption has no formal assurance in the UK, and does not support some of the mandatory requirements expected from assured full disk encryption products. Without assurance there is a risk that data stored on the device could be compromised. It is not possible to set a passphrase to unlock the disk encryption key. Removable storage media, such as SD cards, are not encrypted by Windows 10 Mobile even when device encryption is enabled.
Device update policy | Users can choose not to apply device updates if they have not been marked as critical. This may lead to security issues not being patched.
Administrators’ deployment guide
Overview
To meet the principles outlined in the End User Devices Security Framework, several recommendations are given in the table below.
Security Principle | Recommendation and Explanation
Assured data-in-transit protection | Use the native IPsec VPN client, with Always On, Allow VPN and Disable Manual Configuration settings. If a Foundation Grade assured VPN client for this platform becomes available, then this assured client should be used instead.
Assured data-at-rest protection | Use the device’s native data encryption. The data is protected when powered off, but it is not protected when the device is powered on. Email data can be protected whilst the screen is locked. Disable removable storage as non-application data stored on it is not encrypted.
Authentication | Use a password or PIN to authenticate the user to the device. This password unlocks a key which encrypts certificates and other credentials, giving access to organisation services.
Secure boot | No configuration is required.
Platform integrity and application sandboxing | No configuration is required.
Application whitelisting | The platform relies on application code signing to enforce that only applications from the Windows Store, the Windows Store for Business and other appropriately signed applications are allowed to run. Organisations can establish an application catalogue, giving users access to an approved list of in-house applications. If the Windows Store is enabled, a whitelist can be used to control which applications can be installed. Further restrictions may be placed on functionality within apps (particularly system applications and settings) through Kiosk Mode. Applications can also be restricted at a more granular level, with permissions for specific functionality (e.g. use of the camera) restricted to only approved applications.
Malicious code detection and prevention | Disable developer-unlocking of devices so that Windows Phone will only run applications from the Store and appropriately signed line-of-business applications from the organisation. Applications hosted in the Windows Phone store are scanned for potentially harmful or malicious activity prior to being made available for download. The organisation app catalogue should only contain approved in-house applications which have been checked for malicious code. Content-based attacks can be filtered by scanning on the email server.
Security policy enforcement | Disable un-enrolment from the MDM service. Settings applied to the device via the MDM service cannot then be modified or removed by the user. The phone can optionally be configured to prevent the user performing a factory reset.
External interface protection | Wi-Fi, NFC, Bluetooth, removable storage and USB file transfers can all be disabled. Disabling SD cards will also prevent access to USB removable media when connected to a Display Dock. Disable developer-unlocking of devices to ensure that the Device Portal web interface is not enabled on the device’s network interfaces.
Device updates | Windows Store apps will automatically download and install updates by default. Configure the device to automatically install updates and prompt the user to reboot at a convenient time.
Event collection | Windows 10 can log security events which can be remotely retrieved.
Incident response | Windows 10 Mobile devices can be locked, wiped, and configured remotely by MDM. In the event of a compromised device, a full device wipe is recommended, but it is possible to perform a selective wipe of only organisation data stored in Work Folders and in some organisation apps.
Recommended network architecture
The diagrams below show recommended ways of integrating Windows Phone devices and server components into an organisation’s network architecture.
Recommended network architecture for Windows Mobile 10 deployments using an online MDM solution
Recommended network architecture for Windows Mobile 10 deployments using an on-premises MDM
Preparation for deployment
To prepare the organisation infrastructure:
- To manage devices, deploy an MDM solution which supports the required settings.
- Build a provisioning package which can join the device to the MDM and apply any configuration which cannot be directly applied by the MDM.
- Procure, deploy and configure other network components, including an approved IPsec VPN gateway.
- Deploy ADFS and a web application proxy if using Workplace Join.
- Deploy a Company Portal app signed with your organisation’s code-signing certificate, or configure the Windows Business Store.
- Set up the configuration profiles for your end-user devices in accordance with the settings later in this guidance. These include VPN profiles and corresponding client certificate profiles using Simple Certificate Enrolment Protocol (SCEP).
Device provisioning steps
To provision each device to your organisation’s infrastructure:
- Assign the policies to users and devices using the MDM management interface.
- Add the mobile user into the MDM and assign the required access groups. If using Intune, this can be done via Azure Active Directory sync (AAD sync), configuring it to federate identity rather than synchronising passwords to the cloud.
- Load the CA certificate and the user’s SSL client certificate onto the device. They should be stored in the machine store – in the TPM if available. Client certificates can be provisioned either by using a SCEP profile, directly from the provisioning terminal or using a provisioning package.
- Apply the provisioning package to the device.
- Supply the device to the user. If a provisioning package is not applied, the user will need to follow enrolment steps, which may include configuring workplace join, enrolling the device on an MDM and installing a company portal app from the company store.
Recommended policies and settings
This section details important security policy settings which are recommended for a Windows 10 Mobile deployment. Other settings (e.g. server address) should be chosen according to the relevant network configuration. It is important to remember that any guidance points given here are just recommendations. None of the suggestions are mandatory. Risk owners and administrators should agree a configuration which balances business requirements, usability and security. Refer to this guidance for advice where needed.
Password section
Setting | Value
Require a password to unlock a mobile device | Yes
Require a password when the device returns from an idle state | Yes
Encryption section
Setting | Value
File encryption on mobile device | Yes
System section
Setting | Value
Allow manual unenrollment | No
Allow manual root certificate installation | No
Cloud settings
Setting | Value
Allow Microsoft account | Disabled
Allow adding non-Microsoft account manually | Disabled
Allow settings synchronization for Microsoft accounts | Disabled
Email section
Setting | Value
Allow non-Microsoft account | Disabled
Applications section
Setting | Value
Enable SmartScreen | Yes
Allow application store | No
Allow Cortana | No
Hardware section
Setting | Value
Allow removable storage | No
Allow automatic connection to free Wi-Fi hotspots | No
Allow phone reset | No
Allow USB connection | No
Allow AntiTheft mode | Yes
Allow Wi-Fi hotspot reporting | Disabled
Updates section
Setting | Value
Allow automatic updates | Auto install and reboot at maintenance time
Additional Settings (by OMA-URI suffix)
OMA-URI suffix | Value
AboveLock/AllowActionCenterNotifications | 0
AboveLock/AllowToasts | 0
ApplicationManagement/AllowDeveloperUnlock | 0
ApplicationManagement/ApplicationRestrictions | [Permitted app whitelist]
Browser/PreventSmartScreenPromptOverride | 1
Browser/PreventSmartScreenPromptOverrideForFiles | 1
Security/RequireRetrieveHealthCertificateOnBoot | 1
Settings/AllowVPN | 0
System/AllowExperimentation | 0
System/AllowTelemetry | 0
VPN/Policies/ConnectionType | AlwaysOn
./Vendor/MSFT/WindowsSecurityAuditing/ConfigurationSettings/EnableSecurityAuditing | True
MDM policies can be used to limit the use of features such as Bluetooth, NFC, Camera and geolocation services if required by organisational policy:
Hardware section
Setting | Value
Allow geolocation | No
Allow NFC | No
Allow Bluetooth | No
Allow camera | No
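As an added example (not part of the NCSC guidance), the following Python script compares the policy values a device reports to its MDM over OMA-DM (a SyncML Results message) against the OMA-URI baseline in the Additional Settings table above, flagging nodes that are missing or drifted. Nodes are matched by the URI suffix the guidance lists; the SyncML 1.2 namespace and the ./Vendor/MSFT/Policy/Result/ prefix in the constructed sample are assumptions, and the organisation-specific ApplicationRestrictions whitelist is not compared.

```python
import xml.etree.ElementTree as ET

# Baseline taken from the "Additional Settings (by OMA-URI suffix)" table.
# ApplicationRestrictions is organisation-specific and is not compared here.
BASELINE = {
    "AboveLock/AllowActionCenterNotifications": "0",
    "AboveLock/AllowToasts": "0",
    "ApplicationManagement/AllowDeveloperUnlock": "0",
    "Browser/PreventSmartScreenPromptOverride": "1",
    "Browser/PreventSmartScreenPromptOverrideForFiles": "1",
    "Security/RequireRetrieveHealthCertificateOnBoot": "1",
    "Settings/AllowVPN": "0",
    "System/AllowExperimentation": "0",
    "System/AllowTelemetry": "0",
    "VPN/Policies/ConnectionType": "AlwaysOn",
    "WindowsSecurityAuditing/ConfigurationSettings/EnableSecurityAuditing": "True",
}

# Constructed sample of a device reply to an OMA-DM Get on three of the nodes.
# The ./Vendor/MSFT/Policy/Result/ prefix is assumed for illustration only.
SAMPLE_RESULTS = """<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody><Results><CmdID>2</CmdID>
<Item><Source><LocURI>./Vendor/MSFT/Policy/Result/ApplicationManagement/AllowDeveloperUnlock</LocURI></Source><Data>1</Data></Item>
<Item><Source><LocURI>./Vendor/MSFT/Policy/Result/Settings/AllowVPN</LocURI></Source><Data>0</Data></Item>
<Item><Source><LocURI>./Vendor/MSFT/WindowsSecurityAuditing/ConfigurationSettings/EnableSecurityAuditing</LocURI></Source><Data>true</Data></Item>
</Results></SyncBody></SyncML>"""

NS = {"s": "SYNCML:SYNCML1.2"}  # SyncML 1.2 namespace (assumed)


def parse_results(syncml_text):
    """Return {LocURI: Data} for every <Item> under a <Results> element."""
    root = ET.fromstring(syncml_text)
    values = {}
    for item in root.findall(".//s:Results/s:Item", NS):
        uri = item.findtext("s:Source/s:LocURI", "", NS).strip()
        if uri:
            values[uri] = item.findtext("s:Data", "", NS).strip()
    return values


def check_baseline(reported, baseline=BASELINE):
    """Return (suffix, expected, actual) for every baseline node the device
    did not report (actual is None) or reported with a different value."""
    findings = []
    for suffix, expected in baseline.items():
        actual = next((v for u, v in reported.items() if u.endswith(suffix)), None)
        if actual is None or actual.lower() != expected.lower():
            findings.append((suffix, expected, actual))
    return findings


if __name__ == "__main__":
    for suffix, expected, actual in check_baseline(parse_results(SAMPLE_RESULTS)):
        print(f"{suffix}: expected {expected}, device reported {actual}")
```

With the sample above the developer-unlock node is reported as 1 against a baseline of 0, and eight baseline nodes are not reported at all; an unreported node is treated as a finding because the MDM cannot prove the policy was applied.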
Authentication policy
Organisations should have a consistent authentication policy that applies to all users and devices that are used to access their data. You can use the published password guidance to help inform any password policy.
For further guidance on defining an authentication policy, see the EUD Security Guidance: Authentication Policy.
Windows Mobile 10 implements a number of relevant settings that should be set by the administrator:
- Minimum password length
- Number of repeated sign-in failures to allow before the device is wiped
- Minutes of inactivity before screen turns off
- Required password type (including number of character sets)
Hardware Strengthening
In Windows 10 Mobile, the user’s passcode is not used as a source of entropy for data at rest encryption, so improving password entropy provides no additional cryptographic strength against offline attacks.
VPN profile
A VPN profile should be configured to negotiate the following parameters. Some of the configuration must be performed on the VPN server. Where possible, the profile below should be delivered by MDM.
The OMA-URI settings above ensure that the VPN is configured to be in an always-on mode, and that the user cannot manually modify the settings.
VPN profile
Setting | Value(s)
Tunnel Type | IKEv2
Authentication Mode | Use user certificates (provisioned using SCEP) over EAP-TLS
Send all traffic through the VPN | Yes
Negotiation parameters
Setting | Value(s)
IKE DH Group | 2 (1024-bit)
IKE Encryption Algorithm | AES-256
IKE Hash Algorithm | SHA-256
IKE Authentication Method | RSA X.509
IPsec Encryption | AES-256
IPsec Auth | SHA-1
SA Lifetime | 24 Hours
This configuration differs from that of other End User Devices as Windows 10 Mobile does not support the PRIME and Foundation cryptographic profiles. A secondary VPN server or configuration may therefore need to be configured to run in parallel if other devices are being deployed.
Other considerations
The following points are in addition to the common organisation considerations, and contain specific issues for Windows Mobile 10 deployments.
Windows Store and Windows Store for Business
The configuration given above prevents users installing applications from the Windows Store.
The Windows Store for Business allows organisations to make bulk purchases of apps for their employees. It provides a private store that can include apps from the public Windows Store as well as an organisation’s own Line of Business apps. When combined with a “Require private store only” MDM configuration, this can be an effective way of controlling which apps can be installed on a device.
It is still possible to distribute Line of Business apps using the Company App and Windows Intune or other compliant MDM solutions. These mechanisms usually need access to the Windows Store to install publicly available applications. If the Microsoft account is enabled to provide access to the Store, there are no organisation controls to disable Cloud backup or the ‘Find my Phone’ feature.
Mobile device management
Some of the recommended policies above are only available when using an MDM that supports the Open Mobile Alliance (OMA) device management protocol. For example, SCCM with the Windows Intune Connector.
It is essential that system architects evaluate which policies their MDM solution will allow them to set. MDM solutions that cannot set all the policies specified in the policy recommendations section should not be considered for use.
Provisioning of Windows 10 Mobile devices via MDM solutions which require cloud based interaction is intrinsically dependent on the vendor’s online services. You should consider the risk of placing the security and control of your devices and data at the mercy of a third party.
Cloud services
If you choose to use cloud based services such as OneDrive, you can use our Cloud Security Guidance to help you understand both the benefits and risks of online services. The security claims made for Microsoft consumer services (such as OneDrive) and Microsoft enterprise services (such as OneDrive for Business) may be different.
The Store and default Mail applications will not function if the Microsoft account is disabled as recommended above. Access to corporate email, and organisation apps are not affected by this.
Microsoft Display Dock
Windows 10 Mobile devices are able to function more like a desktop computer when used with a Microsoft Display Dock connected via USB and the Continuum app. The dock can be connected to an external monitor, with optional keyboard and mouse, allowing the phone to run modern apps as if they were running on the desktop version of Windows 10.
This technology will be most safely used when the device is configured as above to disable developer mode and prevent data sync over USB. Procedural controls to only use a corporately-owned Display Dock will reduce the risk further.
The phone has access to any USB drives plugged into the dock when the device is unlocked. This functionality is disabled by the same MDM setting that restricts the use of SD cards on the mobile device.
Enterprise Data Protection
Windows 10 Mobile introduces an early version of Enterprise Data Protection (EDP). It is designed to tag enterprise data and apps, and reduce the risk of accidental disclosure of that sensitive data through services which are not controlled by the enterprise. This feature is currently in Beta release (as of July 2016) and can be tested now. Once this feature is fully released later this year, organisations should enable it in production by following the guidance below.
With EDP, Enterprise data is encrypted under lock, which improves the stance of the data at rest security principle. It can protect the decryption key with the device unlock PIN or biometric, which is backed by hardware. Data protected by EDP can be erased by the enterprise without the need to do a full device wipe.
EDP can be run in a number of modes, which can:
– block all data sharing between enterprise and non-enterprise apps
– alert the user before data is copied to a non-enterprise app
– silently audit the data sharing
– disable the sharing restrictions
The following settings were tested on the pre-release version of EDP. They should be applied to devices once EDP is fully released.
EDP settings
Setting | Value
App management mode | Silent or Off
Allow the user to decrypt data that was created or edited by the configured apps | False
Protect app content when the device is in a locked state for the configured apps | True
Additional Settings (by OMA-URI suffix)
OMA-URI suffix | Value
DataProtection/AllowDirectMemoryAccess | 0
DataProtection/RevokeOnUnenroll | 1
Source: NCSC