MSFT-11-002000 - Microsoft Android 11 must be configured to enable encryption for data at rest on removable storage media or alternately, the use of removable storage media must be disabled.

Information

The Microsoft Android device must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running.

SFR ID: FMT_SMF_EXT.1.1 #21, #47f

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure the Microsoft Android 11 device to disable use of removable storage media.

On the EMM console:
1. Open 'Set user restrictions'.
2. Toggle 'Disallow usb file transfer' to 'On'.
3. Toggle 'Disallow mount physical media' to 'On'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Android_11_FY24M07_STIG.zip

Item Details

Category: ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-6(10), 800-53|SC-28, CAT|I, CCI|CCI-001199, CCI|CCI-002235, Rule-ID|SV-255211r958552_rule, STIG-ID|MSFT-11-002000, Vuln-ID|V-255211

Plugin: MDM

Control ID: 9f2d63aa86f8c19e941eaaeb93f9197ecfb4cde6ca2983c46472cc241e0a03d4