BlackBerry Enterprise Server (version 5.x), Part 1 Security Technical Implementation Guide
Version 2 Release 9
2016-10-28
U_BlackBerry_Enterprise_Server_5-X_Part1_V2R9_Manual-xccdf.xml
BlackBerry Enterprise Server (version 5.x) STIG, Part 1 in XCCDF format. Part 1: BES architecture and training requirements. Part 2: BES configuration requirements. Part 3: BES IT Policy configuration requirements.
Vulnerabilities (4)
Onset Technologies METAmessage software must not be installed on DoD BlackBerry devices or on the BES.
Discussion
Onset Technologies METAmessage software is production software which may introduce a virus or other malicious code on the system. This software is not approved for use on DoD systems.
Fix Text
Remove Onset Technologies METAmessage software installed on DoD BlackBerry devices or on the BES.
Check Content
Perform the following procedures on the BES and a sample of BlackBerry devices (use 2-3 devices for a random sample) as appropriate.

- Check a sample of BlackBerry devices (Settings >> Options >> Advanced Options >> Applications) to ensure the METAmessage application is not loaded on the BlackBerry device.
- On the BES, have the BlackBerry Administrator show that the BES Application White List does not contain the application. This review should be performed at the same time checks WIR1310-01, WIR1310-02, and WIR1310-03 are reviewed so work is not duplicated. View the list of applications in 3-4 sample Application White List software configurations assigned to users. Verify METAmessage is not listed.
- Verify this software application is not used by interviewing the ISSO or reviewing a sampling of the devices.

Note: The METAmessage application allows the user to open and create Microsoft Office files, such as MS Word or Excel attachments or documents. These documents can then be sent via email, saved, or printed. This application presents a security risk and is not allowed for use in DoD.
Responsibility
System Administrator
IA Controls
ECWN-1
Only the BlackBerry Enterprise Server (BES) email solution must be used.
Discussion
If the required BlackBerry system is not used, DoD networks are at risk of being penetrated or DoD data could be exposed.
Fix Text
Only the BlackBerry Enterprise Server (BES) email solution is used.
Check Content
Detailed Policy Requirements:

Only the BlackBerry Enterprise Server (BES) email solution must be used in the DoD. The BlackBerry Desktop Redirector, BlackBerry Connect, BlackBerry Express, and BlackBerry Professional Services Software are not authorized for use.

Note: The purpose of this requirement is to ensure a STIG-compliant IT policy is enforced on all DoD BlackBerry devices. This requirement applies to the DoD (primary) email account received on the BlackBerry device. All DoD BlackBerry devices must be managed via a STIG-compliant IT policy pushed from a BES.

Required/approved versions of the BES are as follows: BES 5.0.4 (or later version).

Note: An Authorizing Official (AO) may authorize users to connect BlackBerry devices to additional, secondary email accounts (e.g., Verizon email) based on mission needs. Use the IT Policy rule "Allow Other Message Services" in the Service Exclusivity policy group to control connections to secondary email accounts.

Check Procedures:

Interview the ISSO and the BlackBerry system administrator.
- Verify the BES is part of the site's BlackBerry architecture and the site uses a BES to manage site BlackBerry devices.
- Verify BES Express is not used.

Interview the BES admin.
- Determine if the site authorizes users to connect BlackBerry devices to additional, secondary or personal email accounts (e.g., Verizon email, BlackBerry Internet Service (BIS)) based on mission needs. If yes, verify the AO (or designee) has approved this service. Ask to see documentation of AO approval.
Responsibility
Information Assurance Officer
IA Controls
ECSC-1
Any services installed with the BES (for example IIS, SQL, Apache Web Server, etc.) must be reviewed for STIG compliance in accordance with the appropriate SQL, Apache Web Server, or IIS STIGs.
Discussion
The server must be compliant with the SQL STIG, Apache Web Server STIG, and/or IIS STIG to ensure the system is not vulnerable to attack resulting in a Denial of Service or compromise of the wireless email server. Note: Some of these services are optional and may not be installed on a specific host server during the BES installation.
Fix Text
The host server where the BlackBerry Enterprise Server (BES) is installed is reviewed in accordance with the appropriate SQL, Apache Web Server, and IIS STIGs if these services are installed when the BES is installed.
Check Content
Work with the OS reviewer or check VMS for the last review of each host BES computer asset. The review should include any services installed on the host server when the BES is installed (for example: SQL Server, Apache Web Server, etc.).

Note: Some of these services are optional and may not be installed on a specific host server during the BES installation. SQL is an optional install when the BES is installed, while Apache Web Server is a required install. The review must also include an Apache Web Server review if BES 5.0 or later is used. (The BlackBerry Administration Service (BAS) on BES 5.x includes an Apache Web Server.)

Verify there are no outstanding CAT I findings associated with each server installed when the BES is installed.

Note: If IIS is installed on the server, an IIS review must also be performed.
a. IIS is required for the Exchange ESM. If a site uses the new MAPI/CDO Tools from Microsoft, then IIS is not required. See http://www.microsoft.com/downloads/details.aspx?familyid=E17E7F31-079A-43A9-BFF2-0A110307611E&displaylang=en.
b. IIS is not required for BlackBerry Enterprise Server.

If required reviews have not been performed during a SRR or site self-check, this is a finding.
Responsibility
System Administrator
IA Controls
ECSC-1
Required version of the BlackBerry Enterprise Server (BES) must be installed.
Discussion
Earlier versions of the BES have security vulnerabilities. A CYBERCOM IAVA directs all DoD installations to upgrade to the required version because BlackBerry ended support for versions 4.1.6 and 4.1.7 as of 2 July 2011.
Fix Text
The BlackBerry Enterprise Server (BES) version is 5.0.4 or later.
Check Content
Interview ISSO and BlackBerry system administrator. Verify the BES is one of the required/approved versions. Required/approved versions of the BES are: BES 5.0.4 (or later version). From the BlackBerry Manager, select "Help" to view the version number.
Responsibility
System Administrator
IA Controls
ECSC-1
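The two host-side checks above (required BES version, and which web or database services are present and therefore which companion STIGs must be reviewed) can be evidenced in one read-only pass on the BES host. The script below is an added example, not DISA or BlackBerry tooling and not part of the STIG. It assumes, since the STIG does not say, that the BES shows up in the Windows Uninstall registry with a DisplayName beginning "BlackBerry Enterprise Server" and a dotted-numeric DisplayVersion, and that the SQL Server, IIS, Apache and BAS services match the name patterns listed; confirm those patterns at the site before relying on the output.

```powershell
# Added example (not from the STIG): gather evidence for the BES version check
# and the companion-STIG service review on the BES host. Read-only.
# Run from an elevated PowerShell prompt on the host.
#
# ASSUMPTIONS (not stated by the STIG): BES DisplayName/DisplayVersion in the
# Uninstall registry as described in the lead-in; service name patterns below
# are typical and should be confirmed at the site.

$RequiredBesVersion = [version]'5.0.4'

# Installed-program entries from the 64-bit and 32-bit registry views.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName }

# --- Required BES version (5.0.4 or later) ---
$bes = $installed |
    Where-Object { $_.DisplayName -like 'BlackBerry Enterprise Server*' } |   # assumed DisplayName
    Select-Object -First 1

if ($null -eq $bes) {
    # Cannot demonstrate compliance from the registry; fall back to the
    # manual check (Help/About in the BES console) before closing this out.
    $versionResult = [pscustomobject]@{
        Check  = 'BES version'
        Value  = 'not found in installed programs'
        Status = 'FINDING (unverified)'
    }
} else {
    # Drop any build suffix after the numeric part before parsing.
    $numeric = $bes.DisplayVersion -replace '[^0-9.].*$', ''
    $parsed  = $null
    $ok      = [version]::TryParse($numeric, [ref]$parsed)
    $status  = if ($ok -and $parsed -ge $RequiredBesVersion) { 'compliant' } else { 'FINDING' }
    $versionResult = [pscustomobject]@{
        Check  = 'BES version'
        Value  = $bes.DisplayVersion
        Status = $status
    }
}

# --- Services whose presence requires a companion STIG review ---
# Presence is not itself a finding; it means that STIG review must exist.
$servicePatterns = @(
    @{ Stig = 'SQL Server STIG';        Name = 'MSSQL*';   Display = '*SQL Server*' },
    @{ Stig = 'IIS STIG';               Name = 'W3SVC';    Display = '*World Wide Web Publishing*' },
    @{ Stig = 'Apache Web Server STIG'; Name = '*Apache*'; Display = '*Apache*' },
    # BAS on BES 5.x bundles an Apache Web Server (per the STIG note), so BAS
    # alone triggers the Apache review. Service name pattern is assumed.
    @{ Stig = 'Apache Web Server STIG (via BAS)'; Name = 'BBAS*'; Display = '*BlackBerry Administration Service*' }
)

$services = Get-Service
$serviceResults = foreach ($p in $servicePatterns) {
    $hits = @($services | Where-Object {
        $_.Name -like $p.Name -or $_.DisplayName -like $p.Display
    })
    if ($hits.Count -gt 0) {
        $value  = ($hits | ForEach-Object { $_.Name }) -join ', '
        $status = 'review required'
    } else {
        $value  = 'service not present'
        $status = 'n/a'
    }
    [pscustomobject]@{ Check = $p.Stig; Value = $value; Status = $status }
}

@($versionResult) + @($serviceResults) | Format-Table -AutoSize
```

Attach the table to the SRR or self-check record alongside the VMS review dates; any row marked FINDING, or any "review required" row with no corresponding SQL, IIS or Apache STIG review on file, is the finding described above.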