Free DISA STIG and SRG Library | Vaulted

BlackBerry Enterprise Server (version 5.x), Part 2 Security Technical Implementation Guide

Version 2 Release 9
2016-10-28
U_BlackBerry_Enterprise_Server_5-X_Part2_V2R9_Manual-xccdf.xml
BlackBerry Enterprise Server (version 5.x) STIG, Part 2 in XCCDF format. Part 1: BES architecture and training requirements. Part 2: BES configuration requirements. Part 3: BES IT Policy configuration requirements.

Vulnerabilities (24)

The BlackBerry MDS Integration Service must not be installed on a production BES.

Finding ID
WIR1305-01
Rule ID
SV-7462r3_rule
Severity
Cat II
CCE
(None)
Group Title
Do not install the BlackBerry MDS IS on the BES
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The BlackBerry Enterprise Service MDS Integration Service is a software development platform and should not be installed on a production BES. The service, if not properly configured, can allow unsecured connections between the BlackBerry and BES and between the BES and back-office run-time application servers.

Fix Text

The BlackBerry MDS Integration Service will not be installed on the BES.

Check Content

Detailed Policy Requirements: The MDS Integration Service must not be installed on a production BES. It should be installed only on a development or test BES when required for software development. Check Procedures: Check to see if the BlackBerry MDS Integration Service is installed on the production BES by looking at the left side of the BlackBerry Administration Server (BAS). Servers and components >> BlackBerry Solution topology >> BlackBerry Domain >> Component view. See if the “MDS Integration Service” is installed.

Responsibility

Information Assurance Officer

The Device Transport Key must be configured on the BES for AES encryption.

Finding ID
WIR1330-01
Rule ID
SV-12377r3_rule
Severity
Cat III
CCE
(None)
Group Title
Device Transport Key on the BES set for AES
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

AES encryption provides a higher level of security for BlackBerry data.

Fix Text

The Device Transport Key will be configured on the BES for AES encryption.

Check Content

Work with the BlackBerry SA to view the BES configuration setting. In the Supported Encryption Algorithms section, verify that "AES" or "Triple DES and AES" is selected. -BAS >> Server and components menu >> BlackBerry solution topology >> BlackBerry Server. -Click on a server instance. -Check Encryption Algorithm setting. Verify the setting is correct. Note: The following BlackBerry devices have BlackBerry Handheld Software versions earlier than 4.0, which uses 3DES encryption instead of AES: 5820, 5810, 5790, 957, 950, 857, and 850. These older BlackBerry devices should not be used in the DoD since they cannot support some required BlackBerry security features.

Responsibility

System Administrator

The BlackBerry wireless email system must be set up with the required system components and software installed on the handheld device.

Finding ID
WIR1300-01
Rule ID
SV-14633r3_rule
Severity
Cat I
CCE
(None)
Group Title
Install BES using approved architecture
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The wireless email server architecture must comply with the DoD environment because approval of the BES is contingent on installation with the correct settings. DoD enclaves could be at risk of penetration or DoD data could be compromised if BES is not installed as required.

Fix Text

The ISSO will ensure the BES is installed and configured using either the BlackBerry Network architecture or the BlackBerry Segmented architecture.

Check Content

Detailed Policy Requirements: The BlackBerry wireless email system must be set up with the required system components and software installed on the handheld device. - The BES is installed and configured using either the architecture shown in Figure 2-1 (non-segmented architecture) or alternate segmented architecture shown in Figure 2-2 in the BlackBerry STIG Overview. - The BES and all other systems providing BlackBerry services (e.g., email server and LDAP server) are protected behind a corporate firewall. - The BES has a host-based firewall (e.g., McAfee Personal Firewall, Norton Personal Firewall) and/or dedicated hardware firewall. It is recommended that a BES site use the pre-configured, STIG compliant, IT policy that is provided with the STIG. This method increases compliance and reduces the chance of required configuration settings not being configured correctly. Check Procedures: Interview the ISSO and system administrator and review system network diagrams. Verify logical connectivity complies with the requirements of one of the approved architectures (view Figure 2-1 or Figure 2-2 of the BlackBerry STIG Overview) to see example architectures. Verify the BES Windows Server has a host-based firewall installed or an appliance firewall has been installed between the BES and the network. If the BES architecture is not configured as required with required firewalls, this is a finding.

Responsibility

Information Assurance Officer

An Application White List software configuration must be assigned to all BES user accounts.

Finding ID
WIR1310-01
Rule ID
SV-17334r3_rule
Severity
Cat I
CCE
(None)
Group Title
Assign Application White List to all users
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The primary BlackBerry malware control is to set up one or more Application White List software configurations on the BES. Every user and group account must be assigned at least one Application White List software configuration. In an Application White List, the use of all non-core applications is denied unless an application is expressly allowed.

Fix Text

An application White List software configuration must be assigned to all BES user accounts.

Check Content

Check the BES to see if an Application White List software configuration has been assigned to each BES user account. Note: Section 3.2.5.2 of the BlackBerry STIG Overview has instructions for setting up an Application White List software configuration and assigning it to a user or a group account. For BES 5.0: -BAS >> BlackBerry solution management >> User >> Manage users -Select at least 20 user accounts from different offices or sites on the BES at random and complete the following: **Click on the user account name. **Click on the "Software configuration" tab. **Note the name of the software configuration assigned to the user (this will be the assigned "Application White List"). The name should be in a similar format to the following: "DISA Application White List 1". If any user account has not been assigned an Application White List software configuration, this is a finding. Note: The required configuration of the Application White List will be verified in checks WIR1310-02 and WIR1310-03.

Responsibility

System Administrator

The BES must be configured to disable the capability of the BES to proxy a user’s authentication to back-office application, web, and content servers. Users must authenticate directly to back-office servers using a USCYBERCOM CTO 07-15Rev1 authorized method.

Finding ID
WIR1315-01
Rule ID
SV-17336r3_rule
Severity
Cat II
CCE
(None)
Group Title
BES authentication to back-office servers
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

User authentication credentials should not be proxied by the BES, because the BES would then be saving DoD user authentication credentials in its database.

Fix Text

The BES must be configured to disable the capability of the BES to proxy a user’s authentication to back-office application, web, and content servers.

Check Content

Verify the site BES has been configured to require BlackBerry users to authenticate directly with enclave application and content servers. - On the BAS, go to Servers and components >> BlackBerry Solution topology >> BlackBerry Domain >> MDS Connection Service. -Click "Edit components". -Select the "HTTP" tab. -In the "Authentication support" enabled drop-down list, verify "No" has been selected. If the configuration setting is not correct, this is a finding. Exception: When a site Internet Proxy is set to require user authentication, the configuration setting above will cause a loss of Internet connectivity. In this case only, the "Support HTTP Authentication" setting should be set to TRUE, and then, when prompted, enter no value for the user authentication information (this will cause the BES to prompt for the user's authentication credentials whenever an Internet connection is requested). When a site uses authentication on the Internet proxy, the reviewer should verify the required setting for "Support HTTP Authentication" and then have users show on their BlackBerry they have to enter their Internet Proxy authentication credentials whenever they try to connect to the Internet.

Responsibility

System Administrator

The BES must be configured to convert HTML and RTF formatted email into text format before sending to a BlackBerry smartphone and prevent the BES from sending email messages with inline images to BlackBerry smartphones.

Finding ID
WIR1335-01
Rule ID
SV-19929r4_rule
Severity
Cat III
CCE
(None)
Group Title
BES will block HTML/RTF email
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

HTML email and inline images in email can contain malware or links to web sites with malware.

Fix Text

Configure the BES to: - Convert HTML and RTF formatted email into text format before sending to a BlackBerry smartphone; and - Prevent the BES from sending email messages with inline images to BlackBerry smartphones.

Check Content

Verify the BES has been configured correctly. BAS >> Servers and components >> Component view >> Email >> Messaging tab. Verify "Rich content turned on" is set to "False". Verify "Automatic downloading of inline images turned on" is set to "False". If the BES is not configured as required, this is a finding. Note: The BES configurations described in this check cannot block HTML and RTF formatted email or inline images for BlackBerry devices with BlackBerry handheld software versions earlier than 4.5.

Responsibility

System Administrator

The BES host-based or appliance firewall must be configured as required.

Finding ID
WIR1300-02
Rule ID
SV-21031r3_rule
Severity
Cat I
CCE
(None)
Group Title
Configure BES firewall as required
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

BlackBerry user could get access to unauthorized network resources (application and content servers, etc.) if the BES firewall is not set up as required.

Fix Text

The BES host-based or appliance firewall is configured as required.

Check Content

Detailed Policy Requirements: The BES host-based or appliance firewall must be configured as required. The BES firewall is configured with the following rules: - Deny all except when explicitly authorized. - Internal traffic from the BES is limited to internal systems used to host the BlackBerry services (e.g., email and LDAP servers) and AO-approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized. - Internet traffic from the BES is limited to only those specified BlackBerry services (e.g., BlackBerry SRP server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the BlackBerry system and/or service. - Firewall settings listed in Section 3.13 of the BlackBerry STIG Overview will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall list of trust IP addresses and subnets. Note: At the minimum, the IP address of the site Internet proxy server must be listed so the BlackBerry Browser can connect to the Internet. Note: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above. Check Procedures: Verify the firewall configuration meets approved architecture configuration requirements (or have the network reviewer do the review of the firewall). Use Table 3-5 in the BlackBerry STIG Overview when using the non-segmented architecture and Tables 3-6 and 3-7 when using the segmented architecture for required firewall rules. Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. IP addresses of the enclave web proxy server and authorized back-office application and content servers that the BES connects to should be included on this list. If a list of trusted networks by IP address is not configured on the BES host-based firewall, this is a finding.

Responsibility

System Administrator

The BES must be configured to accept only trusted connections to back-office enclave application or web push servers. Push servers are set up to push content to BlackBerry users (e.g., Remedy ticket notification system).

Finding ID
WIR1315-03
Rule ID
SV-21090r3_rule
Severity
Cat III
CCE
(None)
Group Title
BES set up for trusted connect to servers
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Only authorized servers should be able to push content to BlackBerry devices.

Fix Text

The BES must be configured to accept only trusted connections to back-office enclave application or web push servers.

Check Content

Verify the site has configured the BES to require trusted connections to push enclave application or web servers, using the following procedure: -On the BAS, go to Servers and components >> BlackBerry Solution topology >> BlackBerry Domain >> MDS Connection Service. -Click "Edit components". -Click the "HTTPS" tab. -Verify "Allow Untrusted Servers" is set to "No". -Click the "TLS" tab. -Verify "Allow Untrusted Servers" is set to "No". If any of these settings are not correct, this is a finding. Verify a keystore file has been set up (webserver.keystore) at the following location on the BES: <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\webserver. Look for the keystore file. - If the keystore file is not found, this is a finding.

Responsibility

System Administrator

Non-core applications used on the BlackBerry must be approved.

Finding ID
WIR1310-04
Rule ID
SV-21091r3_rule
Severity
Cat III
CCE
(None)
Group Title
Use approved BlackBerry applications
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Unapproved applications could include malware or introduce other vulnerabilities to the BlackBerry system and enclave.

Fix Text

Comply with DoD policy.

Check Content

Detailed Policy Requirements: All applications listed in each Application White list must be approved by either the AO or by the IT configuration control board that reviews and approves workstation applications. Recommend sites use the same or similar process used to approve desktop applications to select, review, test, and approve BlackBerry applications. Check Procedures: For each Application White list assigned to BES user accounts, verify the site has documentation showing the applications are approved by the AO (or who the AO has designated as the approval authority for the site).

Responsibility

System Administrator

An Application Control Policy must be assigned to each application listed in any Application White List software configuration assigned to user accounts on the BES. Note: This check applies to BES 4.1.x only. On BES 5, an application control policy is automatically assigned when an application is selected for a software configuration.

Finding ID
WIR1310-03
Rule ID
SV-21092r3_rule
Severity
Cat II
CCE
(None)
Group Title
Application Control Policy
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Applications must only have access to BlackBerry resources (e.g., microphone, address book, browser, email messages, etc.) they need for their function; otherwise, sensitive data could be exposed to unauthorized users or the BlackBerry system could be compromised.

Fix Text

Set up the required Applications Control Policies.

Check Content

Detailed Policy Requirements: An Application Control Policy must be set up on the BES for each application listed in an Application White List software configuration on the BES. For mandatory applications, the Application Control Policy should have the "Disposition" rule set to "Required". Check Procedures: Use the list of Application White List software configurations assigned to user accounts developed in Check WIR1310-01. Step 1: Determine the list of assigned Application Control Policies. For each Application White List software configuration assigned to a user, complete the following: - In the BlackBerry Manager, click "BlackBerry Domain" in the left pane. - Click "Software Configurations" tab. - In the Configuration Name list, double-click on one of the software configurations that was assigned to a BES User Group. - Expand the Application Software tree. - Determine if an Application Control Policy has been assigned to each application listed in the tree under the Application Software group. If an Application Control Policy has been assigned, note the name of the Application Control Policy. (Note: If an Application Control Policy has not been assigned to an application, this has the effect of denying the use of the application on site managed BlackBerry devices.) Step 2: Verify each Application Control Policy is configured as required. For each application listed under the Application Software group (for each software configuration), verify the Application Control Policy is compliant with the policy in Table C-4 of the BlackBerry STIG Overview. Use the following procedure to verify each Application Control Policy is configured correctly. - In the BlackBerry Manager, in the left pane, click "BlackBerry Domain". - On the "Software Configurations" tab, click "Manage Applications Policies". - For each Application Control Policy identified in Step 1, double click the policy to open it and verify it has been configured as required in Table C-4 of the BlackBerry STIG Overview. If any Application Control Policy is not configured as required, this is a finding. Identify the Application White List software configuration, Application Control Policy, and application in the VMS remarks. Remember to do the above steps for each Application White List software configuration. Findings comments in VMS should identify the Application White List software configuration and/or application not compliant.

Responsibility

System Administrator

Security controls must be set up on the BES for connections to “back-office” servers.

Finding ID
WIR1315-02
Rule ID
SV-21095r3_rule
Severity
Cat II
CCE
(None)
Group Title
BlackBerry back-office connections
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Strong access controls to back-office servers are required to ensure DoD data is not exposed to users of the BlackBerry system that are not authorized to access the server.

Fix Text

Set up required controls on the BES for connections to "back-office" servers.

Check Content

Detailed Policy Requirements: If the site provides BlackBerry users access to "back-office" applications and content servers located on the site network enclave, the following controls will be implemented: - All enclave application and content servers that are accessed by BlackBerry users will implement CAC authentication. - The BES host-based firewall is set to block connections to back-office application and content servers unless the server IP address is on the firewall list of trust IP addresses and subnets. Note: BlackBerry back-office application and content servers include J2ME application servers, SOAP web services, and web servers. Check Procedures: Ask the BlackBerry SA if the site provides BlackBerry users access to "back-office" applications and content servers located on the site network enclave. If the response is "Yes", ask for a list of all enclave servers BlackBerry users can access and then perform the following checks. - Verify CAC authentication has been implemented on each server. Have the Windows reviewer assist with the review of each server. If CAC authentication has not been implemented on each server, this is a finding. - Verify the BES host-based firewall has been configured as required. This check should have been performed during the review of check WIR1300-02. Confirm this requirement was reviewed.

Responsibility

System Administrator

The BlackBerry Bluetooth Smart Card Reader (SCR) used with site PCs must be compliant with requirements.

Finding ID
WIR1320-01
Rule ID
SV-21104r3_rule
Severity
Cat II
CCE
(None)
Group Title
Bluetooth SCR usage with PC is compliant
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Insecure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.

Fix Text

Comply with BlackBerry Bluetooth SCR use with site PC requirements.

Check Content

Detailed Policy Requirements: When the BlackBerry Bluetooth SCR is used as a PC SCR, the following requirements must be followed: - Separate BlackBerry Account Groups should be created: One for users that are authorized to use the BlackBerry SCR with their PCs and one for users that are NOT authorized to use the BlackBerry SCR with their PCs. Check Procedures: Interview the ISSO and wireless email system administrator. Determine if use of the BlackBerry SCR with site PCs has been approved. If Yes, verify the following requirements are met: - Verify separate BlackBerry Account Groups have been created: One for users that are authorized to use the BlackBerry SCR with their PCs and one for users that are NOT authorized to use the BlackBerry SCR with their PCs (or do not have a BlackBerry SCR). - In the BAS, under BlackBerry solution management, select Group >> Manage groups. - Check Group Description and have BES Admin show required user groups. Note: Recommend two BlackBerry account groups be created: 1. BlackBerry users with a SCR, but not authorized to use the SCR to connect to their PC. 2. BlackBerry users with a SCR and authorized to use the SCR to connect to their PC.

Responsibility

Information Assurance Officer

Required security controls must be used when BlackBerry Wi-Fi is used by the site to connect to a DoD Wi-Fi network. Required security controls are in Table 2, BlackBerry STIG Configuration Tables.

Finding ID
WIR1325-01
Rule ID
SV-21113r3_rule
Severity
Cat III
CCE
(None)
Group Title
Wi-Fi security controls
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

If BlackBerry Wi-Fi controls are not implemented, DoD data can be compromised.

Fix Text

Required security controls used when BlackBerry Wi-Fi is used by the site to connect to a DoD Wi-Fi network.

Check Content

Ask the BlackBerry system administrator if the site uses BlackBerry Wi-Fi to connect to DoD WLAN. If yes, verify the following actions have occurred: 1. Determine which BlackBerry users have been approved to use BlackBerry Wi-Fi to connect to the DoD WLAN. Ask the ISSO or BlackBerry SA for names of site BlackBerry users that have been authorized to use BlackBerry Wi-Fi Service. 2. Verify these users have been assigned a WLAN Configuration Set (profile). Verify that authorized users have been assigned a WLAN profile as follows (select two or three users to check). - On the BAS, in the BlackBerry solution management box, expand "User" and click on "Manage users". Then, click on search in the center screen. A list of all users assigned to the BES will be available. - Click the user account to verify a WLAN profile has been assigned. - Click on the "WLAN configuration" tab. - Look to see the name of the WLAN configuration (profile) that has been assigned to the user (if any). -Verify each assigned WLAN Configuration Set (profile) is configured as required. The required configuration is listed in Table C-2 of the BlackBerry STIG Overview (see procedure below). 3. Verify each assigned WLAN Configuration Set (profile) is configured as required. The required configuration is listed in Table C-2 of the BlackBerry STIG Overview (see procedure below). If any user accounts authorized for WLAN do not have a WLAN configuration assigned to the account, this is a finding. The setup of each WLAN Configuration Set on the BES can be viewed as follows: - BAS >> BlackBerry solution management box >> Policy >> WLAN configuration >> Manage WLAN configurations. - For each listed WLAN configuration to be checked, click on the configuration, then click on the "WLAN configuration data" tab. - Verify rules are set as shown in Table C-2 (only rules with "Required" settings need to be verified). If the WLAN profile has not been configured as required, this is a finding.

Responsibility

System Administrator

BlackBerry accounts must not be assigned to the default IT policy installed on the BES or any other non-STIG compliant IT policy. Accounts will only be assigned a STIG compliant IT policy.

Finding ID
WIR1340-01
Rule ID
SV-21115r4_rule
Severity
Cat I
CCE
(None)
Group Title
User accounts assigned to STIG compliant IT policy
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The BlackBerry default policy installed on the BES does not include many DoD-required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data exposure and hacker attack if users are assigned to a non-STIG compliant IT policy.

Fix Text

User accounts will only be assigned a STIG compliant IT policy.

Check Content

Detailed Policy Requirements: 1. Separate STIG compliant IT policies will be set up on the BES: one for users that have been issued an approved Bluetooth headset/handsfree device and one for users that have not been issued an approved Bluetooth headset/handsfree device. 2. All user accounts will be assigned to a STIG compliant IT policy. Check Procedures: Interview the BlackBerry system administrator. Ask the administrator to identify the default IT policy installed on the BES (usually labeled "Default") and any other non-STIG compliant IT policies set up on the BES. View the list of IT policies set up on the BES as follows: BAS >> BlackBerry solution management box >> Policy >> Manage IT policies Verify no users are assigned to the default IT policy or any other non-STIG IT policy by performing the following steps for each policy. For the default IT policy: - Click on the policy name. - Click on "View users with IT policy". - Click "Search". A list of all users assigned to the policy will be shown. - Determine if any users have been assigned to the default or other non-STIG compliant IT policy. If any users have been assigned to the default IT policy, this is a finding. Note: If the default IT policy has been configured to be STIG compliant, the severity of this specific finding may be downgraded to a CAT II. For the non-STIG compliant policies, look at each IT policy listed under “Manage IT policies” to be checked: - Click on the policy name. - Click on "View users with IT policy". - Click "Search". A list of all users assigned to the policy will be shown. - Click on the "IT Policy Name" column heading to sort the list of users by IT policy. - Determine if any users have been assigned to the non-STIG compliant IT policy. If any users have been assigned to the non-STIG compliant IT policy, this is a finding. Note: IT policies identified by the BES administrator as STIG compliant should be reviewed to verify compliance when reviewing the WIR14xx series of checks.

Responsibility

System Administrator

Each Application White List software configuration assigned to each user account must be configured with top-level default “disallow” for all applications. Applications must be specifically allowed at a lower level.

Finding ID
WIR1310-02
Rule ID
SV-25372r3_rule
Severity
Cat I
CCE
(None)
Group Title
Set default Disallow on Application White List
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The primary BlackBerry malware control is to set up an Application White List where the use of all applications is denied unless an application is expressly allowed. Otherwise, malware could be installed on the BlackBerry.

Fix Text

Each Application White List software configuration assigned to each user account must be configured with top level default “disallow” for all applications.

Check Content

Verify for each Application White List software configuration identified in check WIR1310-01 that a "Deny All" policy has been assigned to the software configuration. (This configuration stops the execution of any application not specifically allowed.) -BAS >> BlackBerry solution management >> Software >> Manage software configurations -For each software configuration listed (all Application White List software configurations will be in this list), click on the software configuration and verify "Disposition for unlisted applications" is set to "Disallowed" and disposition for "Application control policy for unlisted applications" is set to "Standard Unlisted Disallowed". Note: If the site has followed the procedures for setting up an Application White List found in Section 3.2.5.2 of the BlackBerry STIG Overview, the "Deny All" Application Control Policy will have the following title: "Disallowed Application". (The title of the Application Control Policy is not important; verify the policy is configured as required.) If any Application Control Policy is not configured as required, this is a finding.

Responsibility

System Administrator

Application repositories set up on the BES must be DoD-approved.

Finding ID
WIR1345-01
Rule ID
SV-25491r2_rule
Severity
Cat II
CCE
(None)
Group Title
Application repositories
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A DoD application repository must contain only authorized applications and only approved and unaltered versions of those applications. If DoD-approved application repositories are not used, the integrity of applications in the repository would be unknown.

Fix Text

Application repositories will be located on a DoD-controlled server within a DoD enclave.

Check Content

If no application repositories are set up, this check is Not Applicable. Talk to the site BES administrator. Determine if the site has set up an application repository. If yes, verify the repository is DoD-approved. If the repository is not DoD-approved, this is a finding.

Responsibility

Information Assurance Officer

All user and or group accounts must have an Access Control Rule assigned to the account.

Finding ID
WIR1350-01
Rule ID
SV-25492r3_rule
Severity
Cat II
CCE
(None)
Group Title
Disable BES MDS CS document search -01
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The BES MDS Connection Service allows BlackBerry users to search the enclave for files and documents of interest to the user without any authentication requirements to the enclave. Access control requirements of the network can be bypassed.

Fix Text

The BES MDS Connection Service will be configured to disable browsing on the enclave for files and documents of interest. Each user and group account is assigned an Access Control Rule.

Check Content

Detailed Policy Requirements: The BES must be configured so that all network file share access by BlackBerry users has been blocked. A high-level "deny all" Access Control Rule policy must be set up and assigned to each user or group account. Check Procedures: Verify all user and group accounts have been assigned an Access Control Rule. On the BES, do the following: Select at least 20 user/group accounts at random from different offices/sites. Go to each selected user/group account: BAS >> BlackBerry solution management >> User >> Manage users >> select user >> Access control rules tab. Verify each user has been assigned an Access Control Rule. Write down the name of each Access Control Rule assigned to each account (the settings of each rule will be verified in WIR1350-02). If any user or group account has not been assigned an Access Control Rule, this is a finding.

Responsibility

System Administrator

The BlackBerry Administration Server (BAS) must be configured for Active Directory authentication with a CTO 07-15Rev1 compliant administrator password.

Finding ID
WIR1355-01
Rule ID
SV-25547r3_rule
Severity
Cat II
CCE
(None)
Group Title
BlackBerry Administration Server Authentication
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The BAS provides the administrator interface for the BES. CTO 07-15Rev1 requires administrator accounts use either CAC authentication or use complex passwords to ensure storing access control is enforced.

Fix Text

Set up the BAS for Active Directory authentication.

Check Content

Verify the BAS is configured to require Active Directory authentication for system administrators and users. To verify Active Directory Authentication is enabled, use the following procedure: Launch the BlackBerry Administration Service. On the Servers and components menu, expand BlackBerry Solution Topology >> BlackBerry Domain >> Component view. Click "BlackBerry Administration Service". Click on the "Microsoft Active Directory authentication" tab. Verify username, password, and user domain fields have been entered for the BAS Active Directory account. Note: It is recommended that Single Sign-On Authentication also be selected on the Microsoft Active Directory authentication tab, but this may not be possible for all BES installations.

Responsibility

System Administrator

The key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use must be changed from the default.

Finding ID
WIR1355-02
Rule ID
SV-25764r3_rule
Severity
Cat III
CCE
(None)
Group Title
BAS and BWDM key store password
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The key store password protects the server digital authentication certificates from unauthorized use.

Fix Text

The key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use must be changed from the default.

Check Content

Determine if the BAS and BWDM key store password have been changed from the default. The password must meet the requirements of CTO 07-15Rev1: 15 characters in length and the password complexity is a case-sensitive character mix of upper case letters, lower case letters, numbers, and special characters, including at least one of each. Start >> Programs >> BlackBerry Enterprise Server >> BlackBerry server Configuration. On the Administration service – Cacerts keystore tab, check the length of the current password and ask the BES admin if a complex password was used. If either the length or complexity requirements are not met, this is a finding.

Responsibility

System Administrator

The BlackBerry Administration Service must be configured to disable a user from creating an activation password via BWDM.

Finding ID
WIR1365-01
Rule ID
SV-25765r3_rule
Severity
Cat III
CCE
(None)
Group Title
BWDM activation password
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. Users must be prohibited from performing the following administrative tasks using the BlackBerry Web Desktop Manager: -Specify an enterprise activation password for a BlackBerry device. -Specify a new device password and lock a device. -Delete all device data and deactivate a device. -Assign a new device to a user account.

Fix Text

Configure the BlackBerry Administration Service to disable a user from performing administrative tasks on the BES.

Check Content

Verify the BAS has been configured to disable users from performing administrative tasks on the BES. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution Topology >> BlackBerry Domain >> Component view. Click "BlackBerry Administration Service". Click "Edit component". On the "BlackBerry Web Desktop Manager Information" tab, verify "Allow users to perform self-service tasks" is set to "No". If not set as required, this is a finding.

Responsibility

System Administrator

All Access Control Rules assigned to user and group accounts must be configured to deny access to all file shares.

Finding ID
WIR1350-02
Rule ID
SV-27296r3_rule
Severity
Cat II
CCE
(None)
Group Title
Disable BES MDS CS document search -02
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The BES MDS Connection Service allows BlackBerry users to search the enclave for files and documents of interest to the user without any authentication requirements to the enclave. Access control requirements of the network can be bypassed.

Fix Text

The BES MDS Connection Service will be configured to disable browsing on the enclave for files and documents of interest. Each access control rule assigned to user and group accounts has been set up with a "Deny" URL pattern.

Check Content

Detailed Policy Requirements: The BES must be configured so that all network file share access by BlackBerry users has been blocked. A high-level "deny all" Access Control Rule policy must be set up and assigned to each user or group account. Check Procedures: 1. Verify that all domain URL Pattern has been configured on the BES as follows: BAS >> Servers and components >> BlackBerry Domain >> Component view >> MDS Connection service >> Pull URL pattern tab. Note: the Description (name of the TCP URL pattern) that has the following pattern: \\*.*\*. If no TCP URL pattern is configured as indicated, this is a finding. 2. Verify all access control rules identified in check WIR1350-02 have been set up with a URL pattern with the "Deny" rule. BAS >> Servers and components >> BlackBerry Domain >> Component view >> MDS Connection service >> Access control rules tab. View each Access Control Rule. Note: If the URL Pattern identified in Step 1 has been assigned to each rule and the "Allowed" configuration has been set to "Deny". If no "Deny" URL pattern has been set up on the BES for each rule, this is a finding.

Responsibility

System Administrator

BlackBerry Web Desktop Manager must be configured to disable a user’s capability to perform self-service tasks.

Finding ID
WIR1365-02
Rule ID
SV-31616r3_rule
Severity
Cat II
CCE
(None)
Group Title
BWDM self-service tasks
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. When this configuration is not set as required, users may have the capability to activate unauthorized BlackBerry devices.

Fix Text

The BlackBerry Administration Service is configured to disable a user from performing self-service tasks via BWDM.

Check Content

Verify the BAS has been configured to disable users from performing self-service tasks. BAS >> Servers and components >> BlackBerry solution topology >> BlackBerry Domain >> Components view >> BlackBerry Administration service Select the "BlackBerry Web Desktop Manager Information" tab. Verify "Allow users to perform self service tasks" is set to "No". If not set as required, this is a finding.

Responsibility

System Administrator

BlackBerry Web Desktop Manager must be configured to permit users to activate new BlackBerry devices only.

Finding ID
WIR1365-03
Rule ID
SV-31617r3_rule
Severity
Cat II
CCE
(None)
Group Title
BWDM new device activation
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. When this configuration is not set as required, users may have the capability to activate unauthorized BlackBerry devices.

Fix Text

BlackBerry Administration Service is configured to permit users to activate new BlackBerry devices only via BWDM.

Check Content

Verify the BAS has been configured to permit users to activate new BlackBerry devices only. BAS >> Servers and components >> BlackBerry solution topology >> BlackBerry Domain >> Components view >> BlackBerry Administration service Select the "BlackBerry Web Desktop Manager Information" tab. Verify "Allow user wireline activation" has been set to "Activate Unused PINs only". If not set as required, this is a finding.

Responsibility

System Administrator

The server PKI digital certificate installed on the BES to support BAS and BWDM authentication must be a DoD PKI issued certificate. A self signed certificate will not be used.

Finding ID
WIR1355-03
Rule ID
SV-31764r3_rule
Severity
Cat III
CCE
(None)
Group Title
BES server PKI certificate
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

When a self-signed PKI certificate is used, a rogue BES can impersonate the DoD BES during SA connections to the BlackBerry Administration Service (BAS) or when a BlackBerry user uses BlackBerry Web Desktop Manager (BWDM) to connect to the BAS. In addition, DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.

Fix Text

Use a DoD-issued digital certificate on the BES to support BAS and BWDM authentication.

Check Content

Verify a DoD server certificate has been installed on the BES and the self-signed certificate, available as an option during the setup of the BES, has not been installed. Ask the BlackBerry Administrator to access the BAS login console using Internet Explorer. Verify no certificate error occurs. Click the "Lock" icon next to the address bar then select "view certificates". On the "General" tab, verify the "Issued to:" and "Issued by:" fields do not show the same value. Then on the "Certification Path" tab, verify the top certificate is a trusted DoD Root certificate authority (e.g., DoD Root CA 2) and the certificate status field states "This certificate is OK". Remediation: If a certificate error occurs either the default self-signed certificate is still installed, the BlackBerry Enterprise Server has not been rebooted since the DoD-issued certificate has been installed, or the computer accessing the BAS does not have the DoD Root and Intermediate certificate authorities installed. The reviewer can select the "Continue to this website" option and follow the same procedure above. If the certificate is issued from an approved DoD PKI, ask the BlackBerry Administrator to run InstallRoot on the computer accessing the BAS. Otherwise, have the BlackBerry Administrator follow the procedures outlined in the STIG to request/install a certificate issued from a trusted DoD PKI.