IBM MaaS360 v2.3.x MDM Security Technical Implementation Guide

Version 1 Release 2
2018-10-26
U_IBM_MaaS360_v2-3-x_MDM_STIG_V1R2_Manual-xccdf.xml
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Vulnerabilities (9)

Before establishing a user session, the MaaS360 Server must display an administrator-specified advisory notice and consent warning message regarding use of the MaaS360 Server.

Finding ID
M360-01-000100
Rule ID
SV-80121r1_rule
Severity
Cat III
CCE
(None)
Group Title
PP-MDM-201100
CCI
CCI-000048
Target Key
(None)
Documentable
No
Discussion

Note: The advisory notice and consent warning message is not required if the General Purpose OS or Network Device displays an advisory notice and consent warning message when the administrator logs on to the General Purpose OS or Network Device prior to accessing the MaaS360 Server or MaaS360 Server platform.

The MaaS360 Server/server platform is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. This ensures the legal requirements for auditing and monitoring are met. The approved DoD text must be used as specified in KS referenced in DoDI 8500.01. The non-bracketed text below must be used without any changes as the warning banner.

[A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."]

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

SFR ID: FMT_SMF_EXT.1.1(2) Refinement

Fix Text

Configure the MaaS360 Server to display the appropriate warning banner text.

For SaaS, this step can only be implemented by the IBM Master Administrator. Ensure that "Branding UI" and "Admin Portal Usage Agreement" are enabled. Then the IBM Master Administrator will edit the Terms of Agreement with the text provided by the Department of Defense.

For On-Premise, this step can be implemented by the Master Administrator account created by the user. Ensure that "Branding UI" and "Admin Portal Usage Agreement" are enabled. Then the Master Administrator will edit the Terms of Agreement with the text provided by the Department of Defense.

Check Content

Review the MaaS360 server console configuration to determine if, before establishing a user session, the server displays an administrator-specified advisory notice and consent warning message regarding use of the MaaS360 Server.

On the MaaS360 console complete the following steps: Have a System Administrator log in to the portal and verify that the approved DoD Banner is displayed before the user obtains access to the console.

If the MaaS360 server does not display an administrator-specified advisory notice and consent warning message regarding use of the MaaS360 Server before establishing a user session, this is a finding.

The MaaS360 Server must be configured with the Administrator roles: a. MD user; b. Server primary administrator; c. Security configuration administrator; d. Device user group administrator; e. Auditor.

Finding ID
M360-01-000700
Rule ID
SV-80123r1_rule
Severity
Cat II
CCE
(None)
Group Title
PP-MDM-202105
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

Having several roles for the MaaS360 Server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise.

Roles:
a. MD user: able to log into the application store and request approved applications.
b. Server primary administrator: primary administrator for the server, including server installation, configuration, patching, and setting up admin accounts.
c. Security configuration administrator: Has the ability to define new policies but not to push them to managed mobile devices.
d. Device user group administrator: Has the ability to set up new user accounts, add devices, and push security policies and issue administrative commands to managed mobile devices or MDM agents.
e. Auditor: Has the ability to set audit configuration parameters and delete or modify the content of logs.

SFR ID: FMT_SMR.1.1(1) Refinement

Fix Text

On the MaaS360 console complete the following steps:
1. For each role, do the following:
2. Go to Setup >> Roles.
3. Select the "Add Role" button.
4. Under "Basic Information", input the Role Name and Role Description.
5. Under "Select Mode of Creation", click on the "Create new" bubble and then click Next.
6. Under "Grant Access Rights", select the appropriate rights for the role and then click Save.

Check Content

Review the MaaS360 server console and confirm that different roles (administrator, auditor, user) are created with different levels of privileges, providing separation of duties for different users/groups.

On the MaaS360 console complete the following steps:
1. Go to Setup >> Roles.
2. Verify all required roles are listed (Note: Role titles may be different than listed in the requirement statement).
3. Select the applicable role and select "edit", then verify that the role has the appropriate rights based on the description in the Vulnerability Discussion.

If the MaaS360 server does not have all required roles, or the roles do not have the appropriate rights, this is a finding.

The MaaS360 Server must be configured to enable all required audit events: Failure to push a new application on a managed mobile device.

Finding ID
M360-01-003800
Rule ID
SV-80125r1_rule
Severity
Cat II
CCE
(None)
Group Title
PP-MDM-203106
CCI
CCI-001571
Target Key
(None)
Documentable
No
Discussion

Failure to generate these audit records makes it more difficult to identify or investigate attempted or successful compromises, potentially causing incidents to last longer than necessary. SFR ID: FAU_GEN.1.1(2) Refinement

Fix Text

Configure the MaaS360 Server to enable all required audit events: Failure to push a new application on a managed mobile device.

On the MaaS360 Console complete the following steps:
1. Navigate to Security >> Policies and select the mobile operating system (iOS, etc.) the MDM policy alerts apply to.
2. Open the identified policy and go to Device Settings >> Application Compliance.
3. Set "Configure required applications" to "yes" and list all new applications.
4. Repeat for other MOS as required (for example, Windows Phone, etc.).

Check Content

Review the MaaS360 server console and confirm the server is configured to alert for audit event failures on managed mobile devices.

On the MaaS360 Console complete the following steps:
1. Navigate to Security >> Policies and have the system administrator identify which mobile operating system (iOS, etc.) the MDM policy alerts apply to.
2. Open the identified policy and go to Device Settings >> Application Compliance.
3. Verify that "Configure required applications" is set to "yes" and that all new applications are listed.
4. Repeat for other MOS as required (for example, Windows Phone, etc.).

If "Configure required applications" is not set to "yes" or all new applications are not on the list, this is a finding.

The MaaS360 Server must be configured to enable all required audit events: Failure to update an existing application on a managed mobile device.

Finding ID
M360-01-003850
Rule ID
SV-80127r1_rule
Severity
Cat II
CCE
(None)
Group Title
PP-MDM-203106
CCI
CCI-001571
Target Key
(None)
Documentable
No
Discussion

Failure to generate these audit records makes it more difficult to identify or investigate attempted or successful compromises, potentially causing incidents to last longer than necessary. SFR ID: FAU_GEN.1.1(2) Refinement

Fix Text

Configure the MaaS360 Server to enable all required audit events: Failure to update an existing application on a managed mobile device.

On the MaaS360 Console complete the following steps:
1. Navigate to Devices >> Groups.
2. Select one or more groups that alert for failure to update an existing application on a managed mobile device.
3. Select "edit" for one of the identified groups and set the two conditions:
Condition 1: "Software Installed", "Application Name", "Contains", "<Name of Application>"
Condition 2: "Software Installed", "Full Version", "Contains", "<latest version of Application>"
4. Navigate to Security >> Compliance Rules.
5. Select one or more Rule Set Names that alert for failure to update an existing application on a managed mobile device.
6. Open the Rule Set Name and select Enforcement Rules.
7. Set Application Compliance to enabled and select "Alert" for Enforcement Action.
8. Then go to Group Based Rules and assign the rule selected in Step 5 to the group identified in Step 3.

Check Content

Review the MaaS360 server console and confirm the server is configured to alert for audit event failures on managed mobile devices.

On the MaaS360 Console complete the following steps:
1. Navigate to Devices >> Groups.
2. Have the System Administrator identify one or more groups that alert for failure to update an existing application on a managed mobile device.
3. Select "edit" for one of the identified groups and verify that the two conditions exist:
Condition 1: "Software Installed", "Application Name", "Contains", "<Name of Application>"
Condition 2: "Software Installed", "Full Version", "Contains", "<latest version of Application>"
4. Navigate to Security >> Compliance Rules.
5. Have the System Administrator identify one or more Rule Set Names that alert for failure to update an existing application on a managed mobile device.
6. Open the Rule Set Name and select Enforcement Rules.
7. Verify that Application Compliance is enabled and "Alert" is selected for Enforcement Action.
8. Then go to Group Based Rules and verify that the rule selected in Step 5 has been assigned to the group identified in Step 3.

If the two conditions in the device group are not set correctly, or Application Compliance is not enabled and set correctly in the Rule Set Name, or the rule is not assigned to the group, this is a finding.

The MaaS360 Server must leverage the MDM Platform user accounts and groups for MaaS360 Server user identification and authentication.

Finding ID
M360-01-005300
Rule ID
SV-80129r1_rule
Severity
Cat II
CCE
(None)
Group Title
PP-MDM-204101
CCI
CCI-000015
Target Key
(None)
Documentable
No
Discussion

A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MaaS360 Server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the MaaS360 Server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory, Kerberos). SFR ID: FIA

Fix Text

Configure the MaaS360 Server to leverage the MDM Platform user accounts and groups for MaaS360 Server user identification and authentication.

On the MaaS360 Console complete the following steps:
1. Navigate to Setup >> Login Settings.
2. Select "Configure Federated Single Sign-On" and "Authenticate against Corporate User Directory".
3. For SaaS deployments only, install the Cloud Extender: Setup >> Cloud Extender and select "Cloud Extender Online".

Check Content

Review the MaaS360 server console and confirm that the MDM platform accounts are leveraged when users identify and authenticate themselves to the MaaS360 console.

On the MaaS360 Console complete the following steps:
1. Navigate to Setup >> Login Settings.
2. Verify "Configure Federated Single Sign-On" is checked and "Authenticate against Corporate User Directory" is selected.
3. For SaaS deployments only, verify the Cloud Extender is installed: Setup >> Cloud Extender and verify "Cloud Extender Online" is checked.

If "Configure Federated Single Sign-On" and "Authenticate against Corporate User Directory" are not selected, this is a finding. For SaaS deployments, if the Cloud Extender is not installed or "Cloud Extender Online" is not checked, this is a finding.

The MaaS360 server platform must be protected by a DoD-approved firewall.

Finding ID
M360-01-010400
Rule ID
SV-80131r1_rule
Severity
Cat II
CCE
(None)
Group Title
PP-MDM-991000
CCI
CCI-000057
Target Key
(None)
Documentable
No
Discussion

Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Unneeded services and processes provide additional threat vectors and avenues of attack to the information system. The MDM server is a critical component of the mobility architecture and must be configured with only those ports, protocols, and services (PPS) necessary to support functionality; all others must be expressly disabled or removed. A DoD-approved firewall implements the required network restrictions. A host-based firewall is appropriate where the MDM server runs on a standalone platform. Network firewalls or other architectures may be preferred where the MDM server runs in a cloud or virtualized solution.

SFR ID: FMT_SMF.1.1(1) Refinement

Fix Text

Protect the MaaS360 server with a DoD-approved firewall.

Check Content

Review the implementation of the MaaS360 server with the site system administrator. Verify a host-based firewall (for example, HBSS) is installed on the Windows server.

If the MaaS360 server is not protected by a DoD-approved firewall, this is a finding.

The firewall protecting the MaaS360 server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support MDM server and platform functions.

Finding ID
M360-01-010500
Rule ID
SV-80133r1_rule
Severity
Cat II
CCE
(None)
Group Title
PP-MDM-991000
CCI
CCI-001749
Target Key
(None)
Documentable
No
Discussion

Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Since the MDM server is a critical component of the mobility architecture, it must be configured with only those ports, protocols, and services (PPS) necessary to support functionality; all others must be expressly disabled or removed. A firewall installed on the MDM server provides a protection mechanism to ensure unwanted service requests do not reach the MDM server and outbound traffic is limited to only MDM server functionality.

SFR ID: FMT_SMF.1.1(1) Refinement

Fix Text

Configure the DoD-approved firewall to deny all except for ports listed in the STIG Supplemental document.

Check Content

Review the implementation of the firewall protecting the MaaS360 server with the site system administrator. Verify the firewall is configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support the MaaS360 server.

If the firewall protecting the MaaS360 server is not configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support the MaaS360 server, this is a finding.

Note: Required ports, protocols, and IP address ranges for the MaaS360 MDM are found in the Supplemental document.

The MaaS360 Agent must be configured to alert via the trusted channel to the MaaS360 Server for the following event: change in enrollment status.

Finding ID
M360-01-020400
Rule ID
SV-80135r1_rule
Severity
Cat II
CCE
(None)
Group Title
PP-MDM-202003
CCI
CCI-002699
Target Key
(None)
Documentable
No
Discussion

Alerts providing notification of a change in enrollment state facilitate verification of the correct operation of security functions. When a MaaS360 Server receives such an alert from a MaaS360 Agent, it indicates that the security policy may no longer be enforced on the mobile device. This enables the MDM administrator to take an appropriate remedial action.

SFR ID: FAU_ALT_EXT.2.1

Fix Text

Configure the MaaS360 Agent to alert via the trusted channel to the MaaS360 Server for the following event: change in enrollment status.

On the MaaS360 Console complete the following steps:
1. Navigate to Security >> Compliance Rules >> Add Rule Set and create a rule.
2. Under Basic Settings >> Select Applicable Platforms, select the MOS, and under "Event Notification Recipients" input the email for the non-compliant devices/users.
3. Under Enforcement Rules >> Select Enforcement Rules, ensure the "Enrollment" box is checked and that all "Trigger Action on Managed Status" boxes are checked; ensure "Enforcement Action" is set to "alert".

Check Content

Review the MaaS360 server configuration to verify the MaaS360 agent alerts the MDM via the trusted channel to the MaaS360 Server for the following event: change in enrollment status.

On the MaaS360 Console complete the following steps:
1. Navigate to Security >> Compliance Rules.
2. Have the system administrator identify the applicable "Change in enrollment status" rule set name.
3. Select the rule set name in the list.
4. Under Enforcement Rules, verify the "Enrollment" box is checked, "Trigger Action on Managed Status" (all boxes need to be checked), and "Enforcement Action" is set to "alert".
5. Navigate back to Security >> Compliance Rules and verify that the rule set name has been designated as default (confirm check mark) and has "1" as precedence.

If there is no "Change in enrollment status" rule set name set up, or the rules that have been set up are not configured correctly, this is a finding.

Only authorized versions of the IBM MaaS360 server must be used.

Finding ID
M360-01-022200
Rule ID
SV-95683r1_rule
Severity
Cat I
CCE
(None)
Group Title
PP-MDM-991000
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

The IBM MaaS360 V2 server is no longer supported by IBM and therefore may contain security vulnerabilities. The IBM MaaS360 V2 server is not authorized within the DoD.

Fix Text

Remove all versions of IBM MaaS360 V2 MDM or stop subscribing to a MaaS360 V2 MDM SaaS.

Check Content

Interview the ISSO and the IBM MaaS360 MDM system administrator. Verify the site is not using the IBM MaaS360 V2 MDM or subscribing to a MaaS360 V2 MDM SaaS.

If the site is using the IBM MaaS360 V2 MDM or subscribing to a MaaS360 V2 MDM SaaS, this is a finding.