View STIG - BlackBerry BES 12.5.x MDM Security Technical Implementation Guide V1R3

a

Before establishing a user session, the BES12 server must display an administrator-specified advisory notice and consent warning message regarding use of the BES12 server.

AC-8 - Low - CCI-000048 - V-68685 - SV-83175r2_rule

RMF Control

AC-8

Severity

Low

CCI

CCI-000048

Version

BS12-3X-000100

Vuln IDs

V-68685

Rule IDs

SV-83175r2_rule

Note: The advisory notice and consent warning message is not required if the General Purpose OS or Network Device displays an advisory notice and consent warning message when the administrator logs on to the General Purpose OS or Network Device prior to accessing the MDM server or MDM Server platform. The MDM server/server platform is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. This ensures the legal requirements for auditing and monitoring are met. The approved DoD text must be used as specified in KS referenced in DoDI 8500.01. The non-bracketed text below must be used without any changes as the warning banner. [A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner must be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating “OK”.] You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. SFR ID: FMT_SMF_EXT.1.1(2) Refinement

Checks: C-69189r1_chk

Review BES12 server documentation and configuration settings to determine if the warning banner is using the appropriate designated wording. On the BES12, do the following: 1. Log on to the BES12 console and select the "Settings" tab at the top of the screen. 2. Expand the "General" settings tab on the left pane. 3. Select "Login notices" from the menu in the left pane. 4. Verify the checkbox next to "Enable a login notice for the management console" is checked. 5. Verify the console login notice text exactly matches the requirement text. 6. Verify the checkbox next to "Enable a login notice for the self-service console" is checked. 7. Verify the self-service console login notice text exactly matches the requirement text. If the console notice wording does not exactly match the VulDescription text, this is a finding.

Fix: F-74807r1_fix

On the BES12, do the following: 1. Log on to the BES12 console and select the "Settings" tab at the top of the screen. 2. Expand the "General" settings tab on the left pane. 3. Select "Login notices" from the menu in the left pane. 4. Click the pencil icon (upper-right corner) to edit the Login notices. 5. Select the checkbox next to "Enable a login notice for the management console". 6. In the "Enable a login notice for the management console" field, type the DoD banner found in the VulDescription. 7. Select the checkbox next to "Enable a login notice for the self-service console". 8. In the "Enable a login notice for the self-service console" field, type the DoD banner found in the VulDescription. 9. Click "Save".

b

The BES12 server must be configured with the Administrator roles: a. MD user b. Server primary administrator c. Security configuration administrator d. Device user group administrator e. Auditor.

CM-6 - Medium - CCI-000366 - V-68687 - SV-83177r2_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

BS12-3X-000700

Vuln IDs

V-68687

Rule IDs

SV-83177r2_rule

Having several roles for the MDM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise. Roles a. MD user: able to log onto the application store and request approved applications b. Server primary administrator: primary administrator for the server, including server installation, configuration, patching, and setting up admin accounts c. Security configuration administrator: has the ability to define new policies but not to push them to managed mobile devices d. Device user group administrator: has the ability to set up new user accounts, add devices, push security policies, and issue administrative commands to managed mobile devices or MDM agents e. Auditor: has the ability to set audit configuration parameters and delete or modify the content of logs SFR ID: FMT_SMR.1.1(1) Refinement

Checks: C-69191r2_chk

Review the BES12 server configuration settings, and verify the server is configured with the Administrator roles: a. MD user; b. Server primary administrator; c. Security configuration administrator; d. Device user group administrator; and e. Auditor. Note: The intent of the requirement is that there be separate people performing each administrator role. Note: The roles noted below are the preconfigured roles on the BES12 and have the required capabilities associated with the roles identified in the Requirement statement. On the BES12, do the following: 1. Log on to the BES12 console and select the "Settings" tab at the top of the screen. 2. Expand the "Administrators" tab on the left pane. 3. Select the "Roles" tab on the left pane. 4. Verify there is at least one user assigned to each of the following roles: a. Security Administrator; b. Enterprise Administrator; c. Senior Help Desk; and d. Junior Help Desk. If at least one user is not associated with each of the roles above, this is a finding.

Fix: F-74809r2_fix

On the BES12, do the following: 1. Log on to the BES12 console and select the "Settings” tab at the top of the screen. 2. Expand the "Administrators" tab on the left pane. 3. Assign the appropriate role to either a user or a group, as directed by the Administrator, as described below: To assign a role to a user: 1. Click "Users". 2. Click the "Add an administrator" icon (upper-right corner). 3. If necessary, search for a user account. 4. Click the name of the user account. 5. In the "Role" drop-down list, click the role that you want to add. 6. Click "Save". To assign a role to a group: 1. Click "Groups". 2. Click the "Add role to user group" icon (upper-right corner). 3. If necessary, search for a user group. 4. Click the name of the user group. 5. In the "Role" drop-down list, click the role that you want to add. 6. Click "Save". Note: The intent of the requirement is that there be separate people performing each administrator role.

b

The BES12 server must be configured to enable all required audit events: a. Failure to push a new application on a managed mobile device; b. Failure to update an existing application on a managed mobile device.

AU-2 - Medium - CCI-000129 - V-68689 - SV-83179r2_rule

RMF Control

AU-2

Severity

Medium

CCI

CCI-000129

Version

BS12-3X-003900

Vuln IDs

V-68689

Rule IDs

SV-83179r2_rule

Failure to generate these audit records makes it more difficult to identify or investigate attempted or successful compromises, potentially causing incidents to last longer than necessary. SFR ID: FAU_GEN.1.1(2) Refinement

Checks: C-69193r1_chk

Review the BES12 server configuration settings to determine if the BES12 server is configured to enable all required audit events: a. Failure to push a new application on a managed mobile device; b. Failure to update an existing application on a managed mobile device. Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES12, do the following: 1. Log on to the BES12 console and select the "Policies and Profiles" tab at the top of the screen. 2. Expand the "IT policies" tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the "Settings" and "BlackBerry" tabs. 5. Scroll down to the "Security and Privacy" group of IT policy rules. 6. Verify "Event logging" is selected. 7. Verify "Error event logging" is selected. If the BES IT policy rules "Event logging" and "Error event logging" are not selected, this is a finding.

Fix: F-74811r1_fix

On the BES12, do the following: 1. Log on to the BES12 console and select the "Policies and Profiles" tab at the top of the screen. 2. Expand the "IT policies" tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the "Settings" and "BlackBerry" tabs. 5. Scroll down to the "Security and Privacy" group of IT policy rules. 6. Select the checkbox next to the IT Policy "Event logging". 7. Select the checkbox next to the IT Policy "Error event logging". 8. Click "Save".

b

The BES12 server must leverage the BES12 Platform user accounts and groups for BES12 server user identification and authentication.

AC-2 - Medium - CCI-000015 - V-68691 - SV-83181r2_rule

RMF Control

AC-2

Severity

Medium

CCI

CCI-000015

Version

BS12-3X-005400

Vuln IDs

V-68691

Rule IDs

SV-83181r2_rule

A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the MDM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos). SFR ID: FIA

Checks: C-69195r1_chk

Review the BES12 server configuration settings, and verify the server is configured to leverage the MDM Platform user accounts and groups for BES12 server user identification and authentication. On the BES12, do the following: 1. Log on to the BES12 host server and navigate to the BES12 console. 2. Verify the BES12 server does not prompt for additional authentication before opening the BES12 console. If the BES12 server does not display an Administrator-specified advisory notice and consent warning message regarding use of the server, this is a finding. If the BES12 server prompts for additional authentication before opening the BES12 console, this is a finding.

Fix: F-74813r1_fix

On the BES12, do the following: Configure constrained delegation for the Microsoft Active Directory account to support single sign-on: 1. Log on to the BES12 host server and use the Windows Server ADSI Edit tool to add the following SPNs for BES12 to the Microsoft Active Directory account: - HTTP/<host_FQDN_or_pool_name> (for example, HTTP/domain123.example.com) - BASPLUGIN111/<host_FQDN_or_pool_name> (for example, BASPLUGIN111/domain123.example.com) NOTE: - If you configured high availability for the management consoles in a BES12 domain, specify the pool name. Otherwise, specify the FQDN of the computer that hosts the management console. - Verify that no other accounts in the Microsoft Active Directory forest have the same SPNs. 2. Open Microsoft Active Directory Users and Computers. 3. In the Microsoft Active Directory account properties, on the "Delegation" tab, select the following options: - Trust this user for delegation to specified services only - Use Kerberos only 4. Add the SPNs from Step 1 to the list of services. Configure single sign-on for BES12: Note: - When you configure single sign-on for BES12, you configure it for the management console and BES12 Self-Service. - If you enable single sign-on for multiple Microsoft Active Directory connections, verify that there are no trust relationships between the Microsoft Active Directory forests. 1. Log on to the BES12 console and select the "Settings” tab at the top of the screen. 2. Expand the "External integration" tab on the left pane. 3. Click "Company directory". 4. In the Configured directory connections section, click the name of a Microsoft Active Directory connection. 5. On the Authentication tab, select the check box next to "Enable Windows single sign-on". 6. Click "Save". Note: BES12 validates the information for Microsoft Active Directory authentication. If the information is invalid, BES12 prompts you to specify the correct information. 7. Click "Close". 8. Restart the BES12 services on each computer that hosts a BES12 instance. 9. Instruct administrators and BES12 Self-Service users to configure their browsers to support single sign-on for BES12.

b

The BES12 server must initiate a session lock after a 15-minute period of inactivity.

AC-11 - Medium - CCI-000057 - V-68693 - SV-83183r2_rule

RMF Control

AC-11

Severity

Medium

CCI

CCI-000057

Version

BS12-3X-100100

Vuln IDs

V-68693

Rule IDs

SV-83183r2_rule

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system level and results in a system lock but may be at the application level where the application interface window is secured instead. SFR ID: FMT_SMF.1.1(1) Refinement

Checks: C-69197r1_chk

Review the BES12 server configuration to determine whether the system is locked after 15 minutes. Clock the time on a server to validate that it is correctly enforcing the time period. On the BES12, do the following: 1. Log on to the BES12 console. 2. Note the time and leave the console inactive. Note: During this time, ensure there are no user inputs made to the console, such as mouse movements or keyboard entries. 3. Verify that the console locks after 15 minutes or less of inactivity. If the console does not lock after 15 minutes or less of inactivity, this is a finding.

Fix: F-74815r1_fix

On the BES12, do the following: 1. Log on to the BES12 host server and navigate to "C:\BlackBerry\BlackBerry Configuration Tool 1.4.0\BES12ConfigTool.exe" to launch the BES12 Configuration Tool. Note: If the BES12 Configuration Tool was not installed in the default directory, you will need to locate the directory with the executable file to launch the application. 2. Select the "BES12 console timeout interval" radio button. 3. Click "Next". 4. Click "Validate" to verify the Database information. 5. In the "Session timeout (seconds)" field, enter "900". 6. Select the checkbox next to "Automatically Restart Services". 7. Click "Update". 8. Verify that the message "BES12 services successfully restarted" is displayed when the process is completed. Note: If the services do not restart automatically, you will have to restart the services manually. 9. Click "Quit" to exit the application. Note: If the BES12 Configuration Tool is not installed on the host system, you will need to download and install the tool on the host server. To download and install the BES12 Configuration Tool, on the BES12, do the following: 1. Log on to the BES12 host server and download and install the BES12 Configuration Tool from: http://swdownloads.blackberry.com/Downloads/entry.do 2. Navigate to "C:\BlackBerry\BlackBerry Configuration Tool 1.4.0\BES12ConfigTool.exe" and launch the BES12 Configuration Tool. Note: If the BES12 Configuration Tool was not installed in the default directory, you will need to locate the directory with the executable file to launch the application. 3. Click "Next". 4. Select the country of use from the drop-down menu. 5. Select the radio button next to "I accept the terms of the license agreement". 6. Click "Next". 7. Select the "BES12 console timeout interval" radio button. 8. Verify the Database Information. 9. Click "Validate". 10. Click "Quit" to exit the application.

b

The BES12 server platform must be protected by a DoD-approved firewall.

CM-7 - Medium - CCI-000382 - V-68695 - SV-83185r2_rule

RMF Control

CM-7

Severity

Medium

CCI

CCI-000382

Version

BS12-3X-100400

Vuln IDs

V-68695

Rule IDs

SV-83185r2_rule

Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Unneeded services and processes provide additional threat vectors and avenues of attack to the information system. The MDM server is a critical component of the mobility architecture and must be configured to only those ports, protocols, and services (PPS) necessary to support functionality, all others must be expressly disabled or removed. A DoD-approved firewall implements the required network restrictions. A host-based firewall is appropriate where the MDM server runs on a standalone platform. Network firewalls or other architectures may be preferred where the MDM server runs in a cloud or virtualized solution. SFR ID: FMT_SMF.1.1(1) Refinement

Checks: C-69199r1_chk

Review the implementation of the BES12 server with the site system administrator. Verify a host-based firewall (for example, HBSS) is installed on the Windows server. If the BES12 server is not protected by a DoD-approved firewall, this is a finding.

Fix: F-74817r1_fix

Protect the BES12 server with a DoD-approved firewall.

b

The firewall protecting the BES12 server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support BES12 server and platform functions.

CM-7 - Medium - CCI-000382 - V-68697 - SV-83187r2_rule

RMF Control

CM-7

Severity

Medium

CCI

CCI-000382

Version

BS12-3X-100500

Vuln IDs

V-68697

Rule IDs

SV-83187r2_rule

Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations. Since MDM server is a critical component of the mobility architecture and must be configured to only those ports, protocols, and services (PPS) necessary to support functionality, all others must be expressly disabled or removed. A firewall installed on the MDM server provides a protection mechanism to ensure unwanted service requests do not reach the MDM server and outbound traffic is limited to only MDM server functionality. SFR ID: FMT_SMF.1.1(1) Refinement

Checks: C-69201r1_chk

Review the implementation of the firewall protecting the BES12 server with the site system administrator. Verify the firewall is configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support the BES12 server. If the firewall protecting the BES12 server is not configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support the BES12 server, this is a finding. Note: Required ports, protocols, and IP address ranges for the BES12 server are found in the Supplemental document.

Fix: F-74819r1_fix

Configure the DoD-approved firewall to deny all except for ports listed in the STIG Supplemental document.

b

The BES12 server must be configured to disable a users capability to perform self-service tasks.

CM-6 - Medium - CCI-000366 - V-68703 - SV-83193r2_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

BS12-3X-100800

Vuln IDs

V-68703

Rule IDs

SV-83193r2_rule

The security posture of a BlackBerry device or the DoD BlackBerry service could be compromised if users are able to perform self-service tasks, including activating unauthorized devices. In the DoD environment, strict configuration management of the security posture is required to protect sensitive DoD data and network security. SFR ID: FMT

Checks: C-69209r1_chk

Review the BES12 server configuration to determine if it is configured to disable a user's capability to perform self-service tasks. On the BES12, do the following: 1. Log on to the BES12 console and select the "Settings" tab at the top of the screen. 2. Expand the "General" settings tab on the left pane. 3. Select "Self-Service" from the menu in the left pane. 4. Verify the check box next to "Allow users to access the self-service console" is not checked. If the checkbox next to "Allow users to access the self-service console" is checked, this is a finding.

Fix: F-74825r1_fix

On the BES12, do the following: 1. Log on to the BES12 console and select the "Settings” tab at the top of the screen. 2. Expand the General settings tab on the left pane. 3. Select Self-Service from the menu in the left pane. 4. Unselect the checkbox next to "Allow users to access the self-service console". 5. Click "Save".

b

The server PKI digital certificate installed on the BES12 Server to support Consoles and BlackBerry Web Services authentication must be a DoD PKI issued certificate. A self-signed certificate will not be used.

CM-6 - Medium - CCI-000366 - V-68705 - SV-83195r2_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

BS12-3X-101100

Vuln IDs

V-68705

Rule IDs

SV-83195r2_rule

When a self-signed PKI certificate is used, a rogue BDS server can impersonate the DoD BDS server during SA connections to the BAS or when a BlackBerry user uses BWDM to connect to the BAS. In addition, DoDI 8520-02 requires that PKI certificates come from a trusted DoD PKI. SFR ID: FIA

Checks: C-69211r1_chk

On the BES12, do the following: 1. Log on to the BES12 console and select the "Settings” tab at the top of the screen. 2. Expand the Infrastructure tab on the left pane. 3. Select Server certificates. 4. In the SSL certificate for consoles and BlackBerry Web Services, click "View details". 5. Verify the issuer's CN is from the DoD root Certificate Authority (CA). If the PKI digital certificate installed on the BES12 Server to support consoles and BlackBerry Web Services authentication is not a DoD PKI issued certificate, this is a finding.

Fix: F-74827r1_fix

NOTE: Before you begin, you must obtain an SSL certificate signed by the DoD root Certificate Authority (CA). BES12 supports certificates in the PFX format with either a .pfx or .p12 file name extension. If you configure high availability, you must obtain an SSL certificate that uses the name of the BES12 domain. You can find the BES12 domain name in the management console under Settings >> Infrastructure >> BES12 instances. On the BES12, do the following: 1. Log on to the BES12 console and select the "Settings" tab at the top of the screen. 2. Expand the "Infrastructure" tab on the left pane. 3. Select "Server certificates". 4. In the SSL certificate for consoles and BlackBerry Web Services section, click "View details". 3. Click "Replace certificate". 4. Click "Browse". 5. Select the certificate file that you want to use. 6. Click "Open". 7. Type the encryption password. 8. Click "Replace". 9. Restart the BES12 Core service on all servers.

BlackBerry BES 12.5.x MDM Security Technical Implementation Guide

Compare

View

Checks: C-69189r1_chk

Fix: F-74807r1_fix

Checks: C-69191r2_chk

Fix: F-74809r2_fix

Checks: C-69193r1_chk

Fix: F-74811r1_fix

Checks: C-69195r1_chk

Fix: F-74813r1_fix

Checks: C-69197r1_chk

Fix: F-74815r1_fix

Checks: C-69199r1_chk

Fix: F-74817r1_fix

Checks: C-69201r1_chk

Fix: F-74819r1_fix

Checks: C-69209r1_chk

Fix: F-74825r1_fix

Checks: C-69211r1_chk

Fix: F-74827r1_fix