Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

BlackBerry Enterprise Mobility Server 3.x Security Technical Implementation Guide

  • Version/Release: V1R2
  • Published: 2023-05-17
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
The BlackBerry Enterprise Mobility Server (BEMS) must protect log information from any type of unauthorized read access.
AU-9 - Medium - CCI-000162 - V-254706 - SV-254706r879576_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
BEMS-03-002600
Vuln IDs
  • V-254706
Rule IDs
  • SV-254706r879576_rule
If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to his or her advantage. Application servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow unfettered access to those records. Application servers also write log data to log files stored on the OS, so appropriate file permissions must also be used to restrict access. Log information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized read access.
Checks: C-58317r861841_chk

Verify BEMS has been configured with the following administrator groups/roles, each group/role has required permissions, and at least one user has been assigned to each Administrator group/role: Server primary administrator, auditor. Procedure for Server Primary Administrator: 1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration". 2. Click "Dashboard Administrators". 3. Confirm the Administrator role for the primary server administrator has been assigned the dashboard role of Admin. 4. Verify in Active Directory (AD) at least one member has been assigned to the BEMS administrator group. (Note: Actual group name may be different.) Procedure for Auditor: 1. Verify in AD an auditor group has been set up with at least one member. 2. Browse to the log repository. 3. Right-click on the folder. 4. Select "Properties". 5. Select the "Security" tab. 6. Confirm the auditor security group is listed. If required administrator roles have not been set up on BEMS and at least one user has not been assigned to each role, this is a finding.

Fix: F-58263r861842_fix

Configure BEMS to have at least one user in the following Administrator roles: Server primary administrator, auditor. 1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration". 2. Click "Dashboard Administrators". 3. Click "Add Group". 4. In the "Active Directory Security Group" field, type the name of the Microsoft Active Directory security group. 5. Click "Save". 6. Repeat steps 3 through 5 to add additional security groups. 7. For the server primary administrator, the default role of Admin meets the required roles and no additional configuration is needed. 8. For the Auditor role, complete the following steps: - In AD, create a domain auditor group and assign personnel designated as auditors to that group. - Browse to the log repository. - Right-click on the folder. - Select "Properties". - Select the "Security" tab. - Click "Edit". - Click "Add". - Type the name of the user group. - Confirm that only the necessary groups have rights to the folder (CREATOR OWNER, SYSTEM, Administrators, Auditors). - Set proper permissions for auditors (Read, List folder contents, Read & Execute).

b
The BlackBerry Enterprise Mobility Server (BEMS) must protect log information from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-254707 - SV-254707r879577_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
BEMS-03-002700
Vuln IDs
  • V-254707
Rule IDs
  • SV-254707r879577_rule
If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to his or her advantage. Application servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow unfettered access to those records. Application servers also write log data to log files stored on the OS, so appropriate file permissions must also be used to restrict access. Log information includes all information (e.g., log records, log settings, transaction logs and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized modification.
Checks: C-58318r861844_chk

Verify BEMS has been configured with the following administrator groups/roles, each group/role has required permissions, and at least one user has been assigned to each Administrator group/role: Server primary administrator, auditor. Procedure for Server Primary Administrator: 1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration". 2. Click "Dashboard Administrators". 3. Confirm the Administrator role for the primary server administrator has been assigned the dashboard role of Admin. 4. Verify in Active Directory (AD) at least one member has been assigned to the BEMS administrator group. (Note: Actual group name may be different.) Procedure for Auditor: 1. Verify in AD an auditor group has been set up with at least one member. 2. Browse to the log repository. 3. Right-click on the folder. 4. Select "Properties". 5. Select the "Security" tab. 6. Confirm the auditor security group is listed. If required administrator roles have not been set up on BEMS and at least one user has not been assigned to each role, this is a finding.

Fix: F-58264r861845_fix

Configure BEMS to have at least one user in the following Administrator roles: Server primary administrator, auditor. 1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration". 2. Click "Dashboard Administrators". 3. Click "Add Group". 4. In the "Active Directory Security Group" field, type the name of the Microsoft Active Directory security group. 5. Click "Save". 6. Repeat steps 3 through 5 to add additional security groups. 7. For the server primary administrator, the default role of Admin meets the required roles and no additional configuration is needed. 8. For the Auditor role, complete the following steps: - In AD, create a domain auditor group and assign personnel designated as auditors to that group. - Browse to the log repository. - Right-click on the folder. - Select "Properties". - Select the "Security" tab. - Click "Edit". - Click "Add". - Type the name of the user group. - Confirm that only the necessary groups have rights to the folder (CREATOR OWNER, SYSTEM, Administrators, Auditors). - Set proper permissions for auditors (Read, List folder contents, Read & Execute).

b
The BlackBerry Enterprise Mobility Server (BEMS) must protect log information from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-254708 - SV-254708r879578_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
BEMS-03-002800
Vuln IDs
  • V-254708
Rule IDs
  • SV-254708r879578_rule
If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. Application servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow for unfettered access to those records. Application servers also write log data to log files stored on the OS, so appropriate file permissions must also be used to restrict access. Log information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized deletion.
Checks: C-58319r861847_chk

Verify BEMS has been configured with the following administrator groups/roles, each group/role has required permissions, and at least one user has been assigned to each Administrator group/role: Server primary administrator, auditor. Procedure for Server Primary Administrator: 1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration". 2. Click "Dashboard Administrators". 3. Confirm the Administrator role for the primary server administrator has been assigned the dashboard role of Admin. 4. Verify in Active Directory (AD) at least one member has been assigned to the BEMS administrator group. (Note: Actual group name may be different.) Procedure for Auditor: 1. Verify in AD an auditor group has been set up with at least one member. 2. Browse to the log repository. 3. Right-click on the folder. 4. Select "Properties". 5. Select the "Security" tab. 6. Confirm the auditor security group is listed. If required administrator roles have not been set up on BEMS and at least one user has not been assigned to each role, this is a finding.

Fix: F-58265r861848_fix

Configure BEMS to have at least one user in the following Administrator roles: Server primary administrator, auditor. 1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration". 2. Click "Dashboard Administrators". 3. Click "Add Group". 4. In the "Active Directory Security Group" field, type the name of the Microsoft Active Directory security group. 5. Click "Save". 6. Repeat steps 3 through 5 to add additional security groups. 7. For the server primary administrator, the default role of Admin meets the required roles and no additional configuration is needed. 8. For the Auditor role, complete the following steps: - In AD, create a domain auditor group and assign personnel designated as auditors to that group. - Browse to the log repository. - Right-click on the folder. - Select "Properties". - Select the "Security" tab. - Click "Edit". - Click "Add". - Type the name of the user group. - Confirm that only the necessary groups have rights to the folder (CREATOR OWNER, SYSTEM, Administrators, Auditors). - Set proper permissions for auditors (Read, List folder contents, Read & Execute).

b
The BlackBerry Enterprise Mobility Server (BEMS) platform must be protected by a DOD-approved firewall.
CM-7 - Medium - CCI-000382 - V-254709 - SV-254709r879588_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
BEMS-03-003800
Vuln IDs
  • V-254709
Rule IDs
  • SV-254709r879588_rule
Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Unneeded services and processes provide additional threat vectors and avenues of attack to the information system. BEMS is a critical component of the mobility architecture and must be configured to enable only those ports, protocols, and services (PPS) necessary to support functionality. All others must be expressly disabled or removed. A DOD-approved firewall implements the required network restrictions. A host-based firewall is appropriate where BEMS runs on a standalone platform. Network firewalls or other architectures may be preferred where BEMS runs in a cloud or virtualized solution.
Checks: C-58320r861850_chk

Review the BEMS configuration to determine whether a DOD-approved firewall is installed or if the platform operating system provides a firewall service that can restrict both inbound and outbound traffic by TCP/UDP port and IP address. If there is not a host-based firewall present on BEMS, this is a finding.

Fix: F-58266r861851_fix

Install a DOD-approved firewall.

b
The firewall protecting the BEMS must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support BEMS functions.
CM-7 - Medium - CCI-000382 - V-254710 - SV-254710r879588_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
BEMS-03-003900
Vuln IDs
  • V-254710
Rule IDs
  • SV-254710r879588_rule
Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations. Since BEMS is a critical component of the mobility architecture and must be configured to enable only those ports, protocols, and services (PPS) necessary to support functionality, all others must be expressly disabled or removed. A firewall installed on BEMS provides a protection mechanism to ensure unwanted service requests do not reach BEMS and outbound traffic is limited to only BEMS functionality.
Checks: C-58321r861853_chk

Ask the BEMS administrator for a list of ports, protocols, and IP address ranges necessary to support BEMS functionality. A list can usually be found in the STIG Supplemental document or MDM product documentation. Compare the list against the configuration of the firewall and identify discrepancies. If the host-based firewall is not configured to support only those ports, protocols, and IP address ranges necessary for operation, this is a finding.

Fix: F-58267r861854_fix

Configure the firewall on BEMS to only permit ports, protocols, and IP address ranges necessary for operation.

b
The firewall protecting the BlackBerry Enterprise Mobility Server (BEMS) must be configured so that only DOD-approved ports, protocols, and services are enabled.
CM-7 - Medium - CCI-000382 - V-254711 - SV-254711r879588_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
BEMS-03-004000
Vuln IDs
  • V-254711
Rule IDs
  • SV-254711r879588_rule
All ports, protocols, and services used on DOD networks must be approved and registered via the DOD PPSM process. This is to ensure that a risk assessment has been completed before a new port, protocol, or service is configured on a DOD network and has been approved by proper DOD authorities. Otherwise, the new port, protocol, or service could cause a vulnerability to the DOD network, which could be exploited by an adversary. See the DOD Ports, Protocols, Services Management (PPSM) Category Assurance Levels (CAL) list for DOD-approved ports, protocols, and services.
Checks: C-58322r861856_chk

Ask the BEMS administrator for a list of ports, protocols, and services that have been configured on the host-based firewall of BEMS or generate the list by inspecting the firewall. Verify all allowed ports, protocols, and services are included on the DOD PPSM CAL list. If any allowed ports, protocols, and services on the MDM host-based firewall are not included on the DOD PPSM CAL list, this is a finding.

Fix: F-58268r861857_fix

Turn off any ports, protocols, and services on the BEMS host-based firewall that are not on the DOD PPSM CAL list.

b
The BlackBerry Enterprise Mobility Server (BEMS) must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version.
SC-8 - Medium - CCI-002418 - V-254712 - SV-254712r879810_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
BEMS-03-011400
Vuln IDs
  • V-254712
Rule IDs
  • SV-254712r879810_rule
Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). Transmission of data can take place between the application server and a large number of devices/applications external to the application server. Examples are a web client used by a user, a backend database, a log server, or other application servers in an application server cluster. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.
Checks: C-58323r861859_chk

Verify BEMS has been configured to use only approved versions of TLS as follows: 1. Find the xml file "jetty.xml" located in the BEMS install directory on the BEMS host Windows server. 2. Find the "ExcludeProtocols" field. 3. Verify if unauthorized versions of SSL and TLS are listed in the "jetty.xml" file. <Set name="ExcludeProtocols"> <Array type="java.lang.String"> <Item>TLSv1</Item> <Item>TLSv1.1</Item> <Item>SSL</Item> <Item>SSLv2</Item> <Item>SSLv2Hello</Item> <Item>SSLv3</Item> If BEMS has not been configured to use only approved versions of TLS and the Exclude file does not include all of the above TLS and SSL protocols, this is a finding.

Fix: F-58269r861860_fix

Configure BEMS to use approved versions of TLS. 1. Find the xml file "jetty.xml" located in the BEMS install directory on the BEMS host Windows server. 2. Find the "ExcludeProtocols" field and add all unauthorized versions or SSL and TLS. <Set name="ExcludeProtocols"> <Array type="java.lang.String"> <Item>TLSv1</Item> <Item>TLSv1.1</Item> <Item>SSL</Item> <Item>SSLv2</Item> <Item>SSLv2Hello</Item> <Item>SSLv3</Item> 3. Save the file. 4. Restart the BEMS server.

b
The BlackBerry Enterprise Mobility Server (BEMS) must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
SC-8 - Medium - CCI-002418 - V-254713 - SV-254713r879810_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
BEMS-03-011500
Vuln IDs
  • V-254713
Rule IDs
  • SV-254713r879810_rule
During the initial setup of a Transport Layer Security (TLS) connection to the application server, the client sends a list of supported cipher suites in order of preference. The application server will reply with the cipher suite it will use for communication from the client list. If an attacker can intercept the submission of cipher suites to the application server and place, as the preferred cipher suite, a weak export suite, the encryption used for the session becomes easy for the attacker to break, often within minutes to hours.
Checks: C-58324r861862_chk

Verify BEMS has been configured to remove all export ciphers (automatically implemented when BEMS is in FIPS mode). Verify BEMS-03-014800 has been implemented. If BEMS has been configured to use export ciphers, this is a finding.

Fix: F-58270r861863_fix

Configure BEMS to remove all export ciphers. This requirement is met when BEMS is configured in FIPS mode. See BEMS-03-01480.

b
The BlackBerry Enterprise Mobility Server (BEMS) must be configured to have at least one user in the following Administrator roles: Server primary administrator, auditor.
CM-6 - Medium - CCI-000366 - V-254714 - SV-254714r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BEMS-03-013300
Vuln IDs
  • V-254714
Rule IDs
  • SV-254714r879887_rule
Having several administrative roles for the BEMS supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise. - Server primary administrator: Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts. - Auditor: Responsible for reviewing and maintaining server and mobile device audit logs.
Checks: C-58325r861865_chk

Verify BEMS has been configured with the following administrator groups/roles, each group/role has required permissions, and at least one user has been assigned to each Administrator group/role: Server primary administrator, auditor. Procedure for Server Primary Administrator: 1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration". 2. Click "Dashboard Administrators". 3. Confirm the Administrator role for the primary server administrator has been assigned the dashboard role of Admin. 4. Verify in Active Directory (AD) at least one member has been assigned to the BEMS administrator group. (Note: Actual group name may be different.) Procedure for Auditor: 1. Verify in AD an auditor group has been set up with at least one member. 2. Browse to the log repository. 3. Right-click on the folder. 4. Select "Properties". 5. Select the "Security" tab. 6. Confirm the auditor security group is listed. If required administrator roles have not been set up on BEMS and at least one user has not been assigned to each role, this is a finding.

Fix: F-58271r861866_fix

Configure BEMS to have at least one user in the following Administrator roles: Server primary administrator, auditor. 1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration". 2. Click "Dashboard Administrators". 3. Click "Add Group". 4. In the "Active Directory Security Group" field, type the name of the Microsoft Active Directory security group. 5. Click "Save". 6. Repeat steps 3 through 5 to add additional security groups. 7. For the server primary administrator, the default role of Admin meets the required roles and no additional configuration is needed. 8. For the Auditor role, complete the following steps: - In AD, create a domain auditor group and assign personnel designated as auditors to that group. - Browse to the log repository. - Right-click on the folder. - Select "Properties". - Select the "Security" tab. - Click "Edit". - Click "Add". - Type the name of the user group. - Confirm that only the necessary groups have rights to the folder (CREATOR OWNER, SYSTEM, Administrators, Auditors). - Set proper permissions for auditors (Read, List folder contents, Read & Execute).

b
The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use Windows Authentication for the database connection.
IA-2 - Medium - CCI-000764 - V-254715 - SV-254715r879887_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
BEMS-03-013400
Vuln IDs
  • V-254715
Rule IDs
  • SV-254715r879887_rule
To ensure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the information system without identification or authentication.
Checks: C-58326r861868_chk

Verify BEMS is configured for Windows Authentication for the database connection as follows: In the Database Information dialog box, verify "Windows Authentication" is selected. If "Windows Authentication" is not selected for the BEMS database connection, this is a finding.

Fix: F-58272r861869_fix

Set up Windows Authentication for the database connection on the BEMS console. In the Database Information dialog box, perform the following actions: 1. In the "Host" field, type the instance name of the SQL Server. 2. In the "Database" name field, type the name for the BEMS-Core database. 3. In the "Port" field, type the port number that connects to the SQL Server. 4. Select "Windows Authentication". 5. Click "Next".

c
The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use HTTPS.
AC-17 - High - CCI-000068 - V-254716 - SV-254716r879887_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
BEMS-03-013500
Vuln IDs
  • V-254716
Rule IDs
  • SV-254716r879887_rule
Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism to protect the information during transmission to web applications. This is usually achieved through the use of HTTPS.
Checks: C-58327r861871_chk

Verify BEMS has been configured to use HTTPS as follows: 1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration". 2. Click "BlackBerry Dynamics". 3. In the Protocol drop-down list, verify "HTTPS" is selected. If HTTPS is not configured on BEMS, this is a finding.

Fix: F-58273r861872_fix

Configure BEMS to use HTTPS as follows: 1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration". 2. Click "BlackBerry Dynamics". 3. In the Protocol drop-down list, select "HTTPS".

b
The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use DOD certificates for SSL.
SC-23 - Medium - CCI-002470 - V-254717 - SV-254717r879887_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-002470
Version
BEMS-03-013600
Vuln IDs
  • V-254717
Rule IDs
  • SV-254717r879887_rule
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.
Checks: C-58328r861874_chk

Verify a DOD SSL certificate has been installed on BEMS as follows: 1. Open the browser. 2. Browse to the BEMS dashboard. 3. Select SSL certificate and view the certificate. 4. Verify the certificate is a DOD certificate (has the DOD CA listed in the certificate). If the SSL certificate installed on BEMS is not a DOD certificate, this is a finding.

Fix: F-58274r861875_fix

Replace the auto-generated BEMS SSL certificate with a DOD certificate as follows: 1. Generate a CSR request and obtain a certificate from the DOD CA. 2. Import the certificate into the BEMS keystore. 3. Update the certificate passwords in BEMS.

b
The BlackBerry Enterprise Mobility Server (BEMS) must be configured with an inactivity timeout of 15 minutes or less.
AC-12 - Medium - CCI-002361 - V-254718 - SV-254718r879887_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002361
Version
BEMS-03-013700
Vuln IDs
  • V-254718
Rule IDs
  • SV-254718r879887_rule
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock.
Checks: C-58329r870239_chk

Verify the BEMS inactivity timeout is set to 15 minutes or less: 1. Find the xml file "jetty.xml" located in the BEMS install directory on the BEMS host Windows server. 2. Find the "maxIdleTime" field. (Note: "idleTimeout" may be the field, depending on the version of BEMS.) 3. Verify it is set to 900 or less (seconds). (Note: time may be in milliseconds, depending on the version of BEMS. In this case, the value would be 900000.) If the BEMS inactivity timeout is not set to 15 minutes (900 seconds) or less, this is a finding.

Fix: F-58275r861878_fix

Configure BEMS with an inactivity timeout of 15 minutes or less. 1. Find the xml file "jetty.xml" located in the BEMS install directory on the BEMS host Windows server. 2. Find the "maxIdleTime" field and set it to 900 or less (seconds). (Note: "idleTimeout" may be the field and time may be in milliseconds, depending on the version of BEMS. In this case, the value would be 900000.) 3. Save the file. 4. Restart the BEMS server.

b
If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection.
IA-2 - Medium - CCI-000764 - V-254719 - SV-254719r879887_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
BEMS-03-013800
Vuln IDs
  • V-254719
Rule IDs
  • SV-254719r879887_rule
To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the information system without identification or authentication.
Checks: C-58330r861880_chk

This requirement is not applicable if the Mail service (Push Notifications support for BlackBerry Work) is not enabled on BEMS. Verify the mail service in BEMS is configured for Windows Authentication for the database connection as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". 2. Click "Database". 3. In the "Server" field, type the Microsoft SQL Server host name and instance. 4. In the "Database" field, type the database name. 5. In the Windows Authentication drop-down list, verify "Windows Authentication" is selected. If "Windows Authentication" is not selected for the mail service database connection, this is a finding.

Fix: F-58276r861881_fix

Set up Windows Authentication for the database connection for the mail service in BEMS: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". 2. Click "Database". 3. In the "Server" field, type the Microsoft SQL Server host name and instance. 4. In the "Database" field, type the database name. 5. In the Windows Authentication drop-down list, select "Windows Authentication". 6. Click "Save".

b
If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Integrated Authentication for the Exchange connection.
IA-2 - Medium - CCI-000764 - V-254720 - SV-254720r916412_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
BEMS-03-013900
Vuln IDs
  • V-254720
Rule IDs
  • SV-254720r916412_rule
To ensure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the information system without identification or authentication.
Checks: C-58331r916410_chk

This requirement is not applicable if the Mail service (Push Notifications support for BlackBerry Work) is not enabled on BEMS. Verify Windows Integrated Authentication for the Exchange connection for the Mail service has been set up in BEMS as follows: *On-Prem email server used at site: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". 2. Click "Microsoft Exchange". 3. Under "Enter Service Account Details", verify "Use Windows Integrated Authentication" has been selected. *O-365 email server used at site: 1. If credential authentication is used by the site: a. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". b. Click "Microsoft Exchange". c. In the "Select Authentication type" section, verify "Credential" authentication type is listed. 2. If client certificate is used at site: a. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". b. Click "Microsoft Exchange". c. In the "Select Authentication type" section, verify "Client Certificate" authentication type is listed. If Windows Integrated Authentication for the Exchange connection for the Mail service has not been set up in BEMS, this is a finding.

Fix: F-58277r916411_fix

Set up Windows Integrated Authentication for the Exchange connection for the Mail service in BEMS: *On-Prem email server used at site: 1. Log on to BEMS with the service account that will be configured. 2. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". 3. Click "Microsoft Exchange". 4. Under "Enter Service Account Details", select the "Use Windows Integrated Authentication" check box. 5. Click "Save". *O-365 email server used at site: Use one of the following procedures based on the authentication type used at the site. 1. Credential a. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". b. Click "Microsoft Exchange". c. In the "Select Authentication type" section, select "Credential" authentication type and complete the associated task to allow BEMS to communicate with Microsoft O365. (This option uses a defined BEMS username and password to authenticate to Microsoft Office 365 using Basic Authentication.) i. In the "Username" field, enter the User Principal Name (UPN) of the BEMS service account. ii. In the "Password" field, enter the password for the service account. 2. Client Certificate a. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". b. Click "Microsoft Exchange". c. In the "Select Authentication type" section, select "Client Certificate" authentication type and complete the associated task to allow BEMS to communicate with Microsoft O365. (This option uses a client certificate to allow the BEMS service account to authenticate to Microsoft Office 365.) i. For the "Upload PFX file", click "Choose File" and select the client certificate file. ii. In the "Enter PFX file Password" field, enter the password for the client certificate.

b
If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to Enable SSL LDAP when using LDAP Lookup for users.
AC-17 - Medium - CCI-000068 - V-254721 - SV-254721r879887_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
BEMS-03-014000
Vuln IDs
  • V-254721
Rule IDs
  • SV-254721r879887_rule
Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS) or SSL.
Checks: C-58332r861886_chk

This requirement is not applicable if the Mail service (Push Notifications support for BlackBerry Work) is not enabled on BEMS. Verify Enable SSL LDAP for LDAP Lookup for users for the Mail service is configured in BEMS as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". 2. Click "User Directory Lookup". 3. If the "Enable LDAP Lookup" has been selected, verify the "Enable SSL LDAP" check box is also selected. When LDAP Lookup for user has been configured on BEMS, if Enable SSL LDAP is not configured, this is a finding.

Fix: F-58278r861887_fix

Enable SSL LDAP when using LDAP Lookup for users for the Mail service in BEMS as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". 2. Click "User Directory Lookup". 3. Select the "Enable LDAP Lookup" check box. 4. Select the "Enable SSL LDAP" check box. 5. Click "Save".

b
If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to Enable SSL LDAP for certificate directory lookup.
AC-17 - Medium - CCI-000068 - V-254722 - SV-254722r879887_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
BEMS-03-014100
Vuln IDs
  • V-254722
Rule IDs
  • SV-254722r879887_rule
Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS) or SSL.
Checks: C-58333r861889_chk

This requirement is not applicable if the Mail service (Push Notifications support for BlackBerry Work) is not enabled on BEMS. Verify Enable SSL LDAP for LDAP Lookup for certificates for the Mail service is configured in BEMS as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail", and then click "Certificate Directory Lookup". 2. If the "Enable LDAP Lookup" has been selected, verify the "Enable SSL LDAP" check box is also selected. When LDAP Lookup for certificates has been configured on BEMS, if Enable SSL LDAP is not configured, this is a finding.

Fix: F-58279r861890_fix

Enable SSL LDAP when using LDAP Lookup for certificates for the Mail service in BEMS as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". 2. Click "Certificate Directory Lookup". 3. Select the "Enable LDAP Lookup" check box. 4. Select the "Enable SSL LDAP" check box. 5. Click "Save".

b
If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection.
IA-2 - Medium - CCI-000764 - V-254723 - SV-254723r879887_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
BEMS-03-014200
Vuln IDs
  • V-254723
Rule IDs
  • SV-254723r879887_rule
To ensure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the information system without identification or authentication.
Checks: C-58334r861892_chk

This requirement is not applicable if the BlackBerry Connect service is not enabled on BEMS. Verify the BlackBerry Connect service in BEMS is configured for Windows Authentication for the database connection as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Connect". 2. Click "Database". 3. In the "Database" field, type the database name. 4. In the "Windows Authentication" drop-down list, verify "Windows Authentication" is selected. If "Windows Authentication" is not selected for the BlackBerry Connect database connection, this is a finding.

Fix: F-58280r861893_fix

Set up Windows Authentication for the database connection for the BlackBerry Connect service in BEMS: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Connect". 2. Click "Database". 3. In the "Database" field, type the database name. 4. In the "Windows Authentication" drop-down list, select "Windows Authentication". 5. Click "Save".

b
If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable SSL support for BlackBerry Proxy and use only DOD approved certificates.
AC-17 - Medium - CCI-001453 - V-254724 - SV-254724r879887_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-001453
Version
BEMS-03-014300
Vuln IDs
  • V-254724
Rule IDs
  • SV-254724r879887_rule
Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS) or SSL. Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.
Checks: C-58335r861895_chk

This requirement is not applicable if the BlackBerry Connect service is not enabled on BEMS. Verify SSL is enabled for the BlackBerry Connect service and a DOD certificate is used as follows: 1. Browse to FQDN of the BEMS Connect server(s) on port 8082. 2. Click on the SSL certificate to verify it has been issued by the DOD CA. 3. Repeat steps 1 and 2 for each BEMS server that has the Connect service added to it. If SSL is not enabled for BlackBerry Connect and if the SSL certificate is not a DOD CA issued certificate, this is a finding.

Fix: F-58281r861896_fix

Configure BlackBerry Connect to enable SSL with a DOD certificate. 1. Submit a CSR request to the DOD CA. 2. In BEMS Select "SSL Certificate". 3. Select "Choose File" and select the new SSL Certificate and type the "Password". 4. Configure BlackBerry Connect to send the request over SSL (see page 20 of the BEMS Configuring the BlackBerry Connect Service document). 5. Configure Connect to use SSL with BlackBerry Proxy (see page 20 of the BEMS Configuring the BlackBerry Connect Service document).

b
If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection.
IA-2 - Medium - CCI-000764 - V-254725 - SV-254725r879887_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
BEMS-03-014400
Vuln IDs
  • V-254725
Rule IDs
  • SV-254725r879887_rule
To ensure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the information system without identification or authentication.
Checks: C-58336r861898_chk

This requirement is not applicable if the BlackBerry Docs service is not enabled on BEMS. Verify the BlackBerry Docs service in BEMS is configured for Windows Authentication for the database connection as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Docs". 2. Click "Database". 3. In the "Database" field, type the database name. 4. In the Windows Authentication drop-down list, verify "Windows Authentication" is selected. If "Windows Authentication" is not selected for the BlackBerry Docs database connection, this is a finding.

Fix: F-58282r861899_fix

Set up Windows Authentication for the database connection for the BlackBerry Docs service in BEMS: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Docs". 2. Click "Database". 3. In the "Database" field, type the database name. 4. In the Windows Authentication drop-down list, select "Windows Authentication". 5. Click "Save".

b
If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use NTLM authentication.
IA-2 - Medium - CCI-000764 - V-254726 - SV-254726r879887_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
BEMS-03-014500
Vuln IDs
  • V-254726
Rule IDs
  • SV-254726r879887_rule
To ensure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the information system without identification or authentication.
Checks: C-58337r861901_chk

This requirement is not applicable if the BlackBerry Docs service is not enabled on BEMS. Verify NTLM authentication is enabled for the BlackBerry Docs service as follows: 1. In the BEMS Dashboard, under "Good Services Configuration", click "Docs". 2. Click "Web Proxy". 3. Select "Use Web Proxy". 4. In the Proxy Server Authentication Type drop-down list, verify "NTLM authentication" is selected. If NTLM authentication is not enabled for the BlackBerry Docs service, this is a finding.

Fix: F-58283r861902_fix

Configure NTLM authentication for the BlackBerry Docs service as follows: 1. In the BEMS Dashboard, under "Good Services Configuration", click "Docs". 2. Click "Web Proxy". 3. Select the "Use Web Proxy". 4. In the Proxy Server Authentication Type drop-down list, select "NTLM authentication". 5. Click "Save".

c
If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use SSL for LDAP lookup to connect to the Office Web App Server (e.g., SharePoint).
AC-17 - High - CCI-001453 - V-254727 - SV-254727r879887_rule
RMF Control
AC-17
Severity
High
CCI
CCI-001453
Version
BEMS-03-014600
Vuln IDs
  • V-254727
Rule IDs
  • SV-254727r879887_rule
Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS) or SSL.
Checks: C-58338r861904_chk

This requirement is not applicable if the BlackBerry Docs service is not enabled on BEMS. Verify the BlackBerry Docs service is configured to use SSL for LDAP Lookup to connect to the Office Web App Server (e.g., SharePoint) as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Docs". 2. Click "Settings". 3. Verify "Use SSL for LDAP" is selected. If SSL for LDAP is not enabled for the BlackBerry Docs service, this is a finding.

Fix: F-58284r861905_fix

This requirement is not applicable if the BlackBerry Docs service is not enabled on BEMS. Configure the BlackBerry Docs service to use SSL for LDAP Lookup to connect to the Office Web App Server (e.g., SharePoint) as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Docs". 2. Click "Settings". 3. Select the "Enable Kerberos Constrained Delegation" check box to allow Docs to use Kerberos constrained delegation. 4. Enter each of the Microsoft SharePoint Online domains that will be made available. 5. Enter the URL for the approved Office Web App Server. 6. Provide the Microsoft Active Directory user domains (separated by commas) and then enter the corresponding LDAP Port. 7. Select the "Use SSL for LDAP" check box. 8. Click "Save".

b
If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable audit logs.
AC-17 - Medium - CCI-000067 - V-254728 - SV-254728r879887_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
BEMS-03-014700
Vuln IDs
  • V-254728
Rule IDs
  • SV-254728r879887_rule
Logging must be used to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident.
Checks: C-58339r861907_chk

This requirement is not applicable if the BlackBerry Docs service is not enabled on BEMS. Verify audit logging is enabled for the BlackBerry Docs service as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Docs". 2. Click "Audit". 3. On the "Audit Settings" tab, verify "Enable Audit Logs" is selected. If audit logging is not enabled for the BlackBerry Docs service, this is a finding.

Fix: F-58285r861908_fix

Enable audit logging for the BlackBerry Docs service as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Docs". 2. Click "Audit". 3. On the "Audit Settings" tab, select the "Enable Audit Logs" check box. 4. Click "Save".

b
The BlackBerry Enterprise Mobility Server (BEMS) server must be configured to enable FIPS mode.
IA-7 - Medium - CCI-000803 - V-254729 - SV-254729r879616_rule
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
BEMS-03-014800
Vuln IDs
  • V-254729
Rule IDs
  • SV-254729r879616_rule
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised due to weak algorithms. In addition, the application must be configured to use the FIPS version of all cryptographic algorithms and modules.
Checks: C-58340r861910_chk

Verify FIPS Mode is enabled for BEMS. 1. Under BEMS Systems Settings select "BEMS Configuration". 2. Select "FIPS Mode". 3. Confirm "Enable FIPS Mode for Cluster" has been selected. If "Enable FIPS Mode for Cluster" is not selected, this is a finding.

Fix: F-58286r861911_fix

Enable FIPS Mode for BEMS. 1. In the BEMS Dashboard, under "BEMS Configuration", click "FIPS Mode". 2. Check the box "Enable FIPS Mode for Cluster". 3. Click "Save".

b
If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable the Web Proxy.
CM-6 - Medium - CCI-000366 - V-254730 - SV-254730r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BEMS-03-014900
Vuln IDs
  • V-254730
Rule IDs
  • SV-254730r879887_rule
The web proxy provides a secure gateway for the BlackBerry Connect service so that BEMS can securely connect to the internet.
Checks: C-58341r861913_chk

This requirement is not applicable if the Connect service is not enabled on BEMS. Verify that Web Proxy Configuration has been configured. 1. Under "BlackBerry Services Configuration" select "Connect". 2. Select "Web Proxy". 3. Confirm "Use Web Proxy" has been checked. If "Use Web Proxy" has not been selected, this is a finding.

Fix: F-58287r861914_fix

Configure Web Proxy Configuration for the Connect service. 1. In the BEMS dashboard under "BlackBerry Services Configuration" click "Connect". 2. Click "Web Proxy". 3. Check the box for "Use Web Proxy". 4. Add "Proxy Address". 5. Add "Proxy Port". 6. Set "Proxy Server Authentication Type" to "Digest".

a
If the BlackBerry Presence service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured with the whitelisting control to limit presence subscriptions to only single domain/tenant.
CM-6 - Low - CCI-000366 - V-254731 - SV-254731r879887_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
BEMS-03-015000
Vuln IDs
  • V-254731
Rule IDs
  • SV-254731r879887_rule
Whitelisting in Presence subscriptions is used to control which internal and federated environments can be subscribed to. Presence subscriptions should be limited to only DOD environments to control who has access to presence information on DOD users. This is an operational security (OPSEC) issue.
Checks: C-58342r861916_chk

This requirement is not applicable if the Presence service is not enabled on BEMS. Verify that Domain whitelisting has been configured. 1. Under the BlackBerry Service Configuration select "Presence". 2. Select "Settings". 3. Confirm "Enable domain whitelisting" has been checked. If "Enable domain whitelisting" is not selected, this is a finding.

Fix: F-58288r861917_fix

Configure Domain Whitelisting for the Presence service. 1. Under the BlackBerry Service Configuration select "Presence". 2. Select "Settings". 3. Confirm "Enable domain whitelisting" has been checked. 4. Click the plus sign and add the domain to whitelist.

b
If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable the proxy server authentication type (if a proxy is used).
CM-6 - Medium - CCI-000366 - V-254732 - SV-254732r879887_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
BEMS-03-015100
Vuln IDs
  • V-254732
Rule IDs
  • SV-254732r879887_rule
The web proxy provides a secure gateway for the BlackBerry Docs service so that BEMS can securely connect to enterprise servers.
Checks: C-58343r861919_chk

This requirement is not applicable if the Docs service for BEMS is not enabled. Verify that the authentication type is set to NTLM if a web proxy is used. 1. Under the "BlackBerry Services Configuration", select "Docs". 2. Under the "Proxy Server Authentication Type", ensure "NTLM" is Selected. If "NTLM" is not selected, this is a finding.

Fix: F-58289r861920_fix

Configure the Docs Web Proxy Authentication type within BEMS. 1. Under the "BlackBerry Services Configuration", select "Docs". 2. Select "Web Proxy Configuration". 3. Under "Proxy Server Authentication Type" Select "NTLM".