Samsung SDS EMM v1.5.x Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2017-01-20

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Before establishing a user session, the Samsung SDS EMM server must display an administrator-specified advisory notice and consent warning message regarding use of the Samsung SDS EMM server.
AC-8 - Low - CCI-000048 - V-73201 - SV-87853r1_rule
RMF Control
AC-8
Severity
Low
CCI
CCI-000048
Version
SEMM-15-000010
Vuln IDs
  • V-73201
Rule IDs
  • SV-87853r1_rule
Note: The advisory notice and consent warning message is not required if the General Purpose OS or Network Device displays an advisory notice and consent warning message when the administrator logs on to the General Purpose OS or Network Device prior to accessing the Samsung SDS EMM server or Samsung SDS EMM server platform. The Samsung SDS EMM server/server platform is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. This ensures the legal requirements for auditing and monitoring are met. The approved DoD text must be used as specified in KS referenced in DoDI 8500.01. The non-bracketed text below must be used without any changes as the warning banner.

[A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating “OK.”]

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

[B. For Blackberries and other PDAs/PEDs with severe character limitations:]

I've read & consent to terms in IS user agreem't.

SFR ID: FMT_SMF_EXT.1.1(2) Refinement
Checks: C-73303r1_chk

Review Samsung SDS EMM server documentation and configuration settings to determine if the warning banner is using the appropriate designated wording. On the MDM console, do the following:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Settings >> Admin Console >> System and click on the button labeled “Logo / Notification” near the top of the screen.
3) In the “Logo / Notification” window that appears, confirm the text in the Login Notification “Text” is the required DoD banner text.
If the warning banner is not set up on the MDM server or wording does not exactly match the requirement text, this is a finding.

Fix: F-79647r1_fix

Configure the MDM server to display the appropriate warning banner text. On the MDM console, do the following:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Settings >> Admin Console >> System and click on the button labeled “Logo / Notification” near the top of the screen.
3) In the “Logo / Notification” window that appears, enter the required DoD text in the Login Notification “Text” box.
4) Click "Save".

The Samsung SDS EMM server must be configured with the Administrator roles: a. MD user; b. Server primary administrator; c. Security configuration administrator; d. Device user group administrator; and e. Auditor.
AU-2 - Medium - CCI-000128 - V-73203 - SV-87855r1_rule
RMF Control
AU-2
Severity
Medium
CCI
CCI-000128
Version
SEMM-15-000070
Vuln IDs
  • V-73203
Rule IDs
  • SV-87855r1_rule
Having several roles for the Samsung SDS EMM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise.
- Server primary administrator: responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of Security configuration administrator and Auditor accounts.
- Security configuration administrator: responsible for security configuration of the server, setting up and maintenance of mobile device security policies, defining device user groups, setup and maintenance of device user group administrator accounts, and defining privileges of device user group administrators.
- Device user group administrator: responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. Can only perform administrative functions assigned by the Security configuration administrator.
- Auditor: responsible for reviewing and maintaining server and mobile device audit logs.
SFR ID: FMT_SMR.1.1(1) Refinement
Checks: C-73305r1_chk

Review the MDM server configuration settings and verify the server is configured with the Administrator roles: a. MD user; b. Server primary administrator; c. Security configuration administrator; d. Device user group administrator; and e. Auditor. This validation procedure is performed on the MDM Administration Console.
On the MDM console, do the following to verify that a user in the MD user role (a) exists:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Devices & Users >> Users & Organization.
3) Observe that the user created in the Implementation Guidance is listed on this screen.
On the MDM console, do the following to verify that users in the roles (c), (d) and (e) exist:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Settings >> Admin Console >> Administrators.
3) Observe that the user with the Security configuration administrator role is in the list on this screen, that the “Type” column indicates “Super”, and that a modify symbol appears under all of the columns for “App”, “Cert”, “Org”, “Profile”, “Portal”, and “Audit”.
4) Observe that the user with the Device user group administrator role is in the list on this screen, that the “Type” column indicates “Common”, and that a modify symbol appears under all of the columns for “App”, “Cert”, “Org”, “Profile”, “Portal”, and “Audit”.
5) Observe that the user with the Auditor role is in the list on this screen, that the “Type” column indicates “Common”, and that a modify symbol appears only under the “Audit” column.
No verification is needed for the Server primary administrator (b), since this role is always automatically created during server install.
If the MDM console is not configured with the required Administrator roles, this is a finding.

Fix: F-79649r1_fix

Configure the MDM server with the Administrator roles: a. MD user; b. Server primary administrator; c. Security configuration administrator; d. Device user group administrator; and e. Auditor.
On the MDM console, do the following to create an MD user:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Devices & Users >> Users & Organization and select the “+” to get a pull-down menu. Select “Add Single User”.
3) Complete fields with user-specific information.
4) Click "Save".
5) Click "No" in the next dialog box (OK box) to complete setup of the user.
On the MDM console, do the following to create users in the roles (c), (d), and (e):
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Settings >> Admin Console >> Administrators and click on the “+” button near the top of the screen.
3) In the “Add Administrator” window, fill in the following once for each user account being created:
a) Choose the “New” radio button.
b) Fill in the “Admin ID” and “Admin Name” fields with values for a new user.
c) To create a Security configuration administrator: set the Type field to “Super”.
d) To create a Device user group administrator: set the Type field to “Common” and check all of the “Authorization” boxes.
e) To create an Auditor: set the Type field to “Common” and check only the Audit box.
4) Choose “Save” to create the account with the specified role.
5) Click "Yes" in the next dialog box (Save box) to complete setup of the user.
A user in the Server Primary Administrator role is created by defining a Windows Administrator account on the platform running the Samsung SDS EMM server. This is automatically created during server install.

The Samsung SDS EMM server must be configured to transfer MD audit logs and Samsung SDS EMM server logs to another server for analysis and reporting.
AU-2 - Medium - CCI-000128 - V-73205 - SV-87857r1_rule
RMF Control
AU-2
Severity
Medium
CCI
CCI-000128
Version
SEMM-15-000320
Vuln IDs
  • V-73205
Rule IDs
  • SV-87857r1_rule
Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. Since the Samsung SDS EMM server has limited capability to store MD log files and perform analysis and reporting of MD log files, the Samsung SDS EMM server must have the capability to transfer log files to an audit log management server. SFR ID: FMT_SMF.1.1(2) Refinement, f
Checks: C-73307r1_chk

The following describes how the MDM server transfers MD audit logs and MDM server logs to another server for analysis and reporting. Ask the system administrator to identify which audit management server Samsung SDS EMM server logs are transferred to. Verify that the audit management server contains records of the MD audit logs and MDM server logs, which have been transferred from the Samsung SDS EMM server. If logs are not automatically transferred periodically, verify logs are transferred manually at least daily. If the Samsung SDS EMM server is not configured to transfer MD audit logs to another server (automatically or manually), this is a finding.

Fix: F-79651r1_fix

The following describes how the MDM server can transfer MD audit logs and MDM server logs to another server for analysis and reporting. This is a manual process that has to be performed by the administrator periodically.
To transfer Samsung SDS EMM server logs, on the MDM console, do the following:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Service Overview >> Logs >> Audit Logs.
3) Choose a date and click the "Export" button to export the selected Audit data to a file on the administrator’s workstation.
4) Follow the browser-specific instructions to save the comma-separated values file.
To transfer MD audit logs, on the MDM console, do the following:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Service Overview >> Logs >> Device Logs.
3) Choose the desired device in the left side of the “Device Logs” screen.
4) Choose the Export action in the row for the device log to be saved to export the selected MD audit log to a file on the administrator’s workstation.
5) Follow the browser-specific instructions to save the comma-separated values file.
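Because the transfer is a manual export, the check above (C-73307r1_chk) reduces to confirming that both kinds of CSV file keep arriving on the audit management server at least daily. The Python below is an added example for this page, not code from the STIG or from Samsung SDS EMM. It assumes a file naming convention on the audit management server (exports named audit_<date>.csv for the EMM server audit log and device_<id>_<date>.csv for MD audit logs); that convention is an assumption, and the sample listing is constructed, not real export data. It reports each log type as ok, stale or missing, so a lapse in the daily routine shows up as a finding rather than going unnoticed.

```python
import os
from datetime import datetime, timedelta, timezone

# Assumed naming (assumption, not from the STIG): the CSV exports land on the audit
# management server as audit_<date>.csv (EMM server audit log) and
# device_<id>_<date>.csv (MD audit log).
LOG_TYPES = {"server audit log": "audit_", "MD audit log": "device_"}
MAX_AGE = timedelta(days=1)     # the check text requires transfer at least daily


def scan_directory(path):
    """Yield (file name, modification time as aware UTC datetime) for CSV files in path."""
    for entry in os.scandir(path):
        if entry.is_file() and entry.name.lower().endswith(".csv"):
            yield entry.name, datetime.fromtimestamp(entry.stat().st_mtime, timezone.utc)


def check_export_freshness(entries, now=None, max_age=MAX_AGE, log_types=LOG_TYPES):
    """Return {log type: 'ok' | 'stale' | 'missing'} from (name, mtime) pairs.

    'missing' means no export of that kind exists at all; 'stale' means the newest
    one is older than max_age. Either is a finding against SEMM-15-000320.
    """
    now = now or datetime.now(timezone.utc)
    newest = {}
    for name, mtime in entries:
        for log_type, prefix in log_types.items():
            if name.startswith(prefix):
                newest[log_type] = max(mtime, newest.get(log_type, mtime))
    status = {}
    for log_type in log_types:
        if log_type not in newest:
            status[log_type] = "missing"
        elif now - newest[log_type] > max_age:
            status[log_type] = "stale"
        else:
            status[log_type] = "ok"
    return status


# Constructed sample listing (not real export data): the server audit log was
# exported 20 hours ago, the newest device log three days ago.
SAMPLE_NOW = datetime(2017, 1, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    ("audit_2017-01-19.csv", SAMPLE_NOW - timedelta(hours=20)),
    ("audit_2017-01-15.csv", SAMPLE_NOW - timedelta(days=5)),
    ("device_D1_2017-01-17.csv", SAMPLE_NOW - timedelta(days=3)),
    ("notes.txt", SAMPLE_NOW),                      # unrelated file, ignored
]

if __name__ == "__main__":
    # On the audit management server: check_export_freshness(scan_directory("/path/to/exports"))
    for log_type, state in check_export_freshness(SAMPLE_ENTRIES, SAMPLE_NOW).items():
        print(f"{log_type}: {state}")
```

Run against the real export directory with scan_directory; the freshness window is a parameter so a site that exports more often than daily can tighten it. The check deliberately looks at modification time rather than the date in the file name, since a file copied with an old name but never refreshed is exactly the lapse the reviewer is looking for.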

The Samsung SDS EMM server or platform must initiate a session lock after a 15-minute period of inactivity.
AC-11 - Medium - CCI-000057 - V-73207 - SV-87859r1_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
SEMM-15-100010
Vuln IDs
  • V-73207
Rule IDs
  • SV-87859r1_rule
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system-level and results in a system lock but may be at the application-level where the application interface window is secured instead. SFR ID: FMT_SMF.1.1(1) Refinement
Checks: C-73309r1_chk

Review the Samsung SDS EMM server or platform configuration to determine whether the session is locked after 15 minutes of inactivity. Time an idle session on the server to validate that the configured period is actually enforced. If the session lock does not occur within 15 minutes of inactivity, this is a finding.

Fix: F-79653r1_fix

To configure the Samsung SDS EMM server or platform to lock the server after 15 minutes of inactivity, do the following:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Click the “v” symbol at the top right of the web page to get a pull-down menu.
3) Choose “Configure session timeout”.
4) Set the Session Timeout(min) value to "15".
5) Click on the “Save” button.

The Samsung SDS EMM server platform must be protected by a DoD-approved firewall.
CM-7 - Medium - CCI-000382 - V-73209 - SV-87861r1_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
SEMM-15-100040
Vuln IDs
  • V-73209
Rule IDs
  • SV-87861r1_rule
Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Unneeded services and processes provide additional threat vectors and avenues of attack to the information system. The Samsung SDS EMM server is a critical component of the mobility architecture and must be configured to only those ports, protocols, and services (PPS) necessary to support functionality; all others must be expressly disabled or removed. A DoD-approved firewall implements the required network restrictions. A host-based firewall is appropriate where the Samsung SDS EMM server runs on a standalone platform. Network firewalls or other architectures may be preferred where the Samsung SDS EMM server runs in a cloud or virtualized solution. SFR ID: FMT_SMF.1.1(1) Refinement
Checks: C-73311r1_chk

Review the Samsung SDS EMM server platform configuration to determine whether a DoD-approved firewall is installed or if the platform operating system provides a firewall service that can restrict both inbound and outbound traffic by TCP/UDP port and IP address. If there is not a host-based firewall present on the Samsung SDS EMM server platform, this is a finding.

Fix: F-79655r1_fix

Install a DoD-approved firewall.

The firewall protecting the Samsung SDS EMM server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support Samsung SDS EMM server and platform functions.
CM-7 - Medium - CCI-000382 - V-73211 - SV-87863r1_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
SEMM-15-100050
Vuln IDs
  • V-73211
Rule IDs
  • SV-87863r1_rule
Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. The Samsung SDS EMM server is a critical component of the mobility architecture and must be configured to only those ports, protocols, and services (PPS) necessary to support functionality; all others must be expressly disabled or removed. A firewall installed on the Samsung SDS EMM server provides a protection mechanism to ensure unwanted service requests do not reach the Samsung SDS EMM server and outbound traffic is limited to only Samsung SDS EMM server functionality. SFR ID: FMT_SMF.1.1(1) Refinement
Checks: C-73313r1_chk

Ask the MDM administrator for a list of ports, protocols and IP address ranges necessary to support Samsung SDS EMM server and platform functionality (see the STIG Supplemental document for a list of required ports, protocols, and services). Review the list to determine if the stated required configuration is appropriate. Compare the list against the configuration of the firewall, and identify discrepancies. If the host-based firewall is not configured to support only those ports, protocols, and IP address ranges necessary for operation, this is a finding.

Fix: F-79657r1_fix

Configure the firewall on the Samsung SDS EMM server to only permit ports, protocols, and IP address ranges necessary for operation.

The firewall protecting the Samsung SDS EMM server platform must be configured so that all allowed ports, protocols, and services are approved for DoD use (on the DoD Ports, Protocols, Services Management (PPSM) Category Assurance Levels (CAL) list).
CM-7 - Medium - CCI-000382 - V-73213 - SV-87865r1_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
SEMM-15-100060
Vuln IDs
  • V-73213
Rule IDs
  • SV-87865r1_rule
All ports, protocols, and services used on DoD networks must be approved and registered via the DoD Ports, Protocols, Services Management (PPSM) process. This ensures that a risk assessment has been completed and approved by the proper DoD authorities before a new port, protocol, or service is configured on a DoD network. Otherwise, the new port, protocol, or service could introduce a vulnerability into the DoD network that could be exploited by an adversary. SFR ID: FMT_SMF.1.1(1) Refinement
Checks: C-73315r1_chk

Ask the MDM administrator for a list of ports, protocols and services that have been configured on the host-based firewall. Verify all allowed ports, protocols, and services are included on the DoD PPSM CAL list. If any allowed ports, protocols, and services on the MDM host-based firewall are not included on the DoD PPSM CAL list, this is a finding.
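The two firewall comparisons, configured rules against the required PPS list (C-73313r1_chk, SEMM-15-100050) and allowed PPS against the PPSM CAL (C-73315r1_chk, SEMM-15-100060), are the same pass over the rule set, so they can be scripted together. The Python below is an added example for this page, not code from the STIG or from Samsung SDS EMM. It parses a constructed rule listing shaped like the output of the Windows command `netsh advfirewall firewall show rule name=all` (the EMM server runs on a Windows platform per the role requirement above) and reports, per enabled Allow rule, whether it exceeds the required list and whether its port is on the CAL. REQUIRED_PPS and PPSM_CAL_APPROVED are hypothetical placeholders: the real values come from the STIG Supplemental document and the current PPSM CAL, neither of which this page reproduces.

```python
import ipaddress
import re

# Hypothetical placeholders (assumption): replace REQUIRED_PPS with the list in the
# STIG Supplemental document and PPSM_CAL_APPROVED with the current DoD PPSM CAL.
REQUIRED_PPS = [                          # (direction, protocol, port, remote range)
    ("In", "TCP", 443, "Any"),            # admin console and device traffic over HTTPS
    ("Out", "TCP", 443, "Any"),           # outbound HTTPS, e.g. to push services
    ("Out", "TCP", 636, "10.20.0.0/16"),  # LDAPS to the directory servers
]
PPSM_CAL_APPROVED = {("TCP", 443), ("TCP", 636), ("TCP", 3389)}

# Constructed sample (not a real export) shaped like 'netsh advfirewall firewall show rule name=all' output.
SAMPLE_NETSH_OUTPUT = """\
Rule Name:   EMM HTTPS
Enabled:     Yes
Direction:   In
RemoteIP:    Any
Protocol:    TCP
LocalPort:   443
Action:      Allow

Rule Name:   EMM LDAPS to directory
Enabled:     Yes
Direction:   Out
RemoteIP:    10.20.5.0/24
Protocol:    TCP
RemotePort:  636
Action:      Allow

Rule Name:   Legacy Telnet
Enabled:     Yes
Direction:   In
RemoteIP:    Any
Protocol:    TCP
LocalPort:   23
Action:      Allow
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")

def parse_netsh_rules(text):
    """One dict per rule from 'Field: value' lines; 'Rule Name' starts a new rule."""
    rules, current = [], None
    for line in text.splitlines():
        match = FIELD_RE.match(line.strip())
        if not match:
            continue                        # blank lines and '----' separators
        key, value = match.group(1), match.group(2).strip()
        if key == "Rule Name":
            current = {"name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules

def parse_ports(value):
    """'443,8443' -> [443, 8443]; 'Any' and ranges such as '1024-65535' stay strings."""
    return [int(p) if p.isdigit() else p for p in (s.strip() for s in value.split(","))]

def remote_within(rule_remote, required_remote):
    """True when the rule's remote address range lies inside the required range."""
    if required_remote == "Any":
        return True
    if rule_remote == "Any":
        return False                        # unrestricted where a range is required
    try:
        return ipaddress.ip_network(rule_remote, strict=False).subnet_of(
            ipaddress.ip_network(required_remote, strict=False))
    except (ValueError, TypeError):         # start-end ranges, names, mixed IP versions
        return False                        # conservative: treat as a finding to review

def audit_rules(rules, required=REQUIRED_PPS, approved=PPSM_CAL_APPROVED):
    """Return (STIG item, rule name, detail) findings for enabled Allow rules."""
    findings, covered = [], set()
    for rule in rules:
        if rule.get("Enabled") != "Yes" or rule.get("Action") != "Allow":
            continue                        # disabled and Block rules open nothing
        direction, proto = rule.get("Direction"), rule.get("Protocol")
        remote = rule.get("RemoteIP", "Any")
        port_field = "LocalPort" if direction == "In" else "RemotePort"
        for port in parse_ports(rule.get(port_field, "Any")):
            hits = [i for i, (d, p, pt, rem) in enumerate(required)
                    if (d, p, pt) == (direction, proto, port) and remote_within(remote, rem)]
            covered.update(hits)
            if not hits:
                findings.append(("SEMM-15-100050", rule["name"],
                                 f"{direction} {proto}/{port} remote {remote} allowed but not required"))
            if (proto, port) not in approved:
                findings.append(("SEMM-15-100060", rule["name"],
                                 f"{proto}/{port} is not on the PPSM CAL approved list"))
    for i, (d, p, pt, rem) in enumerate(required):
        if i not in covered:
            findings.append(("INFO", None, f"required {d} {p}/{pt} remote {rem} has no enabled Allow rule"))
    return findings

if __name__ == "__main__":
    for item, name, detail in audit_rules(parse_netsh_rules(SAMPLE_NETSH_OUTPUT)):
        print(f"{item}: {name or '-'}: {detail}")
```

On the sample, the Telnet rule produces both a SEMM-15-100050 finding (not required) and a SEMM-15-100060 finding (not on the CAL), while the outbound HTTPS entry is reported as required but missing so the operational gap is visible too. Address matching treats a rule whose remote range lies inside a required range as covered; anything the standard library cannot parse (netsh start-end address ranges, host names) is conservatively reported as a finding for manual review. The listing does not carry the per-profile default inbound and outbound actions, which still have to be confirmed separately as Block.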

Fix: F-79659r1_fix

Turn off any ports, protocols, and services on the MDM host-based firewall that are not on the DoD Ports, Protocols, Services Management (PPSM) Category Assurance Levels (CAL) list.

The Samsung SDS EMM agent must be configured for the periodicity of reachability events for six hours or less.
SI-6 - Low - CCI-002696 - V-73215 - SV-87867r1_rule
RMF Control
SI-6
Severity
Low
CCI
CCI-002696
Version
SEMM-15-200010
Vuln IDs
  • V-73215
Rule IDs
  • SV-87867r1_rule
Mobile devices that do not enforce security policy or verify the status of the device are vulnerable to a variety of attacks. The key security function of MDM technology is to distribute mobile device security policies in such a manner that they are enforced on managed mobile devices. To accomplish this function, the Samsung SDS EMM agent must verify the status and other key information of the managed device and report that status to the MDM server periodically. SFR ID: FMT_SMF_EXT.3.2
Checks: C-73317r1_chk

Review the MDM agent configuration settings to determine if the agent is configured with a periodicity of reachable events set to six hours or less. This validation procedure is performed on the Samsung SDS EMM Server Admin Console.
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Settings >> Service >> Configuration.
3) For Android: On row 20 verify “Inventory Collection Period for Android (Hrs)” is set to "6" or less.
4) For iOS: On row 21 verify “Inventory Collection Period for iOS (Hrs)” is set to "6" or less.
If the periodicity of reachable events is not set to "6" hours or less, this is a finding.

Fix: F-79661r1_fix

Configure the MDM agent periodicity of reachable events to six hours or less. On the MDM console, do the following:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Settings >> Service >> Configuration.
3) For Android: Ensure that row 20 “Inventory Collection Period for Android (Hrs)” shows a value of "6" or less.
4) For iOS: Ensure that row 21 “Inventory Collection Period for iOS (Hrs)” shows a value of "6" or less.
5) Click on the check-mark box in the top left of the "Configuration" screen to "Apply Changes".
6) Click “OK” on the “Notify” save completed window.
On the MDM agent: no action is required.