BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R2

Published: 2018-11-29

Updated At: 2019-01-27 11:43:20

Compare/View Releases

Select any two versions of this STIG to compare the individual requirements

Select any old version/release of this STIG to view the previous requirements

Actions

Download

Filter


Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-93709r1_rule BEMS-00-002600 CCI-000162 MEDIUM The BlackBerry Enterprise Mobility Server (BEMS) must protect log information from any type of unauthorized read access. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to log records provides information an atta
    SV-93711r1_rule BEMS-00-002700 CCI-000163 MEDIUM The BlackBerry Enterprise Mobility Server (BEMS) must protect log information from unauthorized modification. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to log records provides information an atta
    SV-93713r1_rule BEMS-00-002800 CCI-000164 MEDIUM The BlackBerry Enterprise Mobility Server (BEMS) must protect log information from unauthorized deletion. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. Application servers contain admin interfaces that allow readi
    SV-93715r1_rule BEMS-00-003800 CCI-000382 MEDIUM The BlackBerry Enterprise Mobility Server (BEMS) platform must be protected by a DoD-approved firewall. Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Unneeded services and processes provide
    SV-93717r1_rule BEMS-00-003900 CCI-000382 MEDIUM The firewall protecting the BlackBerry Enterprise Mobility Server (BEMS) must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support BEMS functions. Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations. Since BEMS is a critical component of
    SV-93719r1_rule BEMS-00-004000 CCI-000382 MEDIUM The firewall protecting the BlackBerry Enterprise Mobility Server (BEMS) must be configured so that only DoD-approved ports, protocols, and services are enabled. See the DoD Ports, Protocols, Services Management (PPSM) Category Assurance Levels (CAL) list for DoD-approved ports, protocols, and services. All ports, protocols, and services used on DoD networks must be approved and registered via the DoD PPSM process. This is to ensure that a risk assessment has been completed before a new port, protocol, or service is configured on a DoD network and has be
    SV-93721r2_rule BEMS-00-011400 CCI-002418 MEDIUM The BlackBerry Enterprise Mobility Server (BEMS) must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version. Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Tra
    SV-93723r1_rule BEMS-00-011500 CCI-002418 MEDIUM The BlackBerry Enterprise Mobility Server (BEMS) must remove all export ciphers to protect the confidentiality and integrity of transmitted information. During the initial setup of a Transport Layer Security (TLS) connection to the application server, the client sends a list of supported cipher suites in order of preference. The application server will reply with the cipher suite it will use for communica
    SV-93725r1_rule BEMS-00-013300 CCI-000213 MEDIUM The BlackBerry Enterprise Mobility Server (BEMS) must be configured to have at least one user in the following Administrator roles: Server primary administrator, auditor. Having several administrative roles for the BEMS supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another gr
    SV-93727r1_rule BEMS-00-013400 CCI-000764 MEDIUM The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use Windows Authentication for the database connection. To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g.,
    SV-93729r1_rule BEMS-00-013500 CCI-000068 HIGH The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use HTTPS. Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission to web applications. This is usually achieved through the
    SV-93731r1_rule BEMS-00-013600 CCI-002470 MEDIUM The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use DoD certificates for SSL. Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate
    SV-93733r1_rule BEMS-00-013700 CCI-002361 MEDIUM The BlackBerry Enterprise Mobility Server (BEMS) must be configured with an inactivity timeout of 15 minutes or less. A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user t
    SV-93735r1_rule BEMS-00-013800 CCI-000764 MEDIUM If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection. To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g.,
    SV-93737r1_rule BEMS-00-013900 CCI-000764 MEDIUM If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Integrated Authentication for the Exchange connection. To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g.,
    SV-93739r1_rule BEMS-00-014000 CCI-000068 MEDIUM If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to Enable SSL LDAP when using LDAP Lookup for users. Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Lay
    SV-93741r1_rule BEMS-00-014100 CCI-000068 MEDIUM If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to Enable SSL LDAP for certificate directory lookup. Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Lay
    SV-93743r1_rule BEMS-00-014200 CCI-000764 MEDIUM If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection. To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g.,
    SV-93745r1_rule BEMS-00-014300 CCI-001453 MEDIUM If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable SSL support for BlackBerry Proxy and use only DoD approved certificates. Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Lay
    SV-93747r1_rule BEMS-00-014400 CCI-000764 MEDIUM If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection. To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g.,
    SV-93749r1_rule BEMS-00-014500 CCI-000764 MEDIUM If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use NTLM authentication. To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g.,
    SV-93751r1_rule BEMS-00-014600 CCI-001453 HIGH If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use SSL for LDAP lookup to connect to the Office Web App Server (e.g., SharePoint). Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Lay
    SV-93753r1_rule BEMS-00-014700 CCI-000067 MEDIUM If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable audit logs. Logging must be used in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident.