Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review BES12 server documentation and configuration settings to determine if the warning banner is using the appropriate designated wording. On the BES12, do the following: 1. Log on to the BES12 console and select the "Settings" tab at the top of the screen. 2. Expand the "General" settings tab on the left pane. 3. Select "Login notices" from the menu in the left pane. 4. Verify the checkbox next to "Enable a login notice for the management console" is checked. 5. Verify the console login notice text exactly matches the requirement text. 6. Verify the checkbox next to "Enable a login notice for the self-service console" is checked. 7. Verify the self-service console login notice text exactly matches the requirement text. If the console notice wording does not exactly match the VulDescription text, this is a finding.
On the BES12, do the following: 1. Log on to the BES12 console and select the "Settings" tab at the top of the screen. 2. Expand the "General" settings tab on the left pane. 3. Select "Login notices" from the menu in the left pane. 4. Click the pencil icon (upper-right corner) to edit the Login notices. 5. Select the checkbox next to "Enable a login notice for the management console". 6. In the "Enable a login notice for the management console" field, type the DoD banner found in the VulDescription. 7. Select the checkbox next to "Enable a login notice for the self-service console". 8. In the "Enable a login notice for the self-service console" field, type the DoD banner found in the VulDescription. 9. Click "Save".
Review the BES12 server configuration settings, and verify the server is configured with the Administrator roles: a. MD user; b. Server primary administrator; c. Security configuration administrator; d. Device user group administrator; and e. Auditor. Note: The roles noted below are the preconfigured roles on the BES12 and have the required capabilities associated with the roles identified in the Requirement statement. On the BES12, do the following: 1. Log on to the BES12 console and select the "Settings" tab at the top of the screen. 2. Expand the "Administrators" tab on the left pane. 3. Select the "Roles" tab on the left pane. 4. Verify there is at least one user assigned to each of the following roles: a. Security Administrator; b. Enterprise Administrator; c. Senior Help Desk; and d. Junior Help Desk. If at least one user is not associated with each of the roles above, this is a finding.
On the BES12, do the following: 1. Log on to the BES12 console and select the "Settings” tab at the top of the screen. 2. Expand the "Administrators" tab on the left pane. 3. Assign the appropriate role to either a user or a group, as directed by the Administrator, as described below: To assign a role to a user: 1. Click "Users". 2. Click the "Add an administrator" icon (upper-right corner). 3. If necessary, search for a user account. 4. Click the name of the user account. 5. In the "Role" drop-down list, click the role that you want to add. 6. Click "Save". To assign a role to a group: 1. Click "Groups". 2. Click the "Add role to user group" icon (upper-right corner). 3. If necessary, search for a user group. 4. Click the name of the user group. 5. In the "Role" drop-down list, click the role that you want to add. 6. Click "Save".
Review the BES12 server configuration settings to determine if the BES12 server is configured to enable all required audit events: a. Failure to push a new application on a managed mobile device; b. Failure to update an existing application on a managed mobile device. Note: If an organization has multiple configuration profiles, the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. On the BES12, do the following: 1. Log on to the BES12 console and select the "Policies and Profiles" tab at the top of the screen. 2. Expand the "IT policies" tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the "Settings" and "BlackBerry" tabs. 5. Scroll down to the "Security and Privacy" group of IT policy rules. 6. Verify "Event logging" is selected. 7. Verify "Error event logging" is selected. If the BES IT policy rules "Event logging" and "Error event logging" are not selected, this is a finding.
On the BES12, do the following: 1. Log on to the BES12 console and select the "Policies and Profiles" tab at the top of the screen. 2. Expand the "IT policies" tab on the left pane. 3. Select and open each IT policy assigned to users in turn. 4. After opening the policy, select the "Settings" and "BlackBerry" tabs. 5. Scroll down to the "Security and Privacy" group of IT policy rules. 6. Select the checkbox next to the IT Policy "Event logging". 7. Select the checkbox next to the IT Policy "Error event logging". 8. Click "Save".
Review the BES12 server configuration settings, and verify the server is configured to leverage the MDM Platform user accounts and groups for BES12 server user identification and authentication. On the BES12, do the following: 1. Log on to the BES12 host server and navigate to the BES12 console. 2. Verify the BES12 server does not prompt for additional authentication before opening the BES12 console. If the BES12 server does not display an Administrator-specified advisory notice and consent warning message regarding use of the server, this is a finding. If the BES12 server prompts for additional authentication before opening the BES12 console, this is a finding.
On the BES12, do the following: Configure constrained delegation for the Microsoft Active Directory account to support single sign-on: 1. Log on to the BES12 host server and use the Windows Server ADSI Edit tool to add the following SPNs for BES12 to the Microsoft Active Directory account: - HTTP/<host_FQDN_or_pool_name> (for example, HTTP/domain123.example.com) - BASPLUGIN111/<host_FQDN_or_pool_name> (for example, BASPLUGIN111/domain123.example.com) NOTE: - If you configured high availability for the management consoles in a BES12 domain, specify the pool name. Otherwise, specify the FQDN of the computer that hosts the management console. - Verify that no other accounts in the Microsoft Active Directory forest have the same SPNs. 2. Open Microsoft Active Directory Users and Computers. 3. In the Microsoft Active Directory account properties, on the "Delegation" tab, select the following options: - Trust this user for delegation to specified services only - Use Kerberos only 4. Add the SPNs from Step 1 to the list of services. Configure single sign-on for BES12: Note: - When you configure single sign-on for BES12, you configure it for the management console and BES12 Self-Service. - If you enable single sign-on for multiple Microsoft Active Directory connections, verify that there are no trust relationships between the Microsoft Active Directory forests. 1. Log on to the BES12 console and select the "Settings” tab at the top of the screen. 2. Expand the "External integration" tab on the left pane. 3. Click "Company directory". 4. In the Configured directory connections section, click the name of a Microsoft Active Directory connection. 5. On the Authentication tab, select the check box next to "Enable Windows single sign-on". 6. Click "Save". Note: BES12 validates the information for Microsoft Active Directory authentication. If the information is invalid, BES12 prompts you to specify the correct information. 7. Click "Close". 8. Restart the BES12 services on each computer that hosts a BES12 instance. 9. Instruct administrators and BES12 Self-Service users to configure their browsers to support single sign-on for BES12.
Review the BES12 server configuration to determine whether the system is locked after 15 minutes. Clock the time on a server to validate that it is correctly enforcing the time period. On the BES12, do the following: 1. Log on to the BES12 console. 2. Note the time and leave the console inactive. Note: During this time, ensure there are no user inputs made to the console, such as mouse movements or keyboard entries. 3. Verify that the console locks after 15 minutes or less of inactivity. If the console does not lock after 15 minutes or less of inactivity, this is a finding.
On the BES12, do the following: 1. Log on to the BES12 host server and navigate to "C:\BlackBerry\BlackBerry Configuration Tool 1.4.0\BES12ConfigTool.exe" to launch the BES12 Configuration Tool. Note: If the BES12 Configuration Tool was not installed in the default directory, you will need to locate the directory with the executable file to launch the application. 2. Select the "BES12 console timeout interval" radio button. 3. Click "Next". 4. Click "Validate" to verify the Database information. 5. In the "Session timeout (seconds)" field, enter "900". 6. Select the checkbox next to "Automatically Restart Services". 7. Click "Update". 8. Verify that the message "BES12 services successfully restarted" is displayed when the process is completed. Note: If the services do not restart automatically, you will have to restart the services manually. 9. Click "Quit" to exit the application. Note: If the BES12 Configuration Tool is not installed on the host system, you will need to download and install the tool on the host server. To download and install the BES12 Configuration Tool, on the BES12, do the following: 1. Log on to the BES12 host server and download and install the BES12 Configuration Tool from: http://swdownloads.blackberry.com/Downloads/entry.do 2. Navigate to "C:\BlackBerry\BlackBerry Configuration Tool 1.4.0\BES12ConfigTool.exe" and launch the BES12 Configuration Tool. Note: If the BES12 Configuration Tool was not installed in the default directory, you will need to locate the directory with the executable file to launch the application. 3. Click "Next". 4. Select the country of use from the drop-down menu. 5. Select the radio button next to "I accept the terms of the license agreement". 6. Click "Next". 7. Select the "BES12 console timeout interval" radio button. 8. Verify the Database Information. 9. Click "Validate". 10. Click "Quit" to exit the application.
Review the implementation of the BES12 server with the site system administrator. Verify a host-based firewall (for example, HBSS) is installed on the Windows server. If the BES12 server is not protected by a DoD-approved firewall, this is a finding.
Protect the BES12 server with a DoD-approved firewall.
Review the implementation of the firewall protecting the BES12 server with the site system administrator. Verify the firewall is configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support the BES12 server. If the firewall protecting the BES12 server is not configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support the BES12 server, this is a finding. Note: Required ports, protocols, and IP address ranges for the BES12 server are found in the Supplemental document.
Configure the DoD-approved firewall to deny all except for ports listed in the STIG Supplemental document.
Review the BES12 server configuration to determine if it is configured to disable a user's capability to perform self-service tasks. On the BES12, do the following: 1. Log on to the BES12 console and select the "Settings" tab at the top of the screen. 2. Expand the "General" settings tab on the left pane. 3. Select "Self-Service" from the menu in the left pane. 4. Verify the check box next to "Allow users to access the self-service console" is not checked. If the checkbox next to "Allow users to access the self-service console" is checked, this is a finding.
On the BES12, do the following: 1. Log on to the BES12 console and select the "Settings” tab at the top of the screen. 2. Expand the General settings tab on the left pane. 3. Select Self-Service from the menu in the left pane. 4. Unselect the checkbox next to "Allow users to access the self-service console". 5. Click "Save".
On the BES12, do the following: 1. Log on to the BES12 console and select the "Settings” tab at the top of the screen. 2. Expand the Infrastructure tab on the left pane. 3. Select Server certificates. 4. In the SSL certificate for consoles and BlackBerry Web Services, click "View details". 5. Verify the issuer's CN is from the DoD root Certificate Authority (CA). If the PKI digital certificate installed on the BES12 Server to support consoles and BlackBerry Web Services authentication is not a DoD PKI issued certificate, this is a finding.
NOTE: Before you begin, you must obtain an SSL certificate signed by the DoD root Certificate Authority (CA). BES12 supports certificates in the PFX format with either a .pfx or .p12 file name extension. If you configure high availability, you must obtain an SSL certificate that uses the name of the BES12 domain. You can find the BES12 domain name in the management console under Settings >> Infrastructure >> BES12 instances. On the BES12, do the following: 1. Log on to the BES12 console and select the "Settings" tab at the top of the screen. 2. Expand the "Infrastructure" tab on the left pane. 3. Select "Server certificates". 4. In the SSL certificate for consoles and BlackBerry Web Services section, click "View details". 3. Click "Replace certificate". 4. Click "Browse". 5. Select the certificate file that you want to use. 6. Click "Open". 7. Type the encryption password. 8. Click "Replace". 9. Restart the BES12 Core service on all servers.