Verify BEMS has been configured with the following administrator groups/roles, each group/role has required permissions, and at least one user has been assigned to each Administrator group/role: Server primary administrator, auditor. Procedure for Server Primary Administrator: 1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration". 2. Click "Dashboard Administrators". 3. Confirm the Administrator role for the primary server administrator has been assigned the dashboard role of Admin. 4. Verify in AD at least one member has been assigned to the BEMS administrator group. (Note: Actual group name may be different.) Procedure for Auditor: 1. Verify in AD an auditor group has been set up with at least one member. 2. Browse to the log repository. 3. Right-click on the folder. 4. Select "Properties". 5. Select the "Security" tab. 6. Confirm the auditor security group is listed. If required administrator roles have not been set up on BEMS and at least one user has not been assigned to each role, this is a finding.
Configure BEMS to have at least one user in the following Administrator roles: Server primary administrator, auditor. 1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration". 2. Click "Dashboard Administrators". 3. Click "Add Group". 4. In the "Active Directory Security Group" field, type the name of the Microsoft Active Directory security group. 5. Click "Save". 6. Repeat steps 3 to 5 to add additional security groups. 7. For the server primary administrator, the default role of Admin meets the required roles and no additional configuration is needed. 8. For the Auditor role, complete the following steps: - In Active Directory, create a domain auditor group and assign personnel designated as auditors to that group. - Browse to the log repository. - Right-click on the folder. - Select "Properties". - Select the "Security" tab. - Click "Edit". - Click "Add". - Type the name of the auditor group. - Confirm that only the necessary groups have rights to the folder (CREATOR OWNER, SYSTEM, Administrators, Auditors). - Set proper permissions for auditors (Read, List folder contents, Read & Execute); the auditor group must not hold Write, Modify, Delete or Full control on the log repository.
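The log-repository ACL and group-membership checks above, as an added PowerShell example that is not part of the STIG or of BlackBerry's documentation. Run it from an elevated prompt on the BEMS host. The log path and both group names are assumptions (replace them with the real values); the membership check needs the RSAT ActiveDirectory module.

```powershell
# Added example (not from the STIG): check the BEMS log repository ACL and the
# administrator/auditor AD groups. Path and group names below are assumptions.
$LogRepository = 'C:\Program Files\BlackBerry\BEMS\Logs'   # assumed path
$AuditorGroup  = 'CONTOSO\BEMS-Auditors'                   # assumed AD group
$AdminGroup    = 'CONTOSO\BEMS-Admins'                     # assumed AD group

# Principals the STIG allows on the log folder (CREATOR OWNER, SYSTEM, Administrators, Auditors).
$AllowedIdentities = @('CREATOR OWNER', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $AuditorGroup)
# Read, List folder contents and Read & Execute are all contained in ReadAndExecute (+ Synchronize).
$AuditorMaxRights  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
                     [System.Security.AccessControl.FileSystemRights]::Synchronize

function Test-BemsLogAcl {
    param([string]$Path, [string[]]$Allowed, [string]$Auditor,
          [System.Security.AccessControl.FileSystemRights]$AuditorRights)
    $findings = @()
    $acl = Get-Acl -Path $Path
    $auditorSeen = $false
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny') { continue }   # Deny entries grant nothing
        $who = $ace.IdentityReference.Value
        if ($Allowed -notcontains $who) {
            $findings += "Unexpected principal on log folder: $who ($($ace.FileSystemRights))"
        }
        if ($who -eq $Auditor) {
            $auditorSeen = $true
            # Any right bit outside the auditor allowance (Write, Delete, FullControl, ...) is a finding.
            # Inherited entries can carry generic-right bits (negative values); those are flagged too.
            $extra = [int]$ace.FileSystemRights -band (-bnot [int]$AuditorRights)
            if ($extra -ne 0) { $findings += "Auditor group holds rights beyond read: $($ace.FileSystemRights)" }
        }
    }
    if (-not $auditorSeen) { $findings += "Auditor group $Auditor is not listed on the log folder" }
    return $findings
}

function Test-BemsGroupPopulated {
    param([string]$Group)   # requires the RSAT ActiveDirectory module
    $name = ($Group -split '\\')[-1]
    $users = Get-ADGroupMember -Identity $name -Recursive | Where-Object { $_.objectClass -eq 'user' }
    if (-not $users) { return "AD group $name has no user members" }
    return $null
}

$results  = @(Test-BemsLogAcl -Path $LogRepository -Allowed $AllowedIdentities -Auditor $AuditorGroup -AuditorRights $AuditorMaxRights)
$results += Test-BemsGroupPopulated -Group $AuditorGroup
$results += Test-BemsGroupPopulated -Group $AdminGroup
$results  = $results | Where-Object { $_ }
if ($results) { $results | ForEach-Object { Write-Output "FINDING: $_" } } else { Write-Output 'Roles and log ACL: no findings' }
```

Every line printed with FINDING maps to the "this is a finding" clause of the check: a principal outside the four allowed ones (typically an inherited BUILTIN\Users entry), an auditor group with write rights, or an empty group. Fix the ACL in the folder's Security tab as described in the steps above, or with Set-Acl, before re-running.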
Review the BEMS configuration to determine whether a DoD-approved firewall is installed or if the platform operating system provides a firewall service that can restrict both inbound and outbound traffic by TCP/UDP port and IP address. If there is not a host-based firewall present on BEMS, this is a finding.
Install a DoD-approved firewall.
Ask the BEMS administrator for a list of ports, protocols, and IP address ranges necessary to support BEMS functionality. A list can usually be found in the STIG supplemental document or the BEMS product documentation. Compare the list against the configuration of the firewall and identify discrepancies. If the host-based firewall is not configured to permit only those ports, protocols, and IP address ranges necessary for operation, this is a finding.
Configure the firewall on BEMS to only permit ports, protocols, and IP address ranges necessary for operation.
Ask the BEMS administrator for a list of ports, protocols, and services that have been configured on the host-based firewall of BEMS, or generate the list by inspecting the firewall. Verify all allowed ports, protocols, and services are included on the DoD PPSM CAL list. If any allowed ports, protocols, and services on the BEMS host-based firewall are not included on the DoD PPSM CAL list, this is a finding.
Turn off any ports, protocols, and services on the BEMS host-based firewall that are not on the DoD PPSM CAL list.
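The three firewall checks above (a host firewall is present and blocking by default, only the required ports/protocols/IP ranges are open, and nothing outside the PPSM CAL is allowed), as an added PowerShell example using the built-in NetSecurity cmdlets; it is not part of the STIG or of BlackBerry's documentation. The allow-list is an assumption for illustration: fill it from the STIG supplemental document or the BEMS documentation, and confirm each entry against the DoD PPSM CAL.

```powershell
# Added example (not from the STIG): audit Windows Defender Firewall on the BEMS host.
# The allow-list is assumed; 8082 is the Connect SSL port named in the STIG, the rest is illustrative.
$AllowedInbound = @(
    @{ Protocol = 'TCP'; Port = '8443' },   # assumed: BEMS web listener
    @{ Protocol = 'TCP'; Port = '8082' }    # BlackBerry Connect SSL port
)

function Test-FirewallProfiles {
    # Every profile must be enabled and must block inbound traffic that no rule explicitly allows.
    $findings = @()
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True')               { $findings += "Profile $($p.Name): firewall is disabled" }
        if ($p.DefaultInboundAction -ne 'Block') { $findings += "Profile $($p.Name): default inbound action is $($p.DefaultInboundAction)" }
    }
    return $findings
}

function Get-InboundAllowRules {
    # One object per enabled inbound allow rule, with its port and remote-address filters resolved.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        $rule = $_
        $pf = $rule | Get-NetFirewallPortFilter
        $af = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $rule.DisplayName
            Protocol      = $pf.Protocol
            LocalPorts    = @($pf.LocalPort)
            RemoteAddress = (@($af.RemoteAddress) -join ',')
        }
    }
}

function Test-FirewallRules {
    param($Allowed)
    $findings = @()
    foreach ($r in Get-InboundAllowRules) {
        foreach ($port in $r.LocalPorts) {
            # 'Any' and port ranges never match a single allow-list entry, so they surface as findings.
            $match = $Allowed | Where-Object { $_.Protocol -eq $r.Protocol -and $_.Port -eq $port }
            if (-not $match) {
                $findings += "Rule '$($r.Name)' allows $($r.Protocol)/$port from $($r.RemoteAddress): not on the allow-list"
            } elseif ($r.RemoteAddress -eq 'Any') {
                $findings += "Rule '$($r.Name)' allows $($r.Protocol)/$port from any address: scope it to the required IP ranges"
            }
        }
    }
    return $findings
}

$findings = @(Test-FirewallProfiles) + @(Test-FirewallRules -Allowed $AllowedInbound)
if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } } else { Write-Output 'Host firewall: no findings' }
```

Expect a long list on first run: Windows ships many enabled inbound rules (file sharing, remote management, ICMP) that BEMS does not need. Disable those with Disable-NetFirewallRule, and narrow the remaining BEMS rules with Set-NetFirewallRule -RemoteAddress to the documented ranges, until the script reports no findings.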
Verify BEMS has been configured to use only approved versions of TLS as follows: 1. Find the xml file "jetty.xml" located in the BEMS install directory on the BEMS host Windows server. 2. Find the "ExcludeProtocols" field. 3. Verify every unauthorized version of SSL and TLS (SSL, SSLv2, SSLv2Hello, SSLv3, TLSv1, TLSv1.1) is listed under "ExcludeProtocols" in the "jetty.xml" file, so that only TLS 1.2 or later can be negotiated. If BEMS has not been configured to use only approved versions of TLS, this is a finding.
Configure BEMS to use approved versions of TLS. 1. Find the xml file "jetty.xml" located in the BEMS install directory on the BEMS host Windows server. 2. Find the "ExcludeProtocols" field and add all unauthorized versions of SSL and TLS, so that the element reads:
<Set name="ExcludeProtocols">
  <Array type="java.lang.String">
    <Item>TLSv1</Item>
    <Item>TLSv1.1</Item>
    <Item>SSL</Item>
    <Item>SSLv2</Item>
    <Item>SSLv2Hello</Item>
    <Item>SSLv3</Item>
  </Array>
</Set>
3. Save the file. 4. Restart the BEMS server.
Verify BEMS has been configured to remove all export ciphers: 1. Find the xml file "jetty.xml" located in the BEMS install directory on the BEMS host Windows server. 2. Find the "AllowCiphersSuites" field. 3. Verify no export cipher suites (suite names containing "EXPORT") are listed in the "jetty.xml" file, and that only approved cipher suites are included. (See NIST SP 800-52r2 for the list of approved TLS cipher suites.) If BEMS has been configured to use export ciphers, this is a finding.
Configure BEMS to remove all export ciphers. 1. Find the xml file "jetty.xml" located in the BEMS install directory on the BEMS host Windows server. 2. Find the "AllowCiphersSuites" field and remove all cipher suites that are not approved. (See NIST SP 800-52r2 for the list of approved TLS cipher suites.) 3. Save the file. 4. Restart the BEMS server.
Verify BEMS is configured for Windows Authentication for the database connection as follows: In the Database Information dialog box, verify "Windows Authentication" is selected. If "Windows Authentication" is not selected for the BEMS database connection, this is a finding.
Set up Windows Authentication for the database connection on the BEMS console. In the Database Information dialog box, perform the following actions: 1. In the "Host" field, type the instance name of your SQL Server. 2. In the "Database" name field, type the name for the BEMS-Core database. 3. In the "Port" field, type the port number that connects to the SQL Server. 4. Select "Windows Authentication". 5. Click "Next".
Verify BEMS has been configured to use HTTPS as follows: 1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration". 2. Click "BlackBerry Dynamics". 3. In the Protocol drop-down list, verify "HTTPS" is selected. If HTTPS is not configured on BEMS, this is a finding.
Configure BEMS to use HTTPS as follows: 1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration". 2. Click "BlackBerry Dynamics". 3. In the Protocol drop-down list, select "HTTPS".
Verify a DoD SSL certificate has been installed on BEMS as follows: 1. Open the browser. 2. Browse to the BEMS dashboard. 3. Click the browser's certificate (padlock) indicator and view the certificate. 4. Verify the certificate is a DoD certificate (issued by a DoD CA, with the DoD CA shown as the issuer in the certification path; the auto-generated BEMS certificate is self-signed and does not meet this requirement). If the SSL certificate installed on BEMS is not a DoD certificate, this is a finding.
Replace the auto-generated BEMS SSL certificate with a DoD certificate as follows: 1. Generate a CSR request and obtain a certificate from the DoD CA. 2. Import the certificate into the BEMS keystore. 3. Update the certificate passwords in BEMS.
Verify the BEMS inactivity timeout is set to 15 minutes or less as follows: 1. Find the xml file "jetty.xml" located in the BEMS install directory on the BEMS host Windows server. 2. Find the "maxIdleTime" field. (Note: "idleTimeout" may be the field name, depending on the version of BEMS.) 3. Verify it is set to 900 or less (seconds). (Note: the time may be in milliseconds, depending on the version of BEMS. In this case, the value is 900000.) If the BEMS inactivity timeout is not set to 15 minutes (900 seconds) or less, this is a finding.
Configure BEMS with an inactivity timeout of 15 minutes or less. 1. Find the xml file "jetty.xml" located in the BEMS install directory on the BEMS host Windows server. 2. Find the "maxIdleTime" field and set it to 900 or less (seconds). (Note: "idleTimeout" may be the field name and the time may be in milliseconds, depending on the version of BEMS. In this case, the value is 900000.) 3. Save the file. 4. Restart the BEMS server.
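The three jetty.xml checks on this page (the "ExcludeProtocols" list, the "AllowCiphersSuites" list, and the "maxIdleTime"/"idleTimeout" value) share the same file parsing, so here they are combined into one added PowerShell example; it is not part of the STIG or of BlackBerry's documentation. The file path is an assumption, as is the Set/Array/Item layout for "AllowCiphersSuites" and the value-or-Property layout for the timeout field; the protocol names come from the STIG fix text. The file is loaded with DTD processing disabled so the DOCTYPE that Jetty configuration files carry is never fetched from the network.

```powershell
# Added example (not from the STIG): audit jetty.xml for TLS protocols, cipher suites and idle timeout.
$JettyXml = 'C:\Program Files\BlackBerry\BEMS\Jetty\etc\jetty.xml'   # assumed path; locate the real one

# Protocol names that must be present in ExcludeProtocols (from the STIG fix text).
$RequiredExcluded = @('SSL', 'SSLv2', 'SSLv2Hello', 'SSLv3', 'TLSv1', 'TLSv1.1')
# Suite-name fragments that are never approved: export grade, NULL, anonymous, RC4, DES/3DES, MD5.
$BadSuitePattern  = '_EXPORT|_NULL_|_anon_|RC4|3DES|DES_CBC|_MD5'
$MaxIdleSeconds   = 900

function Read-JettyXml {
    param([string]$Path)
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Ignore   # do not resolve the external DTD
    $settings.XmlResolver   = $null
    $reader = [System.Xml.XmlReader]::Create($Path, $settings)
    try {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($reader)
        return $doc
    } finally { $reader.Close() }
}

function Get-JettySetItems {
    # Returns the <Item> strings of <Set name="..."><Array><Item>...</Item></Array></Set> (assumed layout).
    param([System.Xml.XmlDocument]$Doc, [string]$SetName)
    $nodes = $Doc.SelectNodes("//Set[@name='$SetName']/Array/Item")
    return @($nodes | ForEach-Object { $_.InnerText.Trim() })
}

function Test-JettyTls {
    param([System.Xml.XmlDocument]$Doc)
    $findings = @()
    $excluded = Get-JettySetItems -Doc $Doc -SetName 'ExcludeProtocols'
    foreach ($p in $RequiredExcluded) {
        if ($excluded -notcontains $p) { $findings += "ExcludeProtocols does not list $p" }
    }
    $suites = Get-JettySetItems -Doc $Doc -SetName 'AllowCiphersSuites'   # field name as given in the STIG
    foreach ($s in $suites) {
        if ($s -match $BadSuitePattern) { $findings += "Unapproved cipher suite allowed: $s" }
    }
    return $findings
}

function Test-JettyIdleTimeout {
    param([System.Xml.XmlDocument]$Doc)
    # Older builds use maxIdleTime, newer ones idleTimeout; the value may be literal text or a
    # <Property default="..."/> child, and newer builds express it in milliseconds.
    foreach ($name in 'idleTimeout', 'maxIdleTime') {
        $node = $Doc.SelectSingleNode("//Set[@name='$name']")
        if ($null -eq $node) { continue }
        $raw = if ($node.Property) { $node.Property.default } else { $node.InnerText.Trim() }
        $value = [double]$raw
        $seconds = if ($value -gt 10000) { $value / 1000 } else { $value }   # assumption: >10000 means milliseconds
        if ($seconds -gt $MaxIdleSeconds) { return "$name = $raw (about $seconds s) exceeds $MaxIdleSeconds s" }
        return $null
    }
    return 'Neither maxIdleTime nor idleTimeout is set in jetty.xml'
}

$doc = Read-JettyXml -Path $JettyXml
$findings = @(Test-JettyTls -Doc $doc) + @(Test-JettyIdleTimeout -Doc $doc) | Where-Object { $_ }
if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } } else { Write-Output 'jetty.xml: no findings' }
```

A clean run only proves the file is right; the BEMS service must be restarted for jetty.xml changes to take effect, so pair this with a live handshake check against the listener (for example, confirming a TLS 1.0 client is refused) before closing the finding.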
This requirement is not applicable if the Mail service (Push Notifications support for BlackBerry Work) is not enabled on BEMS. Verify the mail service in BEMS is configured for Windows Authentication for the database connection as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". 2. Click "Database". 3. In the "Server" field, verify the Microsoft SQL Server host name and instance are correct. 4. In the "Database" field, verify the database name is correct. 5. In the Windows Authentication drop-down list, verify "Windows Authentication" is selected. If "Windows Authentication" is not selected for the mail service database connection, this is a finding.
Set up Windows Authentication for the database connection for the mail service in BEMS: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". 2. Click "Database". 3. In the "Server" field, type the Microsoft SQL Server host name and instance. 4. In the "Database" field, type the database name. 5. In the Windows Authentication drop-down list, select "Windows Authentication". 6. Click "Save".
This requirement is not applicable if the Mail service (Push Notifications support for BlackBerry Work) is not enabled on BEMS. Verify Windows Integrated Authentication for the Exchange connection for the Mail service has been set up in BEMS as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". 2. Click "Microsoft Exchange". 3. Under "Enter Service Account Details", verify "Use Windows Integrated Authentication" has been selected. If Windows Integrated Authentication for the Exchange connection for the Mail service has not been set up in BEMS, this is a finding.
Set up Windows Integrated Authentication for the Exchange connection for the Mail service in BEMS: 1. Log on to BEMS with the service account that will be configured. 2. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". 3. Click "Microsoft Exchange". 4. Under "Enter Service Account Details", select the "Use Windows Integrated Authentication" check box. 5. Click "Save".
This requirement is not applicable if the Mail service (Push Notifications support for BlackBerry Work) is not enabled on BEMS. Verify Enable SSL LDAP for LDAP Lookup for users for the Mail service is configured in BEMS as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". 2. Click "User Directory Lookup". 3. If the "Enable LDAP Lookup" has been selected, verify the "Enable SSL LDAP" check box is also selected. When LDAP Lookup for user has been configured on BEMS, if Enable SSL LDAP is not configured, this is a finding.
Enable SSL LDAP when using LDAP Lookup for users for the Mail service in BEMS as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". 2. Click "User Directory Lookup". 3. Select the "Enable LDAP Lookup" check box. 4. Select the "Enable SSL LDAP" check box. 5. Click "Save".
This requirement is not applicable if the Mail service (Push Notifications support for BlackBerry Work) is not enabled on BEMS. Verify Enable SSL LDAP for LDAP Lookup for certificates for the Mail service is configured in BEMS as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". 2. Click "Certificate Directory Lookup". 3. If "Enable LDAP Lookup" has been selected, verify the "Enable SSL LDAP" check box is also selected. When LDAP Lookup for certificates has been configured on BEMS, if Enable SSL LDAP is not configured, this is a finding.
Enable SSL LDAP when using LDAP Lookup for certificates for the Mail service in BEMS as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Mail". 2. Click "Certificate Directory Lookup". 3. Select the "Enable LDAP Lookup" check box. 4. Select the "Enable SSL LDAP" check box. 5. Click "Save".
This requirement is not applicable if the BlackBerry Connect service is not enabled on BEMS. Verify the BlackBerry Connect service in BEMS is configured for Windows Authentication for the database connection as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Connect". 2. Click "Database". 3. In the "Database" field, verify the database name is correct. 4. In the Windows Authentication drop-down list, verify "Windows Authentication" is selected. If "Windows Authentication" is not selected for the BlackBerry Connect database connection, this is a finding.
Set up Windows Authentication for the database connection for the BlackBerry Connect service in BEMS: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Connect". 2. Click "Database". 3. In the "Database" field, type the database name. 4. In the Windows Authentication drop-down list, select "Windows Authentication". 5. Click "Save".
This requirement is not applicable if the BlackBerry Connect service is not enabled on BEMS. Verify SSL is enabled for the BlackBerry Connect service and a DoD certificate is used as follows: 1. Browse to FQDN of the BEMS Connect server(s) on port 8082. 2. Click on the SSL certificate to verify it has been issued by the DoD CA. 3. Repeat steps 1 and 2 for each BEMS server that has the Connect service added to it. If SSL is not enabled for BlackBerry Connect and if the SSL certificate is not a DoD CA issued certificate, this is a finding.
Configure BlackBerry Connect to enable SSL with a DoD certificate. 1. Submit a CSR request to the DoD CA. 2. Import the DoD certificate to the computer that hosts BEMS. 3. Bind the SSL certificate to the Connect SSL port. 4. Add the new certificate information to the BEMS configuration file. 5. Configure BlackBerry Connect to send requests over SSL. 6. Configure Connect to use SSL with BlackBerry Proxy.
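The certificate checks on this page (the BEMS dashboard certificate and the BlackBerry Connect certificate on port 8082, and by extension the LDAPS endpoints the Mail and Docs lookups must use) can be done from the command line instead of a browser. The PowerShell below is an added example, not part of the STIG or of BlackBerry's documentation: it completes a TLS handshake, pulls the server certificate, builds its chain and reports whether a DoD CA issued it. Host names and the dashboard port are assumptions; the test relies on the DoD PKI naming convention (issuer DN containing "OU=DoD, O=U.S. Government").

```powershell
# Added example (not from the STIG): probe TLS listeners and report whether a DoD CA issued the certificate.
$Targets = @(
    @{ Host = 'bems01.example.mil'; Port = 8443 },   # BEMS dashboard (assumed port)
    @{ Host = 'bems01.example.mil'; Port = 8082 },   # BlackBerry Connect SSL port (from the STIG)
    @{ Host = 'dc01.example.mil';   Port = 636  }    # LDAPS on the directory used for user/certificate lookup
)

function Get-TlsCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($HostName, $Port)
    try {
        # Accept whatever is presented during the probe; the chain is evaluated explicitly afterwards.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) return $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $cert
    } finally { $client.Close() }
}

function Test-DoDIssued {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL reachability is a separate check
    $built = $chain.Build($Cert)
    $names = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) + $Cert.Issuer
    # Assumed DoD PKI naming: issuing and root CAs carry OU=DoD and O=U.S. Government in their DN.
    $dod = $names | Where-Object { $_ -match 'OU=DoD' -and $_ -match 'O=U\.S\. Government' }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        NotAfter   = $Cert.NotAfter
        ChainBuilt = $built
        SelfSigned = ($Cert.Subject -eq $Cert.Issuer)
        DoDIssued  = [bool]$dod
    }
}

foreach ($t in $Targets) {
    $r = Test-DoDIssued -Cert (Get-TlsCertificate -HostName $t.Host -Port $t.Port)
    $status = if ($r.DoDIssued -and -not $r.SelfSigned) { 'OK' } else { 'FINDING' }
    Write-Output ("{0} {1}:{2} subject='{3}' issuer='{4}' chainBuilt={5} expires={6:yyyy-MM-dd}" -f
        $status, $t.Host, $t.Port, $r.Subject, $r.Issuer, $r.ChainBuilt, $r.NotAfter)
}
```

A self-signed result on 8443 or 8082 is the auto-generated BEMS certificate that the fix text replaces. ChainBuilt=False with DoDIssued=True usually means the DoD root and intermediate CAs are not in the host's trust store yet, which will also break clients once the DoD certificate is bound; install the DoD PKI CA certificates on the server and re-run.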
This requirement is not applicable if the BlackBerry Docs service is not enabled on BEMS. Verify the BlackBerry Docs service in BEMS is configured for Windows Authentication for the database connection as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Docs". 2. Click "Database". 3. In the "Database" field, verify the database name is correct. 4. In the Windows Authentication drop-down list, verify "Windows Authentication" is selected. If "Windows Authentication" is not selected for the BlackBerry Docs database connection, this is a finding.
Set up Windows Authentication for the database connection for the BlackBerry Docs service in BEMS: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Docs". 2. Click "Database". 3. In the "Database" field, type the database name. 4. In the Windows Authentication drop-down list, select "Windows Authentication". 5. Click "Save".
This requirement is not applicable if the BlackBerry Docs service is not enabled on BEMS. Verify NTLM authentication is enabled for the BlackBerry Docs service as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration" (labelled "Good Services Configuration" in older BEMS releases), click "Docs". 2. Click "Web Proxy". 3. Verify "Use Web Proxy" is selected. 4. In the Proxy Server Authentication Type drop-down list, verify "NTLM authentication" is selected. If NTLM authentication is not enabled for the BlackBerry Docs service, this is a finding.
Configure NTLM authentication for the BlackBerry Docs service as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration" (labelled "Good Services Configuration" in older BEMS releases), click "Docs". 2. Click "Web Proxy". 3. Select the "Use Web Proxy" check box. 4. In the Proxy Server Authentication Type drop-down list, select "NTLM authentication". 5. Click "Save".
This requirement is not applicable if the BlackBerry Docs service is not enabled on BEMS. Verify the BlackBerry Docs service is configured to use SSL for LDAP Lookup to connect to the Office Web App Server (e.g., SharePoint) as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Docs". 2. Click "Settings". 3. Verify "Use SSL for LDAP" is selected. If SSL for LDAP is not enabled for the BlackBerry Docs service, this is a finding.
This requirement is not applicable if the BlackBerry Docs service is not enabled on BEMS. Configure the BlackBerry Docs service to use SSL for LDAP Lookup to connect to the Office Web App Server (e.g., SharePoint) as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Docs". 2. Click "Settings". 3. Select the "Enable Kerberos Constrained Delegation" check box to allow Docs to use Kerberos constrained delegation. 4. Enter each of the Microsoft SharePoint Online domains you plan to make available. 5. Enter the URL for your approved Office Web App Server. 6. Provide your Microsoft Active Directory user domains (separated by commas) and then enter the corresponding LDAP Port. 7. Select the "Use SSL for LDAP" check box. 8. Click "Save".
This requirement is not applicable if the BlackBerry Docs service is not enabled on BEMS. Verify audit logging is enabled for the BlackBerry Docs service as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Docs". 2. Click "Audit". 3. On the "Audit Settings" tab, verify "Enable Audit Logs" is selected. If audit logging is not enabled for the BlackBerry Docs service, this is a finding.
Enable audit logging for the BlackBerry Docs service as follows: 1. In the BEMS Dashboard, under "BlackBerry Services Configuration", click "Docs". 2. Click "Audit". 3. On the "Audit Settings" tab, select the "Enable Audit Logs" check box. 4. Click "Save".