BlackBerry Enterprise Server (version 5.x), Part 2 Security Technical Implementation Guide

U_BlackBerry_Enterprise_Server_5-X_Part2_V2R8_Manual-xccdf.xml

Version/Release: V2R8
Published: 2015-07-02
BlackBerry Enterprise Server (version 5.x) STIG, Part 2 in XCCDF format. Part 1: BES architecture and training requirements. Part 2: BES configuration requirements. Part 3: BES IT Policy configuration requirements.
Each entry below gives the Rule ID, STIG version ID, severity, title and description, followed by the responsible roles and the DoDI 8500.2 IA control the rule maps to. No CCI is listed for any rule in this release.

Rule: SV-7462r3_rule | Version: WIR1305-01 | Severity: MEDIUM
Title: The BlackBerry MDS Integration Service must not be installed on a production BES.
Description: The BlackBerry Enterprise Server MDS Integration Service is a software development platform and must not be installed on a production BES. If not properly configured, the service can allow unsecured connections between the BlackBerry device and the BES, and between the BES and back-office run-time application servers.
Responsibility: System Administrator, Information Assurance Officer
IA Control: ECSC-1

Rule: SV-12377r3_rule | Version: WIR1330-01 | Severity: LOW
Title: The Device Transport Key must be configured on the BES for AES encryption.
Description: AES encryption provides a higher level of security for BlackBerry data.
Responsibility: System Administrator, Information Assurance Officer
IA Control: ECSC-1

Rule: SV-14633r3_rule | Version: WIR1300-01 | Severity: HIGH
Title: The BlackBerry wireless email system must be set up with the required system components and software installed on the handheld device.
Description: The wireless email server architecture must comply with DoD requirements; approval of the BES is contingent on its being installed with the correct settings. DoD enclaves could be at risk of penetration, or DoD data could be compromised, if the BES is not installed as required.
Responsibility: Information Assurance Officer
IA Control: ECSC-1

Rule: SV-17334r3_rule | Version: WIR1310-01 | Severity: HIGH
Title: An Application White List software configuration must be assigned to all BES user accounts.
Description: The primary BlackBerry malware control is to set up one or more Application White List software configurations on the BES. Every user and group account must be assigned at least one Application White List software configuration. In an Application White List, the use of all non-core applications is denied unless an application is expressly allowed.
Responsibility: Information Assurance Officer, System Administrator
IA Control: ECSC-1

Rule: SV-17336r3_rule | Version: WIR1315-01 | Severity: MEDIUM
Title: The BES must be configured to disable its capability to proxy a user's authentication to back-office application, web, and content servers.
Description: Users must authenticate directly to back-office servers using a method authorized by USCYBERCOM CTO 07-15Rev1. User authentication credentials must not be proxied by the BES, because the BES would then be storing DoD user credentials in its database.
Responsibility: System Administrator, Information Assurance Officer
IA Control: ECSC-1

Rule: SV-19929r4_rule | Version: WIR1335-01 | Severity: LOW
Title: The BES must be configured to convert HTML and RTF formatted email into text format before sending it to a BlackBerry smartphone, and to prevent the BES from sending email messages with inline images to BlackBerry smartphones.
Description: HTML email and inline images in email can contain malware or links to web sites hosting malware.
Responsibility: System Administrator, Information Assurance Officer
IA Control: ECWN-1

Rule: SV-21031r3_rule | Version: WIR1300-02 | Severity: HIGH
Title: The BES host-based or appliance firewall must be configured as required.
Description: A BlackBerry user could gain access to unauthorized network resources (application and content servers, etc.) if the BES firewall is not set up as required.
Responsibility: System Administrator, Information Assurance Officer
IA Control: ECSC-1

Rule: SV-21090r3_rule | Version: WIR1315-03 | Severity: LOW
Title: The BES must be configured to accept only trusted connections to back-office enclave application or web push servers.
Description: Push servers are set up to push content to BlackBerry users (e.g., a Remedy ticket notification system). Only authorized servers should be able to push content to BlackBerry devices.
Responsibility: System Administrator
IA Control: ECSC-1

Rule: SV-21091r3_rule | Version: WIR1310-04 | Severity: LOW
Title: Non-core applications used on the BlackBerry must be approved.
Description: Unapproved applications could contain malware or introduce other vulnerabilities into the BlackBerry system and the enclave.
Responsibility: System Administrator
IA Control: ECSC-1

Rule: SV-21092r3_rule | Version: WIR1310-03 | Severity: MEDIUM
Title: An Application Control Policy must be assigned to each application listed in any Application White List software configuration assigned to user accounts on the BES.
Description: Note: This check applies to BES 4.1.x only. On BES 5, an application control policy is automatically assigned when an application is selected for a software configuration. Applications must only have access to the BlackBerry resources (e.g., microphone, address book, browser, email messages) they need for their function; otherwise, sensitive data could be exposed to unauthorized users or the BlackBerry system could be compromised.
Responsibility: Information Assurance Officer, System Administrator
IA Control: none listed

Rule: SV-21095r3_rule | Version: WIR1315-02 | Severity: MEDIUM
Title: Security controls must be set up on the BES for connections to "back-office" servers.
Description: Strong access controls on back-office servers are required to ensure DoD data is not exposed to users of the BlackBerry system who are not authorized to access the server.
Responsibility: System Administrator
IA Control: ECSC-1

Rule: SV-21104r3_rule | Version: WIR1320-01 | Severity: MEDIUM
Title: The BlackBerry Bluetooth Smart Card Reader (SCR) used with site PCs must be compliant with requirements.
Description: An insecure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.
Responsibility: System Administrator, Information Assurance Officer
IA Control: ECWN-1

Rule: SV-21113r3_rule | Version: WIR1325-01 | Severity: LOW
Title: Required security controls must be used when BlackBerry Wi-Fi is used by the site to connect to a DoD Wi-Fi network.
Description: The required security controls are listed in Table 2, BlackBerry STIG Configuration Tables. If the BlackBerry Wi-Fi controls are not implemented, DoD data can be compromised.
Responsibility: System Administrator
IA Control: ECWN-1

Rule: SV-21115r3_rule | Version: WIR1340-01 | Severity: HIGH
Title: BlackBerry accounts must not be assigned to the default IT policy on the BES or to any other non-STIG-compliant IT policy. Accounts will only be assigned a STIG-compliant IT policy.
Description: The BlackBerry default policy on the BES does not include many DoD-required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data exposure and hacker attack if users are assigned the default (or another non-STIG-compliant) IT policy.
Responsibility: System Administrator
IA Control: ECSC-1

Rule: SV-25372r3_rule | Version: WIR1310-02 | Severity: HIGH
Title: Each Application White List software configuration assigned to each user account must be configured with a top-level default of "disallow" for all applications. Applications must be specifically allowed at a lower level.
Description: The primary BlackBerry malware control is to set up an Application White List in which the use of all applications is denied unless an application is expressly allowed. Otherwise, malware could be installed on the BlackBerry.
Responsibility: Information Assurance Officer, System Administrator
IA Control: ECSC-1

Rule: SV-25491r2_rule | Version: WIR1345-01 | Severity: MEDIUM
Title: Application repositories set up on the BES must be DoD-approved.
Description: A DoD application repository must contain only authorized applications, and only approved and unaltered versions of those applications. If DoD-approved application repositories are not used, the integrity of the applications in the repository is unknown.
Responsibility: System Administrator, Information Assurance Officer
IA Control: ECWN-1

Rule: SV-25492r3_rule | Version: WIR1350-01 | Severity: MEDIUM
Title: All user and group accounts must have an Access Control Rule assigned to the account.
Description: The BES MDS Connection Service allows BlackBerry users to search the enclave for files and documents of interest without any authentication to the enclave. The access control requirements of the network can therefore be bypassed.
Responsibility: System Administrator, Information Assurance Officer
IA Control: ECWN-1

Rule: SV-25547r3_rule | Version: WIR1355-01 | Severity: MEDIUM
Title: The BlackBerry Administration Server (BAS) must be configured for Active Directory authentication with a CTO 07-15Rev1-compliant administrator password.
Description: The BAS provides the administrator interface for the BES. CTO 07-15Rev1 requires that administrator accounts use either CAC authentication or complex passwords to ensure strong access control is enforced.
Responsibility: System Administrator, Information Assurance Officer
IA Control: ECWN-1

Rule: SV-25764r3_rule | Version: WIR1355-02 | Severity: LOW
Title: The key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use must be changed from the default.
Description: The key store password protects the server's digital authentication certificates from unauthorized use.
Responsibility: Information Assurance Officer, System Administrator
IA Control: ECWN-1

Rule: SV-25765r3_rule | Version: WIR1365-01 | Severity: LOW
Title: The BlackBerry Administration Service must be configured to prevent a user from creating an activation password via BWDM.
Description: The overall security posture of the BlackBerry system depends on strict configuration management controls, including ensuring that only authorized BlackBerry devices are used and that authorized devices are provisioned as required. Users must be prohibited from performing the following administrative tasks using the BlackBerry Web Desktop Manager:
- Specify an enterprise activation password for a BlackBerry device.
- Specify a new device password and lock a device.
- Delete all device data and deactivate a device.
- Assign a new device to a user account.
Responsibility: System Administrator
IA Control: ECWN-1

Rule: SV-27296r3_rule | Version: WIR1350-02 | Severity: MEDIUM
Title: All Access Control Rules assigned to user and group accounts must be configured to deny access to all file shares.
Description: The BES MDS Connection Service allows BlackBerry users to search the enclave for files and documents of interest without any authentication to the enclave. The access control requirements of the network can therefore be bypassed.
Responsibility: Information Assurance Officer, System Administrator
IA Control: ECWN-1

Rule: SV-31616r3_rule | Version: WIR1365-02 | Severity: MEDIUM
Title: BlackBerry Web Desktop Manager must be configured to disable a user's capability to perform self-service tasks.
Description: The overall security posture of the BlackBerry system depends on strict configuration management controls, including ensuring that only authorized BlackBerry devices are used and that authorized devices are provisioned as required. When this configuration is not set as required, users may be able to activate unauthorized BlackBerry devices.
Responsibility: System Administrator
IA Control: ECWN-1

Rule: SV-31617r3_rule | Version: WIR1365-03 | Severity: MEDIUM
Title: BlackBerry Web Desktop Manager must be configured to permit users to activate new BlackBerry devices only.
Description: The overall security posture of the BlackBerry system depends on strict configuration management controls, including ensuring that only authorized BlackBerry devices are used and that authorized devices are provisioned as required. When this configuration is not set as required, users may be able to activate unauthorized BlackBerry devices.
Responsibility: System Administrator
IA Control: ECWN-1

Rule: SV-31764r3_rule | Version: WIR1355-03 | Severity: LOW
Title: The server PKI digital certificate installed on the BES to support BAS and BWDM authentication must be a DoD PKI-issued certificate. A self-signed certificate will not be used.
Description: When a self-signed PKI certificate is used, a rogue BES can impersonate the DoD BES during SA connections to the BlackBerry Administration Service (BAS), or when a BlackBerry user uses BlackBerry Web Desktop Manager (BWDM) to connect to the BAS. In addition, DoDI 8520.02 requires that PKI certificates come from a trusted DoD PKI.
Responsibility: none listed
IA Control: IATS-1
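WIR1335-01 above requires the BES to deliver mail as plain text with inline images stripped. The following Python is an added illustration of what that conversion involves at a mail gateway; it is not BES code and not part of this STIG. It assumes a standard MIME message as input, treats any image part or any part carrying a Content-ID as an inline image and drops it, reduces text/html parts to their visible text (discarding script and style content), and, since RTF-to-text conversion is out of scope here, replaces RTF parts with a placeholder count. The sample message is constructed for the example.

```python
"""Flatten an email to a single text/plain part and drop inline images.

Added example, not BES code.  Assumptions: standard MIME input; image parts
and parts with a Content-ID are treated as inline images; RTF parts are
counted and replaced by a placeholder rather than converted.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Keep rendered text; discard tags, and all <script>/<style> content."""

    def __init__(self):
        super().__init__()
        self._chunks = []
        self._skip = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ("br", "p", "div", "li", "tr"):
            self._chunks.append("\n")  # block-level tags become line breaks

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self._chunks.append(data)

    def text(self):
        return re.sub(r"\n{3,}", "\n\n", "".join(self._chunks)).strip()


def html_to_text(html):
    """Return the visible text of an HTML fragment, no markup or scripts."""
    p = _TextExtractor()
    p.feed(html)
    p.close()
    return p.text()


def flatten_to_text(raw):
    """Return (EmailMessage with a text/plain body only, images dropped count)."""
    src = message_from_string(raw, policy=policy.default)
    plain, html, rtf, dropped = [], [], 0, 0
    for part in src.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if part.get_content_maintype() == "image" or part["Content-ID"]:
            dropped += 1  # inline image: never forwarded to the device
        elif ctype == "text/plain":
            plain.append(part.get_content())
        elif ctype == "text/html":
            html.append(html_to_text(part.get_content()))
        elif ctype in ("text/rtf", "application/rtf"):
            rtf += 1  # assumption: RTF is not converted, only reported
        # other attachments are left to the site's attachment policy
    body = "\n".join(plain) if plain else "\n".join(html)
    if rtf:
        body += "\n[%d rich-text part(s) removed]" % rtf
    out = EmailMessage(policy=policy.default)
    for h in ("From", "To", "Subject", "Date", "Message-ID"):
        if src[h]:
            out[h] = str(src[h])
    out.set_content(body)  # single text/plain part, 7-bit clean
    return out, dropped


# Constructed sample: HTML body with a script and a cid: inline image.
SAMPLE = """\
From: alice@example.mil
To: bob@example.mil
Subject: Weekly status
Message-ID: <constructed-1@example.mil>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="rel"

--rel
Content-Type: text/html; charset="utf-8"

<html><body><p>Status is <b>green</b>.</p>
<script>document.location='http://bad.example'</script>
<p><img src="cid:chart1">See chart.</p></body></html>
--rel
Content-Type: image/png
Content-ID: <chart1>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--rel--
"""

if __name__ == "__main__":
    msg, n = flatten_to_text(SAMPLE)
    print("dropped %d image part(s)" % n)
    print(msg)
```

Run against the sample, the result is one text/plain part whose body is the visible sentence text only: the script content is gone, the image part is dropped, and the cid: reference it was attached to no longer exists, which is the property the rule is after (nothing active or embedded reaches the device). If a text/plain alternative is present, it is preferred over converting the HTML.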