BlackBerry Enterprise Server (version 5.x), Part 1 Security Technical Implementation Guide

  • Version/Release: V2R8
  • Published: 2015-07-02
  • Released: 2015-07-24

BlackBerry Enterprise Server (version 5.x) STIG, Part 1 in XCCDF format. Part 1: BES architecture and training requirements. Part 2: BES configuration requirements. Part 3: BES IT Policy configuration requirements.
Onset Technologies METAmessage software must not be installed on DoD BlackBerry devices or on the BES.
High - V-11870 - SV-12370r3_rule
  • RMF Control:
  • Severity: High
  • CCI:
  • Version: WIR1050-01
  • Vuln IDs: V-11870
  • Rule IDs: SV-12370r3_rule

Onset Technologies METAmessage software is production software which may introduce a virus or other malicious code on the system. This software is not approved for use on DoD systems.

Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECWN-1
Checks: C-11491r4_chk

Perform the following procedures on the BES and a sample of BlackBerry devices (use 2-3 devices for a random sample) as appropriate.

Check a sample of BlackBerry devices (Settings >> Options >> Advanced Options >> Applications) to ensure the METAmessage application is not loaded on the BlackBerry device.

On the BES, have the BlackBerry Administrator show that the BES Application White List does not contain the application. This review should be performed at the same time checks WIR1310-01, WIR1310-02, and WIR1310-03 are reviewed so work is not duplicated. View the list of applications in 3-4 sample Application White List software configurations assigned to users. Verify METAmessage is not listed.

The METAmessage application allows the user to open and create Microsoft Office files, such as MS Word or Excel attachments or documents. These documents can then be sent via email, saved, or printed. This application presents a security risk and is not allowed for use in DoD. Verify this software application is not used by interviewing the ISSO or reviewing a sampling of the devices.

Fix: F-23346r1_fix

Remove Onset Technologies METAmessage software installed on DoD BlackBerry devices or on the BES.

Only the BlackBerry Enterprise Server (BES) email solution must be used.
High - V-14021 - SV-14632r3_rule
  • RMF Control:
  • Severity: High
  • CCI:
  • Version: WIR1200-01
  • Vuln IDs: V-14021
  • Rule IDs: SV-14632r3_rule

If the required BlackBerry system is not used, DoD networks are at risk of being penetrated or DoD data could be exposed.

Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-11486r4_chk

Detailed Policy Requirements: Only the BlackBerry Enterprise Server (BES) email solution must be used in the DoD. The BlackBerry Desktop Redirector, BlackBerry Connect, BlackBerry Express, and BlackBerry Professional Services Software are not authorized for use.

Note: The purpose of this requirement is to ensure a STIG compliant IT policy is enforced on all DoD BlackBerry devices. This requirement applies to the DoD (primary) email account received on the BlackBerry device. All DoD BlackBerry devices must be managed via a STIG-compliant IT policy pushed from a BES. Required/approved versions of the BES are as follows: BES 5.0.4 (or later version).

Note: An Authorizing Official (AO) may authorize users to connect BlackBerry devices to additional, secondary email accounts (e.g., Verizon email) based on mission needs. Use IT Policy rule Allow Other Message Services, Service Exclusivity policy group to control connections to secondary email accounts.

Check Procedures: Interview ISSO and BlackBerry system administrator.
  • Verify the BES is part of the site’s BlackBerry architecture and the site uses a BES to manage site BlackBerry devices.
  • Verify BES Express is not used.

Interview BES admin.
  • Determine if the site authorizes users to connect BlackBerry devices to additional, secondary or personal email accounts (e.g., Verizon email, BlackBerry Internet Service (BIS)) based on mission needs. If yes, verify the AO (or designee) has approved this service. Ask to see documentation of AO approval.

Fix: F-23356r1_fix

Only the BlackBerry Enterprise Server (BES) email solution is used.

Any services installed with the BES (for example IIS, SQL, Apache Web Server, etc.) must be reviewed for STIG compliance in accordance with the appropriate SQL, Apache Web Server, or IIS STIGs.
Medium - V-14199 - SV-14810r4_rule
  • RMF Control:
  • Severity: Medium
  • CCI:
  • Version: WIR1210-01
  • Vuln IDs: V-14199
  • Rule IDs: SV-14810r4_rule

The server must be compliant with the SQL STIG, Apache Web Server STIG, and/or IIS STIG to ensure the system is not vulnerable to attack resulting in a Denial of Service or compromise of the wireless email server. Note: Some of these services are optional and may not be installed on a specific host server during the BES installation.

Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1
Checks: C-11534r5_chk

Work with the OS reviewer or check VMS for the last review of each host BES computer asset. The review should include any services installed on the host server when the BES is installed (for example: SQL server, Apache Web Server, etc.).

Note: Some of these services are optional and may not be installed on a specific host server during the BES installation. SQL is an optional install when the BES is installed, while Apache Web Server is a required install. The review must also include an Apache Web Server review if BES 5.0 or later is used. (The BlackBerry Administration Service (BAS) on BES 5.x includes an Apache Web Server.)

Verify there are no outstanding CAT I findings associated with each server installed when the BES is installed.

Note: If IIS is installed on the server, an IIS review must also be performed.
  a. IIS is required for the Exchange ESM. If a site uses the new MAPI/CDO Tools from Microsoft, then IIS is not required. See http://www.microsoft.com/downloads/details.aspx?familyid=E17E7F31-079A-43A9-BFF2-0A110307611E&displaylang=en.
  b. IIS is not required for BlackBerry Enterprise Server.

If required reviews have not been performed during an SRR or site self-check, this is a finding.

Fix: F-23359r2_fix

The host server where the BlackBerry Enterprise Server (BES) is installed is reviewed in accordance with the appropriate SQL, Apache Web Server, and IIS STIGs if these services are installed when the BES is installed.

Required version of the BlackBerry Enterprise Server (BES) must be installed.
High - V-19191 - SV-21030r3_rule
  • RMF Control:
  • Severity: High
  • CCI:
  • Version: WIR1200-02
  • Vuln IDs: V-19191
  • Rule IDs: SV-21030r3_rule

Earlier versions of the BES have security vulnerabilities. CYBERCOM IAVA directs all DoD installations to upgrade to the required version because BlackBerry ended support for versions 4.1.6 and 4.1.7 as of 2 July 2011.

Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-23118r3_chk

Interview ISSO and BlackBerry system administrator. Verify the BES is one of the required/approved versions. Required/approved versions of the BES are: BES 5.0.4 (or later version). From the BlackBerry Manager, select "Help" to view the version number.

Fix: F-23357r2_fix

The BlackBerry Enterprise Server (BES) version is 5.0.4 or later.