BlackBerry Enterprise Server (version 5.x), Part 2 Security Technical Implementation Guide

  • Version/Release: V2R8
  • Published: 2015-07-02
  • Released: 2015-07-24
BlackBerry Enterprise Server (version 5.x) STIG, Part 2 in XCCDF format. Part 1: BES architecture and training requirements. Part 2: BES configuration requirements. Part 3: BES IT Policy configuration requirements.
The BlackBerry MDS Integration Service must not be installed on a production BES.
Medium - V-7078 - SV-7462r3_rule
  • Severity: Medium
  • Version: WIR1305-01
  • Vuln IDs: V-7078
  • Rule IDs: SV-7462r3_rule
The BlackBerry Enterprise Server MDS Integration Service is a software development platform and should not be installed on a production BES. If not properly configured, the service can allow unsecured connections between the BlackBerry device and the BES and between the BES and back-office run-time application servers. Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECSC-1.
Checks: C-17396r3_chk

Detailed Policy Requirements: The MDS Integration Service must not be installed on a production BES. It should be installed only on a development or test BES when required for software development.

Check Procedures: Check whether the BlackBerry MDS Integration Service is installed on the production BES by looking at the left side of the BlackBerry Administration Service (BAS): Servers and components >> BlackBerry Solution topology >> BlackBerry Domain >> Component view. See if "MDS Integration Service" is listed as installed.

Fix: F-23363r1_fix

The BlackBerry MDS Integration Service will not be installed on the BES.

The Device Transport Key must be configured on the BES for AES encryption.
Low - V-11877 - SV-12377r3_rule
  • Severity: Low
  • Version: WIR1330-01
  • Vuln IDs: V-11877
  • Rule IDs: SV-12377r3_rule
AES encryption provides a higher level of security for BlackBerry data. Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECSC-1.
Checks: C-26018r3_chk

Work with the BlackBerry SA to view the BES configuration setting. In the Supported Encryption Algorithms section, verify that "AES" or "Triple DES and AES" is selected.
- BAS >> Servers and components menu >> BlackBerry solution topology >> BlackBerry Server.
- Click on a server instance.
- Check the Encryption Algorithm setting and verify it is correct.
Note: The following BlackBerry devices have BlackBerry Handheld Software versions earlier than 4.0, which use 3DES encryption instead of AES: 5820, 5810, 5790, 957, 950, 857, and 850. These older BlackBerry devices should not be used in the DoD since they cannot support some required BlackBerry security features.

Fix: F-23377r1_fix

The Device Transport Key will be configured on the BES for AES encryption.

The BlackBerry wireless email system must be set up with the required system components and software installed on the handheld device.
High - V-14022 - SV-14633r3_rule
  • Severity: High
  • Version: WIR1300-01
  • Vuln IDs: V-14022
  • Rule IDs: SV-14633r3_rule
The wireless email server architecture must comply with the DoD environment because approval of the BES is contingent on installation with the correct settings. DoD enclaves could be at risk of penetration, or DoD data could be compromised, if the BES is not installed as required. Responsibility: Information Assurance Officer. IA Controls: ECSC-1.
Checks: C-14979r3_chk

Detailed Policy Requirements: The BlackBerry wireless email system must be set up with the required system components and software installed on the handheld device.
- The BES is installed and configured using either the architecture shown in Figure 2-1 (non-segmented architecture) or the alternate segmented architecture shown in Figure 2-2 of the BlackBerry STIG Overview.
- The BES and all other systems providing BlackBerry services (e.g., email server and LDAP server) are protected behind a corporate firewall.
- The BES has a host-based firewall (e.g., McAfee Personal Firewall, Norton Personal Firewall) and/or a dedicated hardware firewall.
It is recommended that a BES site use the pre-configured, STIG compliant IT policy provided with the STIG. This method increases compliance and reduces the chance of required configuration settings not being configured correctly.

Check Procedures: Interview the ISSO and system administrator and review system network diagrams. Verify logical connectivity complies with the requirements of one of the approved architectures (see Figure 2-1 or Figure 2-2 of the BlackBerry STIG Overview for example architectures). Verify the BES Windows Server has a host-based firewall installed or an appliance firewall has been installed between the BES and the network. If the BES architecture is not configured as required with the required firewalls, this is a finding.

Fix: F-13504r3_fix

The ISSO will ensure the BES is installed and configured using either the BlackBerry Network architecture or the BlackBerry Segmented architecture.

An Application White List software configuration must be assigned to all BES user accounts.
High - V-16341 - SV-17334r3_rule
  • Severity: High
  • Version: WIR1310-01
  • Vuln IDs: V-16341
  • Rule IDs: SV-17334r3_rule
The primary BlackBerry malware control is to set up one or more Application White List software configurations on the BES. Every user and group account must be assigned at least one Application White List software configuration. In an Application White List, the use of all non-core applications is denied unless an application is expressly allowed. Responsibility: Information Assurance Officer, System Administrator. IA Controls: ECSC-1.
Checks: C-14175r3_chk

Check the BES to see if an Application White List software configuration has been assigned to each BES user account.
Note: Section 3.2.5.2 of the BlackBerry STIG Overview has instructions for setting up an Application White List software configuration and assigning it to a user or a group account.
For BES 5.0:
- BAS >> BlackBerry solution management >> User >> Manage users
- Select at least 20 user accounts at random from different offices or sites on the BES and complete the following for each:
  ** Click on the user account name.
  ** Click on the "Software configuration" tab.
  ** Note the name of the software configuration assigned to the user (this will be the assigned "Application White List"). The name should be in a format similar to "DISA Application White List 1".
If any user account has not been assigned an Application White List software configuration, this is a finding.
Note: The required configuration of the Application White List will be verified in checks WIR1310-02 and WIR1310-03.

Fix: F-23364r1_fix

An application White List software configuration must be assigned to all BES user accounts.

The BES must be configured to disable the capability of the BES to proxy a user's authentication to back-office application, web, and content servers. Users must authenticate directly to back-office servers using a USCYBERCOM CTO 07-15Rev1 authorized method.
Medium - V-16343 - SV-17336r3_rule
  • Severity: Medium
  • Version: WIR1315-01
  • Vuln IDs: V-16343
  • Rule IDs: SV-17336r3_rule
User authentication credentials should not be proxied by the BES, because the BES would then be storing DoD user authentication credentials in its database. Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECSC-1.
Checks: C-17397r3_chk

Verify the site BES has been configured to require BlackBerry users to authenticate directly with enclave application and content servers.
- On the BAS, go to Servers and components >> BlackBerry Solution topology >> BlackBerry Domain >> MDS Connection Service.
- Click "Edit components".
- Select the "HTTP" tab.
- In the "Authentication support enabled" drop-down list, verify "No" has been selected.
If the configuration setting is not correct, this is a finding.
Exception: When a site Internet proxy is set to require user authentication, the configuration setting above will cause a loss of Internet connectivity. In this case only, the "Support HTTP Authentication" setting should be set to TRUE, and then, when prompted, enter no value for the user authentication information (this will cause the BES to prompt for the user's authentication credentials whenever an Internet connection is requested). When a site uses authentication on the Internet proxy, the reviewer should verify the required setting for "Support HTTP Authentication" and then have users show on their BlackBerry that they have to enter their Internet proxy authentication credentials whenever they try to connect to the Internet.

Fix: F-23372r1_fix

The BES must be configured to disable the capability of the BES to proxy a user’s authentication to back-office application, web, and content servers.

The BES must be configured to convert HTML and RTF formatted email into text format before sending to a BlackBerry smartphone and prevent the BES from sending email messages with inline images to BlackBerry smartphones.
Low - V-18394 - SV-19929r4_rule
  • Severity: Low
  • Version: WIR1335-01
  • Vuln IDs: V-18394
  • Rule IDs: SV-19929r4_rule
HTML email and inline images in email can contain malware or links to web sites hosting malware. Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECWN-1.
Checks: C-23186r4_chk

Verify the BES has been configured correctly: BAS >> Servers and components >> Component view >> Email >> Messaging tab.
- Verify "Rich content turned on" is set to "False".
- Verify "Automatic downloading of inline images turned on" is set to "False".
If the BES is not configured as required, this is a finding.
Note: The BES configurations described in this check cannot block HTML and RTF formatted email or inline images for BlackBerry devices with BlackBerry handheld software versions earlier than 4.5.

Fix: F-23378r2_fix

Configure the BES to:
- Convert HTML and RTF formatted email into text format before sending to a BlackBerry smartphone; and
- Prevent the BES from sending email messages with inline images to BlackBerry smartphones.

The BES host-based or appliance firewall must be configured as required.
High - V-19192 - SV-21031r3_rule
  • Severity: High
  • Version: WIR1300-02
  • Vuln IDs: V-19192
  • Rule IDs: SV-21031r3_rule
A BlackBerry user could gain access to unauthorized network resources (application and content servers, etc.) if the BES firewall is not set up as required. Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECSC-1.
Checks: C-23119r3_chk

Detailed Policy Requirements: The BES host-based or appliance firewall must be configured as required. The BES firewall is configured with the following rules:
- Deny all except when explicitly authorized.
- Internal traffic from the BES is limited to internal systems used to host the BlackBerry services (e.g., email and LDAP servers) and AO-approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized.
- Internet traffic from the BES is limited to only those specified BlackBerry services (e.g., BlackBerry SRP server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the BlackBerry system and/or service.
- Firewall settings listed in Section 3.13 of the BlackBerry STIG Overview will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall list of trusted IP addresses and subnets.
Note: At a minimum, the IP address of the site Internet proxy server must be listed so the BlackBerry Browser can connect to the Internet.
Note: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above.

Check Procedures: Verify the firewall configuration meets approved architecture configuration requirements (or have the network reviewer review the firewall). Use Table 3-5 in the BlackBerry STIG Overview when using the non-segmented architecture and Tables 3-6 and 3-7 when using the segmented architecture for the required firewall rules. Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. IP addresses of the enclave web proxy server and authorized back-office application and content servers that the BES connects to should be included on this list.
If a list of trusted networks by IP address is not configured on the BES host-based firewall, this is a finding.
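The "deny all except explicitly authorized" rule above, with its list of trusted IP addresses and subnets, is the kind of thing a reviewer can sanity-check against a firewall export or connection log before walking the GUI. The following is an added example, not part of the STIG or of any BlackBerry or DISA tool; the trusted entries and the connection records are constructed for illustration (the page gives no real addresses), and the record format `dst_ip:port` is an assumption. It shows the default-deny decision, CIDR matching for subnet entries, and a fail-closed result for a malformed record.

```python
import ipaddress

# Constructed trusted list in the shape the check describes: the site Internet
# proxy (single host), an AO-approved back-office subnet, and the email server.
# These addresses are illustrative, not values from the STIG.
TRUSTED_ENTRIES = [
    "10.10.1.5",       # site Internet proxy (must be listed at a minimum)
    "10.10.2.0/24",    # AO-approved back-office application/content servers
    "10.10.3.10",      # enclave email server
]

# Constructed outbound connection records from the BES host, "dst_ip:dst_port"
# per line (IPv4 only; the assumed record format has no brackets for IPv6).
SAMPLE_CONNECTIONS = [
    "10.10.1.5:8080",     # browser traffic to the Internet proxy
    "10.10.2.77:443",     # back-office web service inside the trusted subnet
    "10.10.3.10:135",     # email server
    "10.10.9.9:445",      # file share on an unlisted internal host
    "192.168.50.4:80",    # unlisted host
    "not-an-ip:80",       # malformed record
]


def build_trusted_networks(entries):
    """Parse single IPs and CIDR subnets into ip_network objects.

    A bare address becomes a /32 network. strict=False lets an entry such as
    "10.10.2.5/24" (host bits set) be accepted as the subnet it belongs to
    instead of raising ValueError.
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def decide(dst_ip, trusted_networks):
    """Default-deny decision: 'allow' only when dst_ip falls inside a trusted entry.

    Anything that does not parse as an address is denied so that a malformed
    or tampered record fails closed rather than open.
    """
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return "deny"
    return "allow" if any(addr in net for net in trusted_networks) else "deny"


def audit_connections(records, trusted_networks):
    """Return the records the required rules would have blocked.

    Each returned item is the original record string so a reviewer can cite it
    verbatim in the finding.
    """
    blocked = []
    for rec in records:
        dst_ip, _sep, _port = rec.rpartition(":")
        if decide(dst_ip, trusted_networks) == "deny":
            blocked.append(rec)
    return blocked


if __name__ == "__main__":
    nets = build_trusted_networks(TRUSTED_ENTRIES)
    for rec in SAMPLE_CONNECTIONS:
        print(f"{rec:20} -> {decide(rec.rpartition(':')[0], nets)}")
    print("would be blocked:", audit_connections(SAMPLE_CONNECTIONS, nets))
```

The decision is made purely on destination address, which matches the check text (the trusted list is by IP address and subnet, not by port); port filtering from Tables 3-5 through 3-7 would be a separate layer on top of this allow-list.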

Fix: F-23362r1_fix

The BES host-based or appliance firewall is configured as required.

The BES must be configured to accept only trusted connections to back-office enclave application or web push servers. Push servers are set up to push content to BlackBerry users (e.g., Remedy ticket notification system).
Low - V-19201 - SV-21090r3_rule
  • Severity: Low
  • Version: WIR1315-03
  • Vuln IDs: V-19201
  • Rule IDs: SV-21090r3_rule
Only authorized servers should be able to push content to BlackBerry devices. Responsibility: System Administrator. IA Controls: ECSC-1.
Checks: C-23137r3_chk

Verify the site has configured the BES to require trusted connections to push enclave application or web servers, using the following procedure:
- On the BAS, go to Servers and components >> BlackBerry Solution topology >> BlackBerry Domain >> MDS Connection Service.
- Click "Edit components".
- Click the "HTTPS" tab.
- Verify "Allow Untrusted Servers" is set to "No".
- Click the "TLS" tab.
- Verify "Allow Untrusted Servers" is set to "No".
If any of these settings are not correct, this is a finding.
Verify a keystore file (webserver.keystore) has been set up at the following location on the BES: <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\webserver. Look for the keystore file.
- If the keystore file is not found, this is a finding.

Fix: F-23374r1_fix

The BES must be configured to accept only trusted connections to back-office enclave application or web push servers.

Non-core applications used on the BlackBerry must be approved.
Low - V-19202 - SV-21091r3_rule
  • Severity: Low
  • Version: WIR1310-04
  • Vuln IDs: V-19202
  • Rule IDs: SV-21091r3_rule
Unapproved applications could include malware or introduce other vulnerabilities to the BlackBerry system and enclave. Responsibility: System Administrator. IA Controls: ECSC-1.
Checks: C-23139r3_chk

Detailed Policy Requirements: All applications listed in each Application White List must be approved by either the AO or by the IT configuration control board that reviews and approves workstation applications. Sites are recommended to use the same or a similar process used to approve desktop applications to select, review, test, and approve BlackBerry applications.

Check Procedures: For each Application White List assigned to BES user accounts, verify the site has documentation showing the applications are approved by the AO (or whomever the AO has designated as the approval authority for the site).

Fix: F-11479r1_fix

Comply with DoD policy.

An Application Control Policy must be assigned to each application listed in any Application White List software configuration assigned to user accounts on the BES. Note: This check applies to BES 4.1.x only. On BES 5, an application control policy is automatically assigned when an application is selected for a software configuration.
Medium - V-19203 - SV-21092r3_rule
  • Severity: Medium
  • Version: WIR1310-03
  • Vuln IDs: V-19203
  • Rule IDs: SV-21092r3_rule
Applications must only have access to the BlackBerry resources (e.g., microphone, address book, browser, email messages) they need for their function; otherwise, sensitive data could be exposed to unauthorized users or the BlackBerry system could be compromised. Responsibility: Information Assurance Officer, System Administrator.
Checks: C-23140r4_chk

Detailed Policy Requirements: An Application Control Policy must be set up on the BES for each application listed in an Application White List software configuration on the BES. For mandatory applications, the Application Control Policy should have the "Disposition" rule set to "Required".

Check Procedures: Use the list of Application White List software configurations assigned to user accounts developed in check WIR1310-01.
Step 1: Determine the list of assigned Application Control Policies. For each Application White List software configuration assigned to a user, complete the following:
- In the BlackBerry Manager, click "BlackBerry Domain" in the left pane.
- Click the "Software Configurations" tab.
- In the Configuration Name list, double-click one of the software configurations that was assigned to a BES User Group.
- Expand the Application Software tree.
- Determine if an Application Control Policy has been assigned to each application listed in the tree under the Application Software group. If an Application Control Policy has been assigned, note its name. (Note: If an Application Control Policy has not been assigned to an application, this has the effect of denying the use of the application on site-managed BlackBerry devices.)
Step 2: Verify each Application Control Policy is configured as required. For each application listed under the Application Software group (for each software configuration), verify the Application Control Policy is compliant with the policy in Table C-4 of the BlackBerry STIG Overview. Use the following procedure to verify each Application Control Policy is configured correctly:
- In the BlackBerry Manager, in the left pane, click "BlackBerry Domain".
- On the "Software Configurations" tab, click "Manage Applications Policies".
- For each Application Control Policy identified in Step 1, double-click the policy to open it and verify it has been configured as required in Table C-4 of the BlackBerry STIG Overview.
If any Application Control Policy is not configured as required, this is a finding. Identify the Application White List software configuration, Application Control Policy, and application in the VMS remarks. Remember to do the above steps for each Application White List software configuration. Findings comments in VMS should identify the non-compliant Application White List software configuration and/or application.

Fix: F-19819r1_fix

Set up the required Applications Control Policies.

Security controls must be set up on the BES for connections to "back-office" servers.
Medium - V-19206 - SV-21095r3_rule
  • Severity: Medium
  • Version: WIR1315-02
  • Vuln IDs: V-19206
  • Rule IDs: SV-21095r3_rule
Strong access controls to back-office servers are required to ensure DoD data is not exposed to users of the BlackBerry system who are not authorized to access the server. Responsibility: System Administrator. IA Controls: ECSC-1.
Checks: C-23143r3_chk

Detailed Policy Requirements: If the site provides BlackBerry users access to "back-office" applications and content servers located on the site network enclave, the following controls will be implemented:
- All enclave application and content servers that are accessed by BlackBerry users will implement CAC authentication.
- The BES host-based firewall is set to block connections to back-office application and content servers unless the server IP address is on the firewall list of trusted IP addresses and subnets.
Note: BlackBerry back-office application and content servers include J2ME application servers, SOAP web services, and web servers.

Check Procedures: Ask the BlackBerry SA if the site provides BlackBerry users access to "back-office" applications and content servers located on the site network enclave. If the response is "Yes", ask for a list of all enclave servers BlackBerry users can access and then perform the following checks:
- Verify CAC authentication has been implemented on each server. Have the Windows reviewer assist with the review of each server. If CAC authentication has not been implemented on each server, this is a finding.
- Verify the BES host-based firewall has been configured as required. This check should have been performed during the review of check WIR1300-02. Confirm this requirement was reviewed.

Fix: F-23373r2_fix

Set up required controls on the BES for connections to "back-office" servers.

The BlackBerry Bluetooth Smart Card Reader (SCR) used with site PCs must be compliant with requirements.
Medium - V-19215 - SV-21104r3_rule
  • Severity: Medium
  • Version: WIR1320-01
  • Vuln IDs: V-19215
  • Rule IDs: SV-21104r3_rule
An insecure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack. Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECWN-1.
Checks: C-23152r5_chk

Detailed Policy Requirements: When the BlackBerry Bluetooth SCR is used as a PC SCR, the following requirements must be followed:
- Separate BlackBerry Account Groups should be created: one for users that are authorized to use the BlackBerry SCR with their PCs and one for users that are NOT authorized to use the BlackBerry SCR with their PCs.

Check Procedures: Interview the ISSO and wireless email system administrator. Determine if use of the BlackBerry SCR with site PCs has been approved. If yes, verify the following requirements are met:
- Verify separate BlackBerry Account Groups have been created: one for users that are authorized to use the BlackBerry SCR with their PCs and one for users that are NOT authorized to use the BlackBerry SCR with their PCs (or do not have a BlackBerry SCR).
- In the BAS, under BlackBerry solution management, select Group >> Manage groups.
- Check the Group Description and have the BES Admin show the required user groups.
Note: Recommend two BlackBerry account groups be created:
1. BlackBerry users with a SCR, but not authorized to use the SCR to connect to their PC.
2. BlackBerry users with a SCR and authorized to use the SCR to connect to their PC.

Fix: F-23375r1_fix

Comply with BlackBerry Bluetooth SCR use with site PC requirements.

Required security controls must be used when BlackBerry Wi-Fi is used by the site to connect to a DoD Wi-Fi network. Required security controls are in Table 2, BlackBerry STIG Configuration Tables.
Low - V-19224 - SV-21113r3_rule
  • Severity: Low
  • Version: WIR1325-01
  • Vuln IDs: V-19224
  • Rule IDs: SV-21113r3_rule
If BlackBerry Wi-Fi controls are not implemented, DoD data can be compromised. Responsibility: System Administrator. IA Controls: ECWN-1.
Checks: C-23162r3_chk

Ask the BlackBerry system administrator if the site uses BlackBerry Wi-Fi to connect to the DoD WLAN. If yes, verify the following actions have occurred:
1. Determine which BlackBerry users have been approved to use BlackBerry Wi-Fi to connect to the DoD WLAN. Ask the ISSO or BlackBerry SA for the names of site BlackBerry users that have been authorized to use the BlackBerry Wi-Fi service.
2. Verify these users have been assigned a WLAN Configuration Set (profile). Verify that authorized users have been assigned a WLAN profile as follows (select two or three users to check):
- On the BAS, in the BlackBerry solution management box, expand "User" and click on "Manage users". Then click on Search in the center screen. A list of all users assigned to the BES will be shown.
- Click the user account to verify a WLAN profile has been assigned.
- Click on the "WLAN configuration" tab.
- Look for the name of the WLAN configuration (profile) that has been assigned to the user (if any).
- Verify each assigned WLAN Configuration Set (profile) is configured as required. The required configuration is listed in Table C-2 of the BlackBerry STIG Overview (see procedure below).
3. Verify each assigned WLAN Configuration Set (profile) is configured as required. The required configuration is listed in Table C-2 of the BlackBerry STIG Overview (see procedure below).
If any user accounts authorized for WLAN do not have a WLAN configuration assigned to the account, this is a finding.
The setup of each WLAN Configuration Set on the BES can be viewed as follows:
- BAS >> BlackBerry solution management box >> Policy >> WLAN configuration >> Manage WLAN configurations.
- For each listed WLAN configuration to be checked, click on the configuration, then click on the "WLAN configuration data" tab.
- Verify rules are set as shown in Table C-2 (only rules with "Required" settings need to be verified).
If the WLAN profile has not been configured as required, this is a finding.

Fix: F-23376r1_fix

Use the required security controls when BlackBerry Wi-Fi is used by the site to connect to a DoD Wi-Fi network.

BlackBerry accounts must not be assigned to the default IT policy on the BES or any other non-STIG compliant IT policy. Accounts will only be assigned a STIG compliant IT policy.
High - V-19226 - SV-21115r3_rule
  • Severity: High
  • Version: WIR1340-01
  • Vuln IDs: V-19226
  • Rule IDs: SV-21115r3_rule
The BlackBerry default policy on the BES does not include many DoD-required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data exposure and hacker attack if users are assigned the default (or other non-STIG compliant) IT policy. Responsibility: System Administrator. IA Controls: ECSC-1.
Checks: C-23164r3_chk

Detailed Policy Requirements:
1. Separate STIG compliant IT policies will be set up on the BES: one for users that have been issued an approved Bluetooth headset/handsfree device and one for users that have not been issued an approved Bluetooth headset/handsfree device.
2. All user accounts will be assigned to a STIG compliant IT policy.

Check Procedures: Interview the BlackBerry system administrator. Ask the administrator to identify the default IT policy on the BES (usually labeled "Default") and any other non-STIG compliant IT policies set up on the BES. View the list of IT policies set up on the BES as follows: BAS >> BlackBerry solution management box >> Policy >> Manage IT policies.
Verify no users are assigned to the default IT policy or any other non-STIG IT policy by performing the following steps for the default IT policy and each other non-STIG compliant policy listed under Manage IT policies:
- Click on the policy name.
- Click on "View users with IT policy".
- Click "Search". A list of all users assigned to the policy will be shown.
- Click on the "IT Policy Name" column heading to sort the list of users by IT policy.
- Determine if any users have been assigned to the default or other non-STIG compliant IT policy. If yes, this is a finding.
Note: IT policies identified by the BES administrator as STIG compliant should be reviewed to verify compliance when reviewing the WIR14xx series of checks.

Fix: F-23379r1_fix

User accounts will only be assigned a STIG compliant IT policy.

Each Application White List software configuration assigned to each user account must be configured with a top-level default "disallow" for all applications. Applications must be specifically allowed at a lower level.
High - V-22042 - SV-25372r3_rule
  • Severity: High
  • Version: WIR1310-02
  • Vuln IDs: V-22042
  • Rule IDs: SV-25372r3_rule
The primary BlackBerry malware control is to set up an Application White List where the use of all applications is denied unless an application is expressly allowed. Otherwise, malware could be installed on the BlackBerry. Responsibility: Information Assurance Officer, System Administrator. IA Controls: ECSC-1.
Checks: C-26913r3_chk

Verify for each Application White List software configuration identified in check WIR1310-01 that a "Deny All" policy has been assigned to the software configuration. (This configuration stops the execution of any application not specifically allowed.)
- BAS >> BlackBerry solution management >> Software >> Manage software configurations
- For each software configuration listed (all Application White List software configurations will be in this list), click on the software configuration and verify "Disposition for unlisted applications" is set to "Disallowed" and "Application control policy for unlisted applications" is set to "Standard Unlisted Disallowed".
Note: If the site has followed the procedures for setting up an Application White List found in Section 3.2.5.2 of the BlackBerry STIG Overview, the "Deny All" Application Control Policy will have the title "Disallowed Application". (The title of the Application Control Policy is not important; verify the policy is configured as required.)
If any Application Control Policy is not configured as required, this is a finding.

Fix: F-23366r1_fix

Each Application White List software configuration assigned to each user account must be configured with top level default “disallow” for all applications.

Application repositories set up on the BES must be DoD-approved.
Medium - V-22055 - SV-25491r2_rule
  • Severity: Medium
  • Version: WIR1345-01
  • Vuln IDs: V-22055
  • Rule IDs: SV-25491r2_rule
A DoD application repository must contain only authorized applications and only approved and unaltered versions of those applications. If DoD-approved application repositories are not used, the integrity of applications in the repository would be unknown. Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECWN-1.
Checks: C-27006r2_chk

If no application repositories are set up, this check is Not Applicable. Talk to the site BES administrator. Determine if the site has set up an application repository. If yes, verify the repository is DoD-approved. If the repository is not DoD-approved, this is a finding.

Fix: F-23380r1_fix

Application repositories will be located on a DoD-controlled server within a DoD enclave.

All user and/or group accounts must have an Access Control Rule assigned to the account.
Medium - V-22056 - SV-25492r3_rule
  • Severity: Medium
  • Version: WIR1350-01
  • Vuln IDs: V-22056
  • Rule IDs: SV-25492r3_rule
The BES MDS Connection Service allows BlackBerry users to search the enclave for files and documents of interest to the user without any authentication requirements to the enclave, so the access control requirements of the network can be bypassed. Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECWN-1.
Checks: C-27011r4_chk

Detailed Policy Requirements: The BES must be configured so that all network file share access by BlackBerry users is blocked. A high-level "deny all" Access Control Rule policy must be set up and assigned to each user or group account.

Check Procedures: Verify all user and group accounts have been assigned an Access Control Rule. On the BES, do the following:
- Select at least 20 user/group accounts at random from different offices/sites.
- Go to each selected user/group account: BAS >> BlackBerry solution management >> User >> Manage users >> select user >> Access control rules tab.
- Verify each user has been assigned an Access Control Rule. Write down the name of each Access Control Rule assigned to each account (the settings of each rule will be verified in WIR1350-02).
If any user or group account has not been assigned an Access Control Rule, this is a finding.

Fix: F-23381r2_fix

The BES MDS Connection Service will be configured to disable browsing on the enclave for files and documents of interest. Each user and group account is assigned an Access Control Rule.

The BlackBerry Administration Server (BAS) must be configured for Active Directory authentication with a CTO 07-15Rev1 compliant administrator password.
Medium - V-22102 - SV-25547r3_rule
  • Severity: Medium
  • Version: WIR1355-01
  • Vuln IDs: V-22102
  • Rule IDs: SV-25547r3_rule
The BAS provides the administrator interface for the BES. CTO 07-15Rev1 requires that administrator accounts use either CAC authentication or complex passwords to ensure strong access control is enforced. Responsibility: System Administrator, Information Assurance Officer. IA Controls: ECWN-1.
Checks: C-27032r3_chk

Verify the BAS is configured to require Active Directory authentication for system administrators and users. To verify Active Directory authentication is enabled, use the following procedure:
- Launch the BlackBerry Administration Service.
- On the Servers and components menu, expand BlackBerry Solution Topology >> BlackBerry Domain >> Component view.
- Click "BlackBerry Administration Service".
- Click on the "Microsoft Active Directory authentication" tab.
- Verify the username, password, and user domain fields have been entered for the BAS Active Directory account.
Note: It is recommended that Single Sign-On Authentication also be selected on the Microsoft Active Directory authentication tab, but this may not be possible for all BES installations.

Fix: F-23383r2_fix

Set up the BAS for Active Directory authentication.

a
The key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use must be changed from the default.
Low - V-22164 - SV-25764r3_rule
RMF Control
Severity
Low
CCI
Version
WIR1355-02
Vuln IDs
  • V-22164
Rule IDs
  • SV-25764r3_rule
The key store password protects the server digital authentication certificates from unauthorized use.
Responsibility: Information Assurance Officer, System Administrator. IA Controls: ECWN-1
Checks: C-27174r3_chk

Determine if the BAS and BWDM key store password has been changed from the default. The password must meet the requirements of CTO 07-15Rev1: at least 15 characters in length, with a case-sensitive mix of upper case letters, lower case letters, numbers, and special characters, including at least one of each. Start >> Programs >> BlackBerry Enterprise Server >> BlackBerry Server Configuration. On the "Administration service – Cacerts keystore" tab, check the length of the current password and ask the BES administrator whether a complex password was used. If the password is still the default, or either the length or complexity requirement is not met, this is a finding.

Fix: F-23382r2_fix

Change the key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use from the default to a password that meets CTO 07-15Rev1 requirements.
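To make the CTO 07-15Rev1 test in this check repeatable, the following Go program (an added example, not part of the STIG and not BES code) evaluates a candidate key store password against the stated rule and names each unmet requirement. It assumes "special character" means any printable, non-space character that is not a letter or digit, since the page does not define the term; the sample passwords are constructed and none is a real BES value.

```go
package main

import (
	"fmt"
	"unicode"
)

// PasswordCheck records which CTO 07-15Rev1 requirements a candidate key
// store password satisfies, so a failure can be stated precisely.
type PasswordCheck struct {
	Length                                   int // counted in characters (runes), not bytes
	HasUpper, HasLower, HasDigit, HasSpecial bool
}

// Compliant is true only when the minimum length and all four character classes are met.
func (p PasswordCheck) Compliant() bool {
	return p.Length >= 15 && p.HasUpper && p.HasLower && p.HasDigit && p.HasSpecial
}

// Failures lists the unmet requirements in the order the check states them.
func (p PasswordCheck) Failures() []string {
	var out []string
	if p.Length < 15 {
		out = append(out, fmt.Sprintf("length %d < 15", p.Length))
	}
	classes := []struct {
		ok   bool
		name string
	}{
		{p.HasUpper, "upper-case letter"},
		{p.HasLower, "lower-case letter"},
		{p.HasDigit, "number"},
		{p.HasSpecial, "special character"},
	}
	for _, c := range classes {
		if !c.ok {
			out = append(out, "no "+c.name)
		}
	}
	return out
}

// CheckKeystorePassword applies the rule quoted in the check: at least 15
// characters including at least one upper-case letter, one lower-case letter,
// one number and one special character. "Special" is taken here to mean any
// printable, non-space character that is not a letter or digit (an assumption;
// CTO 07-15Rev1 itself is not reproduced on the page).
func CheckKeystorePassword(pw string) PasswordCheck {
	var p PasswordCheck
	for _, r := range pw {
		p.Length++
		switch {
		case unicode.IsUpper(r):
			p.HasUpper = true
		case unicode.IsLower(r):
			p.HasLower = true
		case unicode.IsDigit(r):
			p.HasDigit = true
		case unicode.IsPrint(r) && !unicode.IsSpace(r):
			p.HasSpecial = true
		}
	}
	return p
}

func main() {
	// Constructed candidates for illustration only.
	for _, pw := range []string{"Blackberry1", "Abcdefghijklmn1", "Correct-Horse-Battery-9"} {
		p := CheckKeystorePassword(pw)
		fmt.Printf("%-26q compliant=%-5v %v\n", pw, p.Compliant(), p.Failures())
	}
}
```

The reviewer cannot read the stored password from the GUI, so in practice the function is run against the password the administrator states was set; counting runes rather than bytes matters when non-ASCII characters are used, since a byte count would overstate the length.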

a
The BlackBerry Administration Service must be configured to disable a user from creating an activation password via BWDM.
Low - V-22165 - SV-25765r3_rule
RMF Control
Severity
Low
CCI
Version
WIR1365-01
Vuln IDs
  • V-22165
Rule IDs
  • SV-25765r3_rule
The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. Users must be prohibited from performing the following administrative tasks using the BlackBerry Web Desktop Manager:
- Specify an enterprise activation password for a BlackBerry device.
- Specify a new device password and lock a device.
- Delete all device data and deactivate a device.
- Assign a new device to a user account.
Responsibility: System Administrator. IA Controls: ECWN-1
Checks: C-27175r3_chk

Verify the BAS has been configured to disable users from performing administrative tasks on the BES. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution Topology >> BlackBerry Domain >> Component view. Click "BlackBerry Administration Service". Click "Edit component". On the "BlackBerry Web Desktop Manager Information" tab, verify "Allow users to perform self-service tasks" is set to "No". If not set as required, this is a finding.

Fix: F-23385r2_fix

Configure the BlackBerry Administration Service to disable a user from performing administrative tasks on the BES.

b
All Access Control Rules assigned to user and group accounts must be configured to deny access to all file shares.
Medium - V-22703 - SV-27296r3_rule
RMF Control
Severity
Medium
CCI
Version
WIR1350-02
Vuln IDs
  • V-22703
Rule IDs
  • SV-27296r3_rule
The BES MDS Connection Service allows BlackBerry users to search the enclave for files and documents of interest to the user without any authentication requirements to the enclave. Access control requirements of the network can be bypassed.
Responsibility: Information Assurance Officer, System Administrator. IA Controls: ECWN-1
Checks: C-28411r3_chk

Detailed Policy Requirements: The BES must be configured so that all network file share access by BlackBerry users is blocked. A high-level "deny all" Access Control Rule must be set up and assigned to each user or group account.

Check Procedures:
1. Verify that an all-domain URL pattern has been configured on the BES: BAS >> Servers and components >> BlackBerry Domain >> Component view >> MDS Connection service >> Pull URL pattern tab. Note the Description (name) of the TCP URL pattern that has the following pattern: \\*.*\*. If no TCP URL pattern is configured as indicated, this is a finding.
2. Verify all Access Control Rules identified in the preceding check (the one that records the rule assigned to each user and group account) have been set up with that URL pattern and the "Deny" rule: BAS >> Servers and components >> BlackBerry Domain >> Component view >> MDS Connection service >> Access control rules tab. View each Access Control Rule and verify the URL pattern identified in Step 1 has been assigned to it and its "Allowed" setting is "Deny". If a "Deny" URL pattern has not been set up for each rule, this is a finding.

Fix: F-24537r2_fix

Configure the BES MDS Connection Service to block browsing of the enclave for files and documents: set up each Access Control Rule assigned to user and group accounts with a "Deny" URL pattern.

b
BlackBerry Web Desktop Manager must be configured to disable a user’s capability to perform self-service tasks.
Medium - V-25430 - SV-31616r3_rule
RMF Control
Severity
Medium
CCI
Version
WIR1365-02
Vuln IDs
  • V-25430
Rule IDs
  • SV-31616r3_rule
The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. When this configuration is not set as required, users may have the capability to activate unauthorized BlackBerry devices.
Responsibility: System Administrator. IA Controls: ECWN-1
Checks: C-31957r3_chk

Verify the BAS has been configured to disable users from performing self-service tasks. BAS >> Servers and components >> BlackBerry solution topology >> BlackBerry Domain >> Component view >> BlackBerry Administration service. Select the "BlackBerry Web Desktop Manager Information" tab. Verify "Allow users to perform self-service tasks" is set to "No". If not set as required, this is a finding.

Fix: F-28376r2_fix

The BlackBerry Administration Service is configured to disable a user from performing self-service tasks via BWDM.

b
BlackBerry Web Desktop Manager must be configured to permit users to activate new BlackBerry devices only.
Medium - V-25431 - SV-31617r3_rule
RMF Control
Severity
Medium
CCI
Version
WIR1365-03
Vuln IDs
  • V-25431
Rule IDs
  • SV-31617r3_rule
The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. When this configuration is not set as required, users may have the capability to activate unauthorized BlackBerry devices.
Responsibility: System Administrator. IA Controls: ECWN-1
Checks: C-31958r3_chk

Verify the BAS has been configured to permit users to activate new BlackBerry devices only. BAS >> Servers and components >> BlackBerry solution topology >> BlackBerry Domain >> Component view >> BlackBerry Administration service. Select the "BlackBerry Web Desktop Manager Information" tab. Verify "Allow user wireline activation" has been set to "Activate Unused PINs only". If not set as required, this is a finding.

Fix: F-28377r2_fix

BlackBerry Administration Service is configured to permit users to activate new BlackBerry devices only via BWDM.

a
The server PKI digital certificate installed on the BES to support BAS and BWDM authentication must be a DoD PKI issued certificate. A self-signed certificate will not be used.
Low - V-25548 - SV-31764r3_rule
RMF Control
Severity
Low
CCI
Version
WIR1355-03
Vuln IDs
  • V-25548
Rule IDs
  • SV-31764r3_rule
When a self-signed PKI certificate is used, a rogue BES can impersonate the DoD BES during system administrator (SA) connections to the BlackBerry Administration Service (BAS) or when a BlackBerry user uses BlackBerry Web Desktop Manager (BWDM) to connect to the BAS. In addition, DoDI 8520.02 requires PKI certificates come from a trusted DoD PKI.
IA Controls: IATS-1
Checks: C-32097r4_chk

Verify a DoD server certificate has been installed on the BES and the self-signed certificate, offered as an option during BES setup, has not been installed.
1. Ask the BlackBerry Administrator to access the BAS login console using Internet Explorer. Verify no certificate error occurs.
2. Click the "Lock" icon next to the address bar, then select "View certificates".
3. On the "General" tab, verify the "Issued to:" and "Issued by:" fields do not show the same value.
4. On the "Certification Path" tab, verify the top certificate is a trusted DoD Root certificate authority (e.g., DoD Root CA 2) and the certificate status field states "This certificate is OK".
If the certificate is self-signed or does not chain to a trusted DoD Root CA, this is a finding.

Remediation: If a certificate error occurs, either the default self-signed certificate is still installed, the BlackBerry Enterprise Server has not been rebooted since the DoD-issued certificate was installed, or the computer accessing the BAS does not have the DoD Root and Intermediate certificate authorities installed. The reviewer can select the "Continue to this website" option and follow the same procedure above. If the certificate is issued from an approved DoD PKI, ask the BlackBerry Administrator to run InstallRoot on the computer accessing the BAS. Otherwise, have the BlackBerry Administrator follow the procedures outlined in the STIG to request/install a certificate issued from a trusted DoD PKI.

Fix: F-28492r2_fix

Use a DoD-issued digital certificate on the BES to support BAS and BWDM authentication.
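As an added illustration (not part of the STIG and not BES code), the following Go program performs the two certificate tests the reviewer does in the browser, the "Issued to"/"Issued by" comparison and the certification-path check, against certificates it constructs in memory: a self-signed server certificate like the BES setup default, and the same server key certified by a constructed test root standing in for a DoD Root CA. The host name bas.example.mil, the root name "Constructed Test Root CA" and the approved-root list are made-up test values; nothing here is DoD PKI material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertFinding is what the reviewer records for a BAS/BWDM server certificate.
type CertFinding struct {
	SelfSigned bool   // "Issued to" equals "Issued by" and the certificate verifies its own signature
	RootName   string // common name at the top of the certification path; empty when no trusted path exists
}

// IsSelfSigned is the programmatic "Issued to" == "Issued by" check; matching
// names alone can be forged, so the certificate's own key must also verify it.
func IsSelfSigned(c *x509.Certificate) bool {
	return c.Subject.String() == c.Issuer.String() &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// CheckServerCert builds the certification path for host against the trusted
// roots (the "Certification Path" tab) and records the root it ends at.
func CheckServerCert(c *x509.Certificate, roots *x509.CertPool, host string) CertFinding {
	f := CertFinding{SelfSigned: IsSelfSigned(c)}
	chains, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil { // no path to a trusted root: the browser would show a certificate error
		return f
	}
	f.RootName = chains[0][len(chains[0])-1].Subject.CommonName
	return f
}

// IsFinding applies the STIG decision: self-signed, no trusted path, or a root
// that is not on the approved (DoD) list is a finding.
func (f CertFinding) IsFinding(approvedRoots []string) bool {
	for _, r := range approvedRoots {
		if !f.SelfSigned && f.RootName != "" && r == f.RootName {
			return false
		}
	}
	return true
}

// issue signs tmpl under parent (parent == tmpl gives a self-signed certificate).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildSamples constructs test certificates in memory: a self-signed server
// certificate (the BES setup default this rule forbids) and the same server
// key certified by a constructed test root. None of this is DoD PKI material.
func BuildSamples(host string) (selfSigned, issued *x509.Certificate, roots *x509.CertPool) {
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	ca := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	selfSigned = issue(leaf, leaf, &leafKey.PublicKey, leafKey)
	caCert := issue(ca, ca, &caKey.PublicKey, caKey)
	leaf.SerialNumber = big.NewInt(3)
	issued = issue(leaf, caCert, &leafKey.PublicKey, caKey)
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	return selfSigned, issued, roots
}

func main() {
	approved := []string{"Constructed Test Root CA"} // stands in for the list of trusted DoD roots
	selfSigned, issued, roots := BuildSamples("bas.example.mil")
	for _, c := range []*x509.Certificate{selfSigned, issued} {
		f := CheckServerCert(c, roots, "bas.example.mil")
		fmt.Printf("self-signed=%-5v root=%-26q finding=%v\n", f.SelfSigned, f.RootName, f.IsFinding(approved))
	}
}
```

Against a live BES the certificate would come from a TLS connection to the BAS rather than from BuildSamples, and the roots pool would hold the DoD Root CA certificates installed by InstallRoot; the decision logic is unchanged. Note that the self-signed case is reported as a finding even before the path is built, which matches the check: "Issued to" equal to "Issued by" is disqualifying on its own.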