Mobile Device Integrity Scanning (MDIS) Server Security Technical Implementation Guide (STIG)

U_MDIS_Server_V1R2_manual-xccdf.xml

This STIG provides technical security controls required for the use of a mobile MDIS server to audit the integrity of mobile devices in the DoD environment. The requirements listed in this benchmark apply to any DoD iOS implementation when iOS devices process sensitive DoD information, connect to a DoD network or network connected PC, or provide service to a DoD email system. The requirements can be implemented in an application server separate from the MDM server or included in the MDM server. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Details

Version / Release: V1R2

Published: 2013-05-08

Updated At: 2018-09-23 04:04:10


Rules (Vuln ID | Rule Version | Severity; no CCI is listed for any rule in this release)

SV-30809r2_rule | WIR-WMS-GD-001 | MEDIUM
Title: The required mobile device management server version (or later) must be used.
Description: Earlier versions of the MDM server may have security vulnerabilities or may lack required security features. Therefore, sensitive DoD data could be exposed if required security features are not implemented on site-managed mobile devices.
Responsibility: System Administrator
IA Controls: ECSC-1

SV-30810r2_rule | WIR-WMS-GD-002 | MEDIUM
Title: The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Tomcat, IIS, etc.).
Description: The host server where the mobile management server is installed must be compliant with the Windows STIG and applicable application STIGs to ensure the system is not vulnerable to an attack resulting in a Denial of Service or compromise of the management server.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1

SV-30812r2_rule | WIR-WMS-GD-004 | HIGH
Title: The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required.
Description: A mobile device user could gain access to unauthorized network resources (application and content servers, etc.) via the communications link between the mobile device and the mobile management server if the server host firewall is not set up as required. HBSS is usually used to satisfy this requirement.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1

SV-32013r2_rule | WIR-WMS-GD-010 | LOW
Title: The PKI digital certificate installed on mobile management servers for server authentication must be a DoD PKI-issued certificate.
Description: When a self-signed PKI certificate is used, a rogue mobile management server can impersonate the DoD mobile management server. DoDI 8520-02 requires that PKI certificates come from a trusted DoD PKI.
Responsibility: System Administrator
IA Controls: IATS-1

SV-33591r2_rule | WIR-WMS-GD-011 | HIGH
Title: Authentication on system administration accounts for mobile management servers must be configured to support CTO 07-15 Rev 1 requirements.
Description: CTO 07-15 Rev 1 requires that administrator accounts use either CAC authentication or complex passwords to ensure strong access control is enforced. This is best enforced by requiring the server to support AD authentication.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: IAIA-1, IATS-1

SV-43094r1_rule | WIR-WMS-MDIS-01 | MEDIUM
Title: The results and mitigation actions from the MDIS server on site-managed mobile OS devices must be maintained by the site for at least 6 months (1 year recommended).
Description: Scan results must be maintained so auditors can verify mitigation actions have been completed, so a scan can be compared to a previous scan, and to determine whether there are any security vulnerability trends for site-managed mobile OS devices.
Responsibility: System Administrator
IA Controls: ECAT-1

SV-43095r1_rule | WIR-WMS-MDIS-02 | HIGH
Title: Mitigation actions must be implemented based on integrity validation scan findings.
Description: If mitigation actions are not implemented after a scan finding, DoD data and the enclave could be at risk of compromise because the security baseline of the device has been compromised. The IAO should determine the appropriate mitigation action based on the scan finding report and any other analysis performed by site Information Assurance (IA) staff. It is expected that the system administrator or IAO will approve all mitigation actions before they are implemented, including those implemented by the server (for example, device wipe).
Responsibility: System Administrator
IA Controls: ECWN-1

SV-43099r1_rule | WIR-WMS-MDIS-06 | HIGH
Title: The MDIS server must alert when it identifies malicious code on managed mobile devices.
Description: Detection of possible compromise of a DoD mobile device is a key security control to ensure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on the DoD network. Alerting is required to ensure proper management oversight of timely mitigation actions to reduce the effect of the compromise.
Responsibility: System Administrator
IA Controls: ECAT-1

SV-43100r2_rule | WIR-WMS-MDIS-07 | HIGH
Title: The MDIS server must provide a near real-time alert when any compromise or potential-compromise indicator occurs.
Description: Detection of possible compromise of a DoD mobile device is a key security control to ensure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on the DoD network. Timely alerting is required to ensure proper management oversight of mitigation actions to reduce the effect of the compromise. Compromise indicators include the following:
- Unauthorized software on the device.
- Jailbroken or rooted device.
- Changes in file structure or files on the device.
- Unexpected changes in applications installed on the device.
- Integrity check failure of all operating system files, device drivers, and security enforcement mechanisms at device startup.
Responsibility: System Administrator
IA Controls: ECAT-1

SV-43101r1_rule | WIR-WMS-MDIS-08 | MEDIUM
Title: The MDIS server must provide notifications regarding suspicious events to an organization-defined list of response personnel, including the IAO and system administrator, who are identified by name and/or by role.
Description: Detection of possible compromise of a DoD mobile device is a key security control to ensure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on the DoD network. Timely alerting is required to ensure proper management oversight of mitigation actions to reduce the effect of the compromise.
Responsibility: System Administrator
IA Controls: ECAT-1, ECAT-2

SV-43104r1_rule | WIR-WMS-MDIS-11 | HIGH
Title: The MDIS server must verify the integrity of all operating system files, device drivers, and security enforcement mechanisms at startup and at least every six hours thereafter, using one or more DoD-approved cryptographic mechanisms that compare attributes of the operating system configuration to a known good baseline.
Description: Detection of possible compromise of a DoD mobile device is a key security control to ensure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on the DoD network. Analysis has determined that scans must be performed at least every 6 hours. iOS 6 scans all operating system files, device drivers, and security enforcement mechanisms at startup, so the first part of this requirement is met by default. iOS 6 does not repeat the system scan every 6 hours. If a third-party application is not used to scan all operating system files, device drivers, and security enforcement mechanisms every six hours, there is a finding and the Severity should be downgraded to CAT II.
Responsibility: System Administrator
IA Controls: DCSS-2

SV-43105r1_rule | WIR-WMS-MDIS-12 | HIGH
Title: The MDIS agent must not be capable of being disabled or controlled by the user or by another mobile device application.
Description: The integrity of the device security baseline would be compromised if the MDIS agent could be disabled by the user or an application.
Responsibility: System Administrator
IA Controls: ECTP-1

SV-43107r1_rule | WIR-WMS-MDIS-14 | MEDIUM
Title: The MDIS server must base recommended mitigations for findings on the identified risk level of the finding.
Description: Detection of possible compromise of a DoD mobile device is a key security control to ensure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on the DoD network. Since the MDIS is an automated capability, the server must be able to determine the severity of the finding and provide a recommended mitigation to ensure timely action to mitigate the finding.
Responsibility: System Administrator
IA Controls: ECAR-1

SV-43108r1_rule | WIR-WMS-MDIS-15 | HIGH
Title: The MDIS agent must operate separately from, and independently of, the management of the mobile device's security policy.
Description: One of the key capabilities of the MDIS feature is the capability to determine whether the device has been compromised. To ensure the integrity of the feature, the MDIS must not be modifiable by any device management feature, and must be able to monitor the compliance of device management.
Responsibility: System Administrator
IA Controls: ECTP-1

SV-43109r1_rule | WIR-WMS-MDIS-16 | HIGH
Title: The MDIS server must identify changes in file structure and files on the mobile device.
Description: Detection of possible compromise of a DoD mobile device is a key security control to ensure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on the DoD network. File structure changes are a key indicator of possible device compromise.
Responsibility: System Administrator
IA Controls: ECAR-1

SV-43110r1_rule | WIR-WMS-MDIS-17 | HIGH
Title: The MDIS server must identify unexpected changes in applications installed on the mobile device.
Description: Detection of possible compromise of a DoD mobile device is a key security control to ensure the compromise does not result in the exposure of sensitive DoD data or lead to a successful attack on the DoD network. Application changes are a key indicator of possible device compromise.
Responsibility: System Administrator
IA Controls: ECAR-1

SV-43111r1_rule | WIR-WMS-MDIS-18 | MEDIUM
Title: The MDIS server must have the capability to maintain a change history of individual devices.
Description: Scan results must be maintained so auditors can verify mitigation actions have been completed, so a scan can be compared to a previous scan, and to determine whether there are any security vulnerability trends for site-managed mobile OS devices.
Responsibility: System Administrator
IA Controls: ECAT-1

SV-43637r1_rule | WIR-WMS-MDM-03 | LOW
Title: The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less.
Description: There are two primary methods for generating the encryption key used to encrypt data between the management server and the server agent installed on the mobile device. The first method is to use a shared secret and the second is to generate the master encryption key based on PKI key generation. When a shared secret is used, if the master encryption key is not rotated periodically and it is compromised, all future data sent between the mobile management server and the agent located on the mobile device would be compromised. Limiting the compromise to no more than a specific period of data is a security best practice.
Responsibility: System Administrator
IA Controls: IAKM-1
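As an added illustration of the server-side logic that requirements MDIS-11, MDIS-14, MDIS-16 and MDIS-17 describe (example code written for this page, not part of the STIG or of any MDIS product), the block below compares a device scan manifest against a known-good baseline, classifies file-structure and application changes as findings, attaches a recommended mitigation by severity, and checks whether a device is overdue for its six-hour scan. The baseline, the approved-app list, the scan data and the severity-to-mitigation mapping are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

# From the STIG text: a full scan is required at least every six hours (MDIS-11).
SCAN_INTERVAL_SECONDS = 6 * 3600
# Assumed severity -> mitigation mapping (MDIS-14); a site would take this from
# its IAO-approved response plan, not from this example.
MITIGATIONS = {"HIGH": "alert IAO; quarantine device pending mitigation decision",
               "MEDIUM": "alert system administrator; review within 24 h"}

@dataclass(frozen=True)
class Finding:
    indicator: str  # file_added / file_missing / file_modified / unauthorized_app
    subject: str    # file path or application identifier
    severity: str   # key into MITIGATIONS

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample baseline: path -> SHA-256 of the known-good file contents,
# plus the approved application list recorded at provisioning time.
BASELINE_FILES = {"/usr/lib/libsystem.dylib": sha256(b"libsystem v1"),
                  "/usr/sbin/securityd": sha256(b"securityd v1"),
                  "/etc/profile": sha256(b"profile v1")}
APPROVED_APPS = {"mil.dod.mail", "mil.dod.browser"}

def compare_scan(scan_files, installed_apps, baseline=BASELINE_FILES, approved=APPROVED_APPS):
    """Diff one device scan against the baseline (MDIS-16/17); return findings."""
    findings = []
    for path in sorted(set(baseline) | set(scan_files)):
        if path not in scan_files:            # file removed from the device
            findings.append(Finding("file_missing", path, "HIGH"))
        elif path not in baseline:            # file not in the known-good set
            findings.append(Finding("file_added", path, "HIGH"))
        elif baseline[path] != scan_files[path]:  # contents changed
            findings.append(Finding("file_modified", path, "HIGH"))
    for app in sorted(set(installed_apps) - approved):
        findings.append(Finding("unauthorized_app", app, "MEDIUM"))
    return findings

def recommend(findings):
    """Pair each finding with the recommended mitigation for its severity (MDIS-14)."""
    return [(f.indicator, f.subject, MITIGATIONS[f.severity]) for f in findings]

def scan_overdue(last_scan_epoch: float, now_epoch: float) -> bool:
    """True when the device has not completed a scan within the required interval."""
    return now_epoch - last_scan_epoch > SCAN_INTERVAL_SECONDS

if __name__ == "__main__":
    # Constructed scan: one OS file altered, one new file, one unapproved app installed.
    scan = {"/usr/lib/libsystem.dylib": sha256(b"libsystem v1"),
            "/usr/sbin/securityd": sha256(b"securityd PATCHED"),
            "/etc/profile": sha256(b"profile v1"), "/usr/bin/ssh": sha256(b"ssh binary")}
    for row in recommend(compare_scan(scan, {"mil.dod.mail", "com.example.sideloaded"})):
        print(*row, sep=" | ")
```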