Mobile Email Management (MEM) Server Security Technical Implementation Guide (STIG)

U_MEM_Server_V1R2_manual-xccdf.xml

This STIG provides technical security controls required for the use of a MEM server that manages mobile email from/to mobile devices in the DoD environment. The requirements listed in this benchmark apply to any DoD iOS implementation when iOS devices process sensitive DoD information, connect to a DoD network or network connected PC, or provide service to a DoD email system. The requirements can be implemented in an application server separate from the MDM server or included in the MDM server. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]
Details

Version / Release: V1R2

Published: 2013-05-08

Updated At: 2018-09-23 04:04:14

Rules (fields: Vuln ID | Rule Version | Severity, then Title, Description, Responsibility, IA Controls; the CCI column is empty for every rule in this listing)

SV-30809r2_rule | WIR-WMS-GD-001 | Severity: MEDIUM
Title: The required mobile device management server version (or later) must be used.
Description: Earlier versions of the MDM server may have security vulnerabilities or not have required security features implemented. Therefore, sensitive DoD data could be exposed if required security features are not implemented on site-managed mobile devices.
Responsibility: System Administrator
IA Controls: ECSC-1

SV-30810r2_rule | WIR-WMS-GD-002 | Severity: MEDIUM
Title: The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Tomcat, IIS, etc.).
Description: The host server where the mobile management server is installed must be compliant with the Windows STIG and applicable application STIGs to ensure the system is not vulnerable to an attack resulting in a Denial of Service or compromise of the management server.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1

SV-30812r2_rule | WIR-WMS-GD-004 | Severity: HIGH
Title: The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required.
Description: A mobile device user could get access to unauthorized network resources (application and content servers, etc.) via the communications link between the mobile device and the mobile management server if the server host firewall is not set up as required. HBSS is usually used to satisfy this requirement.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: ECSC-1

SV-32013r2_rule | WIR-WMS-GD-010 | Severity: LOW
Title: The PKI digital certificate installed on mobile management servers for server authentication must be a DoD PKI-issued certificate.
Description: When a self-signed PKI certificate is used, a rogue mobile management server can impersonate the DoD mobile management server. DoDI 8520-02 requires that PKI certificates come from a trusted DoD PKI.
Responsibility: System Administrator
IA Controls: IATS-1

SV-33591r2_rule | WIR-WMS-GD-011 | Severity: HIGH
Title: Authentication on system administration accounts for mobile management servers must be configured to support CTO 07-15 Rev 1 requirements.
Description: CTO 07-15 Rev 1 requires that administrator accounts use either CAC authentication or complex passwords to ensure strong access control is enforced. This is best enforced by requiring the server to support AD authentication.
Responsibility: System Administrator, Information Assurance Officer
IA Controls: IAIA-1, IATS-1

SV-43122r1_rule | WIR-WMS-MEM-01 | Severity: LOW
Title: The MEM client must provide users with the option to deny acceptance of a certificate when the certificate's revocation status cannot be verified.
Description: When the certificate revocation status cannot be verified, the email sender's identity cannot be verified, and the user must have the capability to accept or deny the certificate and act on the email content based on the sensitivity of the email content and mission needs.
Responsibility: System Administrator
IA Controls: IAKM-1, IAKM-2

SV-43123r1_rule | WIR-WMS-MEM-02 | Severity: MEDIUM
Title: The MEM client must alert the user if it receives a public-key certificate issued from an untrusted certificate authority.
Description: When the public-key certificate is issued from an untrusted certificate authority, the certificate cannot be trusted, and the recipient must have the capability to accept or deny the certificate and act on the email content based on the sensitivity of the email content and mission needs.
Responsibility: System Administrator
IA Controls: IAKM-1, IAKM-2

SV-43125r1_rule | WIR-WMS-MEM-03 | Severity: LOW
Title: The MEM client must alert the user if it receives an invalid public-key certificate.
Description: When the public-key certificate is invalid, the certificate cannot be trusted, and the recipient must have the capability to accept or deny the certificate and act on the email content based on the sensitivity of the email content and mission needs.
Responsibility: System Administrator
IA Controls: IAKM-1, IAKM-2

SV-43127r1_rule | WIR-WMS-MEM-04 | Severity: LOW
Title: The MEM client must not accept certificate revocation information without verifying its authenticity.
Description: When the public-key certificate has been identified as revoked but the authenticity of the revocation cannot be verified, the revocation cannot be trusted, and the recipient must have the capability to accept or deny the certificate and act on the email content based on the sensitivity of the email content and mission needs.
Responsibility: System Administrator
IA Controls: IAKM-1, IAKM-2

SV-43128r1_rule | WIR-WMS-MEM-05 | Severity: MEDIUM
Title: The MEM client must verify user digital certificates when performing PKI transactions.
Description: The trust of any PKI operation is contingent on the certificate chain. Authentication and encryption services based on PKI would be untrusted if the certificate chain is not verified.
Responsibility: System Administrator
IA Controls: IAKM-1, IAKM-2

SV-43134r1_rule | WIR-WMS-MEM-07 | Severity: LOW
Title: The MEM client must alert the user if it receives an unverified public-key certificate.
Description: When the public-key certificate is an unverified certificate, the certificate cannot be trusted, and the recipient must have the capability to accept or deny the certificate and act on the email content based on the sensitivity of the email content and mission needs.
Responsibility: System Administrator
IA Controls: IAKM-1, IAKM-2

SV-43135r1_rule | WIR-WMS-MEM-08 | Severity: MEDIUM
Title: All data (including email and attachments) sent over the wireless link between the mobile email client and the MEM server located on the DoD network must be encrypted using AES.
Description: AES is the DoD standard for unclassified data encryption. When other (non-Type 1) encryption algorithms are used, the required level of trust that sensitive DoD data cannot be compromised is not available.
Responsibility: System Administrator
IA Controls: ECCT-1

SV-43136r1_rule | WIR-WMS-MEM-09 | Severity: MEDIUM
Title: The MEM server and client must encrypt all data using a FIPS 140-2 validated cryptographic module.
Description: FIPS 140-2 validated encryption is the DoD standard for unclassified data encryption. When non-FIPS validated encryption modules (other than Type 1) are used, the required level of trust that sensitive DoD data cannot be compromised is not available.
Responsibility: System Administrator
IA Controls: ECCT-1

SV-43137r1_rule | WIR-WMS-MEM-10 | Severity: MEDIUM
Title: The MEM client must be capable of providing S/MIME v3 (or later version) encryption of email.
Description: Sensitive DoD data could be exposed if the required setting is not configured on the Good server. If S/MIME support is not configured on the server, the user will not be able to view critical encrypted email or to encrypt email containing sensitive DoD information.
Responsibility: System Administrator
IA Controls: ECCT-1

SV-43138r1_rule | WIR-WMS-MEM-11 | Severity: LOW
Title: The MEM client S/MIME must be fully interoperable with DoD PKI.
Description: Without DoD PKI interoperability, the S/MIME feature would not work and could not meet DoD S/MIME requirements.
Responsibility: System Administrator
IA Controls: ECCT-1

SV-43139r1_rule | WIR-WMS-MEM-12 | Severity: MEDIUM
Title: The MEM client S/MIME encryption algorithm must support both 3DES and AES.
Description: 3DES and AES are the DoD standard for unclassified data encryption based on DoD PKI certificates. AES is preferred, but some DoD CACs only support the 3DES encryption algorithm. When other (non-Type 1) encryption algorithms are used, the required level of trust that sensitive DoD data cannot be compromised is not available.
Responsibility: System Administrator
IA Controls: ECCT-1

SV-43140r1_rule | WIR-WMS-MEM-13 | Severity: MEDIUM
Title: The MEM client S/MIME cryptographic module must be FIPS 140-2 validated.
Description: FIPS 140-2 validated encryption is the DoD standard for unclassified data encryption. When non-FIPS validated encryption modules (other than Type 1) are used, the required level of trust that sensitive DoD data cannot be compromised is not available.
Responsibility: System Administrator
IA Controls: ECCT-1

SV-43141r1_rule | WIR-WMS-MEM-14 | Severity: LOW
Title: The MEM client must provide the capability to save public certificates of contacts in an acceptable method.
Description: This capability is required to support S/MIME encryption of email. Without S/MIME, end-to-end data encryption is not possible and sensitive DoD data could be compromised.
Responsibility: System Administrator
IA Controls: IAKM-1

SV-43142r1_rule | WIR-WMS-MEM-15 | Severity: LOW
Title: The MEM client must not cache the certificate status of signed emails that have been received on the handheld device beyond the expiration period of the revocation data.
Description: If the revocation status of the certificate is not cached, the email client would need to retrieve the status every time a user opens a signed email, which would cause a usability issue for the mobile email feature and possibly cause the user to begin to ignore the status of signing certificates in received email.
Responsibility: System Administrator
IA Controls: IAKM-1

SV-43143r1_rule | WIR-WMS-MEM-16 | Severity: MEDIUM
Title: The MEM client must set the Smart Card or Certificate Store Password caching timeout period to no more than 120 minutes, if Smart Card or Certificate Store Password caching is available.
Description: The certificate/key store contents must not remain unencrypted indefinitely; otherwise, the encryption keys and PKI certificates stored in the store could be compromised. The store must re-encrypt its contents on or before the required timeout period.
Responsibility: System Administrator
IA Controls: ECCR-1

SV-43144r1_rule | WIR-WMS-MEM-17 | Severity: MEDIUM
Title: The MEM client must provide the mobile device user the capability to digitally sign and/or encrypt outgoing email messages using software or hardware based digital certificates.
Description: The email client must support signing and encrypting email using both software and hardware PKI certificates so that the DoD can use either certificate form factor based on current policy, security threats, and mission needs.
Responsibility: System Administrator
IA Controls: IAKM-1

SV-43145r1_rule | WIR-WMS-MEM-18 | Severity: MEDIUM
Title: The MEM client must provide the mobile device user the capability to decrypt incoming email messages using software or hardware based digital certificates.
Description: The email client must support signature operations (verifying digital signatures) and decrypting email using both software and hardware PKI certificates so that the DoD can use either certificate form factor based on current policy, security threats, and mission needs.
Responsibility: System Administrator
IA Controls: IAKM-1

SV-43146r1_rule | WIR-WMS-MEM-19 | Severity: MEDIUM
Title: The MEM client must provide a mechanism for certificate validation through a trusted OCSP, CRL, or SCVP.
Description: Certificate validation is a key requirement of a robust PKI; therefore, the mobile email server must support all DoD-accepted processes for distributing certificate status information.
Responsibility: System Administrator
IA Controls: IAKM-1

SV-43147r1_rule | WIR-WMS-MEM-20 | Severity: LOW
Title: The MEM client must provide a noticeable warning to the user if the CRL, SCVP, or OCSP server cannot be contacted or the revocation data provided cannot be verified.
Description: Certificate validation is a key requirement of a robust PKI; therefore, the user must be notified if the status of a certificate on a signed email cannot be verified.
Responsibility: System Administrator
IA Controls: IAKM-1

SV-43148r1_rule | WIR-WMS-MEM-21 | Severity: LOW
Title: The MEM client must support retrieving encryption certificates not stored in the local trust anchor store for S/MIME purposes.
Description: S/MIME operations cannot be performed if the device user cannot access public encryption certificates for email recipients; therefore, if encryption certificates are not stored in the contacts list or another local certificate store, S/MIME must be able to retrieve the certificates from the GAL, GDS, or other non-local DoD sources.
Responsibility: System Administrator
IA Controls: IAKM-1

SV-43149r1_rule | WIR-WMS-MEM-22 | Severity: MEDIUM
Title: The MEM client must support SHA2 or later signing operations.
Description: SHA2 or later signing is required because earlier signing algorithms have been compromised and do not provide the required level of trust.
Responsibility: System Administrator
IA Controls: IAKM-1

SV-43150r1_rule | WIR-WMS-MEM-23 | Severity: LOW
Title: The MEM client must either block or convert all active content in email (HTML, RTF, etc.) to text before the email is forwarded to the mobile device.
Description: HTML email and inline images in email can contain malware or links to websites with malware.
Responsibility: System Administrator
IA Controls: DCMC-1

SV-43151r1_rule | WIR-WMS-MEM-24 | Severity: LOW
Title: The MEM client must support SHA2 signature verification.
Description: SHA2 or later signing is required because earlier signing algorithms have been compromised and do not provide the required level of trust.
Responsibility: System Administrator
IA Controls: IAKM-1

SV-43152r1_rule | WIR-WMS-MEM-25 | Severity: MEDIUM
Title: All email sent to the mobile device must be managed by the mobile email server. Desktop- or Internet-controlled email redirection is not authorized.
Description: Desktop- or Internet-controlled mobile email redirection does not allow the mobile email to be managed by a mobile email management server; therefore, email security policies cannot be enforced.
Responsibility: System Administrator
IA Controls: ECWN-1

SV-43153r1_rule | WIR-WMS-MEM-26 | Severity: LOW
Title: The MEM client must enable a system administrator to select which data fields in the contacts database will be available to applications outside of the contacts database.
Description: Sensitive contact information could be exposed to unauthorized people.
Responsibility: System Administrator
IA Controls: ECAN-1

SV-43637r1_rule | WIR-WMS-MDM-03 | Severity: LOW
Title: The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less.
Description: There are two primary methods for generating the encryption key used to encrypt data between the management server and the server agent installed on the mobile device. The first method is to use a shared secret, and the second is to generate the master encryption key based on PKI key generation. When a shared secret is used, if the master encryption key is not rotated periodically and it is compromised, all future data sent between the mobile management server and the agent located on the mobile device would be compromised. Limiting the compromise to no more than a specific period of data is a security best practice.
Responsibility: System Administrator
IA Controls: IAKM-1