Mobile Application Management (MAM) Server Security Technical Implementation Guide (STIG)

  • Version/Release: V1R2
  • Published: 2013-05-08

This STIG provides technical security controls required for the use of a MAM server to manage applications installed on mobile devices in the DoD environment. The requirements listed in this benchmark apply to any DoD iOS implementation when iOS devices process sensitive DoD information, connect to a DoD network or network connected PC, or provide service to a DoD email system. The requirements can be implemented in an application server separate from the MDM server or included in the MDM server. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.
The required mobile device management server version (or later) must be used.
  • Severity: Medium
  • Version: WIR-WMS-GD-001
  • Vuln ID: V-24972
  • Rule ID: SV-30809r2_rule
  • RMF Control: (none listed)
  • CCI: (none listed)
  • Responsibility: System Administrator
  • IA Controls: ECSC-1

Discussion: Earlier versions of the MDM server may have security vulnerabilities or not have required security features implemented. Therefore, sensitive DoD data could be exposed if required security features are not implemented on site-managed mobile devices.
Checks: C-31225r6_chk

On the mobile device management server, determine the version number of the server. The exact procedure will vary, depending on the mobile device management product used.
  • Verify the server version is the latest available version and includes the latest patches available. Talk to the site system administrator and view the vendor's web site to determine the correct version number.
  • Mark as a finding if the server version is not as required.

Fix: F-27612r3_fix

Upgrade to required (or later) mobile device management server version.

The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Tomcat, IIS, etc.).
  • Severity: Medium
  • Version: WIR-WMS-GD-002
  • Vuln ID: V-24973
  • Rule ID: SV-30810r2_rule
  • RMF Control: (none listed)
  • CCI: (none listed)
  • Responsibility: System Administrator, Information Assurance Officer
  • IA Controls: ECSC-1

Discussion: The host server where the mobile management server is installed must be compliant with the Windows STIG and applicable application STIGs to ensure the system is not vulnerable to attack resulting in a Denial of Service or compromise of the management server.
Checks: C-31226r5_chk

Work with the OS Reviewer or check VMS for last review of each host server where a mobile management server is installed. This includes the host server for the MDM, MAM, MDIS, and MEM servers. The review should include the SQL server, Apache Tomcat, and IIS, if installed. Mark as a finding if the previous or current OS review of the Windows server did not include the SQL or other applications included with the management server.

Fix: F-27613r2_fix

Conduct required STIG reviews of the OS and all installed applications on the host server.

The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required.
  • Severity: High
  • Version: WIR-WMS-GD-004
  • Vuln ID: V-24975
  • Rule ID: SV-30812r2_rule
  • RMF Control: (none listed)
  • CCI: (none listed)
  • Responsibility: System Administrator, Information Assurance Officer
  • IA Controls: ECSC-1

Discussion: A mobile device user could get access to unauthorized network resources (application and content servers, etc.) via the communications link between the mobile device and mobile management server if the server host firewall is not set up as required. HBSS is usually used to satisfy this requirement.
Checks: C-31229r7_chk

The host server host-based or appliance firewall must be configured as required. The server firewall is configured with the following rules:
  • Deny all except when explicitly authorized.
  • Internal traffic from the server is limited to internal systems used to host the smartphone services (e.g., email and LDAP servers) and approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized.
  • Internet traffic from the server is limited to only specified services (e.g., Good NOC server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the mobile management server and/or service.
  • Firewall settings listed in the STIG Technology Overview or the vendor's installation manual will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall list of trusted IP addresses and subnets.

Note: At a minimum, the IP address of the site Internet proxy server must be listed so the Good secure browser can connect to the Internet.

Note: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above.

Check Procedures:
  • Verify the firewall configuration meets approved architecture configuration requirements (or have the Network Reviewer do the review of the firewall).
  • Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. IP addresses of the enclave web proxy server and authorized back-office application and content servers the server connects to should be included on this list.
  • Mark as a finding if the IP addresses configured on the server host-based firewall are not on the list of trusted networks.
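The check above can be rehearsed against an exported ruleset before the reviewer sits down with the Network Reviewer. The following is an added example written for this page, not code from the STIG, from HBSS, or from any MDM/MAM vendor: it reads a list of rule records, requires a terminal deny-all, flags any server-initiated internal destination that is not on the trusted list, and flags any Internet-bound rule whose service is not one of the named ones. The rule records, the trusted list, the service labels and the assumption that the enclave's internal space is RFC 1918 are all constructed for the example.

```python
"""Host-firewall rule review for a mobile management server.

Added example, not part of the STIG or of any firewall or MDM/MAM product.
It models the WIR-WMS-GD-004 check: a deny-by-default ruleset whose allowed
internal destinations must all be on the site's list of trusted IP addresses
and subnets, and whose Internet-bound traffic is limited to named services.
The rule records, trusted list and address ranges below are constructed
sample data; the internal address space is assumed to be RFC 1918 only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    direction: str       # "out" for server-initiated connections, "any" for the catch-all
    destination: str     # single IP, CIDR subnet, or "any"
    port: Optional[int]  # None = any port
    service: str         # site label for the service this rule serves


# Constructed sample: the site's firewall list of trusted IP addresses/subnets.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.20.0.0/24",   # approved back-office application/content servers
    "10.20.1.15/32",  # enclave web proxy server
)]

# Assumption (not from the STIG): the enclave's internal address space is RFC 1918.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Internet-bound services the check lists as examples (Good NOC, OCSP, SSL/TLS, HTTP, LDAP).
APPROVED_INTERNET_SERVICES = {"NOC", "OCSP", "TLS", "HTTP", "LDAP"}


def _within(dest, ranges) -> bool:
    """True if the destination network lies inside any network in ranges."""
    return any(dest.version == r.version and dest.subnet_of(r) for r in ranges)


def review_ruleset(rules: List[Rule]) -> List[str]:
    """Return the list of findings for a ruleset; an empty list means compliant."""
    findings: List[str] = []

    # Deny all except when explicitly authorized: the ruleset must end in a catch-all deny.
    if not rules or rules[-1].action != "deny" or rules[-1].destination != "any":
        findings.append("ruleset does not end with a deny-all rule (default must be deny)")

    for r in rules:
        if r.action != "allow" or r.direction != "out":
            continue  # only server-initiated outbound allows are reviewed here
        if r.destination == "any":
            findings.append(f"outbound allow to any destination for {r.service!r} is too broad")
            continue
        dest = ipaddress.ip_network(r.destination, strict=False)
        if _within(dest, INTERNAL_RANGES):
            # Internal traffic: the destination must be on the trusted list.
            if not _within(dest, TRUSTED_NETWORKS):
                findings.append(f"internal destination {r.destination} is not on the trusted list")
        elif r.service not in APPROVED_INTERNET_SERVICES:
            # Internet traffic: only the specified services are permitted.
            findings.append(f"Internet destination {r.destination} for {r.service!r} is not an approved service")
    return findings


# Constructed sample ruleset with two deliberate deviations.
SAMPLE_RULES = [
    Rule("allow", "out", "10.20.0.0/24", 443, "APP"),       # trusted content servers
    Rule("allow", "out", "10.20.1.15", 8080, "PROXY"),      # trusted web proxy
    Rule("allow", "out", "10.30.7.9", 445, "FILESHARE"),    # internal host not on the trusted list
    Rule("allow", "out", "203.0.113.5", 443, "NOC"),        # approved Internet service
    Rule("allow", "out", "198.51.100.20", 25, "SMTP"),      # Internet service not on the approved list
    Rule("deny", "any", "any", None, ""),                   # terminal deny-all
]

if __name__ == "__main__":
    for finding in review_ruleset(SAMPLE_RULES) or ["no findings"]:
        print(finding)
```

On the sample ruleset the review reports the untrusted internal file-share destination and the direct Internet SMTP rule; dropping the final deny rule adds a third finding for the missing default deny. Real exports carry more fields (source, protocol, interface), but the three tests shown are the ones the check procedure asks the reviewer to make.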

Fix: F-27616r2_fix

Install the management server host-based or appliance firewall and configure as required.

The PKI digital certificate installed on mobile management servers for server authentication must be a DoD PKI-issued certificate.
  • Severity: Low
  • Version: WIR-WMS-GD-010
  • Vuln ID: V-25754
  • Rule ID: SV-32013r2_rule
  • RMF Control: (none listed)
  • CCI: (none listed)
  • Responsibility: System Administrator
  • IA Controls: IATS-1

Discussion: When a self-signed PKI certificate is used, a rogue mobile management server can impersonate the DoD mobile management server. DoDI 8520.02 requires PKI certificates come from a trusted DoD PKI.
Checks: C-32242r9_chk

Verify a DoD server certificate has been installed on the mobile management server and that the self-signed certificate, available as an option during the setup of the wireless email management server, has not been installed. The check procedure will depend on the mobile management server product used. Mark as a finding if a DoD server certificate has not been installed on the mobile device management server.

For the Good Technology server follow these procedures:
  • Ask the SA to access the Good server using Internet Explorer. Verify no certificate error occurs.
  • Click the Lock icon next to the address bar, then select “view certificates”. On the General tab, verify the “Issued to:” and “Issued by:” fields do not show the same value. Then on the Certification Path tab, verify the top certificate is a trusted DoD Root certificate authority (e.g., DoD Root CA 2) and the certificate status field states “This certificate is OK”.
  • If a certificate error occurs, either the default self-signed certificate is still installed, the Good server has not been rebooted since the DoD-issued certificate has been installed, or the computer accessing the Good server does not have the DoD Root and Intermediate certificate authorities installed. The reviewer can select the “Continue to this website” option and follow the same procedure above. If the certificate is issued from an approved DoD PKI, ask the SA to run InstallRoot on the computer accessing the Good server. Otherwise, have the SA follow the procedures outlined in the STIG to request/install a certificate issued from a trusted DoD PKI.
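The three outcomes the procedure above distinguishes (self-signed leaf, chain ending at a non-DoD root, chain that cannot be completed because the DoD CAs are not installed on the reviewing machine) can be written down as a small chain walk. The following is an added example for this page, not code from the STIG or from Good Technology: it compares only the subject and issuer names, exactly as the browser's General and Certification Path tabs do, so it is a rehearsal of the manual check and not a substitute for the signature verification a TLS library performs. The intermediate CA name, the vendor root name and the server name are constructed placeholders; DoD Root CA 2 is the root the check itself cites.

```python
"""Certification-path review for a mobile management server certificate.

Added example, not part of the STIG or of any vendor product. It reproduces
the reasoning of the WIR-WMS-GD-010 check as done in a browser's certificate
viewer: a leaf whose "Issued to" equals "Issued by" is self-signed, and an
acceptable chain must terminate at a trusted DoD root CA (the STIG names
DoD Root CA 2 as an example). Only subject/issuer names are compared, as
the manual check does; a TLS library must still verify the signatures.
All certificate records and names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class CertInfo:
    subject: str  # "Issued to"
    issuer: str   # "Issued by"


# Trust anchors the reviewer accepts. DoD Root CA 2 is the name the STIG cites.
DOD_TRUSTED_ROOTS: Set[str] = {"CN=DoD Root CA 2"}


def build_chain(leaf: CertInfo, store: Dict[str, CertInfo]) -> List[CertInfo]:
    """Walk issuer links from the leaf through the installed CA store.

    Stops at a self-signed certificate (the root) or when the issuer is not
    installed, which is what happens on a machine without the DoD CAs.
    """
    chain = [leaf]
    seen = {leaf.subject}
    current = leaf
    while current.subject != current.issuer:
        parent = store.get(current.issuer)
        if parent is None or parent.subject in seen:
            break
        chain.append(parent)
        seen.add(parent.subject)
        current = parent
    return chain


def review_server_certificate(leaf: CertInfo, store: Dict[str, CertInfo],
                              trusted_roots: Set[str] = DOD_TRUSTED_ROOTS) -> str:
    """Return a status string mirroring the outcomes described in the check."""
    if leaf.subject == leaf.issuer:
        return "FINDING: self-signed certificate (Issued to and Issued by are the same)"
    top = build_chain(leaf, store)[-1]
    if top.subject != top.issuer:
        # The chain cannot be completed: the issuing CA is not installed locally.
        return (f"UNDETERMINED: issuer {top.issuer!r} not installed; "
                "install the DoD Root and Intermediate CAs (e.g., InstallRoot) and re-check")
    if top.subject not in trusted_roots:
        return f"FINDING: chain terminates at untrusted root {top.subject!r}"
    return f"OK: chain terminates at trusted DoD root {top.subject!r}"


# Constructed sample CA store; the intermediate and vendor names are placeholders.
SAMPLE_STORE = {
    "CN=DoD Root CA 2": CertInfo("CN=DoD Root CA 2", "CN=DoD Root CA 2"),
    "CN=PLACEHOLDER DoD Intermediate CA": CertInfo("CN=PLACEHOLDER DoD Intermediate CA",
                                                   "CN=DoD Root CA 2"),
    "CN=Vendor Default Root": CertInfo("CN=Vendor Default Root", "CN=Vendor Default Root"),
}
LEAF_DOD = CertInfo("CN=mam-server.example", "CN=PLACEHOLDER DoD Intermediate CA")
LEAF_SELF_SIGNED = CertInfo("CN=mam-server.example", "CN=mam-server.example")
LEAF_VENDOR = CertInfo("CN=mam-server.example", "CN=Vendor Default Root")

if __name__ == "__main__":
    for leaf in (LEAF_DOD, LEAF_SELF_SIGNED, LEAF_VENDOR):
        print(review_server_certificate(leaf, SAMPLE_STORE))
    # The same DoD-issued leaf seen from a machine without the intermediate CA installed.
    print(review_server_certificate(LEAF_DOD, {"CN=DoD Root CA 2": SAMPLE_STORE["CN=DoD Root CA 2"]}))
```

The UNDETERMINED branch is the case the check warns about: a certificate error on the reviewer's workstation does not by itself prove the server is misconfigured, and the procedure has the SA run InstallRoot before the result is recorded as a finding.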

Fix: F-28607r3_fix

Use a DoD-issued digital certificate on the mobile management server.

Authentication on system administration accounts for mobile management servers must be configured to support CTO 07-15 Rev 1 requirements.
  • Severity: High
  • Version: WIR-WMS-GD-011
  • Vuln ID: V-26564
  • Rule ID: SV-33591r2_rule
  • RMF Control: (none listed)
  • CCI: (none listed)
  • Responsibility: System Administrator, Information Assurance Officer
  • IA Controls: IAIA-1, IATS-1

Discussion: CTO 07-15 Rev 1 requires administrator accounts use either CAC authentication or use complex passwords to ensure strong access control is enforced. This is best enforced by requiring the server support AD authentication.
Checks: C-34053r4_chk

Review the admin accounts settings on the mobile management server to verify CTO 07-15 Rev 1 required authentication is enabled for admin accounts. The check procedure will depend on the mobile management server product used. Mark as a finding if site admin accounts do not meet the requirements.

Fix: F-29731r2_fix

Configure required authentication on system administration accounts for mobile management servers.

The MAM server must be able to obtain applications from a DoD-managed application store.
  • Severity: Medium
  • Version: WIR-WMS-MAM-01
  • Vuln ID: V-32767
  • Rule ID: SV-43113r1_rule
  • RMF Control: (none listed)
  • CCI: (none listed)
  • Responsibility: System Administrator
  • IA Controls: DCSQ-1

Discussion: Applications installed on the device must come from approved sources to ensure the security baseline of the device is not compromised by the application; otherwise sensitive DoD data and the enclave could be at risk of being compromised because the security baseline of the device has been compromised. If the MAM obtains applications from unauthorized sources, the application could contain malware and modify the security baseline of the mobile device, which may result in the exposure of sensitive DoD data.
Checks: C-41101r4_chk

The MAM server must only host DoD approved applications. Verify the MAM server can obtain applications from a DoD-managed application store. Talk to the site system administrator and have them show this capability exists in the MAM server. Also, review MAM product documentation. Note: It may be possible that a DoD app store includes some or all MAM server requirements. If all required MAM functions are found in the DoD app store, this check is not applicable. Mark as a finding if the MAM server does not have required features.

Fix: F-36649r2_fix

Use a MAM product that is able to obtain applications from a DoD-managed application store.

The MAM server must install required applications on managed mobile devices.
  • Severity: Low
  • Version: WIR-WMS-MAM-02
  • Vuln ID: V-32768
  • Rule ID: SV-43114r1_rule
  • RMF Control: (none listed)
  • CCI: (none listed)
  • Responsibility: System Administrator
  • IA Controls: DCPR-1

Discussion: Some required applications are used to implement required security controls, which affect the security baseline of the device. If the security baseline is not maintained, sensitive DoD data and the enclave could be at risk of being compromised because the security baseline of the device has been compromised.
Checks: C-41102r4_chk

Verify the MAM server can install required applications on managed mobile devices. The MAM should not install applications on the mobile device without user acceptance of the installation. Talk to the site system administrator and have them show this capability exists in the MAM server. Also, review MAM product documentation. Mark as a finding if the MAM server does not have required features.

Fix: F-36650r2_fix

Use a MAM product that can install required applications on managed mobile devices and does not install applications on the mobile device without user acceptance of the installation.

The MAM server must manage a list of authorized applications (white list) by device account and by group account.
  • Severity: High
  • Version: WIR-WMS-MAM-03
  • Vuln ID: V-32769
  • Rule ID: SV-43115r1_rule
  • RMF Control: (none listed)
  • CCI: (none listed)
  • Responsibility: System Administrator
  • IA Controls: DCPR-1

Discussion: Application white list enforcement ensures only authorized applications are installed on managed mobile devices. An unauthorized application could contain malware. In addition, the white list feature ensures malware from an email attachment or from a web site has not been installed on the device.
Checks: C-41103r7_chk

Verify the MAM server can manage a list of authorized applications (white list) by device account and by group account. Talk to the site system administrator and have them show this capability exists in the MAM server. Also, review MAM product documentation. Mark as a finding if the MAM server does not have required features and is not configured as required.

Fix: F-36651r5_fix

Use a MAM product that can manage a list of authorized applications (white list) by device account and by group account.

The MAM server must be configured to prohibit the removal of required applications on managed devices or alert and take a predefined action if required applications have been removed.
  • Severity: Medium
  • Version: WIR-WMS-MAM-04
  • Vuln ID: V-32770
  • Rule ID: SV-43116r1_rule
  • RMF Control: (none listed)
  • CCI: (none listed)
  • Responsibility: System Administrator
  • IA Controls: DCPR-1

Discussion: Some required applications are used to implement required security controls, which affect the security baseline of the device. If the security baseline is not maintained, sensitive DoD data and the enclave could be at risk of being compromised because the security baseline of the device has been compromised.
Checks: C-41104r7_chk

Interview the IAM/IAO and obtain a list of required applications. These are applications that must be present on managed devices. Note the list of applications may be different for different groups of users. Verify the MAM server has been configured to prohibit the removal of required applications on managed devices or alert and take a predefined action if required applications have been removed. Talk to the site system administrator and have them show this capability has been configured on the MAM server. Also, review MAM product documentation. Mark as a finding if the MAM server is not configured to prohibit the removal of required applications on managed devices or alert and take a predefined action if required applications have been removed. Note that it is also a finding if the MAM server does not have required capabilities.

Fix: F-36652r4_fix

Configure the MAM server to prohibit the removal of required applications on managed devices or alert and take a predefined action if required applications have been removed.

The MAM server must scan the list of installed applications on managed mobile devices every 6 hours or less to determine if unapproved applications are installed.
  • Severity: High
  • Version: WIR-WMS-MAM-05
  • Vuln ID: V-32771
  • Rule ID: SV-43117r1_rule
  • RMF Control: (none listed)
  • CCI: (none listed)
  • Responsibility: System Administrator
  • IA Controls: ECAT-1

Discussion: An unauthorized application could contain malware or be a malware application.
Checks: C-41105r8_chk

Note: For some implementations, this requirement may be accomplished by the MDM server rather than the MAM server. If that is the case for the system under review, perform the following procedure for the MDM server instead of the MAM server:
  • Verify the MAM server scans the list of installed applications on managed mobile devices on a predefined periodic basis (at least every 6 hours). The MAM server must be able to scan for both managed and unmanaged applications in both work and non-work environments on the device (if the device supports more than one environment).
  • Talk to the site system administrator and have them show these capabilities exist in the MAM server. Also, review MAM product documentation.
Mark as a finding if the MAM server does not have required features.

Fix: F-36653r4_fix

Use a MAM product that scans the list of installed applications on managed mobile devices on a predefined periodic basis.

The MAM server must manage the installation of updates and patches for installed applications on managed mobile devices.
  • Severity: Medium
  • Version: WIR-WMS-MAM-07
  • Vuln ID: V-32772
  • Rule ID: SV-43118r1_rule
  • RMF Control: (none listed)
  • CCI: (none listed)
  • Responsibility: System Administrator
  • IA Controls: DCPR-1

Discussion: Timely installation of application patches is a key mitigation action against compromise of an IT system by known attack methods.
Checks: C-41141r3_chk

Verify the MAM server manages the installation of updates and patches for installed applications on managed mobile devices. Talk to the site system administrator and have them show this capability exists in the MAM server. Also, review MAM product documentation. Mark as a finding if the MAM server does not have required features.

Fix: F-36689r2_fix

Use a MAM product that manages the installation of updates and patches for installed applications on managed mobile devices.

The MAM server must allow the inspection of installed applications on managed mobile devices.
  • Severity: Medium
  • Version: WIR-WMS-MAM-08
  • Vuln ID: V-32774
  • Rule ID: SV-43120r1_rule
  • RMF Control: (none listed)
  • CCI: (none listed)
  • Responsibility: System Administrator
  • IA Controls: DCPR-1

Discussion: The MAM must be able to determine key attributes of managed applications to ensure only authorized applications are installed on the device.
Checks: C-41107r7_chk

Verify the MAM server allows the inspection of key attributes (name and version) of installed applications on managed mobile devices. Talk to the site system administrator and have them show this capability exists in the MAM server and is enabled. Also, review MAM product documentation. Mark as a finding if the MAM server does not have required features.

Fix: F-36655r4_fix

Use a MAM product that allows the inspection of installed applications on managed mobile devices, and ensure the feature is enabled.

The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed every 30 days or less.
  • Severity: Low
  • Version: WIR-WMS-MDM-03
  • Vuln ID: V-33231
  • Rule ID: SV-43637r1_rule
  • RMF Control: (none listed)
  • CCI: (none listed)
  • Responsibility: System Administrator
  • IA Controls: IAKM-1

Discussion: There are two primary methods for generating the encryption key used to encrypt data between the management server and the server agent installed on the mobile device. The first method is to use a shared secret and the second is to generate the master encryption key based on PKI key generation. When a shared secret is used, if the master encryption key is not rotated periodically, and it is compromised, all future data sent between the mobile management server and the agent located on the mobile device would be compromised. Limiting the compromise to no more than a specific period of data is a security best practice.
Checks: C-41503r3_chk

This requirement applies to any mobile management server, including the MDM, MAM, MDIS, and MEM. If PKI-based encryption key generation is used between the management server and the agent on the mobile device, this check is not applicable. Work with the server system administrator and determine how the encryption key is generated. If a shared secret is used between the management server and the agent on the mobile device, view the configuration of the master encryption key on the server. Verify AES is used for the master encryption key and it is set to rotate at least every 30 days. Mark as a finding if the master encryption key is not rotated at least every 30 days or AES encryption is not used.

Fix: F-37140r1_fix

Use an AES master encryption key and set it to rotate at least every 30 days.

The MAM server must take predefined actions if unapproved applications are found after a scan of managed mobile devices.
  • Severity: High
  • Version: WIR-WMS-MAM-06
  • Vuln ID: V-34417
  • Rule ID: SV-45051r1_rule
  • RMF Control: (none listed)
  • CCI: (none listed)
  • Responsibility: System Administrator
  • IA Controls: ECAT-1

Discussion: An unauthorized application could contain malware or be a malware application. If the malware is not removed in a timely manner, DoD data and the enclave could be at risk of being compromised because the security baseline of the device has been compromised.
Checks: C-42428r2_chk

Note: For some implementations, this requirement may be accomplished by the MDM server rather than the MAM server. If that is the case for the system under review, perform the following procedure for the MDM server:
  • Verify the MAM server is configured so if a finding occurs during a scan, the server alerts the system administrator and disables or isolates unauthorized applications.
  • Verify the MAM server has the capability to be configured by the system administrator to automatically delete unauthorized applications or wipe the mobile device after an unauthorized application is found. (These are optional settings that are recommended, but not required to be set by the system administrator.)
  • Talk to the site system administrator and have them show these capabilities exist in the MAM server. Also, review MAM product documentation.
Mark as a finding if the MAM server does not have required features.
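The application requirements WIR-WMS-MAM-03 (white list by device account and by group account), MAM-04 (required applications must not be removed), MAM-05 (inventory at least every 6 hours), MAM-08 (inspect name and version) and MAM-06 above (predefined actions on a finding) all act on the same inventory record, so one evaluator illustrates what a compliant MAM server has to compute for each device. The following is an added example written for this page, not code from the STIG or from any MAM product. The group names, application names, device records and scan times are constructed; the optional automatic-delete response that MAM-06 describes as recommended but not required is modelled as an opt-in flag, and the group white list is merged with the device account's own additions, which is one reading of "by device account and by group account" rather than a statement about any product.

```python
"""Evaluate a MAM inventory scan against the site's application policy.

Added example, not code from the STIG or from any MAM product. It models
WIR-WMS-MAM-03 (white list by device and group), MAM-04 (required apps must
remain installed), MAM-05 (scan at least every 6 hours), MAM-06 (predefined
actions when unapproved apps are found) and MAM-08 (inspect name/version).
All group, device and application data below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

SCAN_INTERVAL = timedelta(hours=6)  # MAM-05: every 6 hours or less


@dataclass(frozen=True)
class App:
    name: str     # key attributes the MAM must be able to inspect (MAM-08)
    version: str


@dataclass
class GroupPolicy:
    allowed: Set[str]   # white list for the group account (MAM-03)
    required: Set[str]  # applications that must stay installed (MAM-04)


@dataclass
class Device:
    device_id: str
    groups: List[str]
    extra_allowed: Set[str]  # device-account additions to the white list (MAM-03)
    installed: List[App]     # result of the last inventory scan
    last_scan: datetime


@dataclass(frozen=True)
class Finding:
    device_id: str
    kind: str    # "unapproved", "missing_required" or "stale_scan"
    detail: str
    action: str  # predefined response (MAM-06)


def effective_policy(device: Device, groups: Dict[str, GroupPolicy]) -> GroupPolicy:
    """Merge the device's group white lists with its device-account list.

    Required applications are implicitly authorized so they never show up as unapproved.
    """
    allowed, required = set(device.extra_allowed), set()
    for name in device.groups:
        allowed |= groups[name].allowed
        required |= groups[name].required
    return GroupPolicy(allowed | required, required)


def evaluate_device(device: Device, groups: Dict[str, GroupPolicy], now: datetime,
                    auto_delete: bool = False) -> List[Finding]:
    """Return the findings for one device; an empty list means compliant."""
    findings: List[Finding] = []
    age = now - device.last_scan
    if age > SCAN_INTERVAL:  # MAM-05: inventory is older than the required cadence
        findings.append(Finding(device.device_id, "stale_scan", f"last inventory {age} ago",
                                "alert administrator and trigger an inventory scan"))
    policy = effective_policy(device, groups)
    for app in device.installed:
        if app.name not in policy.allowed:  # MAM-03 white list violation
            response = "delete application" if auto_delete else "disable or isolate application"
            findings.append(Finding(device.device_id, "unapproved", f"{app.name} {app.version}",
                                    "alert administrator; " + response))  # MAM-06
    present = {app.name for app in device.installed}
    for name in sorted(policy.required - present):  # MAM-04 required app removed
        findings.append(Finding(device.device_id, "missing_required", name,
                                "alert administrator; reinstall required application"))
    return findings


def evaluate_fleet(devices: List[Device], groups: Dict[str, GroupPolicy], now: datetime,
                   auto_delete: bool = False) -> Dict[str, List[Finding]]:
    return {d.device_id: evaluate_device(d, groups, now, auto_delete) for d in devices}


# Constructed sample data: two group accounts and three managed devices.
NOW = datetime(2013, 5, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_GROUPS = {
    "field-users": GroupPolicy(allowed={"Secure Mail", "Secure Browser"}, required={"Secure Mail"}),
    "admins": GroupPolicy(allowed={"Secure Mail", "Secure Browser", "Admin Console"},
                          required={"Secure Mail"}),
}
SAMPLE_DEVICES = [
    Device("dev-A", ["field-users"], set(),
           [App("Secure Mail", "3.1"), App("Secure Browser", "2.0"), App("Flashlight Free", "1.0")],
           NOW - timedelta(hours=2)),                          # unapproved app installed
    Device("dev-B", ["field-users"], set(),
           [App("Secure Browser", "2.0")], NOW - timedelta(hours=1)),  # required app removed
    Device("dev-C", ["admins"], {"Map Viewer"},
           [App("Secure Mail", "3.1"), App("Map Viewer", "5.2")],
           NOW - timedelta(hours=9)),                          # inventory older than 6 hours
]

if __name__ == "__main__":
    for device_id, findings in evaluate_fleet(SAMPLE_DEVICES, SAMPLE_GROUPS, NOW).items():
        for f in findings:
            print(device_id, f.kind, f.detail, "->", f.action)
```

Each sample device trips exactly one requirement: dev-A carries an application outside its group's white list, dev-B has lost a required application, and dev-C's inventory is nine hours old although its device-account addition keeps Map Viewer from being reported. Running with auto_delete=True switches the MAM-06 response for dev-A from disable/isolate to delete, which is the optional setting the check describes.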

Fix: F-38462r1_fix

Use a MAM product that takes predefined actions if unapproved applications are found on managed mobile devices after a scan.