BlackBerry Enterprise Server, Part 2 Security Technical Implementation Guide


Overview

Date: 2011-07-14
Finding Count (25): CAT I (High): 5, CAT II (Med): 11, CAT III (Low): 9
STIG Description
BlackBerry Enterprise Server STIG, Part 2 in XCCDF format. Part 1: BES architecture and training requirements. Part 2: BES configuration requirements. Part 3: BES IT Policy configuration requirements.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-19192 High The BES host-based or appliance firewall is configured as required.
V-14022 High The BlackBerry wireless email system is set up with the required system components and software installed on the handheld device.
V-19226 High BlackBerry accounts will not be assigned to the default IT policy on the BES or any other non-STIG compliant IT policy. Accounts will only be assigned a STIG compliant IT policy.
V-22042 High Each Application White List software configuration assigned to each user account must be configured with top-level default “disallow” for all applications. Applications must be specifically allowed at a lower level.
V-16341 High An Application White List software configuration must be assigned to all BES user accounts.
V-22703 Medium All Access Control Rules assigned to user and group accounts must be configured to deny access to all file shares.
V-22055 Medium Application repositories will be located on a DoD-controlled server within a DoD enclave. If not set up, this check is Not Applicable.
V-22056 Medium All user and/or group accounts must have an Access Control Rule assigned to the account.
V-19203 Medium An Application Control Policy must be assigned to each application listed in any Application White List software configuration assigned to user accounts on the BES. Note: This check applies to BES 4.1.x only. On BES 5, an application control policy is automatically assigned when an application is selected for a software configuration.
V-19206 Medium Security controls required on the BES for connections to “back-office” servers.
V-25430 Medium BlackBerry Web Desktop Manager will be configured to disable a user’s capability to perform self-service tasks. This check applies to only BES 5.x.
V-25431 Medium BlackBerry Web Desktop Manager will be configured to permit users to activate new BlackBerry devices only. This check applies to only BES 5.x.
V-19215 Medium The BlackBerry Bluetooth Smart Card Reader (SCR) used with site PCs must be compliant with requirements.
V-22102 Medium The BlackBerry Administration Server (BAS) must be configured for Active Directory authentication using the CAC or for BAS authentication with a CTO 07-15Rev1 compliant administrator password. In addition, service accounts will not be used by administrators to log into the BAS.
V-16343 Medium The BES must be configured to disable the capability of the BES to proxy a user’s authentication to back-office application, web, and content servers. Users must authenticate directly to back-office servers using a USCYBERCOM CTO 07-15Rev1 authorized method.
V-7078 Medium The BlackBerry MDS Integration Service will not be installed on a production BES.
V-19202 Low Non-core applications used on the BlackBerry will be approved.
V-19201 Low The BES must be configured to accept only trusted connections to back-office enclave application or web push servers. Push servers are set up to push content to BlackBerry users (e.g., Remedy ticket notification system).
V-25548 Low The server PKI digital certificate installed on the BES to support BAS and BWDM authentication will be a DoD PKI issued certificate. A self-signed certificate will not be used.
V-11877 Low The Device Transport Key will be configured on the BES for AES encryption.
V-18394 Low The BES is configured to: - Convert HTML and RTF formatted email into text format before sending to a BlackBerry smartphone. - Prevent the BES from sending email messages with inline images to BlackBerry smartphones.
V-22165 Low The BlackBerry Administration Service must be configured to disable a user from creating an activation password via BWDM. This requirement applies only to BES 5.x.
V-22164 Low The key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use must be changed from the default. This check applies only to BES 5.x.
V-22166 Low The Enterprise Server Policy must be enabled to restrict which BlackBerry devices can connect to the BlackBerry Enterprise Server (BES). This requirement is for BES 5.x only.
V-19224 Low Required security controls used when BlackBerry Wi-Fi is used by the site to connect to a DoD Wi-Fi network. Required security controls are in Table 2, BlackBerry STIG Configuration Tables.