Each Application White List software configuration assigned to each user account must be configured with top-level default “disallow” for all applications. Applications must be specifically allowed at a lower level.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22042	WIR1310-02	SV-25372r1_rule	ECSC-1	High

Description
The primary BlackBerry malware control is to set up an Application White List where the use of all applications is denied unless an application is expressly allowed. Otherwise, malware could be installed on the BlackBerry.

STIG	Date
BlackBerry Enterprise Server, Part 2 Security Technical Implementation Guide	2011-07-14

Details

Check Text ( C-26913r1_chk )
Verify for each Application White List software configuration identified in check WIR1310-01 that a “Deny All” policy has been assigned to the software configuration. (This configuration stops the execution of any application not specifically allowed.) For BES 5 -BAS > BlackBerry solution management > Software > Manage software configurations. -For each software configuration listed (all Application White List software configurations will be in this list), click on the software configuration and verify “Disposition for unlisted applications” is set to “Disallowed” and disposition for “Application control policy for unlisted applications” is set to “Standard Unlisted Disallowed.” For BES 4.1.x Step 1: - In the BlackBerry Manager, click BlackBerry Domain in the left pane. - Click Software Configurations tab. - In the Configuration Name list, double click on each Application White List software configuration (in turn) that was assigned to a user account. - Expand the Application Software tree. - Write down the name of the Application Control Policy that has been assigned to the upper level Application Software group. It will be listed in the Policy column to the right of the Delivery column. -Mark as a finding if an Application Control Policy has not been assigned to any Application Software group for each software configuration. Step 2: Verify each Application Control Policy identified in Step 1 has been configured with a “Deny All” policy. - In the BlackBerry Manager, in the left pane, click BlackBerry Domain - On the Software Configurations tab, click Manage Application Policies. - For each application control policy identified in Step 1, double click the policy to open it and verify it has been configured exactly like Figure 3.1 in the BlackBerry STIG Overview. Note: If the site has followed the procedures for setting up an Application White List found in Section 3.2.5.2 of the BlackBerry STIG Overview, the "Deny All" Application Control Policy will have the following title: "Disallowed Application." (The title of the Application Control Policy is not important; verify the policy is configured as required.) Mark as a finding if any Application Control Policy is not configured as required.

Check Text ( C-26913r1_chk )

Verify for each Application White List software configuration identified in check WIR1310-01 that a “Deny All” policy has been assigned to the software configuration. (This configuration stops the execution of any application not specifically allowed.)

For BES 5
-BAS > BlackBerry solution management > Software > Manage software configurations.

-For each software configuration listed (all Application White List software configurations will be in this list), click on the software configuration and verify “Disposition for unlisted applications” is set to “Disallowed” and disposition for “Application control policy for unlisted applications” is set to “Standard Unlisted Disallowed.”

For BES 4.1.x
Step 1:
- In the BlackBerry Manager, click BlackBerry Domain in the left pane.
- Click Software Configurations tab.
- In the Configuration Name list, double click on each Application White List software configuration (in turn) that was assigned to a user account.
- Expand the Application Software tree.
- Write down the name of the Application Control Policy that has been assigned to the upper level Application Software group. It will be listed in the Policy column to the right of the Delivery column.
-Mark as a finding if an Application Control Policy has not been assigned to any Application Software group for each software configuration.

Step 2: Verify each Application Control Policy identified in Step 1 has been configured with a “Deny All” policy.

- In the BlackBerry Manager, in the left pane, click BlackBerry Domain
- On the Software Configurations tab, click Manage Application Policies.
- For each application control policy identified in Step 1, double click the policy to open it and verify it has been configured exactly like Figure 3.1 in the BlackBerry STIG Overview.

Note: If the site has followed the procedures for setting up an Application White List found in Section 3.2.5.2 of the BlackBerry STIG Overview, the "Deny All" Application Control Policy will have the following title: "Disallowed Application." (The title of the Application Control Policy is not important; verify the policy is configured as required.)

Mark as a finding if any Application Control Policy is not configured as required.

Fix Text (F-23366r1_fix)
Each Application White List software configuration assigned to each user account must be configured with top level default “disallow” for all applications.