The BlackBerry Administration Server (BAS) must be configured for Active Directory authentication using the CAC or for BAS authentication with a CTO 07-15Rev1 compliant administrator password. In addition, service accounts will not be used by administrators to log into the BAS.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22102	WIR1355-01	SV-25547r3_rule	ECWN-1	Medium

Description
The BAS provides the administrator interface for the BES. CTO 07-15Rev1 requires administrator accounts use either CAC authentication or use complex passwords to ensure storing access control is enforced.

STIG	Date
BlackBerry Enterprise Server, Part 2 Security Technical Implementation Guide	2011-07-14

Details

Check Text ( C-27032r2_chk )
1. Determine if the site is using BES version 5.0.2 or later. -If yes, verify system administrators (SAs) are using AD authentication (called Single Sign-On Authentication in the BES admin guide). If yes, there is no finding. Note: User authentication via CAC is supported in BES 5.0.2 and later, via Single Sign-On Authentication. The user will not need to enter their CAC PIN because they have already authenticated to the network via CAC authentication, which is verified during the connection process to the BAS. To verify Single Sign-On Authentication is enabled, use the following procedure: -Launch the BlackBerry Administration Service. On the Servers and components menu, expand BlackBerry Solution Topology > BlackBerry Domain > Component view. -Click BlackBerry Administration Service. -On the Microsoft Active Directory authentication tab, click Edit component. -In the Login Domain section, in the Single sign-on authentication for BlackBerry Administration Service turned on drop-down list, verify Yes has been selected. Mark as a finding if BES 5.0.2 is installed and Single Sign-On Authentication is not enabled. 2. If BES 5.0.2 or later is not used, the system admin must log into the BAS using BAS authentication and the account password must be compliant with CTO 07-15 Rv1. Verify BAS is configured to require system admin accounts use 14+ character complex passwords (at least 2 of the following: upper case letter, lower case letter, and number; special characters are not supported) and the password is changed every 60 days. -BAS > Servers and components > Blackberry solution topology > BlackBerry Domain > Components > Blackberry Administration service -Look at the Security settings box. -Verify minimum password length is set to 14 or more. -Verify Password expiry (days) is set to 60 or less. Mark as a finding if BAS authentication is used and the account password is not configured for required length, or required complexity, or required expiration duration. 3. Talk to the BES system administrator and verify he/she is aware that service accounts should not be used to log into the BAS (except for system maintenance functions).

Check Text ( C-27032r2_chk )

1. Determine if the site is using BES version 5.0.2 or later.

-If yes, verify system administrators (SAs) are using AD authentication (called Single Sign-On Authentication in the BES admin guide). If yes, there is no finding.

Note: User authentication via CAC is supported in BES 5.0.2 and later, via Single Sign-On Authentication. The user will not need to enter their CAC PIN because they have already authenticated to the network via CAC authentication, which is verified during the connection process to the BAS.

To verify Single Sign-On Authentication is enabled, use the following procedure:
-Launch the BlackBerry Administration Service. On the Servers and components menu, expand BlackBerry Solution Topology > BlackBerry Domain > Component view.
-Click BlackBerry Administration Service.
-On the Microsoft Active Directory authentication tab, click Edit component.
-In the Login Domain section, in the Single sign-on authentication for BlackBerry Administration Service turned on drop-down list, verify Yes has been selected.

Mark as a finding if BES 5.0.2 is installed and Single Sign-On Authentication is not enabled.

2. If BES 5.0.2 or later is not used, the system admin must log into the BAS using BAS authentication and the account password must be compliant with CTO 07-15 Rv1. Verify BAS is configured to require system admin accounts use 14+ character complex passwords (at least 2 of the following: upper case letter, lower case letter, and number; special characters are not supported) and the password is changed every 60 days.

-BAS > Servers and components > Blackberry solution topology > BlackBerry Domain > Components > Blackberry Administration service

-Look at the Security settings box.

-Verify minimum password length is set to 14 or more.

-Verify Password expiry (days) is set to 60 or less.

Mark as a finding if BAS authentication is used and the account password is not configured for required length, or required complexity, or required expiration duration.

3. Talk to the BES system administrator and verify he/she is aware that service accounts should not be used to log into the BAS (except for system maintenance functions).

Fix Text (F-23383r1_fix)
The BlackBerry Administration Server (BAS) must be configured for Active Directory (AD) authentication using the CAC or for BAS authentication with a CTO 07-15Rev1 compliant administrator password. In addition, service accounts will not be used by administrators to log into the BAS.