
The Enterprise Server Policy must be enabled to restrict which Blackberry devices can connect to the Blackberry Enterprise Server (BES). This requirement is for BES 5.x only.


Overview

Finding ID: V-22166
Version: WIR1360-01
Rule ID: SV-25766r2_rule
IA Controls: ECWN-1
Severity: Low
Description
The overall security posture of the Blackberry system is dependent on strict configuration management controls, including ensuring only authorized Blackberry devices are being used and authorized devices are provisioned as required. Setting up and properly configuring the Enterprise Server Policy restricts activation to only Blackberry devices where the BES system administrator has listed the PIN of the device in the Enterprise Server Policy. The user or site can then activate the authorized device either via a wireless connection or network connection using BlackBerry Desktop Manager or BlackBerry Web Desktop Manager (BWDM).
STIG: BlackBerry Enterprise Server, Part 2 Security Technical Implementation Guide
Date: 2011-07-14

Details

Check Text (C-27176r1_chk)
Verify the Enterprise Server Policy is configured to restrict which Blackberry devices can connect to the BES.

Step 1
-BAS > Servers and components > Blackberry solution topology > BlackBerry Domain > Components view > Component view

-Click “BlackBerry Enterprise Server.”

-Click “Turn on Enterprise Service Policy” and verify under the Enterprise Service Policy box it shows “Turned on.”

Mark as a finding if not set as required.

Step 2
-BAS > Servers and components > Blackberry solution topology > BlackBerry Domain > Components view > Component view.

-Click “BlackBerry Enterprise Server.”

-Click “Edit component.”

-In the Enterprise Service Policy section, review the list of BlackBerry PINs in the “Allowed” drop-down list.

-Ask the System Administrator to describe the procedure used to remove non-active devices from the list as soon as users move to a new device. The PIN should be removed within 48 hours after the user has activated their new BlackBerry.

Mark as a finding if no procedure exists.

Step 3
-BAS > BlackBerry solution management menu > expand User

-Click Manage users.

-For 20+ users selected from different offices or sites managed by the BES, do the following:

-Search for a user account and click on the account, then

-Click on the component information tab.

-In the Blackberry Enterprise Server information section, for the “Enterprise service policy override,” verify “True” is not listed.

Mark as a finding if not set as required.
Fix Text (F-23384r1_fix)
The Enterprise Server Policy must be enabled to restrict which Blackberry devices can connect to the Blackberry Enterprise Server (BES).