Security controls must be set up on the BES for connections to “back-office” servers.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-19206	WIR1315-02	SV-21095r2_rule	ECSC-1	Medium

Description
Strong access controls to back-office servers are required to ensure DoD data is not exposed to users of the BlackBerry system that are not authorized to access the server.

STIG	Date
BlackBerry Enterprise Server, Part 2 Security Technical Implementation Guide	2012-10-01

Details

Check Text ( C-23143r2_chk )
Detailed Policy Requirements: If the site provides BlackBerry users access to “back-office” applications and content servers located on the site network enclave, the following controls will be implemented: - All enclave application and content servers that are accessed by BlackBerry users will implement CAC authentication. - The BES host-based firewall is set to block connections to back-office application and content servers unless the server IP address is on the firewall list of trust IP addresses and subnets. Note: BlackBerry back-office application and content servers include J2ME application servers, SOAP web services, and web servers. Check Procedures: Ask the BlackBerry SA if the site provides BlackBerry users access to “back-office” applications and content servers located on the site network enclave. If the response is “Yes”, ask for a list of all enclave servers BlackBerry users can access and then perform the following checks. - Verify CAC authentication has been implemented on each server. Have the Windows reviewer assist with the review of each server. Mark as a finding if CAC authentication has not been implemented on each server. - Verify the BES host-based firewall has been configured as required. This check should have been performed during the review of check WIR1300-02. Confirm this requirement was reviewed.

Check Text ( C-23143r2_chk )

Detailed Policy Requirements:

If the site provides BlackBerry users access to “back-office” applications and content servers located on the site network enclave, the following controls will be implemented:
- All enclave application and content servers that are accessed by BlackBerry users will implement CAC authentication.
- The BES host-based firewall is set to block connections to back-office application and content servers unless the server IP address is on the firewall list of trust IP addresses and subnets.

Note: BlackBerry back-office application and content servers include J2ME application servers, SOAP web services, and web servers.

Check Procedures:

Ask the BlackBerry SA if the site provides BlackBerry users access to “back-office” applications and content servers located on the site network enclave. If the response is “Yes”, ask for a list of all enclave servers BlackBerry users can access and then perform the following checks.

- Verify CAC authentication has been implemented on each server. Have the Windows reviewer assist with the review of each server. Mark as a finding if CAC authentication has not been implemented on each server.
- Verify the BES host-based firewall has been configured as required. This check should have been performed during the review of check WIR1300-02. Confirm this requirement was reviewed.

Fix Text (F-23373r1_fix)
Set up required controls on the BES for connections to “back-office” servers.