Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-16343 | WIR1315-01 | SV-17336r6_rule | ECSC-1 | Medium |
Description |
---|
User authentication credentials should not be proxied by the BES, because the BES would then be saving DoD user authentication credentials in its database. |
STIG | Date |
---|---|
BlackBerry Enterprise Server, Part 2 Security Technical Implementation Guide | 2011-07-14 |
Check Text ( C-17397r4_chk ) |
---|
Verify the site BES has been configured to require BlackBerry users to authenticate directly with enclave application and content servers. For BES 5.0 - On the BAS, go to Servers and components > BlackBerry Solution topology > BlackBerry Domain > MDS Connection Service. -Click Edit components. -Select the HTTP tab. -In the Authentication support enabled drop-down list, verify “No” has been selected. For BES 4.1.x - In the BlackBerry Manager, in the left pane, click the BlackBerry MDS Connection Service in the left pane. - On the Connection Service tab, click Edit Properties. - In the left pane, click HTTP. - Click Support HTTP Authentication. - Verify False is set as the Support HTTP Authentication setting. Mark as a finding if the configuration setting is not correct. Exception: When a site Internet Proxy is set to require user authentication, the configuration setting above will cause a loss of Internet connectivity. In this case only, the "Support HTTP Authentication" setting should be set to TRUE, and then, when prompted, enter no value for the user authentication information (this will cause the BES to prompt for the user's authentication credentials whenever an Internet connection is requested). When a site uses authentication on the Internet proxy, the reviewer should verify the required setting for "Support HTTP Authentication" and then have users show on their Blackberry they have to enter their Internet Proxy authentication credentials whenever they try to connect to the Internet. |
Fix Text (F-23372r1_fix) |
---|
The BES must be configured to disable the capability of the BES to proxy a user’s authentication to back-office application, web, and content servers. |