Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19206 | WIR1315-02 | SV-21095r3_rule | ECSC-1 | Medium |
Description |
---|
Strong access controls on back-office servers are required to ensure DoD data is not exposed to users of the BlackBerry system who are not authorized to access those servers. |
STIG | Date |
---|---|
BlackBerry Enterprise Server, Part 2 Security Technical Implementation Guide | 2011-07-14 |
Check Text (C-23143r3_chk) |
---|
Detailed Policy Requirements:

If the site provides BlackBerry users access to “back-office” applications and content servers located on the site network enclave, the following controls will be implemented:

- All enclave application and content servers that are accessed by BlackBerry users will implement CAC authentication.
- The BES host-based firewall is set to block connections to back-office application and content servers unless the server IP address is on the firewall's list of trusted IP addresses and subnets.

Note: BlackBerry back-office application and content servers include J2ME application servers, SOAP web services, and web servers.

Check Procedures:

Ask the BlackBerry SA if the site provides BlackBerry users access to “back-office” applications and content servers located on the site network enclave. If the response is “Yes”, ask for a list of all enclave servers BlackBerry users can access and then perform the following checks:

- Verify CAC authentication has been implemented on each server. Have the Windows reviewer assist with the review of each server. Mark as a finding if CAC authentication has not been implemented on each server.
- Verify the BES host-based firewall has been configured as required. This check should have been performed during the review of check WIR1300-02. Confirm this requirement was reviewed.
Fix Text (F-23373r1_fix) |
---|
Set up required controls on the BES for connections to “back-office” servers. |