All Access Control Rules assigned to user and group accounts must be configured to deny access to all file shares.


Overview

Finding ID: V-22703
Version: WIR1350-02
Rule ID: SV-27296r2_rule
IA Controls: ECWN-1
Severity: Medium
Description
The BES MDS Connection Service allows BlackBerry users to search the enclave for files and documents of interest to the user without any authentication requirements to the enclave. Access control requirements of the network can be bypassed.
STIG: BlackBerry Enterprise Server, Part 2 Security Technical Implementation Guide
Date: 2012-02-02

Details

Check Text (C-28411r2_chk)
Detailed Policy Requirements:

The BES must be configured so that all network file share access by BlackBerry users is blocked. A high-level “deny all” Access Control Rule policy must be set up and assigned to each user or group account.

Check Procedures:

1. Verify that the all-domain URL pattern has been configured on the BES as follows.

- BAS > Servers and components > BlackBerry Domain > Component view > MDS Connection service > Pull URL pattern tab.

- Note the Description (name of the TCP URL pattern) that has the following pattern: \\*.*\*.

- Mark as a finding if no TCP URL pattern is configured as indicated.

2. Verify all access control rules identified in check WIR1350-02 have been set up with a URL pattern with the “Deny” rule.

- BAS > Servers and components > BlackBerry Domain > Component view > MDS Connection service > Access control rules tab.

- View each Access Control Rule.

- Note if the URL Pattern identified in Step 1 has been assigned to each rule and the “Allowed” configuration has been set to “Deny”.

- Mark as a finding if no “Deny” URL pattern has been set up on the BES for each rule.
Fix Text (F-24537r2_fix)
Configure the BES MDS Connection Service to disable browsing on the enclave for files and documents of interest. Set up each access control rule assigned to user and group accounts with a "Deny" URL pattern.