BlackBerry Enterprise Server (version 5.x), Part 1 Security Technical Implementation Guide
Status: accepted
BlackBerry Enterprise Server (version 5.x) STIG, Part 1 in XCCDF format.
Part 1: BES architecture and training requirements.
Part 2: BES configuration requirements.
Part 3: BES IT Policy configuration requirements.
DISA, Field Security Operations
STIG.DOD.MIL
Release: 3 Benchmark Date: 26 Apr 2013
Version: 2
Profiles:
- I - Mission Critical Classified
- I - Mission Critical Public
- I - Mission Critical Sensitive
- II - Mission Support Classified
- II - Mission Support Public
- II - Mission Support Sensitive
- III - Administrative Classified
- III - Administrative Public
- III - Administrative Sensitive

Group: METAmessage not installed on BlackBerry device
WIR1050-01 Onset Technologies METAmessage software must not be installed on DoD BlackBerry devices or on the BES.
<VulnDiscussion>Onset Technologies METAmessage software is production software which may introduce a virus or other malicious code on the system. This software is not approved for use on DoD systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECWN-1</IAControls>
Reference: DISA FSO, VMS Target Blackberry Enterprise Server (853)
Fix: Remove Onset Technologies METAmessage software installed on DoD BlackBerry devices or on the BES.
Check:
Perform the following procedures on the BES and a sample of BlackBerry devices (use 2-3 devices for a random sample) as appropriate.
Check a sample of BlackBerry devices (Settings>Options>Advanced Options>Applications) to ensure the METAmessage application is not loaded on the BlackBerry device.
On the BES, have the BlackBerry Administrator show that the BES Application White List does not contain the application. This review should be performed at the same time checks WIR1310-01, WIR1310-02, and WIR1310-03 are reviewed so work is not duplicated.
View the list of applications in 3-4 sample Application White List software configurations assigned to users. Verify METAmessage is not listed.
The METAmessage application allows the user to open and create Microsoft Office files, such as MS Word or Excel attachments or documents. These documents can then be sent via email, saved, or printed. This application presents a security risk and is not allowed for use in DoD. Verify this software application is not used by interviewing the IAO or reviewing a sampling of the devices.
Group: BlackBerry BES email solution must be used
WIR1200-01 Only the BlackBerry Enterprise Server (BES) email solution is used.
<VulnDiscussion>If the required BlackBerry system is not used, DoD networks are at risk of being penetrated or DoD data could be exposed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>
Reference: DISA FSO, VMS Target Blackberry Enterprise Server (853)
Fix: Only the BlackBerry Enterprise Server (BES) email solution is used.
Detailed Policy Requirements:
Only the BlackBerry Enterprise Server (BES) email solution must be used in the DoD. The BlackBerry Desktop Redirector, BlackBerry Connect, BlackBerry Express, and BlackBerry Professional Services Software are not authorized for use.
Note: The purpose of this requirement is to ensure a STIG compliant IT policy is enforced on all DoD BlackBerry devices. This requirement applies to the DoD (primary) email account received on the BlackBerry device. All DoD BlackBerry devices must be managed via a STIG-compliant IT policy pushed from a BES.
Required/approved versions of the BES are as follows:
BES 5.0.2 with Maintenance Release 2 and Interim Security Software Update 2 (or later version).
Note: A Designated Approval Authority (DAA) may authorize users to connect BlackBerry devices to additional, secondary email accounts (e.g., Verizon email) based on mission needs. Use the IT Policy rule Allow Other Message Services (in the Service Exclusivity policy group) to control connections to secondary email accounts.
Check Procedures:
Interview IAO and BlackBerry system administrator.
- Verify the BES is part of the site’s BlackBerry architecture and the site uses a BES to manage site BlackBerry devices.
- Verify BES Express is not used (interview the BES administrator).
- Determine if the site authorizes users to connect BlackBerry devices to additional, secondary or personal email accounts (e.g., Verizon email, BlackBerry Internet Service (BIS)) based on mission needs. If yes, verify the DAA (or designee) has approved this service. Ask to see documentation of DAA approval.
Group: BES host server is STIG compliant
WIR1210-01 The host server where the BlackBerry Enterprise Server (BES) is installed must be hardened in accordance with the appropriate SQL, Apache Web Server, and IIS STIGs when required.
<VulnDiscussion>Wireless email services are installed on a Windows Server. The server must be compliant with the Windows STIG, SQL STIG, Apache Web Server STIG, and IIS STIG to ensure the system is not vulnerable to attack resulting in a Denial of Service or compromise of the wireless email server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>
Reference: DISA FSO, VMS Target Blackberry Enterprise Server (853)
Fix: The host server where the BlackBerry Enterprise Server (BES) is installed is hardened in accordance with the appropriate SQL, Apache Web Server, and IIS STIGs when required.
Check: Work with the OS reviewer or check VMS for the last review of each host BES computer asset. The review should include the SQL server where the BES database is hosted. The review must also include an Apache Web Server review if BES 5.0 or later is used. (The BlackBerry Administration Service (BAS) on BES 5.x includes an Apache Web Server.)
Verify there are no outstanding CAT I findings associated with each server.
Note: If IIS is installed on the server, an IIS review must also be performed.
a. IIS is required for the Exchange ESM. If a site uses the new MAPI/CDO Tools from Microsoft, then IIS is not required. See http://www.microsoft.com/downloads/details.aspx?familyid=E17E7F31-079A-43A9-BFF2-0A110307611E&displaylang=en.
b. IIS is not required for BlackBerry Enterprise Server.
Mark as a finding if CAT I findings are open for the host computer operating system or if an SRR or site self-check was not performed for the host computers.
Group: Required BlackBerry BES version used
WIR1200-02 Required version of the BlackBerry Enterprise Server (BES) must be installed.
<VulnDiscussion>Earlier versions of the BES have security vulnerabilities. A CYBERCOM IAVA directs all DoD installations to upgrade to the required version because RIM ended support for versions 4.1.6 and 4.1.7 as of 2 July 2011.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>
Reference: DISA FSO, VMS Target Blackberry Enterprise Server (853)
Fix: The BlackBerry Enterprise Server (BES) version is 5.0.2 or later.
Check: Interview the IAO and BlackBerry system administrator. Verify the BES is one of the required/approved versions.
Required/approved versions of the BES are:
BES 5.0.2 (or later version).
From the BlackBerry Manager, select Help to view the version number.