Any services installed with the BES (for example IIS, SQL, Apache Web Server, etc.) must be reviewed for STIG compliance in accordance with the appropriate SQL, Apache Web Server, or IIS STIGs.


Overview

Finding ID: V-14199
Version: WIR1210-01
Rule ID: SV-14810r4_rule
IA Controls: ECSC-1
Severity: Medium
Description
The server must be compliant with the SQL STIG, Apache Web Server STIG, and/or IIS STIG to ensure the system is not vulnerable to attack resulting in a Denial of Service or compromise of the wireless email server. Note: Some of these services are optional and may not be installed on a specific host server during the BES installation.
STIG: BlackBerry Enterprise Server (version 5.x), Part 1 Security Technical Implementation Guide
Date: 2015-07-02

Details

Check Text (C-11534r5_chk)
Work with the OS reviewer or check VMS for last review of each host BES computer asset. The review should include any services installed on the host server when the BES is installed (for example: SQL server, Apache Web Server, etc.).

Note: Some of these services are optional and may not be installed on a specific host server during the BES installation. SQL is an optional install when the BES is installed, while Apache Web Server is a required install.

The review must also include an Apache Web Server review if BES 5.0 or later is used. (The BlackBerry Administration Service (BAS) on BES 5.x includes an Apache Web Server.)

Verify there are no outstanding CAT I findings associated with each server installed when the BES is installed.

Note: If IIS is installed on the server, an IIS review must also be performed.

a. IIS is required for the Exchange ESM. If a site uses the new MAPI/CDO Tools from Microsoft, then IIS is not required. See http://www.microsoft.com/downloads/details.aspx?familyid=E17E7F31-079A-43A9-BFF2-0A110307611E&displaylang=en.
b. IIS is not required for BlackBerry Enterprise Server.

If required reviews have not been performed during an SRR or site self-check, this is a finding.
Fix Text (F-23359r2_fix)
The host server where the BlackBerry Enterprise Server (BES) is installed is reviewed in accordance with the appropriate SQL, Apache Web Server, and IIS STIGs if these services are installed when the BES is installed.