UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The BES must be configured to disable the capability of the BES to proxy a user’s authentication to back-office application, web, and content servers. Users must authenticate directly to back-office servers using a USCYBERCOM CTO 07-15Rev1 authorized method.


Overview

Finding ID Version Rule ID IA Controls Severity
V-16343 WIR1315-01 SV-17336r2_rule ECSC-1 Medium
Description
User authentication credentials should not be proxied by the BES, because the BES would then be saving DoD user authentication credentials in its database.
STIG Date
BlackBerry Enterprise Server (version 5.x), Part 2 Security Technical Implementation Guide 2013-03-14

Details

Check Text ( C-17397r2_chk )
Verify the site BES has been configured to require BlackBerry users to authenticate directly with enclave application and content servers.

- On the BAS, go to Servers and components > BlackBerry Solution topology > BlackBerry Domain > MDS Connection Service.
-Click Edit components.
-Select the HTTP tab.
-In the Authentication support enabled drop-down list, verify “No” has been selected.

Mark as a finding if the configuration setting is not correct.

Exception: When a site Internet Proxy is set to require user authentication, the configuration setting above will cause a loss of Internet connectivity. In this case only, the "Support HTTP Authentication" setting should be set to TRUE, and then, when prompted, enter no value for the user authentication information (this will cause the BES to prompt for the user's authentication credentials whenever an Internet connection is requested).

When a site uses authentication on the Internet proxy, the reviewer should verify the required setting for "Support HTTP Authentication" and then have users show on their BlackBerry they have to enter their Internet Proxy authentication credentials whenever they try to connect to the Internet.
Fix Text (F-23372r1_fix)
The BES must be configured to disable the capability of the BES to proxy a user’s authentication to back-office application, web, and content servers.