
BlackBerry Enterprise Server (version 5.x), Part 2 Security Technical Implementation Guide


Overview

Date: 2016-09-08
Finding Count (24): CAT I (High): 5; CAT II (Med): 11; CAT III (Low): 8

STIG Description
BlackBerry Enterprise Server (version 5.x) STIG, Part 2 in XCCDF format. Part 1: BES architecture and training requirements. Part 2: BES configuration requirements. Part 3: BES IT Policy configuration requirements.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-19192 High The BES host-based or appliance firewall must be configured as required.
V-14022 High The BlackBerry wireless email system must be set up with the required system components and software installed on the handheld device.
V-19226 High BlackBerry accounts must not be assigned to the default IT policy installed on the BES or any other non-STIG compliant IT policy. Accounts will only be assigned a STIG compliant IT policy.
V-22042 High Each Application White List software configuration assigned to each user account must be configured with top-level default “disallow” for all applications. Applications must be specifically allowed at a lower level.
V-16341 High An Application White List software configuration must be assigned to all BES user accounts.
V-22703 Medium All Access Control Rules assigned to user and group accounts must be configured to deny access to all file shares.
V-22055 Medium Application repositories set up on the BES must be DoD-approved.
V-22056 Medium All user and/or group accounts must have an Access Control Rule assigned to the account.
V-19203 Medium An Application Control Policy must be assigned to each application listed in any Application White List software configuration assigned to user accounts on the BES. Note: This check applies to BES 4.1.x only. On BES 5, an application control policy is automatically assigned when an application is selected for a software configuration.
V-19206 Medium Security controls must be set up on the BES for connections to “back-office” servers.
V-25430 Medium BlackBerry Web Desktop Manager must be configured to disable a user’s capability to perform self-service tasks.
V-25431 Medium BlackBerry Web Desktop Manager must be configured to permit users to activate new BlackBerry devices only.
V-19215 Medium The BlackBerry Bluetooth Smart Card Reader (SCR) used with site PCs must be compliant with requirements.
V-22102 Medium The BlackBerry Administration Server (BAS) must be configured for Active Directory authentication with a CTO 07-15Rev1 compliant administrator password.
V-16343 Medium The BES must be configured to disable the capability of the BES to proxy a user’s authentication to back-office application, web, and content servers. Users must authenticate directly to back-office servers using a USCYBERCOM CTO 07-15Rev1 authorized method.
V-7078 Medium The BlackBerry MDS Integration Service must not be installed on a production BES.
V-19202 Low Non-core applications used on the BlackBerry must be approved.
V-19201 Low The BES must be configured to accept only trusted connections to back-office enclave application or web push servers. Push servers are set up to push content to BlackBerry users (e.g., Remedy ticket notification system).
V-25548 Low The server PKI digital certificate installed on the BES to support BAS and BWDM authentication must be a DoD PKI issued certificate. A self-signed certificate will not be used.
V-11877 Low The Device Transport Key must be configured on the BES for AES encryption.
V-18394 Low The BES must be configured to convert HTML and RTF formatted email into text format before sending to a BlackBerry smartphone and prevent the BES from sending email messages with inline images to BlackBerry smartphones.
V-22165 Low The BlackBerry Administration Service must be configured to disable a user from creating an activation password via BWDM.
V-22164 Low The key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use must be changed from the default.
V-19224 Low Required security controls must be used when BlackBerry Wi-Fi is used by the site to connect to a DoD Wi-Fi network. Required security controls are in Table 2, BlackBerry STIG Configuration Tables.