Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-16343 | WIR1315-01 | SV-17336r3_rule | Medium |
Description |
---|
User authentication credentials should not be proxied by the BES, because the BES would then be saving DoD user authentication credentials in its database. |
STIG | Date |
---|---|
BlackBerry Enterprise Server (version 5.x), Part 2 Security Technical Implementation Guide | 2016-09-08 |
Check Text ( C-17397r3_chk ) |
---|
Verify the site BES has been configured to require BlackBerry users to authenticate directly with enclave application and content servers. - On the BAS, go to Servers and components >> BlackBerry Solution topology >> BlackBerry Domain >> MDS Connection Service. -Click "Edit components". -Select the "HTTP" tab. -In the "Authentication support" enabled drop-down list, verify "No" has been selected. If the configuration setting is not correct, this is a finding. Exception: When a site Internet Proxy is set to require user authentication, the configuration setting above will cause a loss of Internet connectivity. In this case only, the "Support HTTP Authentication" setting should be set to TRUE, and then, when prompted, enter no value for the user authentication information (this will cause the BES to prompt for the user's authentication credentials whenever an Internet connection is requested). When a site uses authentication on the Internet proxy, the reviewer should verify the required setting for "Support HTTP Authentication" and then have users show on their BlackBerry they have to enter their Internet Proxy authentication credentials whenever they try to connect to the Internet. |
Fix Text (F-23372r1_fix) |
---|
The BES must be configured to disable the capability of the BES to proxy a user’s authentication to back-office application, web, and content servers. |