
All Access Control Rules assigned to user and group accounts must be configured to deny access to all file shares.


Overview

Finding ID: V-22703
Version: WIR1350-02
Rule ID: SV-27296r3_rule
IA Controls: (none listed)
Severity: Medium
Description
The BES MDS Connection Service allows BlackBerry users to search the enclave for files and documents of interest to the user without any authentication requirements to the enclave. Access control requirements of the network can be bypassed.
STIG Date
BlackBerry Enterprise Server (version 5.x), Part 2 Security Technical Implementation Guide 2016-09-08

Details

Check Text (C-28411r3_chk)
Detailed Policy Requirements:

The BES must be configured so that all network file share access by BlackBerry users has been blocked. A high-level "deny all" Access Control Rule policy must be set up and assigned to each user or group account.

Check Procedures:

1. Verify that an all-domain URL pattern has been configured on the BES as follows:

BAS >> Servers and components >> BlackBerry Domain >> Component view >> MDS Connection service >> Pull URL pattern tab.

Note the Description (name of the TCP URL pattern) that has the following pattern: \\*.*\*.

If no TCP URL pattern is configured as indicated, this is a finding.

2. Verify all access control rules identified in check WIR1350-02 have been set up with a URL pattern with the "Deny" rule.

BAS >> Servers and components >> BlackBerry Domain >> Component view >> MDS Connection service >> Access control rules tab.

View each Access Control Rule.

Note whether the URL pattern identified in Step 1 has been assigned to each rule and the "Allowed" configuration has been set to "Deny".

If no "Deny" URL pattern has been set up on the BES for each rule, this is a finding.
Fix Text (F-24537r2_fix)
Configure the BES MDS Connection Service to disable browsing on the enclave for files and documents of interest. Set up each access control rule assigned to user and group accounts with a "Deny" URL pattern.