BlackBerry Enterprise Server (version 5.x), Part 3 Security Technical Implementation Guide


Overview

Date: 2014-06-11
Finding Count (111): CAT I (High): 5, CAT II (Med): 46, CAT III (Low): 60
STIG Description
BlackBerry Enterprise Server (version 5.x) STIG, Part 3 in XCCDF format. Part 1: BES architecture and training requirements. Part 2: BES configuration requirements. Part 3: BES IT Policy configuration requirements.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-3545 High BlackBerry devices must be protected by authenticated login procedures to unlock the device. Either CAC or Password authentication is required. IT Policy rule “Password Required” (Device Only policy group) must be set to “Yes” or “True”.
V-19243 High BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule Reset to Factory Defaults on Wipe (Security policy group) must be set as required.
V-19235 High BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “User Can Disable Passwords” (Device Only policy group) must be set as required.
V-19234 High BlackBerry devices must be protected by authenticated login procedures to unlock the device. Either CAC or Password authentication is required. IT Policy rule “Minimum Password Length” (Device Only policy group) must be set as required.
V-19239 High BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Set Maximum Password Attempts” (Password policy group) must be set as required.
V-30767 Medium BES IT Policy rule is configured as required. IT Policy rule “BlackBerry Playbook Log Submission” (Companion Devices policy group) must be set as required.
V-19767 Medium BlackBerrys with removable memory cards (e.g., MicroSD) must be compliant with requirements. IT Policy rule "External File System Encryption Level" (Security policy group) must be set as required.
V-14198 Medium BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Bluetooth” (Bluetooth policy group) must be set as required.
V-26507 Medium BES Bluetooth controls must be compliant with requirements. IT Policy rule “Minimum Encryption Key Length” (Bluetooth Only policy group) must be set as required.
V-19775 Medium BES IT Policy rule must be configured as required. IT Policy rule “Disable User Initiated Activation With Public BlackBerry MDS Integration Service” (BlackBerry MDS Integration Service policy group) must be set as required.
V-19278 Medium BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable SIM Access Profile” (Bluetooth Only policy group) must be set as required.
V-19273 Medium BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Advanced Audio Distribution Profile” (Bluetooth Only policy group) must be set as required.
V-40410 Medium IT Policy rule Enforce FIPS Mode of Operation (Security policy group) must be set as required.
V-19271 Medium BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Dial-Up Networking” (Bluetooth Only policy group) must be set as required.
V-25874 Medium BES IT Policy rule must be configured as required. IT Policy rule “Disable App World” (BlackBerry App World policy group) must be set as required.
V-25878 Medium BES IT Policy rule must be configured as required. IT Policy rule “Content Protection Usage” (Security policy group) must be set as required.
V-25879 Medium BES IT Policy rule is configured as required. IT Policy rule “Disable Browsing Of Remote Shared Folders” (Security policy group) must be set as required.
V-19274 Medium BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Audio/Video Remote Control Profile” (Bluetooth Only policy group) must be set as required.
V-19272 Medium BES Bluetooth controls must be compliant with requirements. IT Policy rule “Force CHAP Authentication Bluetooth Link” (Bluetooth Only policy group) must be set as required.
V-22050 Medium IT Policy rule “Encryption on On-Board Device Memory Media Files” (Security policy group) must be set as required.
V-19307 Medium Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public IM Services” (Service Exclusivity policy group) must be set as required.
V-19306 Medium Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public ICQ Services” (Service Exclusivity policy group) must be set as required.
V-19268 Medium BES Bluetooth controls must be compliant with requirements. IT Policy rule “Require Encryption” (Bluetooth Only policy group) must be set as required.
V-19269 Medium BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable File Transfer” (Bluetooth Only policy group) must be set as required.
V-19265 Medium BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Wireless Bypass” (Bluetooth Only policy group) must be set as required.
V-19260 Medium BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Serial Port Profile” (Bluetooth Only policy group) must be set as required.
V-19261 Medium BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Discoverable Mode” (Bluetooth Only policy group) must be set as required.
V-22048 Medium IT Policy rule “Allow Discovery by User” (MDS Integration Service policy group) must be set as required.
V-22049 Medium IT Policy rule “Disable BlackBerry App World” (Security policy group) must be set as required.
V-19318 Medium IT Policy rule “Maximum Number of PC Pairings” (BlackBerry Smart Card Reader policy group) must be set as required.
V-19259 Medium BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Handsfree Profile” (Bluetooth Only policy group) must be set as required.
V-19258 Medium BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Headset Profile” (Bluetooth Only policy group) must be set as required.
V-19257 Medium BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Pairing” (Bluetooth Only policy group) must be set as required.
V-19244 Medium All PDAs and smartphones must display the required banner during device unlock/logon. The IT Policy rule “Lock Owner Info” must be set as required.
V-19245 Medium All PDAs and smartphones must display the required banner during device unlock/logon. The IT Policy rule “Set Owner Info” must be set as required.
V-19725 Medium IT Policy rule “FIPS Level” (Security policy group) must be set as required.
V-19724 Medium IT Policy rule Allow Split-Pipe Connections (Security policy group) must be set as required.
V-19728 Medium IT Policy rule “Force Content Protection of Master Keys” (Security policy group) must be set as required.
V-14478 Medium Wireless email device users must not install or remove applications and/or software on their handheld device unless under the direction and supervision of an authorized system administrator. IT Policy rule “Show Application Loader” (Desktop-Only policy group) must be set as required.
V-19238 Medium BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Set Password Timeout” (Password policy group) must be set as required.
V-19739 Medium BES IT Policy rule must be configured as required. IT Policy rule “Verify BlackBerry MDS Integration Service Certificate” (BlackBerry MDS Integration Service policy group) must be set as required.
V-30295 Medium BES IT Policy rule is configured as required. IT Policy rule “Application Restriction List” (BlackBerry App World policy group) must be set as required.
V-19740 Medium BES IT Policy rule must be configured as required. IT Policy rule “Disable Activation With Public BlackBerry MDS Integration Service” (BlackBerry MDS Integration Service policy group) must be set as required.
V-19747 Medium BES IT Policy rule must be configured as required. IT Policy rule “Desktop Allow Device Switch” (Desktop policy group) must be set as required.
V-11876 Medium IT Policy rule “Maximum Security Timeout” (Device-Only policy group) must be set as required.
V-37374 Medium IT Policy rule Disable Data Exchange for Mobile Hotspot Mode must be set as required.
V-37375 Medium BES IT Policy rule must be configured as required. IT Policy rule Media Card Format on Device Wipe (Security policy group) must be set as required.
V-37372 Medium BlackBerry devices must be protected by authenticated login procedures to unlock the device. Either CAC or Password authentication is required. The device password must not contain more than two sequential characters or more than two repeating characters.
V-37373 Medium BES Bluetooth controls must be compliant with requirements. IT Policy rule Human Interface Device Profile (Bluetooth Only policy group) must be set as required.
V-37378 Medium BES IT Policy rule is configured as required. IT Policy rule Public Channel Downloads (BlackBerry App World policy group) must be set as required.
V-12164 Medium Data-at-Rest encryption (Content Protection) must be enabled on BlackBerry devices. IT Policy rule “Content Protection Strength” (Security policy group) must be set as required.
V-19282 Low Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other message required by DoD policy. IT Policy rule “Disable Revoked Certificate Use” (Security policy group) must be set as required.
V-19283 Low Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Disable Key Store Low Security” (Security policy group) must be set as required.
V-19286 Low Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Disable Weak Certificate Use” (Security policy group) must be set as required.
V-19287 Low Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Certificate Status Maximum Expiry Time” (Security policy group) must be set as required.
V-19284 Low Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Certificate Status Cache Timeout” (Security policy group) must be set as required.
V-19285 Low Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Disable Invalid Certificate Use” (Security policy group) must be set as required.
V-19288 Low Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Disable Unverified CRLs” (Security policy group) must be set as required.
V-19289 Low Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Minimum Strong RSA Key Length” (S/MIME Application policy group) must be set as required.
V-19276 Low BES Bluetooth controls must be compliant with requirements. IT Policy rule “Limit Discoverable Time” (Bluetooth Only policy group) must be set as required.
V-19270 Low BES Bluetooth controls must be compliant with requirements. IT Policy rule “Require LED Connection Indicator” (Bluetooth Only policy group) must be set as required.
V-25873 Low BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Message Access Profile” (Bluetooth policy group) must be set as required.
V-25876 Low BES IT Policy rule must be configured as required. IT Policy rule “Category Restriction Rule” (BlackBerry App World policy group) must be set as required.
V-25877 Low BES IT Policy rule must be configured as required. IT Policy rule “Disable Application Purchasing” (BlackBerry App World policy group) must be set as required.
V-25875 Low BES IT Policy rule is configured as required. IT Policy rule “Application Restriction Rule” (BlackBerry App World policy group) will be set as required.
V-22051 Low IT Policy rule Allow Network Address Book Sync (Service Exclusivity policy group) must be set as required.
V-22053 Low IT Policy rule “Disable organizer data access for social networking applications” (RIM Value-Added Applications policy group) must be set as required.
V-22052 Low IT Policy rule “Allow User Feedback” (User Feedback policy group) must be set as required.
V-19305 Low Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public AIM Services” (Service Exclusivity policy group) must be set as required.
V-19304 Low Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public Yahoo! Messenger Services” (Service Exclusivity policy group) must be set as required.
V-19309 Low Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public WLM Services” (Service Exclusivity policy group) must be set as required.
V-19308 Low Security requirements for Instant Messaging (IM) must be followed. IT Policy rule “Allow Public Google Talk Services” (Service Exclusivity policy group) must be set as required.
V-19264 Low BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Desktop Connectivity” (Bluetooth Only policy group) must be set as required.
V-19266 Low BES Bluetooth controls must be compliant with requirements. IT Policy rule “Require Password for Enabling Bluetooth Support” (Bluetooth Only policy group) must be set as required.
V-19267 Low BES Bluetooth controls must be compliant with requirements. IT Policy rule “Require Password for Discoverable Mode” (Bluetooth Only policy group) must be set as required.
V-19263 Low BES Bluetooth controls must be compliant with requirements. IT Policy rule “Disable Address Book Transfer” (Bluetooth Only policy group) will be set as required.
V-25880 Low BES IT Policy rule is configured as required. IT Policy rule Allow Web-Based Software Loading (Security policy group) must be set as required.
V-19315 Low IT Policy rule “Maximum Bluetooth Range” (BlackBerry Smart Card Reader policy group) must be set as required.
V-22047 Low IT Policy rule “Allow BlackBerry Desktop Software Statistics” (Desktop policy group) must be set as required.
V-19718 Low IT Policy rule “Force Load Count” (Desktop-Only policy group) must be set as required.
V-19719 Low IT Policy rule “Force Load Message” (Desktop-Only policy group) must be set as required.
V-19317 Low IT Policy rule “Maximum PC Disconnect Timeout” (BlackBerry Smart Card Reader policy group) must be set as required.
V-19242 Low BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Forbidden Passwords” (Password policy group) must be set as required.
V-19240 Low BlackBerry devices must be protected by authenticated login procedures to unlock the device. IT Policy rule “Suppress Password Echo” (Password policy group) must be set as required.
V-19721 Low IT Policy rule “Set Owner Name” (Common policy group) must be set as required.
V-19723 Low IT Policy rule “Keystore Password Maximum Timeout” (Security policy group) must be set as required.
V-19727 Low IT Policy rule “Minimal Encryption Key Store Security Level” (Security policy group) must be set as required.
V-19726 Low IT Policy rule “Minimal Signing Key Store Security Level” (Security policy group) must be set as required.
V-19729 Low IT Policy rule “Force LED Blinking When Microphone Is On” (Security policy group) must be set as required.
V-19337 Low All Internet browsers must be disabled and removed from the BlackBerry device except for the BlackBerry internet browser. IT Policy rule “Allow IBS Browser” (Browser policy group) is set as required.
V-19738 Low BES IT Policy rule must be configured as required. IT Policy rule “Allow Application Download Services” (Browser policy group) must be set as required.
V-19736 Low BES IT Policy rule must be configured as required. IT Policy rule Require FIPS Ciphers (TLS policy group) must be set as required.
V-19737 Low BES IT Policy rule must be configured as required. IT Policy rule Require FIPS Ciphers (WTLS Application policy group) must be set as required.
V-19734 Low BES IT Policy rule must be configured as required. IT Policy rule “Security Transcoder Cod File Hashes” (Security policy group) must be set as required.
V-19733 Low BES IT Policy rule must be configured as required. IT Policy rule “Disable Public Photo Sharing Applications” (Security group policy) must be set as required.
V-19731 Low IT Policy rule “Password Required for Application Download” (Security policy group) must be set as required.
V-19343 Low All Internet browsers must be disabled from the BlackBerry device except for the BlackBerry Internet browser. IT Policy rule “Allow Other Browser Services” (Services Exclusivity policy group) is set as required.
V-19746 Low BES IT Policy rule must be configured as required. IT Policy rule “Disable Carrier Directory” (Application Center policy group) must be set as required.
V-19745 Low BES IT Policy rule must be configured as required. IT Policy rule “Disable Application Center” (Application Center policy group) must be set as required.
V-37376 Low BES IT Policy rule is configured as required. IT Policy rule Application Installation Methods (Security policy group) must be set as required.
V-37377 Low BES IT Policy rule is configured as required. IT Policy rule Media Server (Media Server policy group) must be set as required.
V-19295 Low Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Allowed Encryption Types” (S/MIME Application policy group) must be set as required.
V-19294 Low Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “Entrust Messaging Server (EMS) Email Address” (S/MIME Application policy group) must be set as required.
V-19291 Low Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Minimum Strong ECC Key Length” (S/MIME Application policy group) must be set to “163”.
V-19290 Low Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Minimum Strong DH Key Length” (S/MIME Application policy group) must be set as required.
V-19293 Low Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Minimum Strong DSA Key Length” (S/MIME Application policy group) must be set as required.
V-19292 Low Site BlackBerry devices must be provisioned so users can digitally sign and encrypt e-mail notifications or any other email required by DoD policy. IT Policy rule “S/MIME Allowed Content Ciphers” (S/MIME Application policy group) must be set as required.
V-16058 Low IT Policy rule Disable Wi-Fi must be set as required.
V-19753 Low BES IT Policy rule must be configured as required. IT Policy rule “Disallow File Transfer Types” (Instant Messaging policy group) must be set as required.
V-19754 Low BES IT Policy rule must be configured as required. IT Policy rule “Disable BlackBerry Unite! Applications” (BlackBerry Unite! policy group) must be set as required.
V-19755 Low BES IT Policy rule must be configured as required. IT Policy rule “Disable Download Manager” (BlackBerry Unite! policy group) must be set as required.