acceptedGood Mobility Suite Server (Apple iOS 4) Interim Security Configuration Guide (ISCG)This ISCG provides technical security controls required for the use of the Good Mobility Suite with Apple iOS 4 devices (iPhone, iPad, and iPod touch) in the DoD environment.DISA, Field Security OperationsSTIG.DOD.MILRelease: 1 Benchmark Date: 20 Oct 20111I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>Required smartphone management server version used<GroupDescription></GroupDescription>WIR-WMS-GD-001The required smartphone management server or later version must be used.<VulnDiscussion>Earlier versions of the smartphone management server may have security vulnerabilities or have not implemented required security features. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>Upgrade to required (or later) server version. The required Good Mobile Control (GMC) server version is 1.0.3.95 or later.
Click on the Settings tab in the console to view the GMC Version.
The required Good Mobile Messaging (GMM) server version is 6.0.3.46 or later.
Click on the Servers tab in the console to view the GMM server version.
If either server version is not as required, mark as a finding.
Smartphone management server STIG compliant<GroupDescription></GroupDescription>WIR-WMS-GD-002The host server where the smartphone management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Web Server, Apache Tomcat, IIS, etc.). <VulnDiscussion>Wireless email services are installed on a Windows Server. The server must be compliant with the Windows STIG and applicable Application STIGs to ensure the system is not vulnerable to attack resulting in a Denial of Service or compromise of the wireless email server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>Ensure all applications installed on the host server are STIG compliant.Work with the OS Reviewer or check VMS for last review of each host Good computer asset. The review should include the SQL server and Apache Tomcat.
Mark as a finding if the previous or current OS review of the Windows server did not include a review of the SQL server and Apache Tomcat. If IIS is installed, the review should also include IIS.Smartphone management server architecture<GroupDescription></GroupDescription>WIR-WMS-GD-003The smartphone management server email system must be set up with the required system components in the required network architecture. <VulnDiscussion>The wireless email server architecture must comply with the DoD environment because approval of the smartphone management server is contingent on installation with the correct settings. DoD enclaves could be at risk of penetration or DoD data could be compromised if the smartphone management server is not installed as required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>Install required smartphone management server components in required network architecture.Verify the Good servers (Good Mobile Control server and Good Mobile Messaging server) are installed with all required components. See the STIG Technology Overview, section 2 for more information.
Mark as a finding if the Good server components are not installed in the enclave with the email server.
Configure smartphone management server firewall<GroupDescription></GroupDescription>WIR-WMS-GD-004The smartphone management server host-based or appliance firewall must be installed and configured as required.<VulnDiscussion>A smartphone user could get access to unauthorized network resources (application and content servers, etc.) if the smartphone management server host firewall is not set up as required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>Install the smartphone management server host-based or appliance firewall and configure as required. The Good server host-based or appliance firewall must be configured as required.
The Good server firewall is configured with the following rules:
- Deny all except when explicitly authorized.
- Internal traffic from the Good server is limited to internal systems used to host the smartphone services (e.g., email and LDAP servers) and approved back-office application and content servers. Communications with other services, clients, and/or servers are not authorized.
- Internet traffic from the Good server is limited to only those specified smartphone services (e.g., Good NOC server, OCSP, SSL/TLS, HTTP, and LDAP). All outbound connections are initiated by the Good server and/or service.
- Firewall settings listed in the STIG/ISCG Technology Overview will be implemented, including blocking connections to web proxy servers and back-office application and content servers unless the server Internet Protocol (IP) address is on the firewall list of trusted IP addresses and subnets.
Note: At a minimum, the IP address of the site Internet proxy server must be listed so the Good secure browser can connect to the Internet.
Note: The HBSS firewall can be used to meet these requirements if one or more firewall rules have been set up on the firewall as described above.
Check Procedures:
-Verify the firewall configuration meets approved architecture configuration requirements (or have the Network Reviewer do the review of the firewall).
-Verify the firewall is configured to block connections to internal servers unless the server IP address is included on the list of trusted networks. IP addresses of the enclave web proxy server and authorized back-office application and content servers the Good server connects to should be included on this list.
-Mark as a finding if a list of trusted networks by IP address is not configured on the Good server host-based firewall.
Connections to back-office servers<GroupDescription></GroupDescription>WIR-WMS-GD-005Security controls must be implemented on the smartphone management server for connections to back-office servers and applications.<VulnDiscussion>The secure connection from the smartphone to the smartphone management server can be used by the smartphone user to connect to back-office servers and applications located on the enclave network. These connections bypass network authentication controls setup on the enclave. Strong access controls to back-office servers are required to ensure DoD data is not exposed to users of the smartphone system that are not authorized to access the back-office servers and applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>Set up required controls on the smartphone management server for connections to back-office servers. Detailed Policy requirements
Access to internal Intranet sites via the Good Browser must be blocked.
Check Procedures
Verify a local security policy has been set up on the Good server to block access to Intranet sites via the Good browser.
1. On the Windows host server for the Good Mobile Messaging Server, browse to Start Menu > Administrative Tools > Local Security Policies.
2. Within Local Security Policies right click on IP Security Policies on Local Computer.
3. Open the policy and verify the following setting has been configured:
-Activate the default response rule is unchecked.
4. Go to the properties of the security policy and verify the following rules are included:
a. Allow access from the GMM Server to the Default Gateway.
b. Allow access from the GMM Server to the DNS Servers.
c. Allow access from the GMM Server to the Exchange Servers.
d. Allow access from remote workstations to GMM Server in case Terminal Services will be used to manage the server remotely.
e. Deny access to everything else.
Verify the IP Security policy has been assigned to the Windows server.
Mark as a finding if a local security policy has not been set up on the Good server to block access to Internet sites via the good browser or if the policy has not been configured as required.
Block HTML/RTF email<GroupDescription></GroupDescription>WIR-WMS-GD-006The smartphone management server must be configured to control HTML and RTF formatted email.
<VulnDiscussion>HTML email and inline images in email can contain malware or links to web sites with malware.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Configure the smartphone management server to:
- Convert HTML and RTF formatted email into text format before sending to a smartphone.
- Prevent the smartphone management server from sending email messages with inline images to smartphones.Detailed Requirements:
- Convert HTML and RTF formatted email into text format before sending to a smartphone.
- Prevent the smartphone management server from sending email messages with inline images to smartphones.
Verify the following Windows registry setting is set on the Good server:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoodLinkServer\parameters\sync]
"htmlEmail"="1"
Mark as a finding if the Windows registry key is not configured as required.User accounts assigned to STIG compliant policy<GroupDescription></GroupDescription>WIR-WMS-GD-007Smartphone user accounts must not be assigned to the default security/IT policy. <VulnDiscussion>The smartphone default security/IT policy on the smartphone management server does not include most DoD required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data exposure and hacker attack if users are assigned the default (or other non-STIG compliant) security/IT policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>User accounts will only be assigned a STIG compliant security/IT policy.User accounts will only be assigned a STIG-compliant security/IT policy.
Determine which policy sets on the Good server user accounts have been assigned to using the following procedures:
-Have the SA identify any non STIG-compliant policy sets and STIG-compliant policy sets on the server by using the following procedures:
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy set on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non STIG-compliant policy sets be deleted except for a "Provisioning" policy set, which is used for initial setup and software update of the Android device.
Note: Other checks will be used to verify the policy sets identified as STIG-compliant are configured correctly.
Verify all users are assigned to a STIG policy set.
--Log into the Good Mobile Control console.
--Click on the Handhelds tab.
Mark as a finding if any user account is assigned a policy set identified as not STIG-compliant.
Re-challenge for CAC PIN<GroupDescription></GroupDescription>WIR-GMMS-004“Re-challenge for CAC PIN every” must be set.<VulnDiscussion>A user’s CAC PIN or software certificate PIN is cached in memory on the device for a short period of time so a user does not have to re-enter his/her PIN every time the user’s digital certificates are required for an S/MIME operation. The cached memory is cleared after a set period of time to limit exposure of the digital certificates to unauthorized use. Otherwise, a hacker may be able to gain access to the device while the PIN is still cached in memory and access the Good application and gain access to sensitive DoD information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECSC-1</IAControls>Set the “Re-challenge for CAC PIN every” to checked and set to required value.This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone devices and click on Handheld Authentication on the left side.
-Verify “Re-challenge for CAC PIN every” is checked and set to 60 minutes or less.
(Note: 15 minutes or less is the recommended setting.)
Mark as a finding if “Re-challenge for CAC PIN every” is not checked and not set to the required value.
Set handheld password to expire as required<GroupDescription></GroupDescription>WIR-WMS-GD-009-01Handheld password must be set as required.<VulnDiscussion>Long used passwords are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the iPhone/iPad and sensitive DoD data stored on the iPhone/iPad.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>Set handheld password as required.This check is Not Applicable if “Authenticate with CAC PIN” is checked.
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “After X invalid password attempts:” is set to 10 or less.
Mark as a finding if “After X invalid password attempts:” is not set to 10 or less.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “Expire password after” is set to 90 days or less.
Disallow previously used passwords<GroupDescription></GroupDescription>WIR-WMS-GD-009-02Previously used passwords must be disallowed for security/email client on smartphone.<VulnDiscussion>Previously used passwords are more susceptible to being compromised by a hacker, which could lead to a possible compromise of the smartphone and sensitive DoD data stored on the smartphone.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>Disallow previously used passwords.This check is not applicable if “Authenticate with CAC PIN” is checked.
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “Disallow previously used passwords” is set to 3 or more.
Mark as a finding if “Disallow previously used passwords” is not set to 3 or more.
Password minimum length<GroupDescription></GroupDescription>WIR-WMS-GD-009-03Password minimum length must be set as required for the smartphone security/email client.<VulnDiscussion>Short passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>Require password minimum length is set as required.This check is not applicable if “Authenticate with CAC PIN” is checked.
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “Require minimum length of” is set to 8 or more for the STIG/ISCG Policy Set.
Mark as a finding if “Require minimum length of” is not set to 8 or more for the STIG/ISCG Policy Set.
Disallow repeated password characters<GroupDescription></GroupDescription>WIR-WMS-GD-009-04Repeated password characters must be disallowed for the Good app.<VulnDiscussion>Repeated password characters reduces the strength of a password to withstand attacks by password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>Disallow repeated password characters.This check is not applicable if “Authenticate with CAC PIN” is checked.
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “Disallow repeated characters after” is set to 1 or 2.
Mark as a finding if “Disallow repeated characters after” is not set to 1 or 2.
Maximum invalid password attempts<GroupDescription></GroupDescription>WIR-WMS-GD-009-06Maximum invalid password attempts must be set as required for the smartphone security/email client.<VulnDiscussion>A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>Set the maximum invalid password attempts as required.This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “After X invalid password attempts:” is set to 10 or less.
Mark as a finding if “After X invalid password attempts:” is not set to 10 or less.
Wipe handheld data after maximum password attempts<GroupDescription></GroupDescription>WIR-WMS-GD-009-07Data must be wiped after maximum password attempts reached for the smartphone security/email client.<VulnDiscussion>A hacker with unlimited attempts can determine the password of a smartphone within a few minutes using password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>Wipe handheld data after maximum password attempts have been reached.This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “After X invalid password attempts:” is set to 10 or less.
Mark as a finding if “After X invalid password attempts:” is not set to 10 or less.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “Wipe handheld data” is selected.
Mark as a finding if “Wipe handheld data” is not selected.
Lock handheld when idle<GroupDescription></GroupDescription>WIR-WMS-GD-009-05Inactivity lock must be set as required for the smartphone security/email client.<VulnDiscussion>Sensitive DoD data could be exposed to unauthorized viewing or use if lost or stolen smartphone screen was not locked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>PESL-1</IAControls>Set the handheld inactivity lock as required.This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “Require password when idle for more than” is set to 15 minutes or less.
Mark as a finding if “Require password when idle for more than” is not set to 15 minutes or less.
.Screen capture<GroupDescription></GroupDescription>WIR-GMMS-006-01"Do not allow data to be copied from the Good application" must be checked.<VulnDiscussion>Sensitive data could be saved in the non-FIPS 140-2 validated area of memory on the smartphone, which would violate DoD policy and may expose sensitive DoD data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECCR-1</IAControls>Check "Do not allow data to be copied from the Good application" in the Good console. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Messaging on the left side.
-Verify “Do not allow data to be copied from the Good application” is checked.
Mark as a finding if “Do not allow data to be copied from the Good application” is not checked.
Expire OTA PIN<GroupDescription></GroupDescription>WIR-GMMS-008The Over-The-Air (OTA) device provisioning PIN must have expiration set.<VulnDiscussion>The time period that a device can be provisioned via Over-The-Air (OTA) provisioning needs to be controlled to ensure unauthorized people do not have the capability to setup rogue devices on the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Set the Over-the-Air (OTA) device provisioning PIN as required. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Provisioning on the left side.
-Verify “OTA Provisioning PIN expires after” is checked and is set to 7 days or less.
Mark as a finding if “OTA Provisioning PIN expires after” is not checked or is not set to 7 days or less.
Do not allow OTA Provisioning PIN reuse<GroupDescription></GroupDescription>WIR-GMMS-009OTA Provisioning PIN reuse must not be allowed.<VulnDiscussion>The reuse of the OTA PIN can allow a hacker to provision an unauthorized device on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Do not allow OTA Provisioning PIN reuse.This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Provisioning on the left side.
-Verify “Allow OTA Provisioning PIN reuse” is unchecked.
Mark as a finding if “Allow OTA Provisioning PIN reuse” is checked.
Enable iPhone Configuration<GroupDescription></GroupDescription>WIR-GMMS-011The Good server must be configured to push an iPhone configuration profile to each managed iPhone.<VulnDiscussion>Sensitive DoD data could be compromised if a security profile is not installed on DoD iPhone/iPad/iPod touch devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>The Good server is configured to push and enable an iPhone configuration profile.This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the iOS devices, click on iPhone Configuration on the left side, and then click the General tab.
-Verify “Enable iPhone Configuration” is checked.
Allow only approved smartphone hardware versions<GroupDescription></GroupDescription>WIR-GMMS-iOS-010-01A compliance rule must be set up in the server defining required smartphone hardware versions. <VulnDiscussion>Older devices do not support required security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Set up compliance rules in the server defining required smartphone hardware versions. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select a policy set to review and click on the policy.
-On the left tab, select Compliance Manager.
-Verify the “iOS Hardware Verification” rule is listed. (Note that the rule title does not have to be exact.)
-Open the rule by checking the box next to the rule, then click on Edit.
-Verify the following are set:
Platform: iPhone Check to Run: Hardware Model Verification
-Verify the following are checked:
**iPhone 3GS
**iPhone 4
**Verizon iPhone 4
**iPad
**Wi-Fi iPad2
**AT&T (GSM) iPad2
**Verizon (CDMA) iPad2
**iPod touch 3rd Generation
**iPod touch 4th Generation
-Verify "Failure Action" is set to "Quit Good for Enterprise".
-Verify "Check Every" is set to "1 hour".
Mark as a finding if the “Android Hardware Verification” rule has not been set up or is not configured as required.
Implement jailbreak / rooting detection<GroupDescription></GroupDescription>WIR-GMMS-iOS-010-03A compliance rule must be setup in the server implementing jailbreak detection on smartphones. Devices will be wiped if they have been jailbroken.<VulnDiscussion>DoD-required security policies can be bypassed on jailbroken smartphone . Jailbroken devices can expose sensitive DoD data to unauthorized people and could lead to a network attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Set up compliance rules in the server implementing jailbreak detection. Devices will be wiped if they have been jail broken. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select a policy set to review and click on the policy.
-On the left tab, select Compliance Manager.
-Verify the "iOS Jailbreak Detection" rule is listed. (Note that the rule title does not have to be exact.)
-Open the rule by checking the box next to the rule, then click on Edit.
-Verify the following are set as indicated:
Platform: iPhone
Check to Run: Jailbreak/Rooted Detection
-Verify "Failure Action" is set to "Wipe Enterprise Data".
-Verify "Check Every" is set to "1 hour".
Mark as a finding if the “Android Jailbreak Detection” rule has not been set up or is not configured as required.
Contacts synchronization<GroupDescription></GroupDescription>WIR-GMMS-007If access is enabled to the Good app contacts lists by the smartphone, the list of contact information must be limited. <VulnDiscussion>Sensitive contact information could be exposed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>If access is enabled to the Good app contacts lists by the smartphone OS, limit contact information to only default fields: First name, Last name, Work number, Mobile number, and Pager number.This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
- Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Messaging section on the left side.
-If “Enable access to Good Contacts” is checked, click on the Choose Fields button and verify only the following fields are checked: first name, last name, work number, mobile number, and pager number.
Mark as a finding if “Enable access to Good Contacts” is checked and more than the following fields are checked: first name, last name, work number, mobile number, and pager number.
Password access to the Good app<GroupDescription></GroupDescription>WIR-GMMS-001Password access to the Good app on the smartphone must be enabled. <VulnDiscussion>A hacker could gain access to sensitive data in the smartphone application and gain an attack vector to the enclave if the password access control/authentication feature of the application is not enabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>Password access to the Good app on the smartphone shall be enabled. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld section on the left side.
-Verify S/MIME with password-protected lock screen or CAC PIN (Enables S/MIME) is checked.
Mark as a finding if S/MIME with password-protected lock screen or CAC PIN (Enables S/MIME) is not checked.
Wireless email management server PKI certificate<GroupDescription></GroupDescription>WIR-WMS-GD-010The PKI digital certificate installed on the wireless email management server must be a DoD PKI-issued certificate. <VulnDiscussion>When a self signed PKI certificate is used, a rogue wireless email management server can impersonate the DoD wireless email management server. DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>IATS-1</IAControls>Use a DoD issued digital certificate on the wireless email management server.Verify that a DoD server certificate has been installed on the Good wireless email management server and that the self-signed certificate, available as an option during the setup of the wireless email management server, has not been installed.
Ask the SA to access the Good server using Internet Explorer. Verify no certificate error occurs. Click the Lock icon next to the address bar then select “view certificates”. On the General tab, verify the “Issued to:” and “Issued by:” fields do not show the same value. Then on the Certification Path tab, verify the top certificate is a trusted DoD Root certificate authority (e.g., DoD Root CA 2) and the certificate status field states “This certificate is OK”.
If a certificate error occurs, either the default self-signed certificate is still installed, the Good server has not been rebooted since the DoD issued certificate has been installed, or the computer accessing the Good server does not have the DoD Root and Intermediate certificate authorities installed. The reviewer can select the “Continue to this website” option and follow the same procedure above. If the certificate is issued from an approved DoD PKI, ask the SA to run InstallRoot on the computer accessing the Good server. Otherwise, have the SA follow the procedures outlined in the STIG/ISCG to request/install a certificate issued from a trusted DoD PKI.
Mark as a finding if a DoD server certificate has not been installed on the Good wireless email management server or that the self-signed certificate has been installed.
Password complexity<GroupDescription></GroupDescription>WIR-WMS-GD-009-08Password complexity must be set as required.<VulnDiscussion>Non-complex passwords can be easily determined by various password hacking tools, which could lead to unauthorized access to the smartphone and exposure to sensitive DoD data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1, IAIA-1</IAControls>Set password complexity as required. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “Do not allow sequential numbers” is checked for the STIG/ISCG Policy Set.
S/MIME configuration<GroupDescription></GroupDescription>WIR-GMMS-012S/MIME must be enabled on the Good server. <VulnDiscussion>Sensitive DoD data could be exposed if the required setting is not configured on the Good server. If S/MIME support is not configured on the server, the user will not be able to view critical encrypted email or be able to encrypt email with sensitive DoD information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECCR-1</IAControls>Enable S/MIME on the Good server.This is a Good server configuration check.
Log into the Good server management interface, select the Setting tab, and open the Secure Messaging (S/MIME) section.
Verify Enable Secure Messaging (S/MIME) is checked.
Mark as a finding if Enable Secure Messaging (S/MIME) is not checked.
Enable Good App authentication<GroupDescription></GroupDescription>WIR-GMMS-002Either CAC or password authentication must be enabled for user access to the Good app on the smartphone.<VulnDiscussion>Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. The Good application stores sensitive DoD information. A hacker with access to the smartphone could easily gain access to the Good application if the required authentication control is not set.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>IAIA-1</IAControls>Set user authentication on the Good app on the smartphone to either CAC or password authentication. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the mobile OS device devices and click on Handheld Authentication on the left side.
-Verify either “Authenticate with CAC PIN” or “Authenticate with password” is selected.
Mark as a finding if either of the required settings is not configured in the policy.
CAC authentication configuration setting<GroupDescription></GroupDescription>WIR-GMMS-003“Require CAC to be present” must be set.<VulnDiscussion>Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented. The Good applications stores sensitive DoD information. A hacker with access to the smartphone could easily gain access to the Good application if the required authentication control is not set.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>IAIA-1</IAControls>Set “Require CAC to be present” to required value. This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
- If “Authenticate with CAC PIN” is checked (CAC authentication is required) verify “Require CAC to be present” is also checked. Note: if “Authenticate with CAC PIN” is not checked, then “Require CAC to be present” does not need to be checked.
Mark as a finding if not not set as required.
Good app password setting<GroupDescription></GroupDescription>WIR-WMS-GD-009-09“Require both letters and numbers” must be set as required for the smartphone security/email client.<VulnDiscussion>Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls></IAControls>Set “Require both letters and numbers” as required for the Good app.This check is not applicable if “Authenticate with CAC PIN” is checked.
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “Require both letters and numbers” is checked.
Mark as a finding if “Require both letters and numbers” is not checked.
Good app password setting<GroupDescription></GroupDescription>WIR-WMS-GD-009-10“Do not allow sequential numbers” must be set as required for the smartphone security/email client.<VulnDiscussion>Sensitive DoD data is saved inside the Good app and could be exposed if strong authentication is not implemented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>IAIA-1</IAControls>Set “Do not allow sequential numbers” as required for the Good app.This check is not applicable if “Authenticate with CAC PIN” is checked.
This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Handheld Authentication on the left side.
-Verify “Do not allow sequential numbers” is checked.
Mark as a finding if “Do not allow sequential numbers” is not checked.
Wireless management server authentication<GroupDescription></GroupDescription>WIR-WMS-GD-011Authentication on system administration accounts for wireless management servers must be configured.<VulnDiscussion>CTO 07-15Rev1 requires administrator accounts use either CAC authentication or use complex passwords to ensure strong access control is enforced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>IAIA-1, IATS-1</IAControls>Configure required authentication on system administration accounts for wireless management servers.Detailed Policy Requirements:
One of the following authentications methods must be enforced for system administrator accounts:
1. CAC authentication.
2. The account password must be compliant with CTO 07-15 Rev1.
–Password must be a 14+ character complex password consisting of at least 2 of the following: upper case letter, lower case letter, numbers, and special characters. The password must be changed every 60 days.
Check Procedures:
The Good messaging server uses Active Directory authentication for admin accounts to the management console. Site admin accounts are usually set up with a user ID/password authentication rather than CAC authentication. Therefore, verify the site AD is set up to require admin accounts to use passwords meeting the requirements of CTO 07-15Rev1. Discuss with the Network and AD reviewer and site IAO to verify compliance.
Mark as a finding if site admin accounts do not meet the requirements.
Allow only approved Good client versions<GroupDescription></GroupDescription>WIR-GMMS-iOS-010-04A compliance rule must be set up on the server defining required Good client versions. <VulnDiscussion>Older software versions do not support required security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECWN-1</IAControls>Set up a compliance rule to check the version of the Good client.This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select a policy set to review and click on the policy.
-On the left tab, select Compliance Manager.
-Verify the “iOS Client Version Verification” rule is listed. (Note that the rule title does not have to be exact.)
-Open the rule by checking the box next to the rule, then click on Edit.
-Verify the following are set:
Platform: iPhone Check to Run: Hardware Model Verification
-Verify the client version checked is at least 1.8.1.
-Verify "Failure Action" is set to "Quit Good for Enterprise".
-Verify "Check Every" is set to "1 hour".
Mark as a finding if the “Client Version Verification” rule has not been set up or is not configured as required.
Data transfer<GroupDescription></GroupDescription>WIR-GMMS-006-02"Do not allow data to be copied into the Good application" must be checked in the Good security policy for the handheld.<VulnDiscussion>Malware could be copied into the secure Good sandbox on the smartphone, which would put sensitive data at risk of being compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><IAControls>ECCR-1</IAControls>Check "Do not allow data to be copied into the Good application" in the Good console.This is a Good security policy set check. Recommend all checks related to Good security policy set rules be reviewed using the following procedure.
1. Make a list of all Good security policy sets assigned to smartphone user accounts on the Good server using the following procedure:
-Have the SA identify any non STIG/ISCG-compliant policy sets and STIG/ISCG-compliant policy sets on the server.
--Log into the Good Mobile Control console.
--Click on the Policies tab.
--View all policy sets on the server.
-Note: STIG-compliant policy sets should be identified as such in the policy title. Examples are as follows: ISCG_iOS_Policy_Set, STIG_WM6-5_Policy_Set, or STIG_Android_Policy_Set. It is recommended that all non-STIG/ISCG policy sets be deleted.
2. Select each policy set users are assigned to, and in turn, verify the required settings are in the policy set.
-Note: If there is a finding, note the name of the non STIG/ISCG-compliant policy set in the Findings Details section in VMS/Component Provided Tracking Database.
-Launch the Good Mobile Control Web console and click on the Policies tab.
-Select the policy set for the smartphone and click on Messaging on the left side.
-Verify “Do not allow data to be copied into the Good application” is checked.
Mark as a finding if “Do not allow data to be copied into the Good application” is not checked.