
Mobile Device Integrity Scanning (MDIS) Server Security Technical Implementation Guide (STIG)


Overview

Date: 2012-07-20
Finding Count (24): CAT I (High): 13, CAT II (Med): 8, CAT III (Low): 3

STIG Description
This STIG provides technical security controls required for the use of a mobile MDIS server to audit the integrity of mobile devices in the DoD environment. The requirements listed in this benchmark apply to any DoD iOS 5 implementation when iOS 5 devices process sensitive DoD information, connect to a DoD network or network connected PC, or provide service to a DoD email system. The requirements can be implemented in an application server separate from the MDM server or included in the MDM server.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-32759 High The MDIS server must not be capable of being disabled or controlled by the user or other mobile device application.
V-32758 High The MDIS server must verify the integrity of all operating system files, device drivers, and security enforcement mechanisms at startup and at least every six hours thereafter, using one or more DoD approved cryptographic mechanisms that compare attributes of the operating system configuration to a known good baseline.
V-32756 High The MDIS server must use automated mechanisms to alert security personnel when the device has been jailbroken or rooted.
V-32754 High The MDIS server must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
V-32753 High The MDIS server must alert when it identifies malicious code on managed mobile devices.
V-32751 High The MDIS server must implement detection and inspection mechanisms to identify unauthorized mobile code on managed mobile devices.
V-32750 High The MDIS server must employ automated mechanisms to detect the presence of unauthorized software on managed mobile devices and notify designated organizational officials in accordance with the organization defined frequency.
V-24975 High The host server where the mobile management server is installed must have a host-based or appliance firewall, which must be configured as required.
V-32764 High The MDIS server must identify unexpected changes in applications installed on the mobile device.
V-32762 High The MDIS server must operate separate and independent of the management of the mobile devices security policy.
V-32763 High The MDIS server must identify changes in file structure and files on the mobile device.
V-32749 High Mitigation actions identified by MDIS server scans on site managed mobile OS devices must be implemented.
V-26564 High Authentication on system administration accounts for mobile management servers must be configured to support Microsoft Active Directory (AD) authentication.
V-32757 Medium The MDIS server must accept alerts from the mobile operating system when the mobile OS has detected integrity check failures.
V-32755 Medium The MDIS server must provide notifications regarding suspicious events to an organization defined list of response personnel who are identified by name and/or by role.
V-32752 Medium The MDIS server must scan for malicious code on managed mobile devices on an organization defined frequency.
V-24973 Medium The host server where the mobile management server is installed must be hardened according to the appropriate Application STIG (SQL, Apache Web Server, Apache Tomcat, IIS, etc.).
V-32765 Medium MDIS server must archive results of scans for individual devices.
V-32760 Medium The MDIS server must identify the affected mobile device, severity of the finding, and provide a recommended mitigation.
V-32761 Medium The MDIS server must base recommended mitigations for findings on the identified risk level of the finding.
V-32748 Medium The results and mitigation actions from MDIS server on site managed mobile OS devices must be maintained by the site for at least 6 months (1 year recommended).
V-33231 Low The master AES encryption key used to encrypt data between the management server and the agent on the mobile device must be changed on a periodic basis.
V-32766 Low The MDIS server must provide the capability for the site administrator to amend information on mitigation actions that have taken place (e.g., wipe the device) to the scan report before the report is archived.
V-25754 Low The PKI digital certificate installed on mobile management servers must be a DoD PKI-issued certificate.