Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-25754 | WIR-WMS-GD-010 | SV-32013r2_rule | IATS-1 | Low |
Description |
---|
When a self-signed PKI certificate is used, a rogue mobile management server can impersonate the DoD mobile management server. DoDI 8520-02 requires that PKI certificates come from a trusted DoD PKI. |
STIG | Date |
---|---|
Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG) | 2013-01-17 |
Check Text ( C-32242r9_chk ) |
---|
Verify a DoD server certificate has been installed on the mobile management server and that the self-signed certificate, available as an option during setup of the wireless email management server, has not been installed. The check procedure depends on the mobile management server product used. Mark as a finding if a DoD server certificate has not been installed on the mobile device management server. For the Good Technology server, follow these procedures: - Ask the SA to access the Good server using Internet Explorer. Verify no certificate error occurs. - Click the lock icon next to the address bar, then select “View certificates”. On the General tab, verify the “Issued to:” and “Issued by:” fields do not show the same value. Then on the Certification Path tab, verify the top certificate is a trusted DoD Root certificate authority (e.g., DoD Root CA 2) and the certificate status field states “This certificate is OK”. If a certificate error occurs, either the default self-signed certificate is still installed, the Good server has not been rebooted since the DoD-issued certificate was installed, or the computer accessing the Good server does not have the DoD Root and Intermediate certificate authorities installed. The reviewer can select the “Continue to this website” option and follow the same procedure above. If the certificate is issued from an approved DoD PKI, ask the SA to run InstallRoot on the computer accessing the Good server. Otherwise, have the SA follow the procedures outlined in the STIG to request and install a certificate issued from a trusted DoD PKI. |
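The two conditions the manual check inspects in the browser (“Issued to” equals “Issued by”, and the chain topping out at a DoD root) can also be checked from a script. This is an added example, not part of the STIG or the Good Technology product; the host name, the path to a PEM bundle of DoD root certificates, and the sample certificate dictionaries are constructed placeholders.

```python
import socket
import ssl

# Constructed samples shaped like ssl.SSLSocket.getpeercert() output.
# A self-signed certificate has identical subject and issuer names.
SELF_SIGNED_SAMPLE = {
    "subject": ((("commonName", "mdm.example.mil"),),),
    "issuer": ((("commonName", "mdm.example.mil"),),),
}
# A DoD-issued certificate names an issuing CA that differs from the subject.
DOD_ISSUED_SAMPLE = {
    "subject": ((("commonName", "mdm.example.mil"),),),
    "issuer": ((("organizationName", "U.S. Government"),),
               (("commonName", "DoD Intermediate CA (placeholder)"),)),
}


def name_to_dict(name):
    """Flatten the nested RDN tuples from getpeercert() into {attribute: value}."""
    return {attr: value for rdn in name for attr, value in rdn}


def is_self_signed(cert):
    """True when 'Issued to' and 'Issued by' carry the same name (the default setup certificate)."""
    return name_to_dict(cert["subject"]) == name_to_dict(cert["issuer"])


def issuer_common_name(cert):
    """Common name of the issuing CA, or '' if the issuer has none."""
    return name_to_dict(cert["issuer"]).get("commonName", "")


def check_mdm_server(host, port, dod_roots_pem):
    """Return (passed, reason) for the certificate the MDM server presents.

    The trust store holds only the DoD roots from dod_roots_pem, so a handshake
    that verifies means the certification path ends at a DoD root (the
    Certification Path tab check). The self-signed test mirrors the General tab check.
    """
    ctx = ssl.create_default_context(cafile=dod_roots_pem)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, f"chain does not validate to a DoD root: {exc}"
    if is_self_signed(cert):
        return False, "server presents a self-signed certificate"
    return True, f"issued by {issuer_common_name(cert)}"
```

A hostname mismatch also surfaces as `SSLCertVerificationError`, which is the same "certificate error" the browser procedure describes, so a failure here still needs the follow-up the check text gives (reboot after install, or missing root/intermediate CAs on the reviewing workstation).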
Fix Text (F-28607r3_fix) |
---|
Use a DoD-issued digital certificate on the mobile management server. |