Security controls must be implemented on the MDM server for connections to back-office servers and applications by managed mobile devices.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-24976	WIR-WMS-GD-005	SV-30814r2_rule	ECSC-1	High

Description
The secure connection from the smartphone to the MDM server can be used by the mobile device to allow a user to connect to back-office servers and applications located on the enclave network. These connections bypass network authentication controls setup on the enclave. Strong access controls to back-office servers are required to ensure DoD data is not exposed to users of the smartphone system that are not authorized to access the back-office servers and applications. Many MDM servers have the capability to proxy the authentication credentials for the mobile device user to the network. (The network views the connection request as if it is coming from the MDM server, not the mobile device user, therefore the server must proxy network authentication on behalf of the user.) In the DoD environment where CAC authentication to the network is required, the MDM server must have the capability to proxy (pass to Active Directory) the user’s CAC authentication, but most MDM servers cannot support this capability; therefore connections to back-office servers via the MDM server must be disabled.

Description

The secure connection from the smartphone to the MDM server can be used by the mobile device to allow a user to connect to back-office servers and applications located on the enclave network. These connections bypass network authentication controls setup on the enclave. Strong access controls to back-office servers are required to ensure DoD data is not exposed to users of the smartphone system that are not authorized to access the back-office servers and applications. Many MDM servers have the capability to proxy the authentication credentials for the mobile device user to the network. (The network views the connection request as if it is coming from the MDM server, not the mobile device user, therefore the server must proxy network authentication on behalf of the user.) In the DoD environment where CAC authentication to the network is required, the MDM server must have the capability to proxy (pass to Active Directory) the user’s CAC authentication, but most MDM servers cannot support this capability; therefore connections to back-office servers via the MDM server must be disabled.

STIG	Date
Mobile Device Management (MDM) Server Security Technical Implementation Guide (STIG)	2013-05-08

Details

Check Text ( C-31230r7_chk )
Detailed Policy Requirements: Access to internal Intranet sites via the secure connection between the MDM server and MDM agent must be set as follows: -If CAC authentication of the user is not enforced either by the MDM agent on the mobile device, by the MDM server before the user gains access to back-office servers located on the NIPRNet, or by all servers the user would access on the NIPRNet, all connections to back-office servers must be blocked at the MDM server. Check Procedures: -Talk to the site administrator and review the site SSP to determine if CAC authentication is enforced, and if yes, where it is enforced in the mobile architecture. If CAC authentication is enforced, this is not a finding. -If CAC authentication is not enforced, the MDM server must be configured to block access by users to back-office servers on the NIPRNet. The procedures to verify this setting will vary by MDM product. Mark as a finding if a local security policy has not been set up on the MDM server to block access to Internet sites. If the Good Technology server is used, use the following procedure: 1. On the Windows host server for the Good Mobile Messaging Server, browse to Start Menu > Administrative Tools > Local Security Policies. 2. Within Local Security Policies right click on IP Security Policies on Local Computer. 3. Open the policy and verify the following setting has been configured: -Ensure the default response rule is unchecked. 4. Go to the properties of the security policy and verify the following rules are included: -Allow access from the GMM Server to the DNS Servers. -Allow access from the GMM Server to the Exchange Servers. -Allow access from remote workstations to GMM Server in case Terminal Services will be used to manage the server remotely. -Deny access to everything else. Verify the IP Security policy has been assigned to the Windows server. -Allow access from the GMM Server to the Default Gateway.

Check Text ( C-31230r7_chk )

Detailed Policy Requirements:
Access to internal Intranet sites via the secure connection between the MDM server and MDM agent must be set as follows:

-If CAC authentication of the user is not enforced either by the MDM agent on the mobile device, by the MDM server before the user gains access to back-office servers located on the NIPRNet, or by all servers the user would access on the NIPRNet, all connections to back-office servers must be blocked at the MDM server.

Check Procedures:
-Talk to the site administrator and review the site SSP to determine if CAC authentication is enforced, and if yes, where it is enforced in the mobile architecture. If CAC authentication is enforced, this is not a finding.

-If CAC authentication is not enforced, the MDM server must be configured to block access by users to back-office servers on the NIPRNet. The procedures to verify this setting will vary by MDM product.

Mark as a finding if a local security policy has not been set up on the MDM server to block access to Internet sites.

If the Good Technology server is used, use the following procedure:

1. On the Windows host server for the Good Mobile Messaging Server, browse to Start Menu > Administrative Tools > Local Security Policies.

2. Within Local Security Policies right click on IP Security Policies on Local Computer.

3. Open the policy and verify the following setting has been configured:

-Ensure the default response rule is unchecked.

4. Go to the properties of the security policy and verify the following rules are included:
-Allow access from the GMM Server to the DNS Servers.
-Allow access from the GMM Server to the Exchange Servers.
-Allow access from remote workstations to GMM Server in case Terminal Services will be used to manage the server remotely.
-Deny access to everything else.

Verify the IP Security policy has been assigned to the Windows server.

-Allow access from the GMM Server to the Default Gateway.

Fix Text (F-27617r4_fix)
Set up required controls on the CMD management server for connections to back-office servers.