
The MDM server must require a password to access the server's private keys saved in the key certificate store that meets organizationally defined network administrator password requirements.


Overview

Finding ID: V-36023
Version: SRG-APP-176-MDM-020-SRV
Rule ID: SV-47412r1_rule
IA Controls:
Severity: Medium
Description
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. Allowing unauthenticated access to private keys can enable an adversary in possession of the device to decrypt messages encrypted with the public key and to digitally sign data, thereby potentially enabling an adversary to impersonate the user in any application that uses that private key for user authentication. Requiring a password to access keys saved in the certificate store mitigates the risk of unauthorized access.
STIG: Mobile Device Manager Security Requirements Guide
Date: 2013-01-24

Details

Check Text (C-44262r1_chk)
Review the MDM server configuration to determine whether the system can require a password to access the server's private keys saved in the key certificate store that meets organizationally defined network administrator password requirements. If the MDM server cannot require this password, this is a finding.
Fix Text (F-40553r1_fix)
Configure the MDM server to require a password to access the server's private keys saved in the key certificate store that meets organizationally defined network administrator password requirements.