The MDM server host based firewall must be configured to Deny All except when explicitly authorized and block all incoming and outgoing ports, protocols, and IP address ranges except for those required to support the MDM server functions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-36033	SRG-APP-142-MDM-029-SRV	SV-47422r1_rule		High

Description
Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations. Since the MDM server is a critical component of the mobility architecture and it must be configured to only those ports, protocols, and services (PPS) necessary to support functionality, all others must be expressly disabled or removed. A host firewall installed on the MDM server provides a protection mechanism to ensure unwanted service requests do not reach the MDM server and outbound traffic is limited to only MDM server functionality. By not allowing only known good traffic into the MDM server, the MDM server could be vulnerability to denial of service attacks, as well as brute-force attacks by intruders.

Description

Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations. Since the MDM server is a critical component of the mobility architecture and it must be configured to only those ports, protocols, and services (PPS) necessary to support functionality, all others must be expressly disabled or removed. A host firewall installed on the MDM server provides a protection mechanism to ensure unwanted service requests do not reach the MDM server and outbound traffic is limited to only MDM server functionality. By not allowing only known good traffic into the MDM server, the MDM server could be vulnerability to denial of service attacks, as well as brute-force attacks by intruders.

STIG	Date
Mobile Device Manager Security Requirements Guide	2013-01-24

Details

Check Text ( C-44272r1_chk )
Examine the server configuration to determine whether the DoD approved host based firewall is configured to "Deny All" except when explicitly authorized and block all incoming and outgoing ports, protocols, and IP address ranges except for those required to support the MDM server functions. If the firewall is not locked down to only support the MDM server functions, this is a finding.

Fix Text (F-40563r1_fix)
Configure the DoD approved host based firewall to "Deny All" except when explicitly authorized and block all incoming and outgoing ports, protocols, and IP address ranges except for those required to support the MDM server functions.