
The MDM server PKI certificate store must encrypt contents using AES encryption (AES 128 bit encryption key length is the minimum requirement; AES 256 desired).


Overview

Finding ID: V-36247
Version: SRG-APP-194-MDM-228-SRV
Rule ID: SV-47651r1_rule
IA Controls:
Severity: Medium
Description
If an adversary can access the key store, it may be able to use the keys to perform a variety of unauthorized transactions. It may also be able to modify public keys in a way that tricks the operating system into accepting invalid certificates. Encrypting the key store protects the integrity and confidentiality of keys. AES encryption with adequate key lengths provides assurance that the protection is strong.
STIG: Mobile Device Manager Security Requirements Guide
Date: 2013-01-24

Details

Check Text (C-44487r1_chk)
Review the MDM server configuration and the NIST FIPS certificate to validate that the server uses AES encryption for the certificate store. Confirm that at least AES 128-bit encryption is used. If the MDM server does not use AES 128 or AES 256 encryption for the certificate store, this is a finding.
Fix Text (F-40777r1_fix)
Configure the MDM server to use AES 128 or AES 256 encryption for the certificate store.