Status: accepted
Samsung SDS EMM v1.5.x Security Technical Implementation Guide
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
DISA STIG.DOD.MIL
Release: 1 Benchmark Date: 20 Jan 2017
Version: 1
I - Mission Critical Classified<ProfileDescription></ProfileDescription>
I - Mission Critical Public<ProfileDescription></ProfileDescription>
I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>
II - Mission Support Classified<ProfileDescription></ProfileDescription>
II - Mission Support Public<ProfileDescription></ProfileDescription>
II - Mission Support Sensitive<ProfileDescription></ProfileDescription>
III - Administrative Classified<ProfileDescription></ProfileDescription>
III - Administrative Public<ProfileDescription></ProfileDescription>
III - Administrative Sensitive<ProfileDescription></ProfileDescription>
PP-MDM-201100<GroupDescription></GroupDescription>
SEMM-15-000010 Before establishing a user session, the Samsung SDS EMM server must display an administrator-specified advisory notice and consent warning message regarding use of the Samsung SDS EMM server.
<VulnDiscussion>Note: The advisory notice and consent warning message is not required if the General Purpose OS or Network Device displays an advisory notice and consent warning message when the administrator logs on to the General Purpose OS or Network Device prior to accessing the Samsung SDS EMM server or Samsung SDS EMM server platform.
The Samsung SDS EMM server/server platform is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. This ensures the legal requirements for auditing and monitoring are met.
The approved DoD text must be used as specified in KS referenced in DoDI 8500.01.
The non-bracketed text below must be used without any changes as the warning banner.
[A. Use this banner for desktops, laptops, and other devices accommodating banners of 1300 characters. The banner shall be implemented as a click-through banner at logon (to the extent permitted by the operating system), meaning it prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating “OK.”]
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
[B. For Blackberries and other PDAs/PEDs with severe character limitations:]
I've read & consent to terms in IS user agreem't.
SFR ID: FMT_SMF_EXT.1.1(2) Refinement</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung SDS EMM 1.5.x, DISA, 3175, CCI-000048
Configure the MDM server to display the appropriate warning banner text.
On the MDM console, do the following:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Settings >> Admin Console >> System and click on the button labeled “Logo / Notification” near the top of the screen.
3) In the “Logo / Notification” window that appears, enter required DoD text in the Login Notification “Text” box.
4) Click "Save".
Review Samsung SDS EMM server documentation and configuration settings to determine if the warning banner is using the appropriate designated wording.
On the MDM console, do the following:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Settings >> Admin Console >> System and click on the button labeled “Logo / Notification” near the top of the screen.
3) In the “Logo / Notification” window that appears, confirm the text in the Login Notification “Text” is the required DoD banner text.
If the warning banner is not set up on the MDM server or wording does not exactly match the requirement text, this is a finding.
PP-MDM-201104<GroupDescription></GroupDescription>
SEMM-15-000070 The Samsung SDS EMM server must be configured with the Administrator roles: a. MD user; b. Server primary administrator; c. Security configuration administrator; d. Device user group administrator; and e. Auditor.
<VulnDiscussion>Having several roles for the Samsung SDS EMM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise.
- Server primary administrator: responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of Security configuration administrator and Auditor accounts.
- Security configuration administrator: responsible for security configuration of the server, setting up and maintenance of mobile device security policies, defining device user groups, setup and maintenance of device user group administrator accounts, and defining privileges of device user group administrators.
- Device user group administrator: responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. Can only perform administrative functions assigned by the Security configuration administrator.
- Auditor: responsible for reviewing and maintaining server and mobile device audit logs.
SFR ID: FMT_SMR.1.1(1) Refinement</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung SDS EMM 1.5.x, DISA, 3175, CCI-000128, CCI-000129, CCI-000169, CCI-000366, CCI-001571
Configure the MDM server with the Administrator roles:
a. MD user;
b. Server primary administrator;
c. Security configuration administrator;
d. Device user group administrator; and
e. Auditor.
On the MDM console, do the following to create an MD user:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Devices & Users >> Users & Organization and select the “+” to get a pull-down menu. Select “Add Single User”.
3) Complete fields with user specific information.
4) Click "Save".
5) Click "No" in the next dialog box (OK box) to complete setup of the user.
On the MDM console, do the following to create users in the roles (c), (d), and (e):
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Settings >> Admin Console >> Administrators and click on the “+” button near the top of the screen.
3) In the “Add Administrator” window, fill in the following once for each user account being created:
a) Choose the “New” radio button.
b) Fill in the “Admin ID” and “Admin Name” fields with values for a new user.
c) To create a Security configuration administrator, set the Type field to “Super”.
d) To create a Device user group administrator, set the Type field to “Common” and check all of the “Authorization” boxes.
e) To create an Auditor, set the Type field to “Common” and check only the Audit box.
4) Choose “Save” to create the account with the specified role.
5) Click "Yes" in the next dialog box (Save box) to complete setup of the user.
A user in the Server Primary Administrator role is created by defining a Windows Administrator account on the platform running the Samsung SDS EMM server. This is automatically created during server install.
Review the MDM server configuration settings and verify the server is configured with the Administrator roles:
a. MD user;
b. Server primary administrator;
c. Security configuration administrator;
d. Device user group administrator; and
e. Auditor.
This validation procedure is performed on the MDM Administration Console.
On the MDM console, do the following to verify that a user in the MD user role exists:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Devices & Users >> Users & Organization.
3) Observe that the user created in the Implementation Guidance is listed on this screen.
On the MDM console, do the following to verify that users in the roles (c), (d) and (e) exist:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Settings >> Admin Console >> Administrators.
3) Observe that the user with the Security configuration administrator role is in the list on this screen, that the “Type” column indicates “Super”, and that a modify symbol appears under all of the columns for “App”, “Cert”, “Org”, “Profile”, “Portal”, and “Audit”.
4) Observe that the user with the Device user group administrator role is in the list on this screen, that the “Type” column indicates “Common”, and that a modify symbol appears under all of the columns for “App”, “Cert”, “Org”, “Profile”, “Portal”, and “Audit”.
5) Observe that the user with the Auditor role is in the list on this screen, that the “Type” column indicates “Common”, and that a modify symbol appears only under the “Audit” column.
No verification is needed for the Server primary administrator since this role is always automatically created during server install.
If the MDM console is not configured with required Administrator roles, this is a finding.
PP-MDM-201129<GroupDescription></GroupDescription>
SEMM-15-000320 The Samsung SDS EMM server must be configured to transfer MD audit logs and Samsung SDS EMM server logs to another server for analysis and reporting.
<VulnDiscussion>Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. Since the Samsung SDS EMM server has limited capability to store MD log files and perform analysis and reporting of MD log files, the Samsung SDS EMM server must have the capability to transfer log files to an audit log management server.
SFR ID: FMT_SMF.1.1(2) Refinement, f</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung SDS EMM 1.5.x, DISA, 3175, CCI-000128, CCI-000129, CCI-000169, CCI-000366, CCI-001571
The following describes how the MDM server can transfer MD audit logs and MDM server logs to another server for analysis and reporting. This is a manual process that has to be performed by the administrator periodically.
To transfer Samsung SDS EMM server logs, on the MDM console, do the following:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Service Overview >> Logs >> Audit Logs.
3) Choose a date and click the "Export" button to export the selected Audit data to a file on the administrator’s workstation.
4) Follow the browser-specific instructions to save the comma-separated values file.
To transfer MD audit logs, on the MDM console, do the following:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Service Overview >> Logs >> Device Logs.
3) Choose the desired device in the left side of the “Device Logs” screen.
4) Choose the Export action in the row for the device log to be saved to export the selected MD audit log to a file on the administrator’s workstation.
5) Follow the browser-specific instructions to save the comma-separated values file.
The following describes how the MDM server transfers MD audit logs and MDM server logs to another server for analysis and reporting.
Ask the system administrator to identify which audit management server Samsung SDS EMM server logs are transferred to. Verify that the audit management server contains records of the MD audit logs and MDM server logs, which have been transferred from the Samsung SDS EMM server. If logs are not automatically transferred periodically, verify logs are transferred manually at least daily.
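Because the console only offers a browser download, both the transfer and the daily freshness check in this procedure fall on the administrator. The following PowerShell script is an added example, not part of this STIG or of Samsung SDS EMM: it forwards newly exported CSV files from the administrator workstation to the audit management server, verifies each copy by SHA-256, records a manifest, and reports whether the newest log on the audit server is within the 24-hour window the check expects. The download folder, the UNC share \\auditsrv.example.mil\emm-logs and the manifest path are assumptions to be replaced with the enclave's own values.

```powershell
# Added example for SEMM-15-000320; not from the STIG or Samsung SDS EMM.
# The console only offers a browser download of the CSV logs, so this script
# covers the platform side: forward fresh exports to the audit server, verify
# each copy, keep a manifest, and test that a transfer happened within a day.
# The paths and the share below are assumptions; adjust them to the enclave.

function Send-EmmLogExport {
    param(
        [string]$ExportDir  = "$env:USERPROFILE\Downloads",                  # browser save location (assumed)
        [string]$AuditShare = '\\auditsrv.example.mil\emm-logs',               # audit management server (assumed)
        [string]$Manifest   = "$env:USERPROFILE\emm-log-transfer-manifest.csv"
    )
    $sent = @()
    foreach ($file in Get-ChildItem -Path $ExportDir -Filter '*.csv' -File) {
        # Prefix with the export time so repeated exports of the same log never collide.
        $dest = Join-Path $AuditShare ('{0:yyyyMMdd-HHmmss}_{1}' -f $file.LastWriteTimeUtc, $file.Name)
        Copy-Item -Path $file.FullName -Destination $dest -ErrorAction Stop
        # A truncated copy must never be recorded as a successful transfer.
        $srcHash = (Get-FileHash -Algorithm SHA256 -Path $file.FullName).Hash
        $dstHash = (Get-FileHash -Algorithm SHA256 -Path $dest).Hash
        if ($srcHash -ne $dstHash) { throw "Hash mismatch copying $($file.Name) to $dest" }
        $sent += [pscustomobject]@{
            TransferredUtc = (Get-Date).ToUniversalTime().ToString('o')
            Source         = $file.FullName
            Destination    = $dest
            Sha256         = $dstHash
        }
        # Remove the workstation copy so the next run does not resend it.
        Remove-Item -Path $file.FullName
    }
    if ($sent.Count -gt 0) { $sent | Export-Csv -Path $Manifest -Append -NoTypeInformation }
    $sent
}

function Test-EmmLogTransferFreshness {
    param(
        [string]$AuditShare = '\\auditsrv.example.mil\emm-logs',   # assumed
        [int]$MaxAgeHours   = 24                                     # check text: at least daily
    )
    # Copy-Item preserves LastWriteTime, so the newest file's timestamp reflects
    # when the administrator saved the export, i.e. how recent the transfer is.
    $newest = Get-ChildItem -Path $AuditShare -Filter '*.csv' -File |
              Sort-Object LastWriteTimeUtc -Descending | Select-Object -First 1
    if (-not $newest) {
        return [pscustomobject]@{ Compliant = $false; NewestLog = $null; AgeHours = $null }
    }
    $age = (Get-Date).ToUniversalTime() - $newest.LastWriteTimeUtc
    [pscustomobject]@{
        Compliant = ($age.TotalHours -le $MaxAgeHours)
        NewestLog = $newest.Name
        AgeHours  = [Math]::Round($age.TotalHours, 1)
    }
}

Send-EmmLogExport | Format-Table -AutoSize
Test-EmmLogTransferFreshness
```

Run Send-EmmLogExport right after each console export and schedule Test-EmmLogTransferFreshness on the audit server side; a Compliant value of $false is the evidence for the finding in this check. The hash comparison and the manifest also give the reviewer the transferred-record evidence the check asks for.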
If the Samsung SDS EMM server is not configured to transfer MD audit logs to another server (automatically or manually), this is a finding.
PP-MDM-991010<GroupDescription></GroupDescription>
SEMM-15-100010 The Samsung SDS EMM server or platform must initiate a session lock after a 15-minute period of inactivity.
<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock.
The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system-level and results in a system lock but may be at the application-level where the application interface window is secured instead.
SFR ID: FMT_SMF.1.1(1) Refinement</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung SDS EMM 1.5.x, DISA, 3175, CCI-000057
To configure the Samsung SDS EMM server or platform to lock the server after 15 minutes of inactivity, do the following:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Click the “v” symbol at the top right of the web page to get a pull-down menu.
3) Choose “Configure session timeout”.
4) Set the Session Timeout(min) value to "15".
5) Click on the “Save” button.
Review the Samsung SDS EMM server or platform configuration to determine whether the system is locked after 15 minutes. Time an idle session on the server to validate that it is correctly enforcing the time period.
If the session lock does not occur within 15 minutes of inactivity, this is a finding.
PP-MDM-991040<GroupDescription></GroupDescription>
SEMM-15-100040 The Samsung SDS EMM server platform must be protected by a DoD-approved firewall.
<VulnDiscussion>Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Unneeded services and processes provide additional threat vectors and avenues of attack to the information system. The Samsung SDS EMM server is a critical component of the mobility architecture and must be configured to only those ports, protocols, and services (PPS) necessary to support functionality, all others must be expressly disabled or removed. A DoD-approved firewall implements the required network restrictions. A host-based firewall is appropriate where the Samsung SDS EMM server runs on a standalone platform. Network firewalls or other architectures may be preferred where the Samsung SDS EMM server runs in a cloud or virtualized solution.
SFR ID: FMT_SMF.1.1(1) Refinement</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung SDS EMM 1.5.x, DISA, 3175, CCI-000382
Install a DoD-approved firewall.
Review the Samsung SDS EMM server platform configuration to determine whether a DoD-approved firewall is installed or if the platform operating system provides a firewall service that can restrict both inbound and outbound traffic by TCP/UDP port and IP address.
If there is not a host-based firewall present on the Samsung SDS EMM server platform, this is a finding.
PP-MDM-991050<GroupDescription></GroupDescription>
SEMM-15-100050 The firewall protecting the Samsung SDS EMM server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support Samsung SDS EMM server and platform functions.
<VulnDiscussion>Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations. The Samsung SDS EMM server is a critical component of the mobility architecture and must be configured to only those ports, protocols, and services (PPS) necessary to support functionality; all others must be expressly disabled or removed. A firewall installed on the Samsung SDS EMM server provides a protection mechanism to ensure unwanted service requests do not reach the Samsung SDS EMM server and outbound traffic is limited to only Samsung SDS EMM server functionality.
SFR ID: FMT_SMF.1.1(1) Refinement</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung SDS EMM 1.5.x, DISA, 3175, CCI-000382
Configure the firewall on the Samsung SDS EMM server to only permit ports, protocols, and IP address ranges necessary for operation.
Ask the MDM administrator for a list of ports, protocols, and IP address ranges necessary to support Samsung SDS EMM server and platform functionality (see the STIG Supplemental document for a list of required ports, protocols, and services).
Review the list to determine if the stated required configuration is appropriate.
Compare the list against the configuration of the firewall, and identify discrepancies.
If the host-based firewall is not configured to support only those ports, protocols, and IP address ranges necessary for operation, this is a finding.
PP-MDM-991060<GroupDescription></GroupDescription>
SEMM-15-100060 The firewall protecting the Samsung SDS EMM server platform must be configured so that all allowed ports, protocols, and services are approved for DoD use (on the DoD Ports, Protocols, Services Management (PPSM) Category Assurance Levels (CAL) list).
<VulnDiscussion>All ports, protocols, and services used on DoD networks must be approved and registered via the DoD Ports, Protocols, Services Management (PPSM) process. This is to ensure that a risk assessment has been completed before a new port, protocol, or service is configured on a DoD network and has been approved by proper DoD authorities. Otherwise, the new port, protocol, or service could cause a vulnerability to the DoD network, which could be exploited by an adversary.
SFR ID: FMT_SMF.1.1(1) Refinement</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung SDS EMM 1.5.x, DISA, 3175, CCI-000382
Turn off any ports, protocols, and services on the MDM host-based firewall that are not on the DoD Ports, Protocols, Services Management (PPSM) Category Assurance Levels (CAL) list.
Ask the MDM administrator for a list of ports, protocols, and services that have been configured on the host-based firewall. Verify all allowed ports, protocols, and services are included on the DoD PPSM CAL list.
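One way to carry out the configure and check steps of both SEMM-15-100050 and SEMM-15-100060 on a Windows-hosted Samsung SDS EMM server is the following PowerShell script, an added example that is not part of this STIG or of Samsung SDS EMM. It uses the platform's Windows Defender Firewall as the host-based firewall: allow rules are created for the required ports first, the default action for both directions on all profiles is then set to Block, and every enabled allow rule is audited against a PPSM CAL approved list. The $RequiredPps entries and the $ApprovedCal list are placeholders (assumptions); fill them from the STIG Supplemental document and the PPSM CAL, neither of which this page reproduces.

```powershell
# Added example for SEMM-15-100050 and SEMM-15-100060; not from the STIG or
# Samsung SDS EMM. Uses Windows Defender Firewall on the EMM server platform
# (the Server primary administrator is a Windows account in this STIG) as the
# host-based firewall. Both lists are placeholders (assumptions): fill
# $RequiredPps from the STIG Supplemental document and $ApprovedCal from the
# DoD PPSM CAL; neither is reproduced on this page.

$RequiredPps = @(
    [pscustomobject]@{ Name = 'EMM-Admin-HTTPS'; Protocol = 'TCP'; Port = 443;  Direction = 'Inbound';  Remote = @('10.10.0.0/16') }
    [pscustomobject]@{ Name = 'EMM-Mgmt-RDP';    Protocol = 'TCP'; Port = 3389; Direction = 'Inbound';  Remote = @('10.10.5.0/24') }
    [pscustomobject]@{ Name = 'EMM-DNS-Out';     Protocol = 'UDP'; Port = 53;   Direction = 'Outbound'; Remote = @('10.10.0.53') }
)
$ApprovedCal = @('TCP/443', 'TCP/3389', 'UDP/53')   # placeholder PPSM CAL entries

function Set-EmmFirewallBaseline {
    param([object[]]$Rules = $RequiredPps)
    foreach ($r in $Rules) {
        # Recreate by name so the function is idempotent across runs.
        Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        $p = @{ DisplayName = $r.Name; Direction = $r.Direction; Action = 'Allow'
                Protocol = $r.Protocol; RemoteAddress = $r.Remote; Profile = 'Any' }
        # Inbound rules constrain the local port, outbound rules the remote port.
        if ($r.Direction -eq 'Outbound') { $p.RemotePort = $r.Port } else { $p.LocalPort = $r.Port }
        New-NetFirewallRule @p | Out-Null
    }
    # Allow rules exist now, so flipping both defaults to Block keeps the listed
    # management paths open; everything else is dropped on every profile.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
}

function Test-EmmFirewallPpsm {
    param([string[]]$Approved = $ApprovedCal)
    $findings = @()
    foreach ($rule in Get-NetFirewallRule -Enabled True -Action Allow) {
        $pf    = $rule | Get-NetFirewallPortFilter
        $ports = if ($rule.Direction -eq 'Outbound') { @($pf.RemotePort) } else { @($pf.LocalPort) }
        foreach ($port in $ports) {
            $key = "$($pf.Protocol)/$port"
            if ($pf.Protocol -eq 'Any' -or $port -eq 'Any') {
                $findings += [pscustomobject]@{ Rule = $rule.DisplayName; Direction = $rule.Direction; Reason = 'unrestricted port or protocol' }
            } elseif ($Approved -notcontains $key) {
                $findings += [pscustomobject]@{ Rule = $rule.DisplayName; Direction = $rule.Direction; Reason = "$key is not on the approved list" }
            }
        }
    }
    $findings
}

Set-EmmFirewallBaseline
Test-EmmFirewallPpsm | Format-Table -AutoSize
```

Run this from the server console, or from a session covered by one of the management rules you list, because switching the outbound default to Block severs anything not explicitly allowed. Windows ships with many enabled allow rules, so the first audit run lists them all; each must be either disabled or justified against the CAL. Port ranges and ICMP rules also show up as findings because the approved list here is keyed per single protocol/port pair, which is the conservative reading of the check.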
If any allowed ports, protocols, and services on the MDM host-based firewall are not included on the DoD PPSM CAL list, this is a finding.
PP-MDM-201101<GroupDescription></GroupDescription>
SEMM-15-200010 The Samsung SDS EMM agent must be configured with a periodicity of reachability events of six hours or less.
<VulnDiscussion>Mobile devices that do not enforce security policy or verify the status of the device are vulnerable to a variety of attacks. The key security function of MDM technology is to distribute mobile device security policies in such a manner that they are enforced on managed mobile devices. To accomplish this function, the Samsung SDS EMM agent must verify the status and other key information of the managed device and report that status to the MDM server periodically.
SFR ID: FMT_SMF_EXT.3.2</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Samsung SDS EMM 1.5.x, DISA, 3175, CCI-002696
Configure the MDM agent periodicity of reachability events to six hours or less.
On the MDM console, do the following:
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Settings >> Service >> Configuration.
3) For Android: Set row 20 “Inventory Collection Period for Android (Hrs)” to a value of "6" or less.
4) For iOS: Set row 21 “Inventory Collection Period for iOS (Hrs)” to a value of "6" or less.
5) Click on the check-mark box in the top left of the "Configuration" screen to "Apply Changes".
6) Click “OK” on the “Notify” save completed window.
On the MDM agent, no actions are required.
Review the MDM agent configuration settings to determine if the agent is configured with a periodicity of reachability events set to six hours or less.
This validation procedure is performed on the Samsung SDS EMM Server Admin Console.
1) Log in to the Samsung SDS EMM Server Admin Console using a web browser.
2) Go to Settings >> Service >> Configuration.
3) For Android: On row 20 verify “Inventory Collection Period for Android (Hrs)” is set to "6" or less.
4) For iOS: On row 21 verify “Inventory Collection Period for iOS (Hrs)” is set to "6" or less.
If the periodicity of reachability events is not set to "6" hours or less, this is a finding.