BBDS10 2 X STIG
BlackBerry Enterprise Service v10.2.x BlackBerry Device Service STIG. Version v1 r5, released Oct. 23, 2015.
BBDS-00-003177: The BlackBerry Device Service server must direct all Work Space application traffic through the BlackBerry Device Service server via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether all Work Space application traffic is routed through the BlackBerry Device Service server. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to direct all Work Space application traffic through the BlackBerry Device Service server. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Network Access Control for Work Apps" is set to "Yes".
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
BBDS-00-002542: The BlackBerry Device Service server must allow only Work Space contacts to be read from a native Personal Space application via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether only work persona contacts to be read from a native personal persona application. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. If this control is not available, sensitive DoD data stored inside the security container could be exposed if it is copied to a non-secure area on the device.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to allow only work persona contacts to be read from a native personal space application. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Personal Apps Access to Work Contacts" is set to "Only BlackBerry Apps". Note: Check text is applicable for EMM-Corporate (BlackBerry Balance) devices only. This requirement is N/A for EMM-Regulated (Work Space only) devices.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
BBDS-00-000149: The BlackBerry Device Service server must disable the Hands-Free Profile (HFP) Bluetooth profile via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether the Hands-Free Profile (HFP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to disable the Hands-Free Profile (HFP) Bluetooth profile. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify both "Transfer Work Contacts Using Bluetooth PBAP or HFP" and "Bluetooth HFP" are set to "Disallow".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000161: The BlackBerry Device Service server must disable the transfer of any file-based data via Near Field Communication (NFC) via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether the transfer of any file-based data via NFC has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to disable the transfer of any file-based data via NFC. For EMM-Corporate and EMM-Regulated devices, log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Transfer Work Data Using NFC" is set to "Disallow".
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
BBDS-00-000230: The BlackBerry Device Service server must set the number of incorrect password attempts before a data wipe procedure is initiated to 10 via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether the number of incorrect password attempts before a data wipe procedure is initiated is set to 10. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to set the number of incorrect password attempts before a data wipe procedure is initiated to 10. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Password" and verify "Maximum Password Attempts" is set to "10".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000310: The key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use must be changed from the default.
When the BlackBerry Administration Service is installed the setup application generates a password for the web.keystore file. The web.keystore file stores the SSL certificate that the BlackBerry Administration Service uses to authenticate with browsers. You can change the web.keystore password after the installation process completes. All BlackBerry Administration Service instances in a BlackBerry Device Service domain must use the same web.keystore password. Consult the system administrator to determine if the default password was changed. If the default password has not been changed, this is a finding.
Discussion
The key store password protects the server digital authentication certificates from unauthorized use.
Fix
The key store password for the certificate that the BlackBerry Administration Service (BAS) and BlackBerry Web Desktop Manager (BWDM) use must be changed from the default. To change the web.keystore password, use the following procedure: Before you begin: To verify the current password for the web.keystore file, log in to the BlackBerry Administration Service using an administrator account with the Security Administrator role. Under "Servers and components" on the left side, navigate to "BlackBerry Solution topology > BlackBerry Domain> Component view > BlackBerry Administration Service", and check the "Security settings" section. 1. From the Windows machine with BlackBerry Enterprise Service 10, navigate to "Start > All Programs > BlackBerry Enterprise Service 10" and open "Configuration Tool for BlackBerry Enterprise Service 10". 2. On the "Administration Service - Web.Keystore" tab, type the current password. 3. Type a new password and confirm the new password. 4. Click "OK". 5. In the Windows Services, restart the BlackBerry Administration Service services. 6. Repeat steps 1 to 5 on each computer that hosts a BlackBerry Administration Service instance.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000156: The BlackBerry Device Service server must disable the transfer of any file-based data via Bluetooth via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether the transfer of any file-based data via Bluetooth has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to disable the transfer of any file-based data via Bluetooth. For EMM-Corporate (BlackBerry Balance) devices, log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Transfer Work Files Using Bluetooth OPP" is set to "Disallow." For EMM-Regulated (Work Space only) and Balance-Regulated devices, log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Bluetooth File Transfer Using OBEX" is set to "Disallow."
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
BBDS-00-003178: The BlackBerry Device Service server must disallow Personal Space applications access to the Work Space network connection via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether Personal Space applications access to the Work Space network connection has been disallowed. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to disallow Personal Space applications access to the Work Space network connection. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Work Network Usage for Personal Apps" is set to "Disallow". Note: Check text is applicable for EMM-Corporate (BlackBerry Balance) devices only. This requirement is N/A for EMM-Regulated (Work Space only) devices.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000132: The BlackBerry Device Service server must enforce the email client S/MIME encryption algorithm to be 3DES or AES256 via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether the encryption algorithms used to encrypt S/MIME protected email messages are 3DES or AES256. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Cryptography is only as strong as the encryption modules/algorithms that are employed to encrypt the data. Strong encryption must be used to protect the integrity and confidentiality of the data. In this case the requirement states that S/MIME must utilize a 3DES or AES encryption algorithm.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to enforce the email client S/MIME encryption algorithm to be 3DES or AES256 via centrally managed policy. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Profiles > Manage email profiles > <Profile Name> > Email profile settings" and verify "Allowed content ciphers" is set to "AES (256-bit), or "Triple DES."
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-003120: The BlackBerry Device Service server must enforce the minimum password length for the Personal Space password to 4 digits via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether a device unlock password with a minimum length of 4 characters has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the BlackBerry Device Service server to enable a device unlock password with a minimum length of 4 characters. This requirement can be met via one of two methods: Method #1: Train users to set the following device unlock/personal area password feature on a PlayBook 2.0 or BlackBerry 10 device: Navigate to "Options/Settings -> Security ->Password" and set "Enable Password" to "ON". Create a 4 digit passcode for the device lock. **************************************************************************************** Method #2: The BDS IT policy rule "Apply Work Space Password to Full Device" can be applied to force the Work Space password to be used for both Work and Personal Spaces. IT policy rules can be specified per group or per user. To add an IT policy to a group: 1. Log into BlackBerry Administration Service and under "BlackBerry solution management" on the left side, expand "Group". 2. Click "Manage groups". 3. Click the name of the group. 4. Click "Edit group". 5. Click the "Policies" tab. 6. In the "IT policy list", select the IT policy. 7. Click "Save all". To add an IT policy to a user account: 1. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side expand "User". 2. Click "Manage users". 3. Search for a user account. 4. In the search results, select the check box for the user account. 5. In the "Add to user configuration" list, click "Set IT policy". 6. In the "IT policy" drop-down list, select the IT policy. 7. Click "Save". For more details and information, please see the "Setting up device controls" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Administration Guide.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
BBDS-00-000146: The BlackBerry Device Service server must disable the Advanced Audio Distribution Profile (A2DP) Bluetooth profile via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether the Advanced Audio Distribution Profile (A2DP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to disable the Advanced Audio Distribution Profile (A2DP) Bluetooth profile. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Bluetooth A2DP" is set to "Disallow". Note: The above is only applicable for devices with "Balance-Regulated" and "Work space only" activation types.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000147: The BlackBerry Device Service server must disable the Audio/Video Remote Control Profile (AVRCP) Bluetooth profile via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether the Audio/Video Remote Control Profile (AVRCP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to disable the Audio/Video Remote Control Profile (AVRCP) Bluetooth profile. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Bluetooth AVRCP" is set to "Disallow". Note: The above is only applicable for devices with "Balance-Regulated" and "Work space only" activation types.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000295: The BlackBerry Device Service server must use organization defined replay-resistant authentication mechanisms for network access to privileged accounts.
Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that employs replay-resistant features. To ensure correct configuration have the BlackBerry Device Service (BDS) Administrator logon to the BDS Server, and ensure authentication was performed via Active Directory. If access to the server is not being authenticated via this method, this is a finding.
Discussion
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Replay attacks, if successfully used against a MDM account could result in unfettered access to the MDM settings and data records.
Fix
Configure the BlackBerry Device Service server to authenticate through the Enterprise Authentication Mechanism. To configure the BDS server to authenticate via Active Directory the following process can be used: Local authentication rules are handled by the host Operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Server. Configure permissions for the service account: The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin. During the installation of the BlackBerry Device Service, steps 16 and 17 describe the setup of the Active Directory login, as follows: 16. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. By default, the setup application uses the service account that you used in step 1. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access. 17. In the Create an administrator account dialog box, perform one of the following actions: * If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 16, or you can specify the username and Windows domain for a different Microsoft Active Directory account. * If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account. You use the account information that you specify to log in to the BlackBerry Administration Service for the first time. Log in to the BlackBerry Administration Service: When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time. 1. In the browser, type "https://<server_name>/webconsole/login", where <server_name> is the name of the computer that hosts the BlackBerry Administration Service. 2. In the "User name" field, type your username. 3. In the "Password" field, type your password. 4. Perform one of the following actions: * In the "Log in using" drop-down list, click "BlackBerry Administration Service". * In the "Log in using" drop-down list, click "Active Directory" and type the Microsoft Active Directory domain in the "Domain" field. 5. Click "Log in". 6. Install the RIMWebComponents.cab add-on if you are prompted to do so. For further details regarding the BlackBerry Device Service Installation and configuration, see the accompanying Overview Document, and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Installation and Configuration Guide.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
BBDS-00-000159: The BlackBerry Device Service server must disable the transfer of any file-based data via Bluetooth (Transfer Work Contacts Using Bluetooth PBAP or HFP) via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether the transfer of any file-based data via Bluetooth has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to disable the transfer of any file-based data via Bluetooth (Transfer Work Contacts Using Bluetooth PBAP or HFP). For EMM-Corporate (BlackBerry Balance) devices, log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Transfer Work Contacts Using Bluetooth PBAP or HFP" is set to "Disallow".
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
BBDS-00-000290: The BlackBerry Device Service server must require administrators to be authenticated with an individual authenticator prior to using a group authenticator.
Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that requires administrators to be authenticated with an individual authenticator prior to using a group authenticator. To ensure correct configuration have the BlackBerry Device Service (BDS) Administrator log on to the BDS Server, and ensure authentication was performed via Active Directory. If access to the server is not being authenticated via this method, this is a finding.
Discussion
To assure individual accountability and prevent unauthorized access, MDM administrators and users (and any processes acting on behalf of users) must be individually identified and authenticated. Without individual accountability, there can be no traceability back to an individual if there were a security incident on the system. In addition, group accounts can be shared with individuals who do not have authorized access.
Fix
Configure the BlackBerry Device Service server to authenticate through the Enterprise Authentication Mechanism. To configure the BDS server to authenticate via Active Directory the following process can be used: Local authentication rules are handled by the host Operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Server. Configure permissions for the service account: The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin. During the installation of the BlackBerry Device Service, steps 16 and 17 describe the setup of the Active Directory login, as follows: 16. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. By default, the setup application uses the service account that you used in step 1. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access. 17. In the Create an administrator account dialog box, perform one of the following actions: * If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 16, or you can specify the username and Windows domain for a different Microsoft Active Directory account. * If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account. You use the account information that you specify to log in to the BlackBerry Administration Service for the first time. Log in to the BlackBerry Administration Service: When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time. 1. In the browser, type "https://<server_name>/webconsole/login", where <server_name> is the name of the computer that hosts the BlackBerry Administration Service. 2. In the "User name" field, type your username. 3. In the "Password" field, type your password. 4. Perform one of the following actions: * In the "Log in using" drop-down list, click "BlackBerry Administration Service". * In the "Log in using" drop-down list, click "Active Directory" and type the Microsoft Active Directory domain in the "Domain" field. 5. Click "Log in". 6. Install the RIMWebComponents.cab add-on if you are prompted to do so. For further details regarding the BlackBerry Device Service Installation and configuration, see the accompanying Overview Document, and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Installation and Configuration Guide.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
BBDS-00-000235: The BlackBerry Device Service server must enable a Work Space password via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether a Work Space password has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to enable a work space password. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Password" and verify "Password Required for Work Space" is set to "Yes". Note: The above is only for devices with EMM-Corporate (BlackBerry Balance). This check is not applicable to EMM-Regulated (Work Space only) devices.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000160: The BlackBerry Device Service server must enable Bluetooth pairing using a randomly generated passkey size of at least 8 digits via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether Bluetooth pairing using a randomly generated passkey size of at least 8 digits has been enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to enable Bluetooth pairing using a randomly generated passkey size of at least 8 digits. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Enforce Minimum Bluetooth Passkey Length" is set to "Yes". Note: The above is only for devices with EMM-Regulated (Work Space only).
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000320: The BlackBerry Device Service server must employ strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.
Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions. To ensure correct configuration have the BlackBerry Device Service (BDS) Administrator log on to the BDS Server, and ensure authentication was performed via Active Directory. If access to the server is not being authenticated via this method, this is a finding.
Discussion
Lack of authentication enables anyone to gain access to the MDM. Network access control mechanisms interoperate to prevent unauthorized access and to enforce the organization's security policy. Authorization for access to the MDM to perform maintenance and diagnostics requires an individual account identifier that has been approved, assigned, and configured. Authentication of non-local maintenance and diagnostics sessions must be accomplished through two-factor authentication via the combination of passwords, tokens, and biometrics.
Fix
Configure the BlackBerry Device Service server to authenticate through an Enterprise Authentication Mechanism that employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions. To configure the BDS server to authenticate via Active Directory the following process can be used: Local authentication rules are handled by the host Operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Server. Configure permissions for the service account: The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin. During the installation of the BlackBerry Device Service, steps 16 and 17 describe the setup of the Active Directory login, as follows: 16. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. By default, the setup application uses the service account that you used in step 1. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access. 17. In the Create an administrator account dialog box, perform one of the following actions: * If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 16, or you can specify the username and Windows domain for a different Microsoft Active Directory account. * If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account. You use the account information that you specify to log in to the BlackBerry Administration Service for the first time. Log in to the BlackBerry Administration Service: When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time. 1. In the browser, type "https://<server_name>/webconsole/login", where <server_name> is the name of the computer that hosts the BlackBerry Administration Service. 2. In the "User name" field, type your username. 3. In the "Password" field, type your password. 4. Perform one of the following actions: * In the "Log in using" drop-down list, click "BlackBerry Administration Service". * In the "Log in using" drop-down list, click "Active Directory" and type the Microsoft Active Directory domain in the "Domain" field. 5. Click "Log in". 6. Install the RIMWebComponents.cab add-on if you are prompted to do so. For further details regarding the BlackBerry Device Service Installation and configuration, see the accompanying Overview Document, and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Installation and Configuration Guide.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
BBDS-00-003176: The BlackBerry Device Service server must disable any mobile OS service that connects to a cloud storage server via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether any mobile OS service that connects to a cloud storage server has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to disable any mobile OS service that connects to a cloud storage server. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Software" and verify "Cloud Storage Access from Work Space" is set to "Disallow". Note: The above is only for devices with EMM-Corporate (BlackBerry Balance). Devices with EMM-Corporate (Work Space only) inherently meet this requirement.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
BBDS-00-003160: The BlackBerry Device Service server must disable the mobile device users access to BlackBerry World for Work Space and only allow access to apps published from BlackBerry Device Service.
Review the BlackBerry Device Service server configuration to determine if the commercial application store contains no applications. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the BlackBerry Device Service server application store to contain no commercial applications. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Software > Applications > Manage Applications" and verify that there are no applications listed under "BlackBerry World Applications".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000286: BlackBerry Web Desktop Manager must be configured to disable a users capability to perform a user-initiated backup or restore.
Review the BlackBerry Device Service server policy configuration to determine whether a user initiated backup or restore of the Work Space of a managed mobile device has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. When these configurations are not set as required, users may have the capability to activate unauthorized BlackBerry devices.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to disallow a user initiated backup or restore of the Work Space of a managed mobile device. For BlackBerry Balance (Corporate and Regulated) devices, log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Backup and Restore Work Space" is set to "Disallow". For Work Space only devices, log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Backup and Restore Device" is set to "Disallow".
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
BBDS-00-003181: The BlackBerry Device Service server must disable any mobile OS service that connects to a cloud-based service via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether any mobile OS service that connects to a cloud-based service server has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to disable any mobile OS service that connects to a cloud-based service. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Software" and verify "Find More Contact Details" is set to "Disallow".
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
BBDS-00-000300: The BlackBerry Device Service server must be configured to accept only trusted connections to back-office enclave application or web push servers. Push servers are set up to push content to BlackBerry users.
Verify the site has configured the BlackBerry Device Service server to require trusted connections to push enclave application or web servers. Otherwise, this is a finding.
Discussion
Only authorized servers should be able to push content to BlackBerry devices.
Fix
Configure the BlackBerry Device Service server to push content to BlackBerry devices. Log into BlackBerry Administration Service, and under "Servers and components" on the left side of the screen, navigate to "'BlackBerry Solution topology > BlackBerry Domain > Component view > MDS Connection Service > <MDS Connection Service Instance>". - On the "Instance information" tab, click "Edit instance". - In the "Access control" section, verify "Push authentication:" is set to "Yes".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-003179: The BlackBerry Device Service server must have the administrative functionality disallow hyperlinks within Work Space applications from opening within the Personal Space browser application via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether hyperlinks within Work Space applications cannot open within the Personal Space browser application. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to disallow hyperlinks within Work Space applications from opening within the Personal Space browser application. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Software" and verify "Open Links in Work Email Messages in the Personal Browser" is set to "Disallow".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000200: BlackBerry Web Desktop Manager must be configured to permit users to activate new BlackBerry devices only.
Verify the BlackBerry Administration Service (BAS) has been configured to permit users to activate new BlackBerry devices only. Otherwise, this is a finding.
Discussion
The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. When these configurations are not set as required, users may have the capability to activate unauthorized BlackBerry devices.
Fix
BlackBerry Administration Service is configured to permit users to activate new BlackBerry devices only via BlackBerry Web Desktop Manager. Log into the BAS as an administrator with Security Administrator role. Under "Organization Administration", expand "Organization". - Click "My organization". - Click the "BlackBerry Web Desktop Manager Information" tab. - On the "Allowed user operations", verify "Allow user wireline activation:" is set to "Activate unused PIN only".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000260: The BlackBerry Device Service server must enable a minimum Work Space password length of six or more characters via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether the minimum Work Space password length is at least six characters. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to set the minimum work space password length of six or more characters. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Password" and verify "Minimum Password Length" is set to "6".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000151: The BlackBerry Device Service server must disable the Message Access Profile (MAP) Bluetooth profile via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether the Message Access Profile (MAP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to disable the Message Access Profile (MAP) Bluetooth profile. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify all of "Transfer Work Messages Using Bluetooth MAP", "Transfer Work Messages Using Bluetooth MAP Without Prompt" and "Bluetooth MAP" are set to "Disallow".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000305: The BlackBerry Device Service server must support administrator authentication to the server via the Enterprise Authentication Mechanisms authentication.
Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism. To ensure correct configuration have the BlackBerry Device Service (BDS) Administrator log on to the BDS Server, and ensure authentication was performed via Active Directory. If access to the server is not being authenticated via this method, this is a finding.
Discussion
In the DoD, Administrator credential requirements for authentication are defined by CTO 07-115Rev1, which is can be enforced by the Enterprise Authentication Mechanism. Non-complaint credential enforcement mechanisms make the DoD IS vulnerable to attack.
Fix
Configure the BlackBerry Device Service server to support administrator authentication to the server via the Enterprise Authentication Mechanism's authentication. To configure the BDS server to authenticate via Active Directory the following process can be used: Local authentication rules are handled by the host Operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Server. Configure permissions for the service account: The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin. During the installation of the BlackBerry Device Service, steps 16 and 17 describe the setup of the Active Directory login, as follows: 16. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. By default, the setup application uses the service account that you used in step 1. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access. 17. In the Create an administrator account dialog box, perform one of the following actions: * If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 16, or you can specify the username and Windows domain for a different Microsoft Active Directory account. * If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account. You use the account information that you specify to log in to the BlackBerry Administration Service for the first time. Log in to the BlackBerry Administration Service: When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time. 1. In the browser, type "https://<server_name>/webconsole/login", where <server_name> is the name of the computer that hosts the BlackBerry Administration Service. 2. In the "User name" field, type your username. 3. In the "Password" field, type your password. 4. Perform one of the following actions: * In the "Log in using" drop-down list, click "BlackBerry Administration Service". * In the "Log in using" drop-down list, click "Active Directory" and type the Microsoft Active Directory domain in the "Domain" field. 5. Click "Log in". 6. Install the RIMWebComponents.cab add-on if you are prompted to do so. For further details regarding the BlackBerry Device Service Installation and configuration, see the accompanying Overview Document, and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10.2 BlackBerry Device Service Installation and Configuration Guide.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000165: The BlackBerry Device Service server must enable Bluetooth 128 bit encryption via centrally managed policy.
Review the BlackBerry Device Service server configuration to determine whether Bluetooth 128 bit encryption is enabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to enable Bluetooth 128 bit encryption. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Minimum Bluetooth Encryption Key Length" is set to "16 Bytes". Note: The above is only for devices with EMM-Regulated (Work Space only).
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000275: The BlackBerry Device Service server must configure the Work Space to prohibit the download of software from a DoD non-approved source (e.g., a non-DoD operated mobile device application store or BlackBerry Device Service server).
Review the BlackBerry Device Service server configuration to ensure the BlackBerry Device Service server can configure the mobile device Work Space to prohibit the download of software from a DoD non-approved source (e.g., a non-DoD operated mobile device application store or BlackBerry Device Service server). Otherwise, this is a finding.
Discussion
DoD can perform due diligence on sources of software to mitigate the risk that malicious software is introduced to those sources. Therefore, if software is downloaded from a DoD-approved source, then it is less likely to be malicious than if it is downloaded from an unapproved source. To prevent access to unapproved sources, the operating system in most cases can be configured to disable user access to public application stores.
Fix
Configure the BlackBerry Device Service server so the Work Space is configured to prohibit the download of software from a DoD non-approved source. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Development Mode Access to Work Space" is set to "Disallow".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000157: The BlackBerry Device Service server must disable the transfer of any file-based data via Bluetooth (Bluetooth MAP) via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether the Message Access Profile (MAP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to disable the transfer of any file-based data via Bluetooth (Bluetooth MAP). Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Transfer Work Messages Using Bluetooth MAP" is set to "Disallow".
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
BBDS-00-000125: The BlackBerry Device Service server must bind removable storage media cards to the mobile device via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether removable media storage cards are bound to the mobile device. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to bind removable storage media cards to the mobile device. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy >Software" and verify "Media Card Encryption" is set to "Yes". Note: The above is only required "Work space only" activation types, and remains optional for "Balance-Corporate" or "Balance-Regulated" activation types.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000148: The BlackBerry Device Service server must disable the Phone Book Access Profile (PBAP) Bluetooth profile via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether the Phone Book Access Profile (PBAP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to disable the Phone Book Access Profile (PBAP) Bluetooth profile. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify both "Transfer Work Contacts Using Bluetooth PBAP or HFP" and "Bluetooth Contacts Transfer Using PBAP" are set to "Disallow".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000155: The BlackBerry Device Service server must disable Bluetooth Discoverable Mode via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether Bluetooth Discoverable Mode has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to disable Bluetooth Discoverable Mode. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Bluetooth Discoverable Mode" is set to "Disallow". Note: The above is only for devices with EMM-Regulated (Work Space only).
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000315: The BlackBerry Device Service server must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that utilizes a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. To ensure correct configuration have the BlackBerry Device Service (BDS) Administrator log on to the BDS Server, and ensure authentication was performed via Active Directory. If access to the server is not being authenticated via this method, this is a finding.
Discussion
MDM applications utilizing encryption are required to use approved encryption modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised due to weak algorithms.
Fix
Configure the BlackBerry Device Service server to authenticate through the Enterprise Authentication Mechanism utilizing a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. To configure the BDS server to authenticate via Active Directory the following process can be used: Local authentication rules are handled by the host Operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Server. Configure permissions for the service account: The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin. During the installation of the BlackBerry Device Service, steps 16 and 17 describe the setup of the Active Directory login, as follows: 16. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. By default, the setup application uses the service account that you used in step 1. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access. 17. In the Create an administrator account dialog box, perform one of the following actions: * If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 16, or you can specify the username and Windows domain for a different Microsoft Active Directory account. * If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account. You use the account information that you specify to log in to the BlackBerry Administration Service for the first time. Log in to the BlackBerry Administration Service: When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time. 1. In the browser, type "https://<server_name>/webconsole/login", where <server_name> is the name of the computer that hosts the BlackBerry Administration Service. 2. In the "User name" field, type your username. 3. In the "Password" field, type your password. 4. Perform one of the following actions: * In the "Log in using" drop-down list, click "BlackBerry Administration Service". * In the "Log in using" drop-down list, click "Active Directory" and type the Microsoft Active Directory domain in the "Domain" field. 5. Click "Log in". 6. Install the RIMWebComponents.cab add-on if you are prompted to do so. For further details regarding the BlackBerry Device Service Installation and configuration, see the accompanying Overview Document, and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Installation and Configuration Guide.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
BBDS-00-003170: The BlackBerry Device Service server must force the display of a warning banner on the lock screen of the mobile device via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether the Owner Information has been set. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately. The warning banner must be displayed before or immediately after the user successfully unlocks the mobile device or unlocks a secure application where sensitive DoD data is stored: "I've read consent to terms in IS user agreem't." (Wording must be exactly as specified.)
Fix
Configure the Blackberry Device Service server to force the display of a warning banner on the mobile device. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Security" and verify "Owner Information" is set to "I've read & consent to terms in IS user agreem't".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000152: The BlackBerry Device Service server must disable the Personal Area Networking Profile (PAN) Bluetooth profile via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether the Personal Area Networking (PAN) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to disable the Personal Area Networking Profile (PAN) Bluetooth profile.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000285: The BlackBerry Device Service server must be configured to prevent users from performing self-service tasks.
Review Windows Services configuration to ensure the BlackBerry Device Service server has been disabled to prevent users from performing self-service tasks. Otherwise, this is a finding.
Discussion
The overall security posture of the BlackBerry system is dependent on strict configuration management controls, including ensuring only authorized BlackBerry devices are being used and authorized devices are provisioned as required. When these configurations are not set as required, users may have the capability to activate unauthorized BlackBerry devices.
Fix
Configure the BlackBerry Device Service server to prevent users from performing self-service tasks. Log into the BlackBerry Device Service server as a local administrator. Open "Services" by navigating to "Start > Run... > services.msc" and ensure the "BES10 - Self-Service" service is stopped and its Startup Type is set to "Disabled".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000158: The BlackBerry Device Service server must disable the transfer of any file-based data via Bluetooth (Bluetooth MAP without prompt) via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether the Message Access Profile (MAP) Bluetooth profile has been disabled. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to disable the transfer of any file-based data via Bluetooth (Bluetooth MAP without prompt). Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Hardware" and verify "Transfer Work Messages Using Bluetooth MAP Without Prompt" is set to "Disallow".
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
BBDS-00-000325: The server PKI digital certificate installed on the BlackBerry Device Service (BDS) Server to support BlackBerry Administration Service and BlackBerry Web Desktop Manager (BWDM) authentication must be a DoD PKI issued certificate.
Examine the server configuration to determine if a DoD PKI issued certificate has been installed. Otherwise, this is a finding.
Discussion
When a self signed PKI certificate is used, a rogue BDS server can impersonate the DoD BDS server during SA connections to the BAS or when a BlackBerry user uses BWDM to connect to the BAS. In addition, DoDI 8520-02 requires PKI certificates come from a trusted DoD PKI.
Fix
Configure the Blackberry Device Service server to use a DoD issued digital certificate on the BES to support BAS and BlackBerry Web Desktop Manager authentication. Open Internet Explorer, and navigate to BlackBerry Administration Service. Click on the Lock icon located to the right of the Address bar (or click "Certificate error", if the certificate is untrusted) and select "View certificates" Ensure the certificate is issued by a valid DoD CA. Steps to replace self-signed, or non-DoD certificate: Log into the server as the BlackBerry Enterprise Server (BES) service account and complete the following tasks to replace the self-signed Secure Socket Layer (SSL) certificate used by the BAS and the BWDM with a custom certificate (such as, one from VeriSign or from a Windows certificate authority). Task 1 - Retrieve your web.keystore password: 1. Login to the BAS as an administrator with Security Administrator role. 2. Under "BlackBerry Solution topology" on the left side, navigate to "BlackBerry Domain > Component view > BlackBerry Administration Service". 3. In the "Security settings", check the value for "Default password to encrypt the web.keystore file" and note it. Task 2 - Back up the web.keystore file: 1. Open a Windows Command prompt as an Administrator. 2. Type copy "c:\Program Files (x86)\Research In Motion\BlackBerry Device Service\BAS\bin\web.keystore" "c:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore.OLD" Note: Do not remove or rename the existing web.keystore file. Task 3 - Delete the self-signed SSL certificate from inside the web.keystore file: 1. Open a Command prompt as an Administrator. 2. Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool.exe" -delete -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -storepass "<password>" Note: The -storepass parameter must be the password you retrieved from step 1. The quotes are required due to special characters. Task 4 - Generate the BlackBerry Administration Service certificate key pair: * Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool.exe" -genkey -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -storepass "<password>" -dname "CN=<BAS Server or BAS Pool full name>, OU=BAS, O=Company, L=City, ST=ST, C=US" Note: Some Certificate Authority (CA) servers require RSA encryption of the certificate request. If this is the case, add -keyalg RSA to this keytool command. Also, the -keyalg RSA switch defaults to 1024 as a keysize. For environments that require 2048 as a keysize, use the -keysize 2048 command switch, e.g., -keyalg RSA -keysize 2048 STOP: After following this step, the web.keystore file now contains a private key entry. This exact private key MUST be matched with the reply generated from your Certificate Authority below in order for this process to succeed. It is highly recommended that the web.keystore file be backed up after this step has been performed, so that this private key is retained. If this is not done, and any of the following steps are not successful, then it will be necessary to clear out the key store and start again from Task 1. This is especially important to note for environments with manual certificate request processes. Task 5 - Generate a certificate request to the certification authority: * Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certreq.csr" -storepass "<password>" Note: If the -keyalg switch was used in Task 3 for a CA that requires RSA encryption, it is recommended to also use it here. Also, the -keyalg RSA switch defaults to 1024 as a keysize. For environments that require 2048 as a keysize, use the -keysize 2048 command switch. e.g. -keyalg RSA -keysize 2048 * Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certreq.csr" -storepass "<passwprd>" -keyalg RSA -keysize 2048. Task 6 - Request the certificate from the certificate authority (CA): Note: The steps in this task are based on the steps required to request a certificate from a Windows certificate authority. If requesting a certificate from a third-party certificate authority, see the information in the Additional Information section. Domain administrator permission is required to complete this task. 1. Log off the server as the BlackBerry Enterprise Server service account. 2. Log into the server with a domain account with domain administrator permissions or permissions to submit a webserver template request. 3. Browse to the organization's certificate server using Windows Internet Explorer. (For example: http://<certificate_server_name>/certsrv) 4. Click "Request a certificate". 5. Click "Advanced certificate request". 6. Click "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file", or "submit a renewal request by using a base-64-encoded PKCS#7 file". 7. Paste the full contents of the certreq.csr file into the "Saved Request" field. 8. Choose "Web Server" from the "Certificate Template" drop-down list. 9. Click "Submit". 10. Click "Download certificate". 11. Save the file to c:\bascert.cer when prompted. Note: If the error "The certificate is not valid for the requested usage" appears, choose Subordinates Certification Authority from the Certificate Template drop-down list instead of Web Server. Task 7 - Download the CA certificate from the certificate authority: 1. Browse to the organization's certificate server using Windows Internet Explorer. (For example: http://<certificate_server_name>/certsrv) 2. Click "Download a CA certificate, certificate chain, or CRL". 3. Click "Download CA certificate". Save it as c:\certnewCA.cer. Task 8 - Import the CA certificate into the BlackBerry Administration Service key store: 1. Log off the server as the domain account used in Tasks 6 and 7 above to request the certificate from the certificate authority (CA). 2. Log onto the server as BES service account. 3. Open a command prompt window as Administrator in the same manner as used in Task 2. 4. Type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias cacert -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certnewCA.cer" -storepass "<password>" If the BlackBerry Administration Service certificate is issued by an Intermediate CA, perform step 4 to import certificates of every Intermediate CA in the certificate chain. Use a unique alias name for every imported certificate. If the error "keytool error: java.lang.Exception: Failed to establish chain from reply" is displayed when performing Task 9 below, this step needs to be completed. To import an Intermediate Certificate Authority certificate: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias cacert2 -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certnewCA2.cer" -storepass "<password>" Task 9 - Import the BlackBerry Administration Service certificate to the BlackBerry Administration Service key store: * In the command prompt window used in Task 8, type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\bascert.cer" -storepass "<password>" Task 10 - Restart the BlackBerry Administration Service.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
BBDS-00-000270: The BlackBerry Device Service server must set the Work Space inactivity timeout to 15 minutes via centrally managed policy.
Review the BlackBerry Device Service server policy configuration to determine whether the Work Space inactivity timeout is set to 15 minutes. If there are multiple policies, they must all be reviewed. Otherwise, this is a finding.
Discussion
Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of attacks. The use of an MDM allows an organization to assign values to security related parameters across all the devices it manages. This provides assurance that the required mobile OS security controls are being enforced, and that the device user or an adversary has not modified or disabled the controls. It also greatly increases efficiency and manageability of devices in a large scale environment relative to an environment in which each device must be configured separately.
Fix
Configure the centrally managed BlackBerry Device Service server policy rule to set the work space inactivity timeout to 15 minutes. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Policy > Manage IT policies > <Policy Name> > View complete IT Policy > Password" and verify "Security Timeout" is set to "15 minutes".
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
BBDS-00-000100: The BlackBerry Device Service server must implement separation of administrator duties by requiring a specific role be assigned to each administrator account.
Review the BlackBerry Device Service server configuration to ensure there are multiple administrator roles configured as assigned by the site. Otherwise, this is a finding.
Discussion
Separation of duties supports the management of individual accountability and reduces the power of one individual or administrative account. Employing a separation of duties model reduces the threat that one individual has the authority to make changes to a system, and the authority to delete any record of those changes. This requirement is intended to limit exposure due to operating from within a privileged account or role. The inclusion of a role is intended to address those situations where an access control policy, such as Role Based Access Control (RBAC), is being implemented and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. It is recommended that the following or similar roles be supported: - MDM administrative account administrator: responsible for server installation, initial configuration, and maintenance functions. - Security configuration policy administrator (IA technical professional): responsible for security configuration of the server and setting up and maintenance of mobile device security policies. - Device management administrator (Technical operator): responsible for maintenance of mobile device accounts, including setup, change of account configurations, and account deletion. - Auditor (internal auditor or reviewer): responsible for reviewing and maintaining server and mobile device audit logs.
Fix
Create and configure accounts to be aligned with the following roles as assigned by the site. Log into BlackBerry Administration Service, and under "BlackBerry solution management" on the left side of the screen, navigate to "Administrator users > Manage users > <User Name> > Roles" and verify the roles required by the site are assigned. Note: The roles in BlackBerry Device services are as follows: Security Administrator - This role has permission to perform all tasks in the BlackBerry Device Service. Enterprise Administrator - This role has permission to perform all tasks in the BlackBerry Device Service except changing role assignments. This role can only view role assignments. Senior Helpdesk Administrator - This role has permission to perform advanced administrative tasks in the BlackBerry Device Service. Junior Helpdesk Administrator - This role has permission to perform basic administrative tasks in the BlackBerry Device Service. Server Only Administrator - This role has permissions to perform system management tasks in the BlackBerry Device Service. User Only Administrator - This role has permission to perform user management tasks in the BlackBerry Device Service.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None