Check: BBDS-00-000290
BBDS10 2 X STIG:
BBDS-00-000290
(in version v1 r5)
Title
The BlackBerry Device Service server must require administrators to be authenticated with an individual authenticator prior to using a group authenticator. (Cat I impact)
Discussion
To assure individual accountability and prevent unauthorized access, MDM administrators and users (and any processes acting on behalf of users) must be individually identified and authenticated. Without individual accountability, there can be no traceability back to an individual if there were a security incident on the system. In addition, group accounts can be shared with individuals who do not have authorized access.
Check Content
Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism that requires administrators to be authenticated with an individual authenticator prior to using a group authenticator. To ensure correct configuration have the BlackBerry Device Service (BDS) Administrator log on to the BDS Server, and ensure authentication was performed via Active Directory. If access to the server is not being authenticated via this method, this is a finding.
Fix Text
Configure the BlackBerry Device Service server to authenticate through the Enterprise Authentication Mechanism. To configure the BDS server to authenticate via Active Directory the following process can be used: Local authentication rules are handled by the host Operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Server. Configure permissions for the service account: The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin. During the installation of the BlackBerry Device Service, steps 16 and 17 describe the setup of the Active Directory login, as follows: 16. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. By default, the setup application uses the service account that you used in step 1. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access. 17. In the Create an administrator account dialog box, perform one of the following actions: * If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 16, or you can specify the username and Windows domain for a different Microsoft Active Directory account. * If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account. You use the account information that you specify to log in to the BlackBerry Administration Service for the first time. Log in to the BlackBerry Administration Service: When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time. 1. In the browser, type "https://<server_name>/webconsole/login", where <server_name> is the name of the computer that hosts the BlackBerry Administration Service. 2. In the "User name" field, type your username. 3. In the "Password" field, type your password. 4. Perform one of the following actions: * In the "Log in using" drop-down list, click "BlackBerry Administration Service". * In the "Log in using" drop-down list, click "Active Directory" and type the Microsoft Active Directory domain in the "Domain" field. 5. Click "Log in". 6. Install the RIMWebComponents.cab add-on if you are prompted to do so. For further details regarding the BlackBerry Device Service Installation and configuration, see the accompanying Overview Document, and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Installation and Configuration Guide.
Additional Identifiers
Rule ID:
Vulnerability ID: V-48581
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000770 |
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. |
Controls
Number | Title |
---|---|
IA-2 (5) |
Group Authentication |