Check: BS12-3X-000700
BlackBerry BES 12-5-x STIG:
BS12-3X-000700
(in version v1 r3)
Title
The BES12 server must be configured with the Administrator roles: a. MD user b. Server primary administrator c. Security configuration administrator d. Device user group administrator e. Auditor. (Cat II impact)
Discussion
Having several roles for the MDM server supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise. Roles a. MD user: able to log onto the application store and request approved applications b. Server primary administrator: primary administrator for the server, including server installation, configuration, patching, and setting up admin accounts c. Security configuration administrator: has the ability to define new policies but not to push them to managed mobile devices d. Device user group administrator: has the ability to set up new user accounts, add devices, push security policies, and issue administrative commands to managed mobile devices or MDM agents e. Auditor: has the ability to set audit configuration parameters and delete or modify the content of logs SFR ID: FMT_SMR.1.1(1) Refinement
Check Content
Review the BES12 server configuration settings, and verify the server is configured with the Administrator roles: a. MD user; b. Server primary administrator; c. Security configuration administrator; d. Device user group administrator; and e. Auditor. Note: The intent of the requirement is that there be separate people performing each administrator role. Note: The roles noted below are the preconfigured roles on the BES12 and have the required capabilities associated with the roles identified in the Requirement statement. On the BES12, do the following: 1. Log on to the BES12 console and select the "Settings" tab at the top of the screen. 2. Expand the "Administrators" tab on the left pane. 3. Select the "Roles" tab on the left pane. 4. Verify there is at least one user assigned to each of the following roles: a. Security Administrator; b. Enterprise Administrator; c. Senior Help Desk; and d. Junior Help Desk. If at least one user is not associated with each of the roles above, this is a finding.
Fix Text
On the BES12, do the following: 1. Log on to the BES12 console and select the "Settingsā tab at the top of the screen. 2. Expand the "Administrators" tab on the left pane. 3. Assign the appropriate role to either a user or a group, as directed by the Administrator, as described below: To assign a role to a user: 1. Click "Users". 2. Click the "Add an administrator" icon (upper-right corner). 3. If necessary, search for a user account. 4. Click the name of the user account. 5. In the "Role" drop-down list, click the role that you want to add. 6. Click "Save". To assign a role to a group: 1. Click "Groups". 2. Click the "Add role to user group" icon (upper-right corner). 3. If necessary, search for a user group. 4. Click the name of the user group. 5. In the "Role" drop-down list, click the role that you want to add. 6. Click "Save". Note: The intent of the requirement is that there be separate people performing each administrator role.
Additional Identifiers
Rule ID: SV-83177r2_rule
Vulnerability ID: V-68687
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |