Check: WIR1315-02
BlackBerry Enterprise Server, Part 2: WIR1315-02 (in versions v2 r10 through v2 r8)
Title
Security controls must be set up on the BES for connections to “back-office” servers. (Cat II impact)
Discussion
Strong access controls to back-office servers are required to ensure DoD data is not exposed to users of the BlackBerry system who are not authorized to access the server.
Check Content
Detailed Policy Requirements:

If the site provides BlackBerry users access to "back-office" applications and content servers located on the site network enclave, the following controls will be implemented:

- All enclave application and content servers that are accessed by BlackBerry users will implement CAC authentication.
- The BES host-based firewall is set to block connections to back-office application and content servers unless the server IP address is on the firewall list of trusted IP addresses and subnets.

Note: BlackBerry back-office application and content servers include J2ME application servers, SOAP web services, and web servers.

Check Procedures:

Ask the BlackBerry SA if the site provides BlackBerry users access to "back-office" applications and content servers located on the site network enclave. If the response is "Yes", ask for a list of all enclave servers BlackBerry users can access and then perform the following checks.

- Verify CAC authentication has been implemented on each server. Have the Windows reviewer assist with the review of each server. If CAC authentication has not been implemented on each server, this is a finding.
- Verify the BES host-based firewall has been configured as required. This check should have been performed during the review of check WIR1300-02. Confirm this requirement was reviewed.
Fix Text
Set up required controls on the BES for connections to "back-office" servers.
Additional Identifiers
Rule ID: SV-21095r3_rule
Vulnerability ID: V-19206
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |