Check: WIR1340-01
BlackBerry Enterprise Server, Part 2: WIR1340-01 (in versions v2 r10 through v2 r9)
Title
BlackBerry accounts must not be assigned to the default IT policy installed on the BES or any other non-STIG compliant IT policy. Accounts will only be assigned a STIG compliant IT policy. (Cat I impact)
Discussion
The BlackBerry default policy installed on the BES does not include many DoD-required security policies for data encryption, authentication, and access control. DoD enclaves are at risk of data exposure and hacker attack if users are assigned to a non-STIG compliant IT policy.
Check Content
Detailed Policy Requirements:
1. Separate STIG compliant IT policies will be set up on the BES: one for users that have been issued an approved Bluetooth headset/handsfree device and one for users that have not been issued an approved Bluetooth headset/handsfree device.
2. All user accounts will be assigned to a STIG compliant IT policy.

Check Procedures:
Interview the BlackBerry system administrator. Ask the administrator to identify the default IT policy installed on the BES (usually labeled "Default") and any other non-STIG compliant IT policies set up on the BES.

View the list of IT policies set up on the BES as follows: BAS >> BlackBerry solution management box >> Policy >> Manage IT policies

Verify no users are assigned to the default IT policy or any other non-STIG IT policy by performing the following steps for each policy.

For the default IT policy:
- Click on the policy name.
- Click on "View users with IT policy".
- Click "Search". A list of all users assigned to the policy will be shown.
- Determine if any users have been assigned to the default or other non-STIG compliant IT policy.

If any users have been assigned to the default IT policy, this is a finding.

Note: If the default IT policy has been configured to be STIG compliant, the severity of this specific finding may be downgraded to a CAT II.

For the non-STIG compliant policies, look at each IT policy listed under "Manage IT policies" to be checked:
- Click on the policy name.
- Click on "View users with IT policy".
- Click "Search". A list of all users assigned to the policy will be shown.
- Click on the "IT Policy Name" column heading to sort the list of users by IT policy.
- Determine if any users have been assigned to the non-STIG compliant IT policy.

If any users have been assigned to the non-STIG compliant IT policy, this is a finding.

Note: IT policies identified by the BES administrator as STIG compliant should be reviewed to verify compliance when reviewing the WIR14xx series of checks.
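The check logic above (every user on an administrator-identified STIG compliant policy, default-policy assignments a CAT I finding unless the default policy itself was made compliant, in which case CAT II) can be applied to an exported user list rather than page by page in the BAS. The following is an added example, not DISA or BlackBerry code; it assumes the reviewer has transcribed or exported the "View users with IT policy" results as CSV with `user` and `it_policy` columns, and the sample export and policy names are constructed.

```python
import csv
import io

# Constructed sample export: one BES user and the IT policy assigned to it per line.
SAMPLE_EXPORT = """\
user,it_policy
alice,DoD STIG Policy
bob,DoD STIG Policy - Bluetooth
carol,Default
dave,Legacy Sales Policy
"""

CAT_I = "CAT I"
CAT_II = "CAT II"


def parse_assignments(text):
    """Return (user, policy) tuples from a CSV export (assumed column names)."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["user"].strip(), row["it_policy"].strip()) for row in reader]


def evaluate(assignments, compliant_policies, default_policy="Default",
             default_is_compliant=False):
    """Apply WIR1340-01: return (user, policy, severity) findings, [] on pass.

    compliant_policies: names the BES administrator identifies as STIG
    compliant (their actual content is verified under the WIR14xx checks).
    default_is_compliant: True only if the default policy was configured to
    be STIG compliant, which lets default-policy findings drop to CAT II.
    """
    findings = []
    for user, policy in assignments:
        if policy in compliant_policies:
            continue  # requirement 2 satisfied for this account
        if policy == default_policy:
            severity = CAT_II if default_is_compliant else CAT_I
        else:
            severity = CAT_I  # any other non-STIG compliant policy
        findings.append((user, policy, severity))
    return findings


if __name__ == "__main__":
    rows = parse_assignments(SAMPLE_EXPORT)
    # Requirement 1: one compliant policy for Bluetooth headset users, one for the rest.
    compliant = {"DoD STIG Policy", "DoD STIG Policy - Bluetooth"}
    for user, policy, sev in evaluate(rows, compliant):
        print(f"{sev}: {user} assigned non-STIG compliant IT policy '{policy}'")
```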
Fix Text
User accounts will only be assigned a STIG compliant IT policy.
Additional Identifiers
Rule ID: SV-21115r4_rule
Vulnerability ID: V-19226
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |