Check: BBDS-00-000315
Policy SRG:
BBDS-00-000315
(in version v1 r1)
Title
The BlackBerry Device Service server must use mechanisms for authentication to a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. (Cat I impact)
Discussion
MDM applications utilizing encryption are required to use approved encryption modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms.
Check Content
Review the BlackBerry Device Service server configuration to ensure the system is authenticating through the Enterprise Authentication Mechanism utilizing a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. If the BlackBerry Device Service server is not authenticating through the Enterprise Authentication Mechanism, this is a finding.

Local authentication rules are handled by the host operating system. Remote connection via web browser can be configured to use Microsoft Active Directory authentication during the installation of the BlackBerry Device Server.

Configure permissions for the service account:

The service account is a Windows account that runs the services for the BlackBerry Device Service. On the computer that you want to install the BlackBerry Device Service on, you must configure permissions for the service account. Without the correct permissions, the BlackBerry Device Service cannot run. If your organization's environment includes the BlackBerry Enterprise Server, you can use the BlackBerry Enterprise Server service account to install the BlackBerry Device Service. If you do not have a BlackBerry Enterprise Server service account, in Microsoft Active Directory, create a service account that you name BDSAdmin.

During the installation of the BlackBerry Device Service, steps 1 and 2 describe the setup of the Active Directory login, as follows:

1. In the Microsoft Active Directory settings dialog box, specify information for the reader account that the BlackBerry Administration Service uses to authenticate with Microsoft Active Directory. If you want to use a different account as the reader account, you must specify the username, password, and Windows domain for a Microsoft Active Directory account. The account must have permission to read the user information that is stored in the global catalog servers that the BlackBerry Administration Service can access.
2. In the Create an administrator account dialog box, perform one of the following actions:
   * If you select Use Microsoft Active Directory authentication, you can choose to use the Microsoft Active Directory account that you used in step 1, or you can specify the username and Windows domain for a different Microsoft Active Directory account.
   * If you select Use BlackBerry Administration Service authentication, type and confirm a password for the BlackBerry Administration Service administrator account. You use the account information that you specify to log in to the BlackBerry Administration Service for the first time.

Log in to the BlackBerry Administration Service:

When you install the BlackBerry Administration Service, you specify the credentials that you use to log in to the BlackBerry Administration Service for the first time.

1. In the browser, type https://<server_name>/webconsole/login, where <server_name> is the name of the computer that hosts the BlackBerry Administration Service.
2. In the User name field, type your username.
3. In the Password field, type your password.
4. Perform one of the following actions:
   * In the Log in using drop-down list, click BlackBerry Administration Service.
   * In the Log in using drop-down list, click Active Directory and type the Microsoft Active Directory domain in the Domain field.
5. Click Log in.
6. Install the RIMWebComponents.cab add-on if you are prompted to do so.

For further details regarding the BlackBerry Device Service Installation and configuration, see the accompanying Overview Document, and the "Install the BlackBerry Device Service software" section of the BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 6.2, Installation and Configuration Guide.
Fix Text
Configure the BlackBerry Device Service server to authenticate through the Enterprise Authentication Mechanism utilizing a cryptographic module meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Additional Identifiers
Rule ID:
Vulnerability ID: BBDS-00-000315
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000803 | The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |
Controls
Number | Title |
---|---|
IA-7 | Cryptographic Module Authentication |