16:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide"}],false,["$","$L20",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","1","R","3"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"May 15, 2020"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"BEMS_2-x_STIG","children":"BEMS_2-x_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":23}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","other",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"other"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",2]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",21]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",0]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=BlackBerry%20Enterprise%20Mobility%20Server%202.x%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=BlackBerry%20Enterprise%20Mobility%20Server%202.x%20Security%20Technical%20Implementation%20Guide&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=BlackBerry%20Enterprise%20Mobility%20Server%202.x%20Security%20Technical%20Implementation%20Guide&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_BEMS_2-x_V1R3_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-link/10 text-link hover:bg-link/20 border-link/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L21",null,{"checks":[{"id":"7a4e70c9-8dfe-4f04-8c48-aba19fbfe60c","vulnId":"V-79003","severity":"medium","ruleTitle":"The BlackBerry Enterprise Mobility Server (BEMS) must protect log information from any type of unauthorized read access.","description":"If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to his or her advantage.\n\nApplication servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow unfettered access to those records. Application servers also write log data to log files which are stored on the OS, so appropriate file permissions must also be used to restrict access.\n\nLog information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized read access.","checkContent":"$22","fixText":"$23"},{"id":"c4d52e2d-a554-49db-91e5-8d8192db8ece","vulnId":"V-79005","severity":"medium","ruleTitle":"The BlackBerry Enterprise Mobility Server (BEMS) must protect log information from unauthorized modification.","description":"If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to his or her advantage.\n\nApplication servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow unfettered access to those records. Application servers also write log data to log files which are stored on the OS, so appropriate file permissions must also be used to restrict access.\n\nLog information includes all information (e.g., log records, log settings, transaction logs and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized modification.","checkContent":"$24","fixText":"$25"},{"id":"1ca2628e-7f4c-497a-8fc5-4ccdf7a143cd","vulnId":"V-79007","severity":"medium","ruleTitle":"The BlackBerry Enterprise Mobility Server (BEMS) must protect log information from unauthorized deletion.","description":"If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. \n\nApplication servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow for unfettered access to those records. Application servers also write log data to log files which are stored on the OS, so appropriate file permissions must also be used to restrict access.\n\nLog information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized deletion.","checkContent":"$26","fixText":"$27"},{"id":"77fb0386-1f1e-454b-8efa-0d773786ed49","vulnId":"V-79009","severity":"medium","ruleTitle":"The BlackBerry Enterprise Mobility Server (BEMS) platform must be protected by a DoD-approved firewall.","description":"Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Unneeded services and processes provide additional threat vectors and avenues of attack to the information system. BEMS is a critical component of the mobility architecture and must be configured to enable only those ports, protocols, and services (PPS) necessary to support functionality. All others must be expressly disabled or removed. A DoD-approved firewall implements the required network restrictions. A host-based firewall is appropriate where BEMS runs on a standalone platform. Network firewalls or other architectures may be preferred where BEMS runs in a cloud or virtualized solution.","checkContent":"Review the BEMS configuration to determine whether a DoD-approved firewall is installed or if the platform operating system provides a firewall service that can restrict both inbound and outbound traffic by TCP/UDP port and IP address.\n\nIf there is not a host-based firewall present on BEMS, this is a finding.","fixText":"Install a DoD-approved firewall."},{"id":"5a96676d-79e1-4ac8-8c3d-b97243f200db","vulnId":"V-79011","severity":"medium","ruleTitle":"The firewall protecting the BlackBerry Enterprise Mobility Server (BEMS) must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support BEMS functions.","description":"Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations. Since BEMS is a critical component of the mobility architecture and must be configured to enable only those ports, protocols, and services (PPS) necessary to support functionality, all others must be expressly disabled or removed. A firewall installed on BEMS provides a protection mechanism to ensure unwanted service requests do not reach BEMS and outbound traffic is limited to only BEMS functionality.","checkContent":"Ask the BEMS administrator for a list of ports, protocols, and IP address ranges necessary to support BEMS functionality. A list can usually be found in the STIG Supplemental document or MDM product documentation.\n\nCompare the list against the configuration of the firewall and identify discrepancies.\n\nIf the host-based firewall is not configured to support only those ports, protocols, and IP address ranges necessary for operation, this is a finding.","fixText":"Configure the firewall on BEMS to only permit ports, protocols, and IP address ranges necessary for operation."},{"id":"65f3504b-1544-428b-a9b1-7d9a68a72258","vulnId":"V-79013","severity":"medium","ruleTitle":"The firewall protecting the BlackBerry Enterprise Mobility Server (BEMS) must be configured so that only DoD-approved ports, protocols, and services are enabled. See the DoD Ports, Protocols, Services Management (PPSM) Category Assurance Levels (CAL) list for DoD-approved ports, protocols, and services.","description":"All ports, protocols, and services used on DoD networks must be approved and registered via the DoD PPSM process. This is to ensure that a risk assessment has been completed before a new port, protocol, or service is configured on a DoD network and has been approved by proper DoD authorities. Otherwise, the new port, protocol, or service could cause a vulnerability to the DoD network, which could be exploited by an adversary.","checkContent":"Ask the BEMS administrator for a list of ports, protocols, and services that have been configured on the host-based firewall of BEMS or generate the list by inspecting the firewall. Verify all allowed ports, protocols, and services are included on the DoD PPSM CAL list.\n\nIf any allowed ports, protocols, and services on the MDM host-based firewall are not included on the DoD PPSM CAL list, this is a finding.","fixText":"Turn off any ports, protocols, and services on the BEMS host-based firewall that are not on the DoD PPSM CAL list."},{"id":"61212550-edb1-421b-8dc4-5791c24e63b6","vulnId":"V-79015","severity":"medium","ruleTitle":"The BlackBerry Enterprise Mobility Server (BEMS) must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version.","description":"$28","checkContent":"Verify BEMS has been configured to use only approved versions of TLS as follows:\n\n1. Find the xml file \"jetty.xml\" located in the BEMS install directory on the BEMS host Windows server. \n2. Find the \"ExcludeProtocols\" field.\n3. Verify if unauthorized versions of SSL and TLS are listed in the \"jetty.xml\" file.\n\nIf BEMS has not been configured to use only approved versions of TLS, this is a finding.","fixText":"Configure BEMS to use approved versions of TLS.\n\n1. Find the xml file \"jetty.xml\" located in the BEMS install directory on the BEMS host Windows server. \n2. Find the \"ExcludeProtocols\" field and add all unauthorized versions or SSL and TLS.\n \n \n TLSv1\n TLSv1.1\n SSL\n SSLv2\n SSLv2Hello\n SSLv3\n3. Save the file.\n4. Restart the BEMS server."},{"id":"5cec64fb-3fce-42c7-8cda-39481f9160b3","vulnId":"V-79017","severity":"medium","ruleTitle":"The BlackBerry Enterprise Mobility Server (BEMS) must remove all export ciphers to protect the confidentiality and integrity of transmitted information.","description":"During the initial setup of a Transport Layer Security (TLS) connection to the application server, the client sends a list of supported cipher suites in order of preference. The application server will reply with the cipher suite it will use for communication from the client list. If an attacker can intercept the submission of cipher suites to the application server and place, as the preferred cipher suite, a weak export suite, the encryption used for the session becomes easy for the attacker to break, often within minutes to hours.","checkContent":"Verify BEMS has been configured to remove all export ciphers:\n\n1. Find the xml file \"jetty.xml\" located in the BEMS install directory on the BEMS host Windows server. \n2. Find the \"AllowCiphersSuites\" field.\n3. Verify if any export ciphers are listed in the \"jetty.xml\" file. Verify only approved cypher suites are included. (See NIST SP 800-53r2 for a list of approved TLS suites.)\n\nIf BEMS has been configured to use export ciphers, this is a finding.","fixText":"Configure BEMS to remove all export ciphers.\n\n1. Find the xml file \"jetty.xml\" located in the BEMS install directory on the BEMS host Windows server. \n2. Find the \"AllowCiphersSuites\" field and remove all cipher suites that are not approved. (See NIST SP 800-53r2 for a list of approved TLS suites.)\n3. Save file.\n4. Restart the BEMS server."},{"id":"55b98572-94c1-48f7-808d-9673db53d5d3","vulnId":"V-79019","severity":"medium","ruleTitle":"The BlackBerry Enterprise Mobility Server (BEMS) must be configured to have at least one user in the following Administrator roles: Server primary administrator, auditor.","description":"Having several administrative roles for the BEMS supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise.\n\n- Server primary administrator: Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts. \n- Auditor: Responsible for reviewing and maintaining server and mobile device audit logs.","checkContent":"$29","fixText":"$2a"},{"id":"b885b609-070c-4e05-9492-17a96c51d430","vulnId":"V-79021","severity":"medium","ruleTitle":"The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use Windows Authentication for the database connection.","description":"To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the information system without identification or authentication.","checkContent":"Verify BEMS is configured for Windows Authentication for the database connection as follows:\n\nIn the Database Information dialog box, verify \"Windows Authentication\" is selected. \n\nIf \"Windows Authentication\" is not selected for the BEMS database connection, this is a finding.","fixText":"Set up Windows Authentication for the database connection on the BEMS console. In the Database Information dialog box, perform the following actions:\n\n1. In the \"Host\" field, type the instance name of your SQL Server.\n2. In the \"Database\" name field, type the name for the BEMS-Core database.\n3. In the \"Port\" field, type the port number that connects to the SQL Server.\n4. Select \"Windows Authentication\".\n5. Click \"Next\"."},{"id":"afd28593-0241-402b-a366-28acc1ea6111","vulnId":"V-79023","severity":"high","ruleTitle":"The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use HTTPS.","description":"Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission to web applications. This is usually achieved through the use of HTTPS.","checkContent":"Verify BEMS has been configured to use HTTPS as follows:\n\n1. In the BEMS Dashboard, under \"BEMS System Settings\", click \"BEMS Configuration\".\n2. Click \"BlackBerry Dynamics\".\n3. In the Protocol drop-down list, verify \"HTTPS\" is selected.\n\nIf HTTPS is not configured on BEMS, this is a finding.","fixText":"Configure BEMS to use HTTPS as follows:\n\n1. In the BEMS Dashboard, under \"BEMS System Settings\", click \"BEMS Configuration\".\n2. Click \"BlackBerry Dynamics\".\n3. In the Protocol drop-down list, select \"HTTPS\"."},{"id":"d9d4e0ca-4a3b-4c70-afb0-ebb0eefdcce1","vulnId":"V-79025","severity":"medium","ruleTitle":"The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use DoD certificates for SSL.","description":"Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.","checkContent":"Verify a DoD SSL certificate has been installed on BEMS as follows:\n\n1. Open the browser.\n2. Browse to the BEMS dashboard.\n3. Select SSL certificate and view the certificate.\n4. Verify the certificate is a DoD certificate (has the DoD CA listed in the certificate).\n\nIf the SSL certificate installed on BEMS is not a DoD certificate, this is a finding.","fixText":"Replace the auto-generated BEMS SSL certificate with a DoD certificate as follows:\n\n1. Generate a CSR request and obtain a certificate from the DoD CA.\n2. Import the certificate into the BEMS keystore.\n3. Update the certificate passwords in BEMS."},{"id":"905c2393-7050-4299-a35a-cecb93da579c","vulnId":"V-79027","severity":"medium","ruleTitle":"The BlackBerry Enterprise Mobility Server (BEMS) must be configured with an inactivity timeout of 15 minutes or less.","description":"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock.","checkContent":"Verify the BEMS inactivity timeout is set to 15 minutes or less as follows:\n\n1. Find the xml file \"jetty.xml\" located in the BEMS install directory on the BEMS host Windows server. \n2. Find the \"maxIdleTime\" field. (Note: “idelTimeout” may be the field, depending on the version of BEMS)\n3. Verify it is set to 900 or less (seconds). (Note: time may be in milliseconds, depending on the version of BEMS. In this case, the value is 900000.)\n\n\nIf the BEMS inactivity timeout is not set to 15 minutes (900 seconds) or less, this is a finding.","fixText":"Configure BEMS with an inactivity timeout of 15 minutes or less.\n\n1. Find the xml file \"jetty.xml\" located in the BEMS install directory on the BEMS host Windows server. \n2. Find the \"maxIdleTime\" field and set it to 900 or less (seconds). (Note: “idelTimeout” may be the field and time may be in milliseconds, depending on the version of BEMS. In this case, the value is 900000.)\n3. Save the file.\n4. Restart the BEMS server."},{"id":"f86a48ec-7504-477d-9d42-e3d6c17c4c0f","vulnId":"V-79029","severity":"medium","ruleTitle":"If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection.","description":"To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the information system without identification or authentication.","checkContent":"This requirement is not applicable if the Mail service (Push Notifications support for BlackBerry Work) is not enabled on BEMS.\n\nVerify the mail service in BEMS is configured for Windows Authentication for the database connection as follows:\n\n1. In the BEMS Dashboard, under \"BlackBerry Services Configuration\", click \"Mail\".\n2. Click \"Database\".\n3. In the \"Server\" field, type the Microsoft SQL Server host name and instance.\n4. In the \"Database\" field, type the database name.\n5. In the Windows Authentication drop-down list, verify \"Windows Authentication\" is selected.\n\nIf \"Windows Authentication\" is not selected for the mail service database connection, this is a finding.","fixText":"Set up Windows Authentication for the database connection for the mail service in BEMS:\n\n1. In the BEMS Dashboard, under \"BlackBerry Services Configuration\", click \"Mail\". \n2. Click \"Database\".\n3. In the \"Server\" field, type the Microsoft SQL Server host name and instance.\n4. In the \"Database\" field, type the database name.\n5. In the Windows Authentication drop-down list, select \"Windows Authentication\".\n6. Click \"Save\"."},{"id":"ca812702-ad69-4fc3-9da0-e52e481390ad","vulnId":"V-79031","severity":"medium","ruleTitle":"If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Integrated Authentication for the Exchange connection.","description":"To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the information system without identification or authentication.","checkContent":"This requirement is not applicable if the Mail service (Push Notifications support for BlackBerry Work) is not enabled on BEMS.\n\nVerify Windows Integrated Authentication for the Exchange connection for the Mail service has been set up in BEMS as follows:\n\n1. In the BEMS Dashboard, under \"BlackBerry Services Configuration\", click \"Mail\".\n2. Click \"Microsoft Exchange\".\n3. Under \"Enter Service Account Details\", verify \"Use Windows Integrated Authentication\" has been selected.\n\nIf Windows Integrated Authentication for the Exchange connection for the Mail service has not been set up in BEMS, this is a finding.","fixText":"Set up Windows Integrated Authentication for the Exchange connection for the Mail service in BEMS:\n\n1. Log on to BEMS with the service account that will be configured.\n2. In the BEMS Dashboard, under \"BlackBerry Services Configuration\", click \"Mail\".\n3. Click \"Microsoft Exchange\".\n4. Under \"Enter Service Account Details\", select the \"Use Windows Integrated Authentication\" check box.\n5. Click \"Save\"."},{"id":"35d37ef2-e39b-4ec7-95f4-a124fe8fc392","vulnId":"V-79033","severity":"medium","ruleTitle":"If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to Enable SSL LDAP when using LDAP Lookup for users.","description":"Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS) or SSL.","checkContent":"This requirement is not applicable if the Mail service (Push Notifications support for BlackBerry Work) is not enabled on BEMS.\n\nVerify Enable SSL LDAP for LDAP Lookup for users for the Mail service is configured in BEMS as follows:\n\n1. In the BEMS Dashboard, under \"BlackBerry Services Configuration\", click \"Mail\".\n2. Click \"User Directory Lookup\".\n3. If the \"Enable LDAP Lookup\" has been selected, verify the \"Enable SSL LDAP\" check box is also selected.\n\nWhen LDAP Lookup for user has been configured on BEMS, if Enable SSL LDAP is not configured, this is a finding.","fixText":"Enable SSL LDAP when using LDAP Lookup for users for the Mail service in BEMS as follows:\n\n1. In the BEMS Dashboard, under \"BlackBerry Services Configuration\", click \"Mail\".\n2. Click \"User Directory Lookup\".\n3. Select the \"Enable LDAP Lookup\" check box.\n4. Select the \"Enable SSL LDAP\" check box.\n5. Click \"Save\"."},{"id":"07635339-ee9a-4d5b-ad15-57a7c4381d70","vulnId":"V-79035","severity":"medium","ruleTitle":"If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to Enable SSL LDAP for certificate directory lookup.","description":"Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS) or SSL.","checkContent":"This requirement is not applicable if the Mail service (Push Notifications support for BlackBerry Work) is not enabled on BEMS.\n\nVerify Enable SSL LDAP for LDAP Lookup for certificates for the Mail service is configured in BEMS as follows:\n\n1. In the BEMS Dashboard, under BlackBerry Services Configuration, click mail and then click Certificate Directory Lookup\n2. If the Enable LDAP Lookup has been selected, verify the Enable SSL LDAP check box is also selected.\n\nWhen LDAP Lookup for certificates has been configured on BEMS, if Enable SSL LDAP is not configured, this is a finding.","fixText":"Enable SSL LDAP when using LDAP Lookup for certificates for the Mail service in BEMS as follows:\n\n1. In the BEMS Dashboard, under \"BlackBerry Services Configuration\", click \"Mail\".\n2. Click \"Certificate Directory Lookup\".\n3. Select the \"Enable LDAP Lookup\" check box.\n4. Select the \"Enable SSL LDAP\" check box.\n5. Click \"Save\"."},{"id":"ad57c345-fbd6-48bd-ba1a-c81058814d7f","vulnId":"V-79037","severity":"medium","ruleTitle":"If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection.","description":"To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the information system without identification or authentication.","checkContent":"This requirement is not applicable if the BlackBerry Connect service is not enabled on BEMS.\n\nVerify the BlackBerry Connect service in BEMS is configured for Windows Authentication for the database connection as follows:\n\n1. In the BEMS Dashboard, under \"BlackBerry Services Configuration\", click \"Connect\".\n2. Click \"Database\".\n3. In the \"Database\" field, type the database name.\n4. In the Windows Authentication drop-down list, verify \"Windows Authentication\" is selected.\n\nIf \"Windows Authentication\" is not selected for the BlackBerry Connect database connection, this is a finding.","fixText":"Set up Windows Authentication for the database connection for the BlackBerry Connect service in BEMS:\n\n1. In the BEMS Dashboard, under \"BlackBerry Services Configuration\", click \"Connect\".\n2. Click \"Database\".\n3. In the \"Database\" field, type the database name.\n4. In the Windows Authentication drop-down list, select \"Windows Authentication\".\n5. Click \"Save\"."},{"id":"f9b0dba0-57ef-45d0-8167-fc6a95a16c8c","vulnId":"V-79039","severity":"medium","ruleTitle":"If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable SSL support for BlackBerry Proxy and use only DoD approved certificates.","description":"Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS) or SSL. Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.","checkContent":"This requirement is not applicable if the BlackBerry Connect service is not enabled on BEMS.\n\nVerify SSL is enabled for the BlackBerry Connect service and a DoD certificate is used as follows:\n\n1. Browse to FQDN of the BEMS Connect server(s) on port 8082.\n2. Click on the SSL certificate to verify it has been issued by the DoD CA.\n3. Repeat steps 1 and 2 for each BEMS server that has the Connect service added to it.\n\nIf SSL is not enabled for BlackBerry Connect and if the SSL certificate is not a DoD CA issued certificate, this is a finding.","fixText":"Configure BlackBerry Connect to enable SSL with a DoD certificate.\n\n1. Submit a CSR request to the DoD CA.\n2. Import the DoD certificate to the computer that hosts BEMS.\n3. Bind the SSL certificate to the Connect SSL port.\n4. Add the new certificate information to the BEMS configuration file.\n5. Configure BlackBerry Connect to send requests over SSL.\n6. Configure Connect to use SSL with BlackBerry Proxy."},{"id":"da55a05f-172a-45fa-8113-b8cef90d7e03","vulnId":"V-79041","severity":"medium","ruleTitle":"If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection.","description":"To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the information system without identification or authentication.","checkContent":"This requirement is not applicable if the BlackBerry Docs service is not enabled on BEMS.\n\nVerify the BlackBerry Docs service in BEMS is configured for Windows Authentication for the database connection as follows:\n\n1. In the BEMS Dashboard, under \"BlackBerry Services Configuration\", click \"Docs\".\n2. Click \"Database\".\n3. In the \"Database\" field, type the database name.\n4. In the Windows Authentication drop-down list, verify \"Windows Authentication\" is selected.\n\nIf \"Windows Authentication\" is not selected for the BlackBerry Docs database connection, this is a finding.","fixText":"Set up Windows Authentication for the database connection for the BlackBerry Docs service in BEMS:\n\n1. In the BEMS Dashboard, under \"BlackBerry Services Configuration\", click \"Docs\".\n2. Click \"Database\".\n3. In the \"Database\" field, type the database name.\n4. In the Windows Authentication drop-down list, select \"Windows Authentication\".\n5. Click \"Save\"."},{"id":"e549d102-673a-45d1-b4e3-4fe840855040","vulnId":"V-79043","severity":"medium","ruleTitle":"If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use NTLM authentication.","description":"To assure accountability and prevent unauthorized access, organizational users must be identified and authenticated. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Users (and any processes acting on behalf of users) are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the information system without identification or authentication.","checkContent":"This requirement is not applicable if the BlackBerry Docs service is not enabled on BEMS.\n\nVerify NTLM authentication is enabled for the BlackBerry Docs service as follows:\n\n1. In the BEMS Dashboard, under \"Good Services Configuration\", click \"Docs\".\n2. Click \"Web Proxy\".\n3. Select \"Use Web Proxy\".\n4. In the Proxy Server Authentication Type drop-down list, verify \"NTLM authentication\" is selected.\n\nIf NTLM authentication is not enabled for the BlackBerry Docs service, this is a finding.","fixText":"Configure NTLM authentication for the BlackBerry Docs service as follows:\n\n1. In the BEMS Dashboard, under \"Good Services Configuration\", click \"Docs\".\n2. Click \"Web Proxy\".\n3. Select the \"Use Web Proxy\".\n4. In the Proxy Server Authentication Type drop-down list, select \"NTLM authentication\".\n5. Click \"Save\"."},{"id":"c4fa9e61-716a-4927-8183-afe78e67903c","vulnId":"V-79045","severity":"high","ruleTitle":"If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use SSL for LDAP lookup to connect to the Office Web App Server (e.g., SharePoint).","description":"Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS) or SSL.","checkContent":"This requirement is not applicable if the BlackBerry Docs service is not enabled on BEMS.\n\nVerify the BlackBerry Docs service is configured to use SSL for LDAP Lookup to connect to the Office Web App Server (e.g., SharePoint) as follows:\n\n1. In the BEMS Dashboard, under \"BlackBerry Services Configuration\", click \"Docs\".\n2. Click \"Settings\".\n3. Verify \"Use SSL for LDAP\" is selected.\n\nIf SSL for LDAP is not enabled for the BlackBerry Docs service, this is a finding.","fixText":"This requirement is not applicable if the BlackBerry Docs service is not enabled on BEMS.\n\nConfigure the BlackBerry Docs service to use SSL for LDAP Lookup to connect to the Office Web App Server (e.g., SharePoint) as follows:\n\n1. In the BEMS Dashboard, under \"BlackBerry Services Configuration\", click \"Docs\". \n2. Click \"Settings\".\n3. Select the \"Enable Kerberos Constrained Delegation\" check box to allow Docs to use Kerberos constrained delegation.\n4. Enter each of the Microsoft SharePoint Online domains you plan to make available.\n5. Enter the URL for your approved Office Web App Server.\n6. Provide your Microsoft Active Directory user domains (separated by commas) and then enter the corresponding LDAP Port. \n7. Select the \"Use SSL for LDAP\" check box.\n8. Click \"Save\"."},{"id":"6fc67fad-e0d9-4bc4-926f-015f76ea604a","vulnId":"V-79047","severity":"medium","ruleTitle":"If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to enable audit logs.","description":"Logging must be used in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident.","checkContent":"This requirement is not applicable if the BlackBerry Docs service is not enabled on BEMS.\n\nVerify audit logging is enabled for the BlackBerry Docs service as follows:\n\n1. In the BEMS Dashboard, under \"BlackBerry Services Configuration\", click \"Docs\".\n2. Click \"Audit\".\n3. On the \"Audit Settings\" tab, verify \"Enable Audit Logs\" is selected.\n\nIf audit logging is not enabled for the BlackBerry Docs service, this is a finding.","fixText":"Enable audit logging for the BlackBerry Docs service as follows:\n\n1. In the BEMS Dashboard, under \"BlackBerry Services Configuration\", click \"Docs\".\n2. Click \"Audit\".\n3. On the \"Audit Settings\" tab, select the \"Enable Audit Logs\" check box.\n4. Click \"Save\"."}]}]]}]

BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide

Checks (23)