The BES12 server must leverage the BES12 Platform user accounts and groups for BES12 server user identification and authentication.

From BlackBerry BES 12.5.x MDM Security Technical Implementation Guide

Part of PP-MDM-204101

Associated with: CCI-000015

SV-83181r2_rule The BES12 server must leverage the BES12 Platform user accounts and groups for BES12 server user identification and authentication.

Vulnerability discussion

A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the MDM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos).SFR ID: FIA

Check content

Review the BES12 server configuration settings, and verify the server is configured to leverage the MDM Platform user accounts and groups for BES12 server user identification and authentication. On the BES12, do the following: 1. Log on to the BES12 host server and navigate to the BES12 console. 2. Verify the BES12 server does not prompt for additional authentication before opening the BES12 console. If the BES12 server does not display an Administrator-specified advisory notice and consent warning message regarding use of the server, this is a finding. If the BES12 server prompts for additional authentication before opening the BES12 console, this is a finding.

Fix text

On the BES12, do the following: Configure constrained delegation for the Microsoft Active Directory account to support single sign-on: 1. Log on to the BES12 host server and use the Windows Server ADSI Edit tool to add the following SPNs for BES12 to the Microsoft Active Directory account: - HTTP/ (for example, HTTP/domain123.example.com) - BASPLUGIN111/ (for example, BASPLUGIN111/domain123.example.com) NOTE: - If you configured high availability for the management consoles in a BES12 domain, specify the pool name. Otherwise, specify the FQDN of the computer that hosts the management console. - Verify that no other accounts in the Microsoft Active Directory forest have the same SPNs. 2. Open Microsoft Active Directory Users and Computers. 3. In the Microsoft Active Directory account properties, on the "Delegation" tab, select the following options: - Trust this user for delegation to specified services only - Use Kerberos only 4. Add the SPNs from Step 1 to the list of services. Configure single sign-on for BES12: Note: - When you configure single sign-on for BES12, you configure it for the management console and BES12 Self-Service. - If you enable single sign-on for multiple Microsoft Active Directory connections, verify that there are no trust relationships between the Microsoft Active Directory forests. 1. Log on to the BES12 console and select the "Settings” tab at the top of the screen. 2. Expand the "External integration" tab on the left pane. 3. Click "Company directory". 4. In the Configured directory connections section, click the name of a Microsoft Active Directory connection. 5. On the Authentication tab, select the check box next to "Enable Windows single sign-on". 6. Click "Save". Note: BES12 validates the information for Microsoft Active Directory authentication. If the information is invalid, BES12 prompts you to specify the correct information. 7. Click "Close". 8. Restart the BES12 services on each computer that hosts a BES12 instance. 9. Instruct administrators and BES12 Self-Service users to configure their browsers to support single sign-on for BES12.

Pro Tips

Powered by sagemincer