The BES must be configured to disable the capability of the BES to proxy a user’s authentication to back-office application, web, and content servers. Users must authenticate directly to back-office servers using a USCYBERCOM CTO 07-15Rev1 authorized method.

From BlackBerry Enterprise Server (version 5.x), Part 2 Security Technical Implementation Guide

Part of BES authentication to back-office servers

SV-17336r3_rule The BES must be configured to disable the capability of the BES to proxy a user’s authentication to back-office application, web, and content servers. Users must authenticate directly to back-office servers using a USCYBERCOM CTO 07-15Rev1 authorized method.

Vulnerability discussion

User authentication credentials should not be proxied by the BES, because the BES would then be saving DoD user authentication credentials in its database.

Check content

Verify the site BES has been configured to require BlackBerry users to authenticate directly with enclave application and content servers.

- On the BAS, go to Servers and components >> BlackBerry Solution topology >> BlackBerry Domain >> MDS Connection Service.
- Click "Edit components".
- Select the "HTTP" tab.
- In the "Authentication support enabled" drop-down list, verify "No" has been selected.

If the configuration setting is not correct, this is a finding.

Exception: When a site Internet Proxy is set to require user authentication, the configuration setting above will cause a loss of Internet connectivity. In this case only, the "Support HTTP Authentication" setting should be set to TRUE, and then, when prompted, enter no value for the user authentication information (this will cause the BES to prompt for the user's authentication credentials whenever an Internet connection is requested). When a site uses authentication on the Internet proxy, the reviewer should verify the required setting for "Support HTTP Authentication" and then have users show on their BlackBerry that they have to enter their Internet Proxy authentication credentials whenever they try to connect to the Internet.

Fix text

The BES must be configured to disable the capability of the BES to proxy a user’s authentication to back-office application, web, and content servers.
