Security controls must be set up on the BES for connections to “back-office” servers.

From BlackBerry Enterprise Server (version 5.x), Part 2 Security Technical Implementation Guide

Part of BlackBerry back-office connections

SV-21095r3_rule Security controls must be set up on the BES for connections to “back-office” servers.

Vulnerability discussion

Strong access controls to back-office servers are required to ensure DoD data is not exposed to users of the BlackBerry system that are not authorized to access the server.

Check content

Detailed Policy Requirements: If the site provides BlackBerry users access to "back-office" applications and content servers located on the site network enclave, the following controls will be implemented: - All enclave application and content servers that are accessed by BlackBerry users will implement CAC authentication. - The BES host-based firewall is set to block connections to back-office application and content servers unless the server IP address is on the firewall list of trust IP addresses and subnets. Note: BlackBerry back-office application and content servers include J2ME application servers, SOAP web services, and web servers. Check Procedures: Ask the BlackBerry SA if the site provides BlackBerry users access to "back-office" applications and content servers located on the site network enclave. If the response is "Yes", ask for a list of all enclave servers BlackBerry users can access and then perform the following checks. - Verify CAC authentication has been implemented on each server. Have the Windows reviewer assist with the review of each server. If CAC authentication has not been implemented on each server, this is a finding. - Verify the BES host-based firewall has been configured as required. This check should have been performed during the review of check WIR1300-02. Confirm this requirement was reviewed.

Fix text

Set up required controls on the BES for connections to "back-office" servers.

Pro Tips

Powered by sagemincer