All Access Control Rules assigned to user and group accounts must be configured to deny access to all file shares.

From BlackBerry Enterprise Server (version 5.x), Part 2 Security Technical Implementation Guide

Part of Disable BES MDS CS document search -02

SV-27296r3_rule All Access Control Rules assigned to user and group accounts must be configured to deny access to all file shares.

Vulnerability discussion

The BES MDS Connection Service allows BlackBerry users to search the enclave for files and documents of interest to the user without any authentication requirements to the enclave. Access control requirements of the network can be bypassed.

Check content

Detailed Policy Requirements: The BES must be configured so that all network file share access by BlackBerry users has been blocked. A high-level "deny all" Access Control Rule policy must be set up and assigned to each user or group account.

Check Procedures:

1. Verify that the all-domain URL pattern has been configured on the BES as follows: BAS >> Servers and components >> BlackBerry Domain >> Component view >> MDS Connection service >> Pull URL pattern tab. Note the Description (name) of the TCP URL pattern that has the following pattern: \\*.*\*. If no TCP URL pattern is configured as indicated, this is a finding.

2. Verify all access control rules identified in check WIR1350-02 have been set up with a URL pattern with the "Deny" rule. BAS >> Servers and components >> BlackBerry Domain >> Component view >> MDS Connection service >> Access control rules tab. View each Access Control Rule. Note whether the URL pattern identified in Step 1 has been assigned to each rule and the "Allowed" configuration has been set to "Deny". If no "Deny" URL pattern has been set up on the BES for each rule, this is a finding.
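The two check steps above can be applied mechanically once the reviewer has transcribed what the two BAS tabs show. The following is an added example, not part of the STIG or of any BlackBerry tooling: the record layout, the field names and the sample rule names are assumptions, and the sample data is constructed.

```python
# Added example: the record layout and field names are assumptions,
# not a BES export format. The reviewer transcribes them from the BAS.
from dataclasses import dataclass, field

FILE_SHARE_PATTERN = r"\\*.*\*"  # TCP URL pattern named in step 1 of the check


@dataclass
class RuleEntry:
    url_pattern: str  # URL pattern assigned to the access control rule
    allowed: str      # value of the "Allowed" setting: "Allow" or "Deny"


@dataclass
class AccessControlRule:
    name: str
    entries: list = field(default_factory=list)


def audit(pull_url_patterns, rules):
    """Return finding strings for steps 1 and 2; an empty list means no finding."""
    findings = []
    # Step 1: the file share pattern must exist on the Pull URL pattern tab.
    if FILE_SHARE_PATTERN not in {p.strip() for p in pull_url_patterns}:
        findings.append("step 1: no pull URL pattern " + FILE_SHARE_PATTERN)
    # Step 2: every rule must carry that pattern, and it must be set to Deny.
    for rule in rules:
        matching = [e for e in rule.entries
                    if e.url_pattern.strip() == FILE_SHARE_PATTERN]
        if not matching:
            findings.append(f"step 2: rule '{rule.name}' lacks the file share pattern")
        elif any(e.allowed.strip().lower() != "deny" for e in matching):
            findings.append(f"step 2: rule '{rule.name}' does not deny the file share pattern")
    return findings


# Constructed sample data (hypothetical rule names and intranet URL).
SAMPLE_PATTERNS = [r"\\*.*\*", "http://intranet.example/*"]
SAMPLE_RULES = [
    AccessControlRule("Default users", [RuleEntry(r"\\*.*\*", "Deny")]),
    AccessControlRule("Executives", [RuleEntry(r"\\*.*\*", "Allow")]),
    AccessControlRule("Contractors", [RuleEntry("http://intranet.example/*", "Allow")]),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PATTERNS, SAMPLE_RULES) or ["no finding"]:
        print(line)
```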

Fix text

Configure the BES MDS Connection Service to disable browsing on the enclave for files and documents of interest. Set up each access control rule assigned to user and group accounts with a "Deny" URL pattern.
