STIGQter STIGQter: STIG Summary: BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide Version: 1 Release: 3 Benchmark Date: 24 Jul 2020:

The BlackBerry Enterprise Mobility Server (BEMS) must protect log information from unauthorized deletion.

DISA Rule

SV-93713r1_rule

Vulnerability Number

V-79007

Group Title

SRG-APP-000120-AS-000080

Rule Version

BEMS-00-002800

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure BEMS to have at least one user in the following Administrator roles: Server primary administrator, auditor.

1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration".
2. Click "Dashboard Administrators".
3. Click "Add Group".
4. In the "Active Directory Security Group" field, type the name of the Microsoft Active Directory security group.
5. Click "Save".
6. Repeat steps 3 to 5 to add additional security groups.
7. For the server primary administrator, the default role of Admin meets the required roles and no additional configuration is needed.
8. For the Auditor role, complete the following steps:
- In active directory, create a domain auditor group and assign personnel designated as auditors to that group.
- Browse to the log repository.
- Right-click on the folder.
- Select "Properties".
- Select the "Security" tab.
- Click "Edit".
- Click "Add".
- Type in name of the user group.
- Confirm that only the necessary groups have rights to the folder (CREATOR OWNER, SYSTEM, Administrators, Auditors).
- Set proper permissions for auditors (Read, List folder contents, Read & Execute).

Check Contents

Verify BEMS has been configured with the following administrator groups/roles, each group/role has required permissions, and at least one user has been assigned to each Administrator group/role: Server primary administrator, auditor.

Procedure for Server Primary Administrator:
1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration".
2. Click "Dashboard Administrators".
3. Confirm the Administrator role for the primary server administrator has been assigned the dashboard role of Admin.
4. Verify in AD at least one member has been assigned to the BEMS administrator group. (Note: Actual group name may be different.)

Procedure for Auditor:
1. Verify in AD an auditor group has been set up with at least one member.
2. Browse to the log repository.
3. Right-click on the folder.
4. Select "Properties".
5. Select the "Security" tab.
6. Confirm the auditor security group is listed.

If required administrator roles have not been set up on BEMS and at least one user has not been assigned to each role, this is a finding.

Vulnerability Number

V-79007

Documentable

False

Rule Version

BEMS-00-002800

Severity Override Guidance

Verify BEMS has been configured with the following administrator groups/roles, each group/role has required permissions, and at least one user has been assigned to each Administrator group/role: Server primary administrator, auditor.

Procedure for Server Primary Administrator:
1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration".
2. Click "Dashboard Administrators".
3. Confirm the Administrator role for the primary server administrator has been assigned the dashboard role of Admin.
4. Verify in AD at least one member has been assigned to the BEMS administrator group. (Note: Actual group name may be different.)

Procedure for Auditor:
1. Verify in AD an auditor group has been set up with at least one member.
2. Browse to the log repository.
3. Right-click on the folder.
4. Select "Properties".
5. Select the "Security" tab.
6. Confirm the auditor security group is listed.

If required administrator roles have not been set up on BEMS and at least one user has not been assigned to each role, this is a finding.

Check Content Reference

M

Target Key

3259

Comments