Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
X) Version 1, Release 4
29 April 2011
______________________________________________________________________________ UNCLASSIFIED
UNCLASSIFIED
ii
TABLE OF CONTENTS
Page 1. INTRODUCTION..................................................................................................................1 1.1 1.2 1.3 1.4 1.5 1.6 2. 2.1 2.2 2.3 3. Background ..................................................................................................................... 1 Authority ......................................................................................................................... 2 Scope............................................................................................................................... 3 Vulnerability Severity Code Definitions ........................................................................ 3 STIG Distribution ........................................................................................................... 5 Document Revisions ....................................................................................................... 6 Wireless General Policy STIG........................................................................................ 7 BlackBerry Handheld STIG............................................................................................ 7 BlackBerry Enterprise Server STIG ............................................................................... 7
BES AND BLACKBERRY DEVICE SECURITY INFORMATION ............................11 3.1 Creating IT Policies ...................................................................................................... 11 3.2 BlackBerry Application Security.................................................................................. 12 3.2.1 Overview............................................................................................................... 12 3.2.2 Application Security Controls............................................................................... 14 3.2.3 Strategy for Secure Deployment and Management of BlackBerry Applications . 15 3.2.4 Strategy for Secure Connections to Back-Office Servers..................................... 16 3.2.5 Setting Up Application Security Controls ............................................................ 17 3.2.5.1 IT Policy Controls................................................................................................. 17 3.2.5.2 Setting Up an Application White List Software Configuration............................ 17 3.2.5.3 Security Controls for Non-Core BlackBerry Applications................................... 25 3.3 Configuring BlackBerry MDS Services Security ......................................................... 26 3.3.1 Configuring BlackBerry Authentication to Web Servers ..................................... 27 3.3.2 Data Encryption .................................................................................................... 27 3.3.3 BlackBerry MDS Connection Service Properties................................................. 28 3.3.4 BlackBerry MDS Integration Service Security..................................................... 32 3.3.5 BES MDS Connection Service Document Search Security ................................. 33 3.4 S/MIME Configuration................................................................................................. 33 3.5 PGP Encryption ............................................................................................................ 33 3.6 Managing Encryption Keys .......................................................................................... 33 3.7 Maintenance Configuration .......................................................................................... 34 3.7.1 Logging ................................................................................................................. 34 3.7.2 System Backup...................................................................................................... 34 3.7.3 BES Monitoring Tools.......................................................................................... 35 3.8 Content Protection ........................................................................................................ 35 3.9 Password Keeper Settings............................................................................................. 35 3.10 Bluetooth Security Settings........................................................................................... 36 3.11 Bluetooth Smart Card Reader ....................................................................................... 36 3.12 Forcing BlackBerry Device Software Updates............................................................. 37 UNCLASSIFIED
iii
3.13 Firewall Requirements .................................................................................................. 37 3.13.1 BES Architecture .................................................................................................. 37 3.13.2 BlackBerry Host-Based Firewall Non-Segmented Architecture .......................... 37 3.13.3 Segmented Architecture........................................................................................ 40 3.14 BlackBerry IP Modem .................................................................................................. 43 3.15 Disposal of BlackBerry Handhelds............................................................................... 43 3.16 Use of Team BlackBerrys ......................................................................................... 43 3.17 RIM Bluetooth Smart Card Reader (SCR) Connections to PCs................................... 43 3.18 Using Software Certificates .......................................................................................... 45 3.19 BlackBerry Use with Wireless LANs ........................................................................... 45 3.19.1 Wi-Fi Connection to a DoD-Operated Enterprise WLAN System....................... 46 3.19.2 Wi-Fi Connection to a Public Hot Spot WLAN System ...................................... 46 3.19.3 Wi-Fi Connection to a Home WLAN System ...................................................... 46 3.19.4 BlackBerry Wi-Fi Security Controls .................................................................... 47 3.19.5 Instructions for Installing a BlackBerry Device Certificate ................................. 48 3.19.6 BlackBerry Wi-Fi Voice over IP (VoIP) .............................................................. 48 3.20 Antivirus Support on BlackBerry Devices ................................................................... 48 3.21 AutoBerry/Sentinel Tool............................................................................................... 49 3.22 BlackBerry Instant Messaging (IM) ............................................................................. 49 3.23 Additional BlackBerry Applications and Services ....................................................... 50 3.23.1 Documents To Go ................................................................................................. 50 3.23.2 BlackBerry Mobile Voice System (MVS)............................................................ 50 3.24 BES System Administrator Training and Certification ................................................ 50 3.25 BlackBerry Single Sign-On Authentication.................................................................. 51 3.26 Bluetooth Headset......................................................................................................... 52 APPENDIX A. BES SYSTEM ADMINISTRATOR SECURITY CONFIGURATION TASKS ..........................................................................................................................................54 APPENDIX B. BLACKBERRY DISPOSAL PROCEDURES ..............................................58 APPENDIX C. CAC DIGITAL CERTIFICATE PROVISIONING .....................................60 APPENDIX D. VMS PROCEDURES.......................................................................................62 APPENDIX E. BLACKBERRY CONFIGURATION FOR GROUP E-MAIL ACCOUNTS64 APPENDIX F. MISCELLANEOUS BES 5.X CONFIGURATION PROCEDURES .........68 APPENDIX G. S/MIME CONFIGURATION PROCEDURES FOR BES 5.X ...................74 APPENDIX H: BLACKBERRY ADMINISTRATION SERVICE AND BLACKBERRY WEB DESKTOP MANAGER DOD SSL CERTIFICATE REQUEST AND INSTALLATION GUIDANCE ..................................................................................................78
UNCLASSIFIED
iv
LIST OF TABLES Page Table 1-1. Vulnerability Severity Category Code Definitions .......................................................3 Table 3-1. HTTP Properties..........................................................................................................28 Table 3-2. Proxy Properties ..........................................................................................................28 Table 3-3. TLS and HTTPS Properties.........................................................................................28 Table 3-4. Log Properties .............................................................................................................29 Table 3-5. Host-Based Firewall Architecture PPS for Non-Segmented Architecture on BES ....39 Table 3-6. Host-Based Firewall Architecture PPS for Segmented Architecture on BES Router.41 Table 3-7. Host-Based Firewall Architecture PPS for Segmented Architecture on BES.............41 Table D-1. VMS Asset Matrix......................................................................................................62 LIST OF FIGURES Page Figure 2-1. Example BlackBerry Network Architecture ................................................................8 Figure 2-2. Segmented BlackBerry Network Architecture.............................................................9 Figure 3-1. Disallowed Application Application Control Policy..............................................18 Figure 3-2. Required Application Application Control Policy .................................................19 Figure 3-3. Optional Application Application Control Policy ..................................................20 Figure 3-4. Application Control Policy for Google Maps 1 ......................................................21 Figure 3-5. Application Control Policy for Google Maps - 2.......................................................21 Figure 3-6. List of Application Control Policies on BES .............................................................22 Figure 3-7. Assigning Application Control Policies.....................................................................23 Figure 3-8. BlackBerry Connections to Enclave Servers .............................................................27 Figure 3-9. CRL Configuration (BES 5.x)....................................................................................29 Figure 3-10. LDAP Configuration (BES 4.1.x)............................................................................30 Figure 3-11. LDAP Configuration (BES 5.x)...............................................................................31 Figure 3-12. OCSP Configuration (BES 4.1.x) ............................................................................32 Figure 3-13. OCSP Configuration (BES 5.x) ...............................................................................32 Figure 3-14. Setting Password Keeper Password .........................................................................36
UNCLASSIFIED
UNCLASSIFIED
vi
1. INTRODUCTION 1.1 Background The BlackBerry Security Technical Implementation Guide (STIG) and associated documents (e.g., BlackBerry Overview, BlackBerry Configuration Tables, BlackBerry Handheld STIG, and BlackBerry Enterprise Server STIG), provide security policy and configuration requirements for the use of BlackBerry wireless e-mail in the Department of Defense (DoD). Guidance in these documents applies to all BlackBerry systems, including BlackBerry handheld devices and BlackBerry Enterprise Server (BES). This STIG provides security requirements for both BES 4.1.7 and 5.0.2 installations. DoD sites should migrate to BES 5.0.2 or later prior to June 2011 when Research In Motion (RIM) will discontinue support for BES 4.x. NOTE: The phrase Critical Information will be used throughout this document to bring attention to a critical item of information related to the operation, performance, or security of the BlackBerry system.