The BlackBerry Enterprise Mobility Server (BEMS) must be configured to have at least one user in the following Administrator roles: Server primary administrator, auditor.

An XCCDF Rule

Description

<VulnDiscussion>Having several administrative roles for the BEMS supports separation of duties. This allows administrator-level privileges to be granted granularly, such as giving application management privileges to one group and security policy privileges to another group. This helps prevent administrators from intentionally or inadvertently altering other settings and configurations they may not understand or approve of, which can weaken overall security and increase the risk of compromise. - Server primary administrator: Responsible for server installation, initial configuration, and maintenance functions. Responsible for the setup and maintenance of security configuration administrator and auditor accounts. - Auditor: Responsible for reviewing and maintaining server and mobile device audit logs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-254714r879887_rule
Severity: Medium
References: CCI-000366
Updated: about 1 year ago

Configure BEMS to have at least one user in the following Administrator roles: Server primary administrator, auditor.

1. In the BEMS Dashboard, under "BEMS System Settings", click "BEMS Configuration".
2. Click "Dashboard Administrators".
3. Click "Add Group".
4. In the "Active Directory Security Group" field, type the name of the Microsoft Active Directory security group.5. Click "Save".
6. Repeat steps 3 through 5 to add additional security groups.
7. For the server primary administrator, the default role of Admin meets the required roles and no additional configuration is needed.
8. For the Auditor role, complete the following steps:
  - In AD, create a domain auditor group and assign personnel designated as auditors to that group.
  - Browse to the log repository.
  - Right-click on the folder.
  - Select "Properties".
  - Select the "Security" tab.
  - Click "Edit".
  - Click "Add".
  - Type the name of the user group.
  - Confirm that only the necessary groups have rights to the folder (CREATOR OWNER, SYSTEM, Administrators, Auditors).
  - Set proper permissions for auditors (Read, List folder contents, Read & Execute).

The BlackBerry Enterprise Mobility Server (BEMS) must be configured to have at least one user in the following Administrator roles: Server primary administrator, auditor.

Description

Remediation - Manual Procedure