The Sentry must enforce approved authorizations for logical access to information and system resources by enabling identity-based, role-based, and/or attribute-based security policies. These controls are enabled in MobileIron UEM (MobileIron Core) and applied by the Sentry for conditional access enforcement.

An XCCDF Rule

Description

<VulnDiscussion>Successful authentication through Sentry must not automatically give an entity access to resources behind Sentry. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251008r802246_rule
Severity: Medium
References: CCI-000213
Updated: about 1 year ago

Configure the Sentry to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.

1. Log in to the Core Admin Portal.
2. Go to Services >> Sentry. 
3. Create one or all of the applicable Sentry Services: ActiveSync, AppTunnel, or Kerberos Proxy based on the Sentry use case. (Refer to the MobileIron Sentry Guide on how to configure the specific Sentry Services. ActiveSync: Page 43; AppTunnel: Page 64; Kerberos Proxy: Page 92.)
4. If Sentry is being used as an ActiveSync Proxy or AppTunnel, configure an Identity Certificate for the Device Authentication Configuration in the Sentry Configuration and enable the CRL checkbox.5. Save the Sentry configuration.
 
MobileIron UEM applies security, privacy, lockdown, and sync policies to registered devices. These policies ensure that devices can connect only if they comply to an organization’s security requirements. Standalone Sentry gets device posture and compliance information from MobileIron UEM and allows access to email via ActiveSync or backend systems based on the device posture.

1. Log in to the Core Admin Portal.
2. Go to Policies and Configurations >> Policies.
3. Create or edit the Lockdown and Security Policies.
4. Ensure the policies are applied to devices accessing systems behind a Sentry if configuring Sentry for ActiveSync.

By default, Sentry allows unregistered devices to access the ActiveSync server. Use this setting to change Sentry’s behavior to block unregistered devices from access if configuring Sentry for ActiveSync.

1. Log in to the Core Admin Portal. 
2. Go to Services >> Sentry >> Preferences. 
3. Change the Auto Block Unregistered Devices setting to "Yes". 
4. Click "Save".

Description

Remediation - Manual Procedure