Security controls must be implemented on the smartphone management server for connections to back-office servers and applications.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-24976	WIR-WMS-GD-005	SV-30814r1_rule	ECSC-1	High

Description
The secure connection from the smartphone to the smartphone management server can be used by the smartphone user to connect to back-office servers and applications located on the enclave network. These connections bypass network authentication controls setup on the enclave. Strong access controls to back-office servers are required to ensure DoD data is not exposed to users of the smartphone system that are not authorized to access the back-office servers and applications.

Description

The secure connection from the smartphone to the smartphone management server can be used by the smartphone user to connect to back-office servers and applications located on the enclave network. These connections bypass network authentication controls setup on the enclave. Strong access controls to back-office servers are required to ensure DoD data is not exposed to users of the smartphone system that are not authorized to access the back-office servers and applications.

STIG	Date
Good Mobility Suite Server (Apple iOS 4) Interim Security Configuration Guide (ISCG)	2011-11-07

Details

Check Text ( C-31230r1_chk )
Detailed Policy requirements Access to internal Intranet sites via the Good Browser must be blocked. Check Procedures Verify a local security policy has been set up on the Good server to block access to Intranet sites via the Good browser. 1. On the Windows host server for the Good Mobile Messaging Server, browse to Start Menu > Administrative Tools > Local Security Policies. 2. Within Local Security Policies right click on IP Security Policies on Local Computer. 3. Open the policy and verify the following setting has been configured: -Activate the default response rule is unchecked. 4. Go to the properties of the security policy and verify the following rules are included: a. Allow access from the GMM Server to the Default Gateway. b. Allow access from the GMM Server to the DNS Servers. c. Allow access from the GMM Server to the Exchange Servers. d. Allow access from remote workstations to GMM Server in case Terminal Services will be used to manage the server remotely. e. Deny access to everything else. Verify the IP Security policy has been assigned to the Windows server. Mark as a finding if a local security policy has not been set up on the Good server to block access to Internet sites via the good browser or if the policy has not been configured as required.

Check Text ( C-31230r1_chk )

Detailed Policy requirements
Access to internal Intranet sites via the Good Browser must be blocked.

Check Procedures
Verify a local security policy has been set up on the Good server to block access to Intranet sites via the Good browser.

1. On the Windows host server for the Good Mobile Messaging Server, browse to Start Menu > Administrative Tools > Local Security Policies.

2. Within Local Security Policies right click on IP Security Policies on Local Computer.

3. Open the policy and verify the following setting has been configured:

-Activate the default response rule is unchecked.

4. Go to the properties of the security policy and verify the following rules are included:
a. Allow access from the GMM Server to the Default Gateway.
b. Allow access from the GMM Server to the DNS Servers.
c. Allow access from the GMM Server to the Exchange Servers.
d. Allow access from remote workstations to GMM Server in case Terminal Services will be used to manage the server remotely.
e. Deny access to everything else.

Verify the IP Security policy has been assigned to the Windows server.

Mark as a finding if a local security policy has not been set up on the Good server to block access to Internet sites via the good browser or if the policy has not been configured as required.

Fix Text (F-27617r1_fix)
Set up required controls on the smartphone management server for connections to back-office servers.