
The PKI digital certificate installed on the wireless email management server must be a DoD PKI-issued certificate.


Overview

Finding ID: V-25754
Version: WIR-WMS-GD-010
Rule ID: SV-32013r2_rule
IA Controls: IATS-1
Severity: Low
Description
When a self-signed PKI certificate is used, a rogue wireless email management server can impersonate the DoD wireless email management server. DoDI 8520-02 requires that PKI certificates come from a trusted DoD PKI.
STIG: Good Mobility Suite Server (Windows Phone 6.5) Security Technical Implementation Guide
Date: 2011-10-04

Details

Check Text (C-32242r2_chk)
Verify that a DoD server certificate has been installed on the Good wireless email management server and that the self-signed certificate, available as an option during the setup of the wireless email management server, has not been installed.

Ask the SA to access the Good server using Internet Explorer. Verify no certificate error occurs. Click the Lock icon next to the address bar then select “view certificates”. On the General tab, verify the “Issued to:” and “Issued by:” fields do not show the same value. Then on the Certification Path tab, verify the top certificate is a trusted DoD Root certificate authority (e.g., DoD Root CA 2) and the certificate status field states “This certificate is OK”.

If a certificate error occurs, either the default self-signed certificate is still installed, the Good server has not been rebooted since the DoD-issued certificate was installed, or the computer accessing the Good server does not have the DoD Root and Intermediate certificate authorities installed. The reviewer can select the “Continue to this website” option and follow the same procedure above. If the certificate is issued from an approved DoD PKI, ask the SA to run InstallRoot on the computer accessing the Good server. Otherwise, have the SA follow the procedures outlined in the STIG/ISCG to request/install a certificate issued from a trusted DoD PKI.

Mark as a finding if a DoD server certificate has not been installed on the Good wireless email management server or if the self-signed certificate has been installed.
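
The conditions in the check above (issuer differs from subject, certification path ends at a DoD root, no chain errors) can also be evaluated in PowerShell. This is an added example, not part of the STIG: the function name, the `CN=DoD Root CA` match pattern and the constructed self-signed sample certificate are assumptions, and it needs .NET Framework 4.7.2 or later (or PowerShell 7).

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper (not from the STIG): applies the Check Text conditions to one certificate.
function Test-DodServerCertificate {
    param(
        [Parameter(Mandatory)] [X509Certificate2] $Certificate,
        # Assumption: trusted DoD roots have "CN=DoD Root CA" in the subject (e.g., DoD Root CA 2).
        [string] $ExpectedRootPattern = 'CN=DoD Root CA'
    )
    # "Issued to:" and "Issued by:" showing the same value means self-signed.
    $selfSigned = $Certificate.Subject -eq $Certificate.Issuer

    # Build the certification path against this computer's trust store.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck  # assumption: offline run
    $chainOk = $chain.Build($Certificate)

    # The last chain element is the top of the Certification Path tab.
    $top = if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    } else { '' }
    $rootIsDoD = $top -like "*$ExpectedRootPattern*"
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status })

    [pscustomobject]@{
        IssuedTo    = $Certificate.Subject
        IssuedBy    = $Certificate.Issuer
        SelfSigned  = $selfSigned
        TopOfPath   = $top
        RootIsDoD   = $rootIsDoD
        ChainStatus = if ($status.Count) { $status -join ', ' } else { 'NoError' }
        Finding     = $selfSigned -or (-not $chainOk) -or (-not $rootIsDoD)
    }
}

# Constructed sample: an in-memory self-signed certificate, which must be reported as a finding.
$rsa = [RSA]::Create(2048)
$request = [CertificateRequest]::new('CN=good-server.example.test', $rsa,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$sample = $request.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))
Test-DodServerCertificate -Certificate $sample
```

Because the chain is built against the local trust store, a DoD-issued certificate still reports a finding on a computer where the DoD Root and Intermediate certificate authorities are not installed, matching the certificate-error case described above.
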
Fix Text (F-28607r1_fix)
Use a DoD-issued digital certificate on the wireless email management server.