Where is your BES Policy?

Several months ago, users of a wireless carrier in the United Arab Emirates (UAE) were sent an SMS message to their Blackberry devices instructing them to install a software patch that would resolve recent network trouble they had been experiencing. The patch turned out to be spyware (Etisalat.A[MA]) that intercepted the user’s email and forwarded the messages to a listening agent inside the Etisalat network.

About one month ago, a problem in the Blackberry browser left devices open to attack due to a certificate notification flaw. An advisory from Research in Motion details how a malicious user could spoof a “trusted” website then use a phishing technique to send users to that site using SMS or email.

A malformed SMS message causing a memory corruption error could be used to cause a denial of service or execution of arbitrary code on Apple’s iPhone (CVE-2009-2204). Although this one is not a Blackberry issue, the point I want to get across is that mobile devices are beginning to see their fair share of vulnerabilities which could lead to malicious activity.

Turning our focus back to the Blackberry, a director for Hermis Consulting in Jakarta, Indonesia recently wrote an application for the Blackberry which can turn the handheld into a remote bugging device. The software is called PhoneSnoop and was written to demonstrate how an “attacker can activate the microphone of a Blackberry handheld and listen to sounds near or around it.” There are currently no stealth or spyware aspects to the software, but it shows how the capabilities of a Blackberry could be used for malicious purposes.

These issues remind me of my previous position, managing a global infrastructure team for a financial company. Exchange and Blackberry services were under our umbrella of responsibilities. When I first arrived many years ago, as with most companies that are victims of rapid growth, IT policies were non-existent. Though unpopular with the users, I had to have a BES policy implemented, and one that took quite a bit of control away from the user. From password policies to WiFi disabling, where is your BES policy?


Note: A BES (BlackBerry Enterprise Server) is middleware which connects to your enterprise messaging solution (such as Microsoft Exchange or IBM Lotus Domino) and redirects email and PIM information to and from Blackberry mobile devices.

Note: A BES IT Policy is configured on the BES and assigned to Blackberry devices over the air. Policies can be assigned to users and to user groups. The default installation does not enforce any policies; enabling them is a best practice on any platform or device. See the bottom of this post for the KB with instructions on how to create and apply policies.

At the bare minimum, you should have these basic policies set:

  • Password Required Rule – True
  • User Can Change Time – False
  • User Can Disable Password – False
  • Password Pattern Checks – Require at least 1 alpha and 1 numeric
  • Minimum Password Length – 7 characters
  • Maximum Password Age – 30 or 60 days
  • Set Password Timeout – 10 minutes
  • Set Maximum Password Attempts – 10
  • Maximum Password History – 6
  • Set Owner Info – Customize
  • Set Owner Name – Customize
  • Lock Owner Info – Customize
  • Remote Wipe Reset to Factory Defaults – True

Control Upgrades:

  • Allow Non Enterprise Upgrade – False
  • Disallow Device User Requested Upgrade – True

Camera Options:

  • Disable Photo Camera – True 
  • Disable Video Camera – True

Application Control:

  • Disable Application Center – True
  • Allow Application Download Services – False
  • Disallow Third Party Application Downloads – True

Other Policies I Like:

  • Disable USB Mass Storage – True
  • Disable Blackberry Messenger – True
  • Disable Bluetooth – True
  • Allow Application Download Services – False
  • Allow Hotspot Browser – False
  • Allow IBS Browser – False
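
To make the baseline above auditable rather than a checklist read by eye, here is an added example (not from the original post and not a BES feature) that compares a policy, written one “Rule – Value” per line in the same format as the lists above, against the post’s bare-minimum rules; numeric rules such as password length and age are checked as bounds, and a rule that is absent is flagged because the server default then applies. The line format, `BASELINE` contents and `SAMPLE_POLICY` are constructed for this example.

```python
import re

# Baseline from the post's "bare minimum" list. "eq" needs an exact True/False;
# "min"/"max" bound a numeric setting (age may be 30 or 60 days, so >60 fails).
BASELINE = {
    "Password Required Rule": ("True", "eq"),
    "User Can Disable Password": ("False", "eq"),
    "Minimum Password Length": (7, "min"),
    "Maximum Password Age": (60, "max"),
    "Set Password Timeout": (10, "max"),
    "Remote Wipe Reset to Factory Defaults": ("True", "eq"),
}
# One "Rule – Value" per line, mirroring the post's list (constructed format,
# not a BES export); bullet optional, dash must be surrounded by whitespace.
LINE = re.compile(r"^\s*•?\s*(.+?)\s+[–-]\s+(.+?)\s*$")

def parse_policy(text):
    """Map rule name -> value string, skipping blank or malformed lines."""
    rules = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rules[m.group(1)] = m.group(2)
    return rules

def audit(rules):
    """Return (rule, actual, expected) for each baseline rule unset or weaker."""
    findings = []
    for rule, (expected, mode) in BASELINE.items():
        actual = rules.get(rule)
        if actual is None:                      # rule never set: default applies
            findings.append((rule, None, expected))
            continue
        if mode == "eq":
            ok = actual.lower() == expected.lower()
        else:
            # "90 days" -> 90; an unparseable value (-1) fails either bound
            n = int(m.group()) if (m := re.match(r"\d+", actual)) else -1
            ok = n >= expected if mode == "min" else 0 <= n <= expected
        if not ok:
            findings.append((rule, actual, expected))
    return findings

# Constructed policy with three weak values plus one missing baseline rule.
SAMPLE_POLICY = """
  • Password Required Rule – True
  • User Can Disable Password – True
  • Minimum Password Length – 4 characters
  • Maximum Password Age – 90 days
  • Set Password Timeout – 10 minutes
  • Disable Bluetooth – True
"""
```

Running `audit(parse_policy(SAMPLE_POLICY))` reports the disable-password, length and age rules as weaker than the baseline and the remote-wipe rule as unset; rules outside the baseline, like Bluetooth here, are ignored.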

Too Much?

Now, at a glance these policies may sound too strict; but the purpose of the device is to give users access to their email, contacts and calendars anywhere, and a mobile phone on which they can be reached at any time. Cameras, hotspots and transferring photos and music over USB mass storage are features that are not necessary. If you have legitimate business needs for these features, then you can enable them for certain user groups using a policy.

The policies mentioned are a very small fraction of what is available. I’d like to hear which policies you find useful in your environment, or which you find to be more harm than good.

For a complete list of policies, please see the Policy Reference Guide.


Howto


Create, Assign, View, and Send IT policies

Doc ID : KB02022
Last Modified : 2007-02-01
Document Type : How To
Environment
This article applies to BlackBerry® Enterprise Server software versions 3.6, 4.0, and 4.1 for Microsoft® Exchange.
Procedure
The BlackBerry Enterprise Server uses an IT policy to control the behavior of the BlackBerry devices assigned to it. IT policies cover a wide range of BlackBerry device functions (for example, passwords, attachment viewing, and available browsers). Administrators can create custom IT policies in addition to the IT policies already present on the BlackBerry Enterprise Server.
Creating IT Policies
To create an IT policy, complete these steps:
BlackBerry Enterprise Server software versions 3.6 and 4.0

  1. Depending on your version, open the BlackBerry Enterprise Server Management console or BlackBerry Manager.
  2. Right-click the BlackBerry Enterprise Server name, then click IT Policy.
  3. Click New, then create a name for the IT policy.
  4. Select the check box beside each IT policy rules item you would like to assign. A description of the IT policy will appear.
  5. To enable the selected IT policy, in the description window, click TRUE.
  6. Click Apply, then click OK.

BlackBerry Enterprise Server software version 4.1

  1. In BlackBerry Manager, select Servers, then click the Global tab.
  2. From the Tasks menu, click Edit Properties.
  3. Select IT Policy, then double-click IT Policies.
  4. Click New, then create a name for the IT policy.
  5. Select an IT policy group to view the associated IT policy rules.
  6. Select the appropriate IT policy rules.
  7. Click Apply, then click OK.

Assigning IT Policies
To assign an IT policy to a BlackBerry device user, complete the following steps:
BlackBerry Enterprise Server software versions 3.6 and 4.0

  1. Depending on your version, open the BlackBerry Enterprise Server Management console or BlackBerry Manager.
  2. Right-click the BlackBerry Enterprise Server name, then click IT Policy.
  3. Select an IT policy, then click Edit User List.
  4. Click Add Users to This Policy.
  5. Select a BlackBerry device user, then click Add.
  6. Click Close, then click OK to close the Edit IT Policy Userlist window.
  7. Click OK again.

BlackBerry Enterprise Server software version 4.1

  1. In BlackBerry Manager, select Servers, then click the Global tab.
  2. From the Tasks menu, select Edit Properties.
  3. Select IT Policy, then double click IT Policy to User Mapping.
  4. Select a BlackBerry device user, then click the button next to the appropriate IT policy.
  5. Click OK to close the IT policy to User Mapping window.
  6. Click Apply, then click OK.

Viewing IT Policies
To view IT policies on the BlackBerry Enterprise Server, complete these steps:
BlackBerry Enterprise Server software versions 3.6 and 4.0

  1. Depending on your version, open the BlackBerry Enterprise Server Management console or BlackBerry Manager.
  2. Right-click the BlackBerry Enterprise Server name, then click IT Policy.
  3. Select an IT policy, then click View to see the BlackBerry device and Desktop Policy Settings that have been applied.
  4. Click OK to close the View Policy window.
  5. Click OK again.

BlackBerry Enterprise Server software version 4.1

  1. In BlackBerry Manager, click Servers, then click the Global tab.
  2. From the Tasks menu, select Edit Properties.
  3. Select IT Policy, then double-click IT Policies.
  4. To view the IT policy rules, click Properties.
  5. Click OK.

To view an IT policy on a BlackBerry device, complete these steps:

  1. From the Home screen, select Options.
  2. Select Security Options > General Settings.
  3. The IT policy Name, Last Updated, and Time Stamp fields will be listed.

Note: Depending on the BlackBerry device and BlackBerry Device Software version, the instructions for viewing the IT policy on the BlackBerry device may vary. For example, on the BlackBerry 7100 series, the BlackBerry device user must select Settings or Tools, then select Security.

Sending IT Policies
To send an IT policy to a BlackBerry device user, complete the following steps:
Note: By default, when you assign an IT policy to a BlackBerry device user, the IT policy is automatically sent to the BlackBerry device user.
Note: When a change is made to an existing IT policy, it is automatically resent to all BlackBerry device users assigned to that IT policy.
BlackBerry Enterprise Server software versions 3.6 and 4.0

  1. Depending on your version, open the BlackBerry Enterprise Server Management console or BlackBerry Manager.
  2. Select the BlackBerry Enterprise Server name, then right-click a BlackBerry device user name.
  3. Click Properties.
  4. On the IT Admin tab, click Resend policy.
  5. Click Apply, then click OK.

BlackBerry Enterprise Server software version 4.1

  1. In BlackBerry Manager, select the BlackBerry Enterprise Server name.
  2. Select a BlackBerry device user, then click the question mark ( ? ) symbol beside IT Admin.
  3. From the menu that appears, you can resend the IT policy or assign an IT policy to a BlackBerry device user.
  4. Click OK.

Filed Under: Administration, Data Leak Prevention, Security

Comments (3)

  1. BlackBerry plays a very important and popular role in the IT era.

    Most young people like BlackBerry very much.

  2. We just bought blackberries for our whole team through Verizon and have been curious as to how we could modify permissions and we didn’t know the phone well enough to know what to turn on/off.

  3. Samson Chibada says:

    Please send me a contact email & phone; I need BES software set up for our organization in Jakarta.
