Installation guide

BlackBerry Enterprise Solution 36
Configuration option: Use a secure file system
Recommendations:
- Use NTFS for the Microsoft SQL Server because it is more stable and recoverable than FAT file systems, and enables security options such as file and directory ACLs and EFS.
- Do not change the permissions that the Microsoft SQL Server sets during installation. The Microsoft SQL Server sets appropriate ACLs on registry keys and files if it detects NTFS.
- If the system administrator must change the account that runs the Microsoft SQL Server, decrypt the files under the old account and re-encrypt them under the new account.

Configuration option: Delete unsecured, old setup files
Recommendations:
- Delete Microsoft SQL Server setup files that might contain plain text, credentials encrypted with weak public keys, or sensitive configuration information that the Microsoft SQL Server logged to a Microsoft SQL Server version-dependent location during installation.
Note: Microsoft distributes a free tool, Killpwd, which is designed to locate and delete passwords from unsecured, old setup files on your system. For more information, see the Microsoft Knowledge Base article Service Pack Installation May Save Standard Security Password in File.

Configuration option: Audit connections to the Microsoft SQL Server
Recommendations:
- At a minimum, log failed connection attempts to the Microsoft SQL Server and review the log regularly.
- When possible, save log files to a different hard drive than the one on which data files are stored.
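One way to carry out the regular review of failed connection attempts recommended above, as an added example that is not part of the original guide. The log line layout, account names, database name and addresses are constructed for illustration and are assumptions, not output from a real server.

```python
import re
from collections import Counter

# Constructed sample in the style of a SQL Server error log with failed-login
# auditing enabled. The line layout is an assumption; adjust FAILED to match
# the log your server version actually writes.
SAMPLE_LOG = """\
2007-03-14 09:12:01.45 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.20]
2007-03-14 09:12:02.10 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.20]
2007-03-14 09:12:03.77 Logon       Login failed for user 'admin'. [CLIENT: 192.0.2.20]
2007-03-14 09:15:40.02 Logon       Login succeeded for user 'svc_example'. [CLIENT: 192.0.2.5]
2007-03-14 09:20:00.00 spid5s      Starting up database 'ExampleDb'.
2007-03-14 10:02:11.30 Logon       Login failed for user 'svc_example'. [CLIENT: 192.0.2.5]
"""

FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\."
    r"(?:.*\[CLIENT: (?P<client>[^\]]+)\])?"
)

def summarize_failed_logins(lines):
    """Group failed logins by client address (lines assumed chronological)."""
    summary = {}
    for line in lines:
        m = FAILED.match(line)
        if m is None:
            continue  # successful logins and non-logon messages are skipped
        client = m.group("client") or "unknown"  # a line may carry no CLIENT
        entry = summary.setdefault(
            client, {"failures": 0, "users": Counter(), "first": m.group("ts")})
        entry["failures"] += 1
        entry["users"][m.group("user")] += 1
        entry["last"] = m.group("ts")
    return summary

def flag_sources(summary, threshold=3):
    """Clients worth a closer look: many failures, or several account names."""
    return sorted(c for c, e in summary.items()
                  if e["failures"] >= threshold or len(e["users"]) > 1)

if __name__ == "__main__":
    report = summarize_failed_logins(SAMPLE_LOG.splitlines())
    for client in flag_sources(report):
        e = report[client]
        print(f"{client}: {e['failures']} failures between {e['first']} and "
              f"{e['last']}, accounts tried: {sorted(e['users'])}")
```

A single mistyped password from a known host stays below the threshold, while repeated failures or several account names tried from one address are surfaced for review.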
Changing the BlackBerry Configuration Database
If the BlackBerry Enterprise Server administrator moves the BlackBerry device to a BlackBerry Enterprise Server
that uses a different BlackBerry Configuration Database, the BlackBerry Enterprise Server administrator or a
BlackBerry device user must permanently delete all BlackBerry device user and application data, the BlackBerry
device master encryption key, and the IT policy public key from the BlackBerry device. For more information, see
“Remotely erasing data from BlackBerry device memory and making the BlackBerry device unavailable” on page
62.
The BlackBerry Enterprise Server administrator or the BlackBerry device user must initiate regeneration of a new,
unique master encryption key. The new BlackBerry Enterprise Server must generate a unique IT policy private
and public key pair and digitally sign and send the Default IT policy and the IT policy public key to the
BlackBerry device before the BlackBerry device can communicate with the new BlackBerry Enterprise Server.
The new BlackBerry Configuration Database stores the new BlackBerry Enterprise Server name and the
BlackBerry device master encryption key and IT policy private key.
BlackBerry MDS Services databases
The BlackBerry MDS Services store their database access credentials in plain text form in
INSTALL_DIR\BlackBerry MDS Services 4.1.0\jakarta-tomcat-5.5.9\conf\server.xml. To protect the access
credentials in that storage location, the system administrator must:
- use a separate SQL login account to install and manage the BlackBerry MDS Services databases
- assign read and write control to that location to a separate BlackBerry MDS Services SQL login account only
For more information, see the BlackBerry Enterprise Server Installation Guide.
www.blackberry.com