Introduction

This document outlines the IT policy settings that should be configured in the BlackBerry IT Policy for security reasons. Note: this is not the full list of settings for BES version 4. Settings not listed here were not considered to have a direct impact on security and are therefore left to the discretion of each organisation.
The recommended settings are grouped as they are found in the IT Policy Editor under the following headings:

- Ungrouped Device-only Items
- Ungrouped Desktop-only Items
- Password Policy Group
- Compressed MIME (CMIME) Application Policy Group
- Transport Layer Security (TLS) Application Policy Group
- Wireless TLS (WTLS) Application Policy Group
- Desktop Policy Group

Ungrouped Device-only Items

The following settings are ungrouped device-only items:

| Name | Value |
|---|---|
| Password required | True |
| Allow PIN to PIN | False |
| Minimum password length | 7 |
| Users can disable passwords | False |
| Maximum security timeout | 3 minutes |
| Maximum password age | 90 days |
| User can change timeout | True |
| Password pattern checks | 3 |
| Enable long term timeout | True |
| Enable WAP configuration | False |

Ungrouped Desktop-only Items

The following settings are ungrouped desktop-only items:

| Name | Value |
|---|---|
| Show application loader | False |
| Force load count | 0 |
| Email conflict desktop wins | True |
| Auto backup enabled | True |
| Auto backup frequency | 1 day |
| Auto backup include all | True |
| Allow other email services | False |

Password Policy Group

The following group of settings controls the use of passwords:

| Name | Value |
|---|---|
| Set password timeout | 3 minutes |
| Set maximum password attempts | 3 |
| Suppress password echo | True |
| Maximum password history | 8 |

Compressed MIME (CMIME) Application Policy Group

The following group of settings controls the use of Compressed MIME:

| Name | Value |
|---|---|
| Disable revoked certificate use | True |
| Disable Peer to Peer normal send | True |
| Disable key store low security | True |
| Key store password maximum timeout | 60 minutes |
| Disable third-party applications download | True |
| Forced lock when holstered | True |
| Allow third-party applications to use serial port | False |
| Allow internal connection | False |
| Allow external connections | False |
| Allow split pipe connections | False |
| Disable invalid certificate use | True |
| Disable weak certificate use | True |

Transport Layer Security (TLS) Application Policy Group

The following group of settings controls the use of Transport Layer Security:

| Name | Value |
|---|---|
| TLS disable weak ciphers | 0 (disabled) |
| TLS disable untrusted connection | 0 (disabled) |
| TLS minimum strong RSA key length | 1024 bits |
| TLS minimum strong DH key length | 1024 bits |
| TLS minimum strong ECC key length | 163 bits |
| TLS disable invalid connection | 0 (disabled) |
| TLS restrict FIPS ciphers | False |
| TLS minimum strong DSA key length | 1024 bits |

Wireless TLS (WTLS) Application Policy Group

The following group of settings controls the use of Wireless Transport Layer Security:

| Name | Value |
|---|---|
| WTLS disable weak ciphers | 0 (disabled) |
| WTLS disable untrusted connection | 0 (disabled) |
| WTLS minimum strong RSA key length | 1024 bits |
| WTLS minimum strong DH key length | 1024 bits |
| WTLS minimum strong ECC key length | 163 bits |
| WTLS disable invalid connection | 0 (disabled) |

Desktop Policy Group

The following group of settings controls the Desktop Policy:

| Name | Value |
|---|---|
| Desktop password cache timeout | 10 minutes |
| Desktop allow desktop add-ins | False |
| Desktop allow device switch | False |
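A practitioner applying this baseline usually wants to verify that the policy actually in force on a device matches it, without flagging settings that are stricter than the baseline (a shorter timeout, a longer minimum password). The following is an added example written for this page, not code from the original document or from BlackBerry; it encodes the numeric and boolean settings from the tables above, with the comparison direction per setting being the editor's interpretation (a shorter timeout is stricter, a longer key is stricter). The effective-policy input is a constructed Python dictionary in the tables' units, not a real BES export, and the TLS/WTLS items whose value the page gives as "0 (disabled)" are left out because that notation does not map unambiguously to a boolean.

```python
# Added example, not part of the original document: check a device's effective
# IT policy values against the baseline tables above and report any drift.
# Setting names and units follow the tables; the sample inputs are constructed.
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass(frozen=True)
class Rule:
    expected: Any
    mode: str  # "eq": must match; "min": actual >= baseline; "max": actual <= baseline


# Direction matters: a shorter timeout or a longer minimum password is stricter
# than the baseline and must not be reported as a finding. The "min"/"max"
# assignments are the editor's interpretation of each setting, not page text.
BASELINE: Dict[str, Rule] = {
    # Ungrouped device-only items
    "Password required": Rule(True, "eq"),
    "Allow PIN to PIN": Rule(False, "eq"),
    "Minimum password length": Rule(7, "min"),
    "Users can disable passwords": Rule(False, "eq"),
    "Maximum security timeout": Rule(3, "max"),            # minutes
    "Maximum password age": Rule(90, "max"),               # days
    "Password pattern checks": Rule(3, "min"),
    "Enable long term timeout": Rule(True, "eq"),
    "Enable WAP configuration": Rule(False, "eq"),
    # Password policy group
    "Set password timeout": Rule(3, "max"),                # minutes
    "Set maximum password attempts": Rule(3, "max"),
    "Suppress password echo": Rule(True, "eq"),
    "Maximum password history": Rule(8, "min"),
    # CMIME application policy group
    "Disable revoked certificate use": Rule(True, "eq"),
    "Disable invalid certificate use": Rule(True, "eq"),
    "Disable weak certificate use": Rule(True, "eq"),
    "Key store password maximum timeout": Rule(60, "max"),  # minutes
    "Disable third-party applications download": Rule(True, "eq"),
    "Forced lock when holstered": Rule(True, "eq"),
    # TLS minimum key lengths (bits)
    "TLS minimum strong RSA key length": Rule(1024, "min"),
    "TLS minimum strong DH key length": Rule(1024, "min"),
    "TLS minimum strong DSA key length": Rule(1024, "min"),
    "TLS minimum strong ECC key length": Rule(163, "min"),
    # Desktop policy group
    "Desktop password cache timeout": Rule(10, "max"),     # minutes
    "Desktop allow desktop add-ins": Rule(False, "eq"),
    "Desktop allow device switch": Rule(False, "eq"),
}


def _complies(rule: Rule, actual: Any) -> bool:
    if rule.mode == "eq":
        return actual == rule.expected
    if rule.mode == "min":
        return actual >= rule.expected
    if rule.mode == "max":
        return actual <= rule.expected
    raise ValueError(f"unknown mode {rule.mode!r}")


def check_policy(effective: Dict[str, Any]) -> List[str]:
    """Return one finding per setting that is missing, mistyped, or weaker than baseline."""
    findings: List[str] = []
    for name, rule in BASELINE.items():
        if name not in effective:
            findings.append(f"{name}: not set (baseline {rule.expected})")
            continue
        actual = effective[name]
        # bool is a subclass of int, so compare exact types: an integer 1 is
        # not accepted where the baseline expects a boolean, and vice versa.
        if type(actual) is not type(rule.expected):
            findings.append(f"{name}: unexpected type {type(actual).__name__}")
            continue
        if not _complies(rule, actual):
            findings.append(f"{name}: {actual} (baseline {rule.expected}, {rule.mode})")
    return findings


# Constructed sample: a policy that matches the baseline exactly.
COMPLIANT: Dict[str, Any] = {name: rule.expected for name, rule in BASELINE.items()}

# Constructed sample: stricter than baseline in two places, weaker in two,
# one value of the wrong type, and one setting missing entirely.
SAMPLE: Dict[str, Any] = dict(COMPLIANT)
SAMPLE.update({
    "Minimum password length": 8,          # stricter than 7: no finding
    "Maximum security timeout": 2,         # stricter than 3 minutes: no finding
    "Allow PIN to PIN": True,              # weaker: finding
    "Set maximum password attempts": 10,   # weaker: finding
    "Password required": 1,                # int instead of bool: finding
})
del SAMPLE["Desktop allow device switch"]  # missing: finding

if __name__ == "__main__":
    for finding in check_policy(SAMPLE):
        print(finding)
```

Run against SAMPLE this reports four findings (the type mismatch, the two weakened settings, and the missing desktop setting) and nothing for the two stricter values; the exact-type check is deliberate because a policy export that renders booleans as 0/1 would otherwise pass silently.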