Protecting the BlackBerry Enterprise Solution Connections - BlackBerry Enterprise Solution Security Technical Overview

Configuration option
Delete unsecured, old setup files
Audit connections to the Microsoft SQL Server
Changing the BlackBerry Configuration Database
If the BlackBerry Enterprise Server administrator moves the BlackBerry device to a BlackBerry Enterprise Server
that uses a different BlackBerry Configuration Database, the BlackBerry Enterprise Server administrator or a
BlackBerry device user must permanently delete all BlackBerry device user and application data, the BlackBerry
device master encryption key, and the IT policy public key from the BlackBerry device. For more information, see
"Types of remote BlackBerry device wipes" on page 62.
The BlackBerry Enterprise Server administrator or the BlackBerry device user must initiate regeneration of a new,
unique master encryption key. The new BlackBerry Enterprise Server must generate a unique IT policy private
and public key pair and digitally sign and send the Default IT policy and the IT policy public key to the
BlackBerry device before the BlackBerry device can communicate with the new BlackBerry Enterprise Server.
The new BlackBerry Configuration Database stores the new BlackBerry Enterprise Server name and the
BlackBerry device master encryption key and IT policy private key.

Protecting the BlackBerry Enterprise Solution connections

The BlackBerry Enterprise Server is designed to communicate with the BlackBerry Infrastructure using SRP
authentication to establish a connection to the wireless network. The BlackBerry Enterprise Server contacts the
BlackBerry Infrastructure to establish an initial connection using SRP.
The BlackBerry Enterprise Server and the BlackBerry Infrastructure perform an authentication handshake when
they attempt to establish a connection. If the authentication fails, they do not establish a connection. If a
BlackBerry Enterprise Server uses the same unique SRP authentication key and unique SRP ID to connect to (and
then disconnect from) the BlackBerry Infrastructure five times in one minute, the BlackBerry Infrastructure
disables that SRP ID to prevent a malicious user from using the same SRP ID (for example, to try to create a
Denial of Service condition).
After the BlackBerry Enterprise Server and the BlackBerry Infrastructure establish an initial connection over the
Internet, the BlackBerry Enterprise Server uses a persistent TCP/IP connection to send data to the BlackBerry
Infrastructure. The BlackBerry Infrastructure uses standard protocols to send data to the BlackBerry device.
A BlackBerry device can bypass SRP connectivity and authentication by using the BlackBerry Router to connect
directly to the BlackBerry Enterprise Server. The BlackBerry Enterprise Server can communicate with the
BlackBerry Router using a combination of the SRP and BlackBerry Router authentication protocols.
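
The lockout rule described above (the same SRP ID connecting and disconnecting five times in one minute) can be watched for on the administrator's side, for example to catch a duplicated SRP ID before the BlackBerry Infrastructure disables it. This is an added example, not code from the manual or from BlackBerry; the log format, the sample SRP IDs and the sliding-window reading of "in one minute" are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)  # "in one minute" (from the text)
THRESHOLD = 5                  # "five times" (from the text)

def build_sample_log():
    """Constructed sample (not a real BES log format): 'timestamp srp_id event'.
    T-FAST cycles every 10 s, T-SLOW every 70 s; both IDs are made up."""
    start = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    for i in range(5):
        for srp_id, step in (("T-FAST", 10), ("T-SLOW", 70)):
            up = start + timedelta(seconds=i * step)
            down = up + timedelta(seconds=5)
            lines.append(f"{up.isoformat()} {srp_id} CONNECT")
            lines.append(f"{down.isoformat()} {srp_id} DISCONNECT")
    return "\n".join(lines)

def parse(log_text):
    """Yield (timestamp, srp_id, event) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("CONNECT", "DISCONNECT"):
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def srp_ids_at_risk(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {srp_id: time of the disconnect that completed the Nth cycle}."""
    connected = set()            # SRP IDs with an open connection
    cycles = defaultdict(deque)  # srp_id -> disconnect times inside the window
    flagged = {}
    for ts, srp_id, event in sorted(parse(log_text)):
        if event == "CONNECT":
            connected.add(srp_id)
        elif srp_id in connected:  # a DISCONNECT that closes a cycle
            connected.discard(srp_id)
            recent = cycles[srp_id]
            recent.append(ts)
            while ts - recent[0] >= window:  # drop cycles older than the window
                recent.popleft()
            if len(recent) >= threshold and srp_id not in flagged:
                flagged[srp_id] = ts
    return flagged

if __name__ == "__main__":
    print(srp_ids_at_risk(build_sample_log()))
```
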
Recommendations

Delete unsecured, old setup files
Delete Microsoft SQL Server setup files that might contain plain text,
credentials encrypted with weak public keys, or sensitive configuration
information that the Microsoft SQL Server logged to a Microsoft SQL Server
version-dependent location during installation.
Note: Microsoft distributes a free tool, Killpwd, which is designed to locate
and delete passwords from unsecured, old setup files on your system. For
more information, see the Microsoft Knowledge Base article "Service Pack
Installation May Save Standard Security Password in File".

Audit connections to the Microsoft SQL Server
At a minimum, log failed connection attempts to the Microsoft SQL
Server and review the log regularly.
When possible, save log files to a different hard drive than the one on
which data files are stored.