Mod Security on Apache

Similar Messages

• Server, Port details are revealed after enabling Mod Security

  Hi,
  I have applied the mod security on the OAS to remediate the cross site scripting. With this fix the cross site scripting is remediated and prevent XSS attacks (HTML/Javascript injection). However on the browser with Show friendly error message unchecked the error page displays with server & its port information, whereas with checkbox checked error page 406 is displayed.
  All i need is not to display the server and its port while showing the error page. Please suggest how i resolve this.
  Regards,
  R.Babu

  Hi,
  This is what i have added in the httpd.conf when there is an error which will direct to 406 error page.
  SecFilterDefaultAction "deny,log,status:406"
  I dont know how to create direct it to the one i define (can you help here). I believe even then with Show friendly HTTP error mesages unchecked i will not get my error page i defined.
  - Babu

• Transport + Message (Both mode) security in WCF ?

  Hello,
  In WCF, how transport + message security is implemented ?
  i.e. How X.509 certificates are used to encrypt transport + message (BOTH mode) security ?
  Thanks in advance

  Hi,
  >> how transport + message security is implemented ?
  It seem that you want to implement the both transport and message security mode in one wcf application, I will suggest you use the security mode
  TransportWithMessageCredential.
  When the TransportWithMessageCredential security mode is configured, the transport security is used to provide confidentiality and integrity for the transmitted messages and to perform the service authentication. However,
  the client authentication is performed by putting the client credential directly in the message. This allows you to use any credential type that is supported by the message security mode for the client authentication while keeping the performance
  benefit of transport security mode. In one word is that client authentication is provided at the message level, and message protection and service authentication are provided at the transport level.
  For more information, please try to refer to:
  #Message and Transport Security:
  http://msdn.microsoft.com/en-us/library/ff648863.aspx .
  >>How X.509 certificates are used to encrypt transport + message (BOTH mode) security
  In the service side, the X.509 certificates will use to provide the message protection and service authentication. If you used the certificate authentication, then in the client side, the X.509 certificates will use to
  identify itself to the server.
  For more information, please try to refer to:
  #How to: Secure a Service with an X.509 Certificate:
  http://msdn.microsoft.com/en-us/library/ms788968(v=vs.110).aspx .
  Best Regards,
  Amy Peng
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• Solaris 10: Compiling Mod Security 2.5.9 on existing Apache 2.0.63

  I cant seem to get it to compile. I get multiple errors (linker input file unused because linking not done) when i try a make. Eg.
  /var/apache2/build/libtool silent mode=compile /opt/SUNWspro/bin/cc -prefer-pic -xO3 -xarch=v8 -xspace -W0,-Lt -W2,-Rcond_elim -Xa -xildoff -xO4 -DSSL_EXPERIMENTAL -DSSL_ENGINE -DSOLARIS2=10 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/apache2/include -I/usr/apache2/include -I/usr/apache2/include -I/usr/sfw/include -O2 -g -Wall -I/usr/apache2/include -I/usr/local/include -I/usr/local/include/libxml2 -c -o mod_security2.lo mod_security2.c && touch mod_security2.slo
  cc: unrecognized option `-Xa'
  cc: unrecognized option `-KPIC'
  cc: language O4 not recognized
  cc: mod_security2.c: linker input file unused because linking not done
  Pls help!

  Hi,
  Try with following steps.
  Step-1
  Apache 2.0.x, install the plug-in by copying the mod_wl_20.so file to the APACHE_HOME\modules directory and adding the following line to your APACHE_HOME/conf/httpd.conf file manually:
  LoadModule weblogic_module modules/mod_wl_20.so
  Step-2
  Apache 2.0.x, manually add the following line to the httpd.conf file:
  LoadModule weblogic_module modules\mod_wl_20.so
  Step-3
  For a non-clustered WebLogic Server:
  <IfModule mod_weblogic.c>
  WebLogicHost myweblogic.server.com
  WebLogicPort 7001
  </IfModule>
  If you want more detail please refer the following link. http://e-docs.bea.com/wls/docs90/plugins/apache.html
  I know this is late response for you. But it will helpful for others.
  Regards,
  Balaji,
  System Admin
  Arman Infotech Systems
  India

• Web Service security with Apache Axis. 403 forbidden error

  Hello.
  I have to invoke a Web Service method via https. To achieve that, I have correctly added the server certificate to my truststore.
  When I invoke the method, I obtain this error:
  AxisFault
  faultCode: {http://xml.apache.org/axis/}HTTP
  faultSubcode:
  faultString: (403)Forbidden
  This is because the server requests me for a client certificate.
  I have the certificate, but I don't know how to use it in the java client.
  Does anybody know how to do that? Any kind of help will be very useful.
  Thank you very much in advance.
  NOTE: If I write the url of the web service in a web browser, the server requests me for a client cert. When I chose the appropiate certficate, the web browser shows me this message from the web service: "Hello, this is a Web Service"

  Finally my problem has been solved.
  I added the necesary properties to the system and everything went well.
  This is the code:
  String trustStore = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar);
  String keyStore = System.getProperty("java.home") + "/lib/security/keystorePKCS12".replace('/', File.separatorChar);
  String tspasswd = "myTrustStorePassword";
  String kspasswd = "myKeyStorePassword";
  System.setProperty("javax.net.ssl.trustStore", trustStore);
  System.setProperty("javax.net.ssl.trustStorePassword", tspasswd );
  System.setProperty("javax.net.ssl.keyStore", keyStore);
  System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
  System.setProperty("javax.net.ssl.keyStorePassword", kspasswd );It's necesary to say that my keystore is PKCS12 type, and it stores only one pkcs certificate.
  Note that is also posible to set these system properties in the Tomcat start script.

• Mac OS X Target Disk Mode Security Hole?

  I just put my iBook in Target disk mode (as in held down T while booting, so that it appears as an external disk on my PowerMac G5 via a firewire cable) and my G5 has root (well, unlimited) access to the iBook's hard disk! No passwords asked!
  I could just take anyone's computer and attach with a firewire cable.. and bob's your uncle, access to anyone's files! What's going on?!
  Both Macs are on 10.4.3

  If you are concerned about security, note what the second paragraph of the article: Macintosh: How to Use FireWire Target Disk Mode has to say:
  Important: The computer will not go into FireWire target disk mode if "Open Firmware Password" has been enabled.You can find out about Open Firmware here: Setting up Open Firmware Password Protection in Mac OS X 10.1 or later.

• Wallpaper GPO + Loop-back Merge mode+ security filtering. issue

  I have deployed a loopback Merge Mode GPO to set wallpaper for all users who logon to specified workstations. And you have set security filtering just allow workstations in specified group can apply this GPO. Then you doubt whether user can apply user configuration
  in the loopback GPO because they don’t in your security filtering allow list.
  So I think why not add “Domain Users” group to security filtering. Then all domain users have both Read and AGP (Apply Group Policy) permission for user configuration in the loopback GPO.
  Loopback GPO only takes effect on computer objects in your specified OU, and your workstation group security filtering control apply scope, then “Domain Users” security filtering grant permissions for all users.
  ========================issue is below================
  Now GPO is applying to other workstations which are not part of group filtered in GPO.
  its randomly but not for all workstations..
  Workstations are XP operating systems..

  I have deployed a loopback Merge Mode GPO to set wallpaper for all users who logon to specified workstations. And you have set security filtering just allow workstations in specified group can apply this GPO. Then you doubt whether user can apply user configuration
  in the loopback GPO because they don’t in your security filtering allow list.
  So I think why not add “Domain Users” group to security filtering. Then all domain users have both Read and AGP (Apply Group Policy) permission for user configuration in the loopback GPO.
  Loopback GPO only takes effect on computer objects in your specified OU, and your workstation group security filtering control apply scope, then “Domain Users” security filtering grant permissions for all users.
  ========================issue is below================
  Now GPO is applying to other workstations which are not part of group filtered in GPO.
  its randomly but not for all workstations..
  Workstations are XP operating systems..
  "Domain Users" or I would prefer "Authenticated Users" should only have Read, Not Apply Policy. 
  Enfo Zipper
  Christoffer Andersson – Principal Advisor
  http://blogs.chrisse.se - Directory Services Blog

• Mods, Security issue in my unread messages

  Dear Mods and readers
  I was somewhat aggravated this morning to receive the following message in my "unread messages" as I logged onto the forum.
  I IS CLEARLY A SCAM!!:
  My Dear,
  Permit me to inform you of my desire of going into business relationship with you.I know this mail may come to you as a surprise,since we have not known or written before.After you receive this mail kindly contact me on my private Email contact below,([email protected]) for the full details of the transfer.
  I am Miss Bella Duncan,the Only Daugther of the late Gavin Duncan,my father was a gold and cocoa mercahant based in accra, Ghana and Abidjan (Ivory Coast),he was poisoned to death by his business associates on one of their business trips recently.Before his death, he called me bedside him and told me that he has the sum of $7.500,000USD deposited in one of the prime bank here in abidjan ivory coast,that he used my name being the only Daugther as the next of kin in deposited fund.Please my dear contact me on my private email for the full informations and my picture and the deposited slip and other douctments conciering the transfer.I will need your assistance as follows;
  1) To assist me in retriving this money from the bank.
  2) To serve as the guardian of this fund.
  3) To make arrangement for me to come over to your country to further my education and to secure a residential permit in your country.Moreover,I am willing to offer you 15% of the total sum as compensation for your effort/input after the successful transfer of this fund to your nominated account overseas.
  Reply to my private e-mail box below for more details)
  Anticipating to hear from you soon.
  Awaiting your urgent reply.
  Regards,
  Miss Bella [email protected]
  PLEASE MODS CAN WE TAKE SOME ACTION TO STOP THIS!
  tHANKYOU
  Solved!
  Go to Solution.

  Hi chris
  I had the same via PM on 06/10/10
  I sent this to Kerry for her attention
  Kerry already knew of this and prevented the user from posting further messages
  Maybe this person has created a new id and started again
  -+-No longer a forum member-+-

• Is bridge mode secure?

  I am using a imac connected to Time Capsule, then to tmobile cell spot booster, then to comcast modem.  Apparently each has a function.  But the TC made me change its setting to Bridge Mode. I'd wondering if this is less secure.  Does the security come through the sign in I have to do for the Comcast and TMobile routers?

  The security is furnished by the main network router, so in your case bridge mode is secure since you are connecting to the main network router.

• 6.1 to 7.0 compatability mode security exception

  I have a 7.0 server in compatability mode with a client which obtains
  contexts to both
  servers and attempts to execute beans on both servers.
  However in certain cases I get the following exception
  Anyone seen this.
  I do have a support case open.
  Exception on login...
  java.lang.SecurityException: Invalid Subject: principals=[system]
  Start server side stack trace:
  java.lang.SecurityException: Invalid Subject: principals=[system]
  at
  weblogic.security.service.SecurityServiceManager.seal(SecurityService
  Manager.java:943)
  at
  weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.ja
  va:147)
  at
  weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.jav
  a:309)
  at
  weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest
  .java:30)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:153)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:134)
  End server side stack trace
  at
  weblogic.rmi.internal.BasicOutboundRequest.sendReceive(BasicOutboundR
  equest.java:85)
  at
  weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteR
  ef.java:262)
  at
  weblogic.rmi.cluster.ReplicaAwareRemoteRef.invoke(ReplicaAwareRemoteR
  ef.java:229)
  at weblogic.rmi.internal.ProxyStub.invoke(ProxyStub.java:35)
  at $Proxy1.getHomeHandle(Unknown Source)
  at com.tfn.autex.util.Service.getHome(Service.java:146)
  at
  com.tfn.autex.util.ServiceLocator.getService(ServiceLocator.java:89)
  at
  com.tfn.autex.connection.WLInstance.getFixSessionBean(WLInstance.java
  :330)
  at
  com.tfn.autex.connection.WLInstance.loginConnection(WLInstance.java:4
  76)
  at
  com.tfn.autex.connection.HostConnectionImpl.loginConnection(HostConne
  ctionImpl.java:496)
  at
  com.tfn.autex.TestClient.FixDriverTest.login(FixDriverTest.java:106)
  at
  com.tfn.autex.TestClient.FixDriverTest.main(FixDriverTest.java:312)
  Invalid Subject: principals=[system]
  Start server side stack trace:
  java.lang.SecurityException: Invalid Subject: principals=[system]
  at
  weblogic.security.service.SecurityServiceManager.seal(SecurityService
  Manager.java:943)
  at
  weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.ja
  va:147)
  at
  weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.jav
  a:309)
  at
  weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest
  .java:30)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:153)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:134)
  End server side stack trace
  Terminate batch job (Y/N)? y
  C:\projects\jcvs\its\java\3.1-75>'

  Hard to say without more information. I'd start by taking some simple
  timing checks or profiles on both the 6.x and 7.0 servers and comparing.
  It'd be helpful to get a general idea which area of the system is
  slower (ie is it in the web tier, ejbs, accessing the 3rd party data etc.)
  -- Rob
  Tony Heiderscheidt wrote:
  We are migrating an exsiting application from WLS 6.1 to WLS 7.0 SP1. Performance degraded significantly with only this change. Is there anything obvious or identified as to why when all other things remain constant that this Upgrade would cause such an impact.
  The application basically takes a http transaction, invokes an EJB, the EJB uses RAR's for access to 3rd party data.
  Environment:
  OS - HP Tru64 5.1a
  JVM - Java Fast VM (1.3.1-2)
  WLS version - WLS 7.0 SP1
  We can upgrade to the latest JVM from HP and maybe increase performance however that only masks the issue and doesn't correct or identify the problem.

• Setup and Security of XP Mode in Windows 7 SP1

  I purchased my new ThinkPad W530 with Windows 7 SP1 and XP Mode factory installed to allow use of some "legacy" programs.  Presumably the first thing I have to do (if I can figure out how to get XP activated) is to download all the updates before extended support ends in April.  Reading the accompanying Lenovo documentation, I see the statement, "Note: For secuirty reasons, you should run a version of the antivirus program and firewall that you use with your Windows 7 operating systems."  (I presume they mean inside the virtual machine.)
  Has anyone satisfactorily accomplished this?  Does it mean I have to install (for example) MSE in the virtual copy of XP, somehow keep it updated as well, and, of course, turn on the Windows XP SP3 firewall (and/or purchase and install another copy of, for example, W78C)?  Will such installations and settings persist from session to session of XP Mode, or do they have to be renewed at every new session?  Similarly with Windows Updates -- do they persist through a shutdown once installed?
  Once XP support ceases, I suppose the only safe thing to do is shut off Internet access to XP entierely through its built-in firewall.  Does that agree with prevailing wisdom?
  Any experience or suggestions would be most welcome! -- JCW2

  Nobody has answered your questions, so I'll give it a shot, but I emphasize I'm not any kind of expert.
  Here's how I set up Windows 7 Virtual PC XP Mode:
  1) Both the XP Mode and Virtual PC install packages are available on the download.microsoft.com web site and can be installed once your PC has passed the "Genuine Windows" test, so it's convenient to visit that website with Microsoft's Internet Explorer--an ActiveX control will be used.
  2) The Windows XP Mode is installed first, then the Virtual PC "Update" (.msu) package. I think a reboot was necessary the last time I did it.
  3) Once rebooted, use the "Windows Virtual PC"-->"Windows XP Mode" shortcut to start the process rolling. You don't need to be logged into an admistrative account to do this--use your regular login account--since the Windows Virtual PC machines are set up for each individual user of your machine.
  4) You will be asked various questions, such as to set a password for XP Mode--make sure you tick the option to store the password, and later to enable automatic Windows Updates. Depending on the speed of your PC, the complete setup might take 5-10 minutes.
  5) Finally, the window opens to the complete XP desktop, and the first thing to do is to start the MSIE 6.0 browser using the "Windows Update" shortcut in the Start Menu. The browser will ask for permission to install various bits and pieces of the Windows Update program, and eventually get you to a web page that offers a choice of Automatic or Custom updates. I always choose Custom, since I don't want extra programs like Bing Bar or Windows Live Blog/Video/Picture editors. I do install "Windows Search 4.0" for easy searches in the virtual XP machine.
  N.B. If you install a program in Windows XP mode that registers itself as the default program for particular file types, these choices will often be transferred to the host Windows system! So you have to be really careful when installing e.g. an old version of Microsoft Office in Windows XP mode, since you may then find that opening an Office document in Windows 7 suddenly starts up the program version installed in the virtual XP Mode. You can correct these missteps in the Windows 7 Control Panel's "Default Programs" area.
  6) Using the Windows Update website displayed in the browser choose and install all the updates you want--I install everything except the optional standalone programs like the ones I mentioned earlier.
  7) You'll need to go through 2 or 3 reboot cycles of the virtual XP machine to get all the updates. I also switch to the "Microsoft Update" web site choice given on the "Windows Update" website in order to obtain the maximum number of critical and optional updates. make sure the XP system's "System Restore" feature is enabled!
  8) Install all the other programs you want in the virtual XP machine and their updates.
  9) At this point, I shutdown the XP machine entirely via the "Ctrl+Alt+Del" menu point of the XP Mode window and choosing "Shutdown" in the XP dialog--remember that XP Mode is configured to hibernate when the close button is used on the XP Mode enclosing window.
  10) Each time before I make major changes in the virtual XP machine I go via the Windows 7 Start Menu into the Settings of the Windows XP Mode machine (i.e. "Windows Virtual PC"-->"Windows Virtual PC" and enable "Undo Disks". This setting is useful when you recognize that something has gone wrong/mis-configured in the XP Mode and you want to completely drop the changes. After the major changes are shown to work, use the "Apply changes" choice in the Undo Disk settings panel. I keep the Undo Disk always enabled in any case.
  Windows XP mode security (set in the Settings panel of the XP Mode machine):
  1) if you are not going to use any Internet connection from programs running in the virtual XP, set the Networking to "Internal Network" or "Not Connected" except when updating the machine.
  2) if read/write access to the local disks of the Windows 7 host system is not really required from the XP machine, disable it in the "Integration Features" panel.
  3) Microsoft Security Essentials has steadily lost ground in its detection rates of malware activity over the last 2 years, eventhough it is very efficient in use of system resources. One of the lighter weight free anti-malware XP compatible products that keep a local off-line signature database and monitor system activity (e.g. Avira or AVG) will probably keep the XP virtual machine healthy.
  4) If you use Internet via the XP machine, you should have good current anti-malware-behavior software installed on the host Windows 7 machine, so that anything that "jumps the gap" from XP to the host is caught--XP is still a relatively greater security risk.
  Anyway, that is roughly how I set up Windows XP Mode.

• Major Security Fail since OSX Update - Password Request from Screensaver & Sleep Mode

  Like me, I'm sure you walk away from your Mac with the knowledge that your computer is safe from prying eyes once the screensaver or sleep mode activates.
  Not anymore..!
  Since the recent 10.10.3 OSX update to fix a hidden backdoor API security issue, Apple have unknowingly left users wide open with an error in System Preferences' Security & Privacy.
  It is recommended that users shut down their machine and not rely on screensaver and sleep mode security.
  The password request does NOT work...
  Well done, Apple.

  My Macs all ask for passwords still, however none of them will automatically start the screensaver anymore.  I have to manually start the screensaver using hot corners.
  I would have believed it to be an issue with a 3rd party application or a specific configuration, except all FOUR of my Macs started doing this the moment I loaded 10.10.3.
  The other oddity is, if I sit and watch my macs with the screensaver running, periodically the password prompt / login window appears like someone moved the mouse or pressed a key (except no one did).
  I have tried resetting to different screensavers, resetting the timeout for the screensaver to something different....and of course, turning it off and on again.
  Sure hope Apple fixes this soon.
  Systems:
  iMac (27-inch, Late 2013)
  10.10.3 (14D136)
  3.5 GHz Intel Core i7
  32 GB 1600 MHz DDR3
  iMac (27-inch, Late 2012)
  10.10.3 (14D136)
  3.4 GHz Intel Core i7
  32 GB 1600 MHz DDR3
  MacBook Pro (13-inch, Mid 2012)
  10.10.3 (14D136)
  2.9 GHz Intel Core i7
  8 GB 1600 MHz DDR3
  Mac mini Server (Mid 2011)
  10.10.3 (14D131)
  2 GHz Intel Core i7
  16 GB 1600 MHz DDR3
  NOTE: The issue seems to not be consistent on this system.

• Wpa2 security vs. wpa2/wpa mixed mode

  What's the advantage of using the "wpa2/wpa mixed mode" security setting vs. wpa2? Is the mixed mode setting as security as the wpa2 only setting?
  Thanks
  Solved!
  Go to Solution.

  WPA2 is the next generation of Wi-Fi security. It is the Wi-Fi Alliance's interoperable implementation of the ratified IEEE 802.11i standard. It implements the National Institute of Standards and Technology (NIST) recommended Advanced Encryption Standard (AES) encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). WPA2 facilitates government FIPS 140-2 compliance, and it is fully supported by the Cisco Wireless Security Suite..
  WPA and WPA2 mixed mode operation permits the coexistence of WPA and WPA2 clients on a common SSID. WPA and WPA2 mixed mode is a Wi-Fi certified feature. During WPA and WPA2 mixed mode, the Access Point (AP) advertises the encryption ciphers (TKIP, CCMP, other) that are available for use. The client selects the encryption cipher it would like to use and the selected encryption cipher is used for encryption between the client and AP once it is selected by the client.

• The server principal "XYuser" is not able to access the database "Ydb" under the current security context

  SQL2005 on winserver 2003. I have a view in Xdb that accesses tables in 2 different databases (Xdb and Ydb) on the same server. I have mixed mode security. I have a SQL user (XYuser) that has read access to all tables and views on both databases, yet when I try to access the view using a C# windows application I get the following error:
  The server principal "XYuser" is not able to access the database "Ydb" under the current security context
  This same scenario works under SQL 2000. I looked through the postings and tried to set TRUSTWORTHY ON on both databases but that didn't help. I can access any other views or tables on the SQL 2005 server, just not the one that joins the tables cross databases. Any help is much appreciated... john

  This appears to be a Login/Database Mapping issue.  I was having this problem, but was able to resolve it as follows:
  Using the SQL Server management Studio:
  In the Object explorer, under the SERVER security folder (not the database security folder), expand Logins. 
  That is: ServerName -> Security -> Logins
  NOT: ServerName -> Databases -> DatabaseName -> Security -> Users
  Select the Login that is having the troubles.  Right click on the Login and select ‘Properties.’
  The ‘User Mapping’ page should list all databases on the server with a check mark on the databases that the Login has been mapped to.  When I was getting the error, the database in question was not checked (even though the Login was assigned as a User on the database itself).  Map the Login by checking the box next to the database name.  Set the default schema.  Then select the roles for the Login in the Database role membership list box.  I selected db_datareader and public.  After clicking OK to save the changes, the problem was resolved.
  In order to ‘Map’ the Login, the Login must not already be as User on the database, so you may have to go to the database security (ServerName -> Databases -> DatabaseName -> Security -> Users) and delete the Login from the list of database Users before mapping the Login to the database.

• How do I get Mass Storage Mode Support turned on my BB?

  Okay I am sure there is a way to do this but I have not yet found it. under media card in the setup options I have the following:
  Media Card support set to yes
  Encryption Mode: Security Password and Device
  Encrypt Media Files Yes
  Mass Storage Mode Support: is off with a little red lock by it.
  I really need to be able to change it to on, any ideas? My IT support team does not have a clue of how to turn it on.
  thanks in advance Glenn Thomas..  

  If there is a lock icon next to it you can't enable mass storage mode. It means that the setting is forced via IT Policy. The IT Policy is pushed to every device that is connected to a BES server.