Email Services Policy

Details

Version / Release: V1R4

Updated At: 2018-09-23 02:27:54

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-20630r1_rule EMG3-015 EMail MEDIUM Annual procedural reviews are not conducted at the site. A regular review of current E-mail security policies and procedures is necessary to maintain the desired security posture of E-mail services. Policies and procedures should be measured against current Department of Defense (DoD) policy, Security Technical
    SV-20632r1_rule EMG3-020 Exch MEDIUM Exchange with Outlook Web Access is not deployed as Front-end/Back-end Architecture. Microsoft® Exchange supports a server architecture that distributes server tasks among front-end and back-end servers. Front-end/back-end architecture provides for logical separation of protocols, user traffic, and the subsequent ability to secure each o
    SV-20644r1_rule EMG3-045 EMail MEDIUM E-Mail Configuration Management (CM) procedures are not implemented. Uncontrolled, untested, or unmanaged changes can result in an unreliable security posture. All software libraries related to E-mail services must be reviewed, considered, and the responsibility for Configuration Management (CM) assigned to ensure that no
    SV-20646r1_rule EMG0-056 EMail LOW The E-mail Administrator role is not assigned and authorized by the IAO. Separation of roles supports operational security for application as well as human resources. Roles accompanied by elevated privileges, such as that of the E-Mail Administrator, must be carefully regulated and monitored. All appointments to Information
    SV-20650r1_rule EMG3-050 EMail MEDIUM E-mail Services are not documented in System Security Plan. A System Security Plan defines the security procedures and policies applicable to the Automated Information System (AIS). It includes definition of responsibilities and qualifications for those responsible for administering the security of the AIS. For
    SV-20652r1_rule EMG3-028 EMail LOW E-mail software installation account usage is not logged. E-mail Administrator or application owner accounts are granted more enhanced privileges than non-privileged users. It is especially important to grant access to privileged accounts to only those persons who are qualified and authorized to use them. Each
    SV-20654r1_rule EMG3-037 EMail LOW E-mail audit trails are not reviewed daily. Access to E-mail services and software is logged to establish a history of actions taken in the system. Unauthorized access or use of the system could indicate an attempt to bypass established permissions. Reviewing the log history can lead to discover
    SV-20667r1_rule EMG0-075 EMail MEDIUM E-mail Administrator Groups do not ensure least privilege. When an oversight responsibility is assigned to the same person performing the actions being overseen, the function of oversight is compromised. When the responsibility to manage or control one application or activity is assigned to one party yet another
    SV-20669r1_rule EMG3-079 EMail MEDIUM Automated audit reporting tools are not available. Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Log files help establish a history of activities, and can be useful in d
    SV-20671r1_rule EMG3-071 EMail MEDIUM E-mail audit records are not retained for 1 year. Audit data retention serves as a history that can aid in determining actions executed by users and administrators. Reasons for such research include both malicious actions that may have been perpetrated, as well as legal evidence that might be needed for
    SV-20673r1_rule EMG3-006 E-mail MEDIUM Audit logs are not included in backups. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit logs are essential to the investigation and prosecution of unauthorized access to Exchange
    SV-20675r1_rule EMG3-005 EMail LOW The E-mail backup and recovery strategy is not documented or is not tested on an INFOCON compliant frequency. A disaster plan exists that provides for the smooth transfer of all mission or business essential functions to an alternate site for the duration of an event with little or no loss of operational continuity. The backup and recovery plan should include b
    SV-20677r1_rule EMG3-009 EMail MEDIUM E-mail backup and recovery data is not protected. All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the backup and recovery data exposes it to risk of potential theft or damage that may ultimately prevent a successful resto
    SV-20679r1_rule EMG3-007 EMail MEDIUM E-mail backups do not meet schedule or storage requirements. Hardware failures or other (sometimes physical) disasters can cause data loss to active applications, and the need for expedient recovery. Ensuring that backups are conducted on an agreed schedule creates a timely copy from which to recover active system
    SV-20681r1_rule EMG3-010 EMail MEDIUM E-mail critical software copies are not stored offsite in a fire rated container. There is always potential that accidental loss can cause system loss and that restoration will be needed. In the event that the installation site is compromised, damaged or destroyed, copies of critical software media may be needed to recover the systems
    SV-20683r1_rule EMG0-090 EMail LOW E-mail acceptable use policy is not documented in the System Security Plan or does not require annual user review. E-mail is only as secure as the recipient, which can be either a server or a human (client). Add to that, the surest way to prevent SPAM and other malware from entering the E-mail message transfer path by using secure IA measures at the point of origin.
    SV-20685r1_rule EMG0-092 EMail LOW E-mail Acceptable Use Policy does not contain required elements. E-mail is only as secure as the recipient, which can be either a server or a human (client). Add to that, the surest way to prevent SPAM and other malware from entering the E-mail message transfer path by using secure IA measures at the point of origin.
    SV-21609r1_rule EMG3-106 Exch2K3 HIGH E-mail services and servers are not protected by routing all SMTP traffic through an Edge Transport Server. Separation of roles supports operational security for application and protocol services. Since 2006, Microsoft best practices had taken the direction of creating operational “roles” for servers within E-mail services. The Edge Transport server role
    SV-21613r1_rule EMG3-108 Exch2K3 HIGH E-mail web services are not protected by having an application proxy server outside the enclave. Separation of roles supports operational security for application and protocol services. The HTTP path to web sites is a proven convenience in requiring only a browser to access them, but is simultaneously a well known attack vector for people and applic