Email Services Policy

  • Version/Release: V1R4
  • Released: 2014-10-24

Annual procedural reviews are not conducted at the site.
Medium - V-18857 - SV-20630r1_rule
  • Severity: Medium
  • Version: EMG3-015 EMail
  • Vuln IDs: V-18857
  • Rule IDs: SV-20630r1_rule
  • Responsibility: Information Assurance Officer
  • IA Controls: DCAR-1

A regular review of current E-mail security policies and procedures is necessary to maintain the desired security posture of E-mail services. Policies and procedures should be measured against current Department of Defense (DoD) policy, Security Technical Implementation Guide (STIG) guidance, vendor-specific guidance and recommendations, and site-specific or other security policy.
Checks: C-22671r1_chk

Review procedures and implementation evidence of annual reviews of Exchange 2003 E-mail Services Information Assurance (IA) policy and procedures. If procedures do not exist, are incomplete, or are not implemented and followed annually or more frequently, then this is a finding. Criteria: If procedures exist, are complete, and annual reviews are conducted annually, this is not a finding.

Fix: F-19565r1_fix

Procedure: Ensure that procedures exist, and that annual reviews are scheduled and completed.

Exchange with Outlook Web Access is not deployed as Front-end/Back-end Architecture.
Medium - V-18858 - SV-20632r1_rule
  • Severity: Medium
  • Version: EMG3-020 Exch
  • Vuln IDs: V-18858
  • Rule IDs: SV-20632r1_rule
  • Responsibility: Information Assurance Officer
  • IA Controls: DCBP-1

Microsoft® Exchange supports a server architecture that distributes server tasks among front-end and back-end servers. Front-end/back-end architecture provides for logical separation of protocols, user traffic, and the subsequent ability to secure each of these aspects of E-Mail technology using discrete security techniques that are appropriate for each. In this architecture, a front-end server accepts requests from clients and proxies them to the appropriate back-end server for processing, and offloads the SSL encryption. The term "back-end server" refers to all servers in an organization that are not front-end servers after a front-end server is introduced into the organization. In a multi-server environment, one or more back-end servers may be cast in the role of ‘Bridgehead’ server. Bridgehead servers are used in large domains that deploy mailbox servers in multiple locations, sometimes spanning wide area network (WAN) (or other slow) connections, or require careful bandwidth management for other reasons. Bridgehead servers work in pairs, one at each side of a location, to manage replication and distribution tasks. The primary advantage of the front-end/back-end server architecture is the ability to expose a single, consistent namespace to end users, for example, https://mail.mycompany.com. Without a front-end server, users must know the name of the server that stores their mailbox.
Checks: C-22790r1_chk

Interview the E-mail administrator or the Information Assurance Officer (IAO). Access the documented topography diagrams and System Security plan information. Sites offering Outlook Web Access (OWA) for remote E-mail access from the Internet should have an Exchange 2003 front-end server. In E-mail environments where OWA is not offered, front-end servers are not needed. Criteria: If the Exchange deployment model is a multi-server environment with OWA and is using a front-end/back-end architecture, this is not a finding.

Fix: F-19298r1_fix

For OWA enabled environments, the environment should be re-engineered to add at least one front-end server. Consult with network and protocol requirements for additional requirements such as perimeter protection, protocol paths and other configuration requirements that some Exchange configurations assume are in place.

E-Mail Configuration Management (CM) procedures are not implemented.
Medium - V-18864 - SV-20644r1_rule
  • Severity: Medium
  • Version: EMG3-045 EMail
  • Vuln IDs: V-18864
  • Rule IDs: SV-20644r1_rule
  • Responsibility: Information Assurance Officer
  • IA Controls: DCPR-1

Uncontrolled, untested, or unmanaged changes can result in an unreliable security posture. All software libraries related to E-mail services must be reviewed, considered, and the responsibility for Configuration Management (CM) assigned to ensure that no libraries or configurations are left unaddressed. This is true even if CM responsibilities appear to cross organizational boundaries.
Checks: C-22457r1_chk

Procedure: Interview the E-mail Administrator or the IAO to ask if CM procedures are in place to prevent untested and uncontrolled software modifications to the production system. Access documentation demonstrating process, scheduling, and signoff procedures. Criteria: If CM procedures are documented and implemented, this is not a finding.

Fix: F-19570r1_fix

Procedure: Implement Configuration Management procedures; document them and follow them. Ensure that patches, configurations, and upgrades are addressed. Process steps should have specific procedures and responsibilities assigned.

The E-mail Administrator role is not assigned and authorized by the IAO.
Low - V-18865 - SV-20646r1_rule
  • Severity: Low
  • Version: EMG0-056 EMail
  • Vuln IDs: V-18865
  • Rule IDs: SV-20646r1_rule
  • Responsibility: Information Assurance Officer
  • IA Controls: DCSD-1

Separation of roles supports operational security for application as well as human resources. Roles accompanied by elevated privileges, such as that of the E-Mail Administrator, must be carefully regulated and monitored. All appointments to Information Assurance (IA) roles, such as Designated Approving Authority (DAA), Information Assurance Manager (IAM), and Information Assurance Officer (IAO), are in writing, and include assigned duties and appointment criteria such as training, clearance and IT designation. The E-mail Administrator role is assigned and controlled by the IAM. The IAM role owns the responsibility to document responsibilities, privileges, training and scope for the E-mail Administrator role. It is with this definition that the IAO is able to monitor assigned resources, ensuring that intended tasks are completed, and that elevated privileges are not used for purposes beyond their intended tasks.
Checks: C-22458r1_chk

Procedure: Review the documented procedures for approval and granting of E-mail Administrator Privileges. Review implementation evidence for the procedures. Criteria: If the E-mail Administrator role is documented and authorized by the IAO, this is not a finding.

Fix: F-19386r1_fix

Procedure: Establish a procedure that ensures the E-mail Administrator role is defined and authorized (assigned) as documented by the IAO.

E-mail Services are not documented in System Security Plan.
Medium - V-18867 - SV-20650r1_rule
  • Severity: Medium
  • Version: EMG3-050 EMail
  • Vuln IDs: V-18867
  • Rule IDs: SV-20650r1_rule
  • Responsibility: Information Assurance Officer
  • IA Controls: DCSD-1

A System Security Plan defines the security procedures and policies applicable to the Automated Information System (AIS). It includes definition of responsibilities and qualifications for those responsible for administering the security of the AIS. For E-mail services, this includes specifically the E-mail Administrator in addition to the standard System Administration (SA) and Information Assurance Officer (IAO) roles. Without a System Security Plan, unqualified personnel may be assigned responsibilities that they are incapable of meeting and E-mail security is prone to an inconsistent or incomplete implementation. Security controls applicable to E-mail services may not be documented, tracked, or followed if not identified in the System Security Plan. Any omission of security control consideration could lead to an exploit of E-mail services vulnerabilities.
Checks: C-22675r1_chk

Interview the IAO. Review the System Security Plan for E-mail services. Review coverage of the following in the System Security Plan:
  • technical, administrative, and procedural IA program and policies that govern E-mail services
  • identification of all IA roles and assignments (IAM, IAO, DBA, SA)
  • specific IA requirements and objectives such as unique security considerations and outage contingency plans.
Criteria: If E-mail services are documented in the System Security Plan, this is not a finding.

Fix: F-19571r1_fix

Procedure: Establish a System Security Plan E-mail services component.

E-mail software installation account usage is not logged.
Low - V-18868 - SV-20652r1_rule
  • Severity: Low
  • Version: EMG3-028 EMail
  • Vuln IDs: V-18868
  • Rule IDs: SV-20652r1_rule
  • Responsibility: Information Assurance Officer
  • IA Controls: ECPA-1

E-mail Administrator or application owner accounts are granted more enhanced privileges than non-privileged users. It is especially important to grant access to privileged accounts to only those persons who are qualified and authorized to use them. Each use of the account should be logged to demonstrate this accountability.
Checks: C-22676r1_chk

Procedure: Interview the IAO or E-mail Administrator. Verify implementation of logging procedures defined for use of the Exchange 2003 installation account. Criteria: If E-mail software installation account usage is logged, this is not a finding.

Fix: F-19572r1_fix

Procedure: Develop and implement a logging procedure for use of the Exchange 2003 software installation account that provides accountability to individuals for any actions taken by the account.

E-mail audit trails are not reviewed daily.
Low - V-18869 - SV-20654r1_rule
  • Severity: Low
  • Version: EMG3-037 EMail
  • Vuln IDs: V-18869
  • Rule IDs: SV-20654r1_rule
  • Responsibility: Information Assurance Officer
  • IA Controls: ECAT-1

Access to E-mail services and software is logged to establish a history of actions taken in the system. Unauthorized access or use of the system could indicate an attempt to bypass established permissions. Reviewing the log history can lead to discovery of unauthorized access attempts. Reviewing the logs daily helps to ensure that prompt attention is given to any suspicious activities discovered therein.
Checks: C-22677r1_chk

Interview the IAO. Review the audit trail review procedures in the System Security Plan. The procedures should include evidence of the occurrence and frequency of reviews. Also review the evidence of review results. Criteria: If audit trail review procedures and evidence of reviews exist, this is not a finding.

Fix: F-19573r1_fix

Procedure: Develop and implement procedures to review audit records daily. Include procedures for response to indications of access by unauthorized usage.

E-mail Administrator Groups do not ensure least privilege.
Medium - V-18877 - SV-20667r1_rule
  • Severity: Medium
  • Version: EMG0-075 EMail
  • Vuln IDs: V-18877
  • Rule IDs: SV-20667r1_rule
  • Responsibility: Information Assurance Officer
  • IA Controls: ECPA-1

When an oversight responsibility is assigned to the same person performing the actions being overseen, the function of oversight is compromised. When the responsibility to manage or control one application or activity is assigned to one party yet another party is also assigned the privilege to the same actions, then neither party can logically be held responsible for those actions. By separating responsibility and permissions by role, accountability is achieved. Roles, once defined, can then be used as “groups” with permissions granted, in the AD domain.

Microsoft names three roles for E-mail administration as a starting point (appearing in diminishing order): E-mail Full Administrator, E-mail Administrator, and E-Mail View-Only Administrator. Because Exchange 2003 is an application, all three roles are subordinate to OS Administrator roles.
  • E-mail Full Administrator has the ability to install the application and configure the access and operational parameters, perform user and configuration setup, and view all aspects of E-mail configuration and performance. The Exchange Installation account would be a good candidate for this group.
  • E-mail Administrator is able to perform user and configuration setup, and view all aspects of e-mail configuration and performance. Operational tasks and administrators would be good candidates for this role.
  • E-mail View-Only Administrator is able to view all aspects of E-mail configuration and performance. Persons or utilities that monitor throughput, connector, and queue performance would be good candidates for this group.
Further granularity is possible, and often makes sense to do, enabling each role to operate using the least possible permissions to perform the role.
Checks: C-22520r1_chk

Procedure: Interview the E-mail administrator or the IAO. Review documentation that describes division of duties by role in the E-mail administration assignments. Criteria: If E-mail Administrator tasks are assigned to a defined role in the organization, and the role is operating at least privilege for the tasks, this is not a finding.

Fix: F-19470r1_fix

Procedure: Create, or have created, Policies / OUs / Security Groups to define roles and permissions for the E-mail Administration team. Verify that each role is commensurate with least possible permission to perform the associated tasks.

Automated audit reporting tools are not available.
Medium - V-18878 - SV-20669r1_rule
  • Severity: Medium
  • Version: EMG3-079 EMail
  • Vuln IDs: V-18878
  • Rule IDs: SV-20669r1_rule
  • Responsibility: Information Assurance Officer
  • IA Controls: ECRG-1

Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. However, audit record collection may quickly overwhelm storage resources and an auditor’s ability to review it in a productive manner. Add to that, an audit trail that is not monitored for detection of suspicious activities provides little value. Regular or daily review of audit logs not only leads to the earliest possible notice of a compromise, but can also minimize the extent of the compromise. Automated Log Monitoring gives the additional boost to the monitoring process, in that noteworthy events are more immediately detected, provided they have been defined to the automated monitoring process. Log data can be mined for specific events, and upon detection, they can be analyzed and summarized by such tools to provide choices for alert methods, reports, trend analyses, and attack scenario solutions.
Checks: C-22523r1_chk

Interview the IAO or the E-mail administrator. Review automated tool usage for reporting of audit trail data. Criteria: If automated tools are available for review and reporting on E-mail Service audit records, this is not a finding.

Fix: F-19576r1_fix

Procedure: Ensure that automated tools are implemented and available for review and reporting on E-mail Service audit records.

E-mail audit records are not retained for 1 year.
Medium - V-18879 - SV-20671r1_rule
  • Severity: Medium
  • Version: EMG3-071 EMail
  • Vuln IDs: V-18879
  • Rule IDs: SV-20671r1_rule
  • Responsibility: Information Assurance Officer
  • IA Controls: ECRR-1

Audit data retention serves as a history that can aid in determining actions executed by users and administrators. Reasons for such research include both malicious actions that may have been perpetrated, as well as legal evidence that might be needed for proof of activity. Audit data records are required to be retained for a period of 1 year.
Checks: C-22681r1_chk

Interview the IAO or E-mail Administrator. Access documentation that describes data retention for audit records. Criteria: If E-mail audit records are retained for required time period (1 year), this is not a finding.

Fix: F-19478r1_fix

Procedure: Ensure that E-mail audit records are categorized and retained for required time period of 1 year.

Audit logs are not included in backups.
Medium - V-18880 - SV-20673r1_rule
  • Severity: Medium
  • Version: EMG3-006 E-mail
  • Vuln IDs: V-18880
  • Rule IDs: SV-20673r1_rule
  • Responsibility: Information Assurance Officer
  • IA Controls: ECTB-1

Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit logs are essential to the investigation and prosecution of unauthorized access to Exchange 2003 software and data. Unless audit logs are available for review, the extent of data compromise may not be determined and the vulnerability exploited may not be discovered. Undiscovered vulnerabilities could lead to additional or prolonged compromise of the data. Audit records should be backed up not less than weekly on to a different system or media than the system being audited, to ensure preservation of audit history.
Checks: C-22682r1_chk

Interview the E-mail Administrator or the IAO. Access documentation that describes inclusion of Exchange audit data with the weekly backups. Audit data specific to Exchange 2003 services are located in %systemroot%\system32\logfiles. Verify that this directory is included in the backup strategy to preserve log history. Criteria: If audit records are backed up at least weekly on to a different system or media, this is not a finding.

Fix: F-19577r1_fix

Ensure that Exchange 2003 audit records are backed up at least weekly on to a different system or media.
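The two preceding requirements (V-18879, one year of audit record retention, and V-18880, weekly backup of the log directory to a different system or media) are both checked by interview and documentation review. The script below is an added example, not part of the STIG or of any DISA tooling, that gives the reviewer corroborating evidence from the file system: it measures how many days of history the log directory named in the check (%systemroot%\system32\logfiles) actually holds, and how fresh the copy on a separate backup location is. The backup path `\\BACKUPSERVER\ExchangeLogs` is an assumed placeholder for the site's own off-system copy, and the 365-day and 7-day thresholds are taken from the requirement text.

```powershell
# Added example (not part of the STIG): corroborate V-18879 (1-year retention)
# and V-18880 (weekly off-system backup) for the Exchange 2003 log directory.
# Written for PowerShell 2.0-era cmdlets so it runs on a Windows Server 2003 host.
param(
    # Directory named in check C-22682r1_chk.
    [string]$LogDir = (Join-Path $env:SystemRoot 'system32\logfiles'),
    # ASSUMPTION: site-specific location of the weekly off-system copy.
    [string]$BackupRoot = '\\BACKUPSERVER\ExchangeLogs',
    [int]$RetentionDays = 365,   # V-18879: audit records retained for 1 year
    [int]$BackupMaxAgeDays = 7   # V-18880: backed up not less than weekly
)

# Summarise the oldest/newest file timestamps under a directory tree.
function Get-LogSpan {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return $null }
    $files = @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
               Where-Object { -not $_.PSIsContainer })
    if ($files.Count -eq 0) { return $null }
    $sorted = @($files | Sort-Object LastWriteTime)
    $oldest = $sorted[0].LastWriteTime
    $newest = $sorted[$sorted.Count - 1].LastWriteTime
    return New-Object PSObject -Property @{
        Path   = $Path
        Count  = $files.Count
        Oldest = $oldest
        Newest = $newest
        Days   = [int](($newest - $oldest).TotalDays)
    }
}

$findings = @()

# V-18879: does the on-disk history span the retention period?
$live = Get-LogSpan -Path $LogDir
if ($null -eq $live) {
    $findings += "V-18879: no log files found under $LogDir"
} elseif ($live.Days -lt $RetentionDays) {
    # Not automatically a finding: older records may be held offline, so the
    # reviewer must confirm where the remainder of the year is retained.
    $findings += ("V-18879: only {0} days of log history on disk (oldest {1}); " +
                  "confirm that records older than this are retained offline " +
                  "to reach {2} days") -f $live.Days, $live.Oldest, $RetentionDays
}

# V-18880: is there a copy on a different system, refreshed within a week?
$copy = Get-LogSpan -Path $BackupRoot
if ($null -eq $copy) {
    $findings += "V-18880: no backup copy of the log directory found at $BackupRoot"
} elseif (((Get-Date) - $copy.Newest) -gt (New-TimeSpan -Days $BackupMaxAgeDays)) {
    $findings += "V-18880: newest backed-up log is dated $($copy.Newest); weekly backup appears stale"
}

if ($findings.Count -eq 0) {
    Write-Output ("Not a finding: {0} days of logs under {1}; backup copy at {2} last refreshed {3}" -f
                  $live.Days, $LogDir, $BackupRoot, $copy.Newest)
} else {
    $findings | ForEach-Object { Write-Output $_ }
    exit 1   # non-zero so the script can be used from a scheduled evidence-collection job
}
```

The script reports rather than decides: a short on-disk history is only a finding if the documentation reviewed under C-22681r1_chk cannot account for the rest of the year, and a current copy on `$BackupRoot` shows that the directory is in the backup set but says nothing about whether the backup media are protected as V-18882 requires.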

The E-mail backup and recovery strategy is not documented or is not tested on an INFOCON compliant frequency.
Low - V-18881 - SV-20675r1_rule
  • Severity: Low
  • Version: EMG3-005 EMail
  • Vuln IDs: V-18881
  • Rule IDs: SV-20675r1_rule
  • Responsibility: Information Assurance Officer
  • IA Controls: CODP-1

A disaster plan exists that provides for the smooth transfer of all mission or business essential functions to an alternate site for the duration of an event with little or no loss of operational continuity. The backup and recovery plan should include business recovery, system contingency, facility disaster recovery plans and plan acceptance.
Checks: C-22534r1_chk

Procedure: Interview the E-mail Administrator or the IAO. Access the System Security Plan or other documentation that describes the backup and recovery strategy for Exchange 2003 E-mail servers. The documentation should detail specifically what files and data stores are saved, including the frequency and schedules of the saves (as required by INFOCON levels), and recovery plans (should they become necessary). The recovery plan should also state a periodic recovery rehearsal to ensure the backup strategy is sound. Criteria: If E-mail Backup and Recovery strategy is documented and periodically tested, this is not a finding.

Fix: F-19578r1_fix

Ensure that the E-mail Backup and Recovery Strategy is documented in the site Disaster Recovery Plan, with components, locations and directions, and is tested according to INFOCON frequency requirements.

E-mail backup and recovery data is not protected.
Medium - V-18882 - SV-20677r1_rule
  • Severity: Medium
  • Version: EMG3-009 EMail
  • Vuln IDs: V-18882
  • Rule IDs: SV-20677r1_rule
  • Responsibility: Information Assurance Officer
  • IA Controls: COBR-1

All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the backup and recovery data exposes it to risk of potential theft or damage that may ultimately prevent a successful restoration, should the need become necessary. Adequate protection ensures that backup components can be used to provide transparent or easy recovery from losses or operations outages. Backup files need the same protections against unauthorized access when stored on backup media as when online and actively in use by the E-mail system. Included in this category are physical media, online configuration file copies, and any user data that will need to be restored.
Checks: C-22536r1_chk

Procedure: Interview the E-mail Administrator or the IAO. Access the System Security Plan documentation that describes protections for the Backup and Recovery data. Direct access must be granted to only processes and personnel who are responsible for handling that data. Criteria: If E-mail backup and recovery data and processes are restricted to authorized groups, this is not a finding.

Fix: F-19579r1_fix

Ensure that only E-mail Administrator and authorized backup and restore personnel have access to Exchange 2003 backup and restore data.

E-mail backups do not meet schedule or storage requirements.
Medium - V-18883 - SV-20679r1_rule
  • Severity: Medium
  • Version: EMG3-007 EMail
  • Vuln IDs: V-18883
  • Rule IDs: SV-20679r1_rule
  • Responsibility: Information Assurance Officer
  • IA Controls: CODB-2

Hardware failures or other (sometimes physical) disasters can cause data loss to active applications, and the need for expedient recovery. Ensuring that backups are conducted on an agreed schedule creates a timely copy from which to recover active systems. Storing backup contents at a separate physical location protects the backup data from site-specific physical disasters. Backup schedule and storage location are determined in accordance with the MAC category and confidentiality level.
Checks: C-22537r1_chk

Procedure: Interview the IAO. Access the site's System Security Plan. Review backup frequency schedule. Also, review file locations, access protections and procedures for offline files, and storage methods. Criteria: If E-mail backups are conducted on schedule and are stored appropriately, this is not a finding.

Fix: F-19580r1_fix

Procedure: Perform follow-up to ensure that E-mail backups are conducted on schedule and are stored appropriately.

E-mail critical software copies are not stored offsite in a fire rated container.
Medium - V-18884 - SV-20681r1_rule
  • Severity: Medium
  • Version: EMG3-010 EMail
  • Vuln IDs: V-18884
  • Rule IDs: SV-20681r1_rule
  • Responsibility: Information Assurance Officer
  • IA Controls: COSW-1

There is always potential that accidental loss can cause system loss and that restoration will be needed. In the event that the installation site is compromised, damaged or destroyed, copies of critical software media may be needed to recover the systems and become operational. Copies of the operating system (OS) and other critical software such as E-mail services applications must be created and stored off site in a fire rated container. If a site experiences loss or compromise of the installed software libraries, available copies can reduce the risk and shorten the time period for a successful E-mail services recovery.
Checks: C-22538r1_chk

Interview the E-Mail Administrator or IAO. Reference a copy of the System Security Plan. Procedure: Review the application software baseline procedures and implementation evidence. Review the list of files and directories included in the baseline procedure for completeness. Criteria: If E-mail software copy exists to serve as a baseline and is available for comparison during scanning efforts, this is not a finding.

Fix: F-19497r1_fix

Procedure: Create E-mail Software Copies for use in recovering systems, should they be needed. Ensure that the copies are stored off site and that details are documented in the system security plan.

E-mail acceptable use policy is not documented in the System Security Plan or does not require annual user review.
Low - V-18885 - SV-20683r1_rule
  • Severity: Low
  • Version: EMG0-090 EMail
  • Vuln IDs: V-18885
  • Rule IDs: SV-20683r1_rule
  • Responsibility: Information Assurance Officer
  • IA Controls: PRRB-1

E-mail is only as secure as the recipient, which can be either a server or a human (client). Add to that, the surest way to prevent SPAM and other malware from entering the E-mail message transfer path is to use secure IA measures at the point of origin. For inbound messages, that point is at the perimeter, where the Edge Transport Role server performs authentication and sanitization measures on the messages. For outbound messages, that point is the human user, who (with assistance from a client application such as Outlook) must use care with actions taken when reading or creating E-mail messages. An E-mail Acceptable Use Policy is a set of rules that describe IA operation and expected user behavior with regard to E-mail services. Formal creation and use of an E-mail Acceptable Use Policy protects both organization and users by declaring boundaries, operational processes, and user training surrounding HelpDesk procedures, legal constraints and E-mail based threats that may be encountered. The Acceptable Use Policy should be distributed to each new E-mail user, as a requirement for obtaining an E-mail account. The policy must also be annually updated, then subject to repeat review by users. Requiring signed acknowledgement of the rules should be a condition of continued access to the E-mail system.
Checks: C-22539r1_chk

Procedure: Interview the IAO. Access the documentation that describes the E-mail Acceptable Use Policy that is followed at the site. The Acceptable Use Policy serves as training for users and sets expectations for E-mail parameters. Criteria: If the E-mail Acceptable Use Policy is documented in the System Security Plan and requires annual user review with signature acknowledgement, this is not a finding.

Fix: F-19581r1_fix

Procedure: Implement an E-mail Acceptable Use Policy that is documented in the System Security Plan or at the organizational level, and requires signed annual review by users.

E-mail Acceptable Use Policy does not contain required elements.
Low - V-18886 - SV-20685r1_rule
  • Severity: Low
  • Version: EMG0-092 EMail
  • Vuln IDs: V-18886
  • Rule IDs: SV-20685r1_rule
  • Responsibility: Information Assurance Officer
  • IA Controls: PRRB-1

E-mail is only as secure as the recipient, which can be either a server or a human (client). Add to that, the surest way to prevent SPAM and other malware from entering the E-mail message transfer path is to use secure IA measures at the point of origin. For inbound messages, that point is at the perimeter, where the Edge Transport Role server performs authentication and sanitization measures on the messages. For outbound messages, that point is the human user, who (with assistance from a client application such as Outlook) must use care with actions taken when reading or creating E-mail messages. E-mail Acceptable Use Policy statements must include, among other items, user education and expectations, as well as penalties and legal ramifications surrounding noncompliance.

User education elements should include such elements as:
  • Classification and Sensitivity Labeling; a user’s electronic signature is the stamp of authenticity that enables information to be trusted.
  • SPAM and PHISHING recognition; the ability to recognize non-authentic messages is key to protecting the organization against user manipulation that results from false information.
  • Acceptable and non-acceptable text content; users should also be acquainted with legal responsibilities surrounding harassment, soliciting, or distribution of inappropriate content as outlined by the organization.
  • Security Constraints; forbidden attachment types and security reasons for each.
  • “Personal business” usage policy; message content guidelines, attention to CC: lists, information sensitivity, chain letters, and spillage prevention.
  • Request help; how to report if you are a witness or victim of misuse, phone numbers for support, troubleshooting, how to request an account for a new user.

User expectations elements should include such elements as:
  • Acceptable Use Policy location; for ongoing reference if needed.
  • E-mail types of services offered; for example, Outlook, OWA and Public Folders included, access from POP3 clients is not allowed, etc.
  • E-mail tools, rules, and alerts; descriptions and official formats of E-mail based announcements that may originate from the E-mail Administration team (to prevent users being SPAMMED or compromised by social engineering exploits). Because there are known social engineering techniques that SPAM users in the form of ‘Administrator Requests’ to end users, it may be advantageous to have an ‘official’ method of communicating, enabling users to then recognize non-authentic requests and report them.
  • Legal issues; what constitutes harassment, threats, or inappropriate language.
  • E-mail Administration processes; how to add, remove, and manage the e-mail user population, report problems or abuse, compromise.
  • Constraints; mailbox, message, and attachment size limitations.
  • Policies; data retention, type of servers, server uptime and maintenance schedules.
  • Penalties for violating the E-mail Acceptable Use Policy.
  • Schedule for periodic review, format for signoff.
Checks: C-22540r1_chk

Procedure: Interview the IAO. Access documentation that describes the elements included in the E-mail Acceptable Use Policy.

User education elements should include such elements as:
  • Classification and Sensitivity Labeling; a user’s electronic signature is the stamp of authenticity that enables information to be trusted.
  • SPAM and PHISHING recognition; the ability to recognize non-authentic messages is key to protecting the organization against user manipulation that results from false information.
  • Acceptable and non-acceptable text content; users should also be acquainted with legal responsibilities surrounding harassment, soliciting, or distribution of inappropriate content as outlined by the organization.
  • Security Constraints; forbidden attachment types and security reasons for each.
  • “Personal business” usage policy; message content guidelines, attention to CC: lists, information sensitivity, chain letters, and spillage prevention.
  • Request help; how to report if you are a witness or victim of misuse, phone numbers for support, troubleshooting, how to request an account for a new user.

User expectations elements should include such elements as:
  • Acceptable Use Policy location; for ongoing reference if needed.
  • E-mail types of services offered; for example, Outlook, OWA and Public Folders included, access from POP3 clients is not allowed, etc.
  • E-mail tools, rules, and alerts; descriptions and official formats of E-mail based announcements that may originate from the E-mail Administration team (to prevent users being SPAMMED or compromised by social engineering exploits). Because there are known social engineering techniques that SPAM users in the form of ‘Administrator Requests’ to end users, it may be advantageous to have an ‘official’ method of communicating, enabling users to then recognize non-authentic requests and report them.
  • Legal issues; what constitutes harassment, threats, or inappropriate language.
  • E-mail Administration processes; how to add, remove, and manage the e-mail user population, report problems or abuse, compromise.
  • Constraints; mailbox, message, and attachment size limitations.
  • Policies; data retention, type of servers, server uptime and maintenance schedules.
  • Penalties for violating the E-mail Acceptable Use Policy.
  • Schedule for periodic review, format for signoff.

Criteria: If the E-mail Acceptable Use Policy contains the required elements, this is not a finding.

Fix: F-19582r1_fix

Revise or supplement the E-mail Acceptable Use Policy so that it contains the required elements.

c
E-mail services and servers are not protected by routing all SMTP traffic through an Edge Transport Server.
High - V-19546 - SV-21609r1_rule
RMF Control
Severity
High
CCI
Version
EMG3-106 Exch2K3
Vuln IDs
  • V-19546
Rule IDs
  • SV-21609r1_rule
Separation of roles supports operational security for application and protocol services. Since 2006, Microsoft best practices have moved toward creating operational "roles" for servers within E-mail services. The Edge Transport server role (also called the E-mail Secure Gateway) was created to concentrate authentication and sanitization tasks in one server, providing Internet-facing protection for internal E-mail servers. Microsoft Exchange 2003 does not offer the Edge Transport server role.

In the E-mail services infrastructure, it has become imperative that inbound messages be examined before they are forwarded into the enclave, primarily because of the amount of SPAM and malware in the message stream. Similarly, outbound messages must be examined so that an organization can locate, or perhaps intercept, messages that may spill sensitive or important information. The Edge Transport E-mail server role, which includes "appliances" such as "Iron Port", "Iron Mail" and the like, is designed to group protective measures for both inbound and outbound messages. Its charter is to face the Internet and to scrutinize all SMTP traffic, determining whether each message is granted continued passage to its destination. Inbound E-mail sanitization steps include (but are not limited to) the following:
  • Sender Authentication
  • Sender Reputation Evaluation (White-listing and Black-listing)
  • SPAM content scoring
  • Virus and Malware removal
  • Web Link URL evaluation
  • Absent sender information
  • SPOOFED domain sources (such as the local domain appearing as inbound mail)
  • 0-Day attack detection
  • Archiving or Quarantining trapped messages
  • Alerting and Reporting when configured items are identified.
Failure to implement an E-mail Secure Gateway increases the risk that raw messages will reach the internal servers and networks, thereby increasing the risk of their compromise.
Even though Exchange 2003 E-mail Services are able to perform many of these evaluations, their Windows domain membership requires that they be internal to the enclave rather than expose the domain interaction to the public Internet. Attempting to sanitize E-mail after it arrives inside the domain is no longer an acceptable or effective security measure. By using an Edge Transport Server (E-mail Secure Gateway), SMTP-specific attack vectors are better contained at the perimeter. Information Assurance Officer EBBD-1
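As an added illustration (not part of the STIG text or any vendor product), the following Python sketch evaluates constructed inbound and outbound messages against three of the gateway checks listed above: absent sender information, the local domain appearing as the source of inbound mail, and web link evaluation, plus a simple outbound spillage check. The local domain name and the markings list are assumptions for the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed values for this example: the enclave's own domain and the
# markings that should not leave it unreviewed. A real site sets its own.
LOCAL_DOMAIN = "example.mil"
SPILL_MARKINGS = ("FOUO", "CUI")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def gateway_findings(raw: str, direction: str) -> list[str]:
    """Evaluate one SMTP message at the gateway and return policy findings.
    direction is 'inbound' (from the Internet) or 'outbound' (leaving the
    enclave). An empty list means the message raised no finding."""
    msg = message_from_string(raw)
    findings = []

    # Absent sender information: no usable address in the From header.
    _, sender = parseaddr(msg.get("From", ""))
    if "@" not in sender:
        findings.append("absent-sender")
    elif direction == "inbound" and sender.rsplit("@", 1)[1].lower() == LOCAL_DOMAIN:
        # The local domain must never appear as the origin of inbound mail.
        findings.append("spoofed-local-domain")

    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")

    # Web link evaluation: a raw IP address as the host is a common phishing sign.
    for url in URL_RE.findall(body):
        try:
            ipaddress.ip_address(urlparse(url).hostname or "")
            findings.append(f"suspicious-url:{url}")
        except ValueError:
            pass  # hostname is a normal DNS name

    # Outbound spillage check over the subject and body.
    if direction == "outbound":
        text = f"{msg.get('Subject', '')}\n{body}"
        findings.extend(f"spill-marking:{m}" for m in SPILL_MARKINGS if m in text)
    return findings


# Constructed sample messages used to exercise the checks.
INBOUND_SPOOF = ("From: helpdesk@example.mil\r\nTo: user@example.mil\r\n"
                 "Subject: Password reset\r\n\r\nReset here: http://192.0.2.10/owa\r\n")
OUTBOUND_SPILL = ("From: user@example.mil\r\nTo: friend@example.com\r\n"
                  "Subject: Notes\r\n\r\nAttached draft is marked FOUO.\r\n")
```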
Checks: C-23795r1_chk

Procedure: Interview the IAO. Review documentation that describes the infrastructure for E-mail services. Verify that an Edge Transport Server (or E-mail Secure Gateway) is installed and active on the network. Ensure that all inbound and outbound E-mail messages pass through and are examined by a perimeter-based Edge Transport Server. Criteria: If the site employs an Edge Transport Server or E-mail Secure Gateway, and all inbound and outbound E-mail messages are routed through the gateway, this is not a finding.

Fix: F-20241r1_fix

Procedure: Install and configure an Edge Transport Server role in the infrastructure. Ensure that all SMTP traffic passes through this gateway, prior to forwarding messages into the enclave mail servers.

c
E-mail web services are not protected by having an application proxy server outside the enclave.
High - V-19548 - SV-21613r1_rule
RMF Control
Severity
High
CCI
Version
EMG3-108 Exch2K3
Vuln IDs
  • V-19548
Rule IDs
  • SV-21613r1_rule
Separation of roles supports operational security for application and protocol services. The HTTP path to web sites is a proven convenience, requiring only a browser to access them, but it is simultaneously a well-known attack vector for people and applications that attempt to gain unwelcome admittance. Web-based applications such as Exchange 2003 Outlook Web Access (OWA) reside on Windows domain Member Servers and are classified as "internal", or private, web servers. In order for the DoD to grant web-based access to E-mail services, careful authentication, encryption, and other precautions are needed. Authentication via Common Access Card (CAC) is not a feature of Exchange 2003. In addition, it is risky to admit Internet-sourced web traffic into the enclave, even with SSL or TLS encryption, without some inspection, such as for suspicious URL formation. Ensuring that only the desired protocols are allowed also reduces risk as well as excess traffic. An application proxy server, such as Microsoft Internet Security and Acceleration (ISA) Server, is an effective firewall and proxy that offers all of these features when properly equipped and configured. Failure to require CAC authentication of each user, a new security context for the transaction, and FIPS 140-2 compliant encryption for the Internet leg of the transaction all increase the risk of compromise to the OWA web server. Information Assurance Officer EBBD-1
Checks: C-23796r1_chk

For sites not using Exchange 2003 E-mail web services, this check is N/A. Procedure: Interview the IAO. Access documentation that describes the E-mail services infrastructure. Verify that a proxy server such as Microsoft ISA server 2006 is installed and requires CAC authentication, is a member of the local Windows domain, and initiates a new security context for the transaction. Criteria: If the site employs an application proxy server such as Microsoft ISA, that requires CAC authentication, FIPS 140-2 encryption, and URL evaluation, this is not a finding.

Fix: F-20244r1_fix

Procedure: Install an application proxy server capable of authenticating a CAC-enabled transaction, continue the transaction in a new security context, and require FIPS 140-2 encryption for the Internet connection to the end user.