Review procedures and implementation evidence of annual reviews of Exchange 2003 E-mail Services Information Assurance (IA) policy and procedures. If procedures do not exist, are incomplete, or are not implemented and followed annually or more frequently, then this is a finding. Criteria: If procedures exist, are complete, and reviews are conducted at least annually, this is not a finding.
Procedure: Ensure that procedures exist, and that annual reviews are scheduled and completed.
Interview the E-mail administrator or the Information Assurance Officer (IAO). Access the documented topology diagrams and System Security Plan information. Sites offering Outlook Web Access (OWA) for remote E-mail access from the Internet should have an Exchange 2003 front-end server. In E-mail environments where OWA is not offered, front-end servers are not needed. Criteria: If the Exchange deployment model is a multi-server environment with OWA and is using a front-end/back-end architecture, this is not a finding.
For OWA-enabled environments, the environment should be re-engineered to add at least one front-end server. Consult the applicable network and protocol requirements for additional controls such as perimeter protection, protocol paths, and other configuration requirements that some Exchange configurations assume are in place.
Procedure: Interview the E-mail Administrator or the IAO to ask if CM procedures are in place to prevent untested and uncontrolled software modifications to the production system. Access documentation demonstrating process, scheduling, and signoff procedures. Criteria: If CM procedures are documented and implemented, this is not a finding.
Procedure: Implement Configuration Management procedures; document them and follow them. Ensure that patches, configurations, and upgrades are addressed. Process steps should have specific procedures and responsibilities assigned.
Procedure: Review the documented procedures for approval and granting of E-mail Administrator Privileges. Review implementation evidence for the procedures. Criteria: If the E-mail Administrator role is documented and authorized by the IAO, this is not a finding.
Procedure: Establish a procedure that ensures the E-mail Administrator role is defined and authorized (assigned) as documented by the IAO.
Interview the IAO. Review the System Security Plan for E-mail services. Review coverage of the following in the System Security Plan: - technical, administrative, and procedural IA program and policies that govern E-mail services - identification of all IA roles and assignments (IAM, IAO, DBA, SA) - specific IA requirements and objectives, such as unique security considerations and outage contingency plans. Criteria: If E-mail services are documented in the System Security Plan, this is not a finding.
Procedure: Establish a System Security Plan E-mail services component.
Procedure: Interview the IAO or E-mail Administrator. Verify implementation of logging procedures defined for use of the Exchange 2003 installation account. Criteria: If E-mail software installation account usage is logged, this is not a finding.
Procedure: Develop and implement a logging procedure for use of the Exchange 2003 software installation account that provides accountability to individuals for any actions taken by the account.
Interview the IAO. Review the audit trail review procedures in the System Security Plan. The procedures should include evidence of the occurrence and frequency of reviews. Also review the evidence of review results. Criteria: If audit trail review procedures and evidence of reviews exist, this is not a finding.
Procedure: Develop and implement procedures to review audit records daily. Include procedures for responding to indications of unauthorized access or usage.
Procedure: Interview the E-mail administrator or the IAO. Review documentation that describes the division of duties by role in the E-mail administration assignments. Criteria: If E-mail Administrator tasks are assigned to a defined role in the organization, and the role operates with least privilege for those tasks, this is not a finding.
Procedure: Create, or have created, Policies / OUs / Security Groups to define roles and permissions for the E-mail Administration team. Verify that each role is granted the least permission needed to perform its associated tasks.
Interview the IAO or the E-mail administrator. Review automated tool usage for reporting of audit trail data. Criteria: If automated tools are available for review and reporting on E-mail Service audit records, this is not a finding.
Procedure: Ensure that automated tools are implemented and available for review and reporting on E-mail Service audit records.
Interview the IAO or E-mail Administrator. Access documentation that describes data retention for audit records. Criteria: If E-mail audit records are retained for the required time period (1 year), this is not a finding.
Procedure: Ensure that E-mail audit records are categorized and retained for the required time period of 1 year.
Interview the E-mail Administrator or the IAO. Access documentation that describes inclusion of Exchange audit data in the weekly backups. Audit data specific to Exchange 2003 services is located in %systemroot%\system32\logfiles. Verify that this directory is included in the backup strategy to preserve log history. Criteria: If audit records are backed up at least weekly onto a different system or media, this is not a finding.
Ensure that Exchange 2003 audit records are backed up at least weekly onto a different system or media.
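The check above asks the reviewer to confirm that the log directory is actually covered by the weekly backup, and the earlier retention check asks for a year of history. The following PowerShell script is an added example for gathering that evidence; it is not part of the STIG or of any Microsoft tool. It assumes the backup copies the log directory tree to a separate share (the UNC path `\\BACKUPSRV\ExchangeLogs` is an assumption and must be replaced with the site's real target) and that the copy preserves file timestamps and sizes, as robocopy and Copy-Item do. It reports every log file that is older than the weekly window and has no matching, up-to-date copy, plus the span of history present in the backup set, so the 1-year retention requirement can be judged from the same output.

```powershell
# Added example (not part of the STIG): verify that the Exchange 2003 audit log
# directory is mirrored to a separate backup location within the weekly window,
# and report how much log history the backup set holds.
param(
    [string]$LogDir = (Join-Path $env:SystemRoot 'system32\logfiles'),
    [string]$BackupRoot = '\\BACKUPSRV\ExchangeLogs',   # assumption: site backup share
    [int]$MaxBackupAgeDays = 7,                         # "at least weekly"
    [int]$RetentionDays = 365                           # "1 year"
)

$findings = @()

if (-not (Test-Path -Path $LogDir)) {
    $findings += "Log directory '$LogDir' does not exist."
}
if (-not (Test-Path -Path $BackupRoot)) {
    $findings += "Backup location '$BackupRoot' is not reachable."
}

if ($findings.Count -eq 0) {
    # Plain files only; Where-Object keeps this usable on early PowerShell versions.
    $logs   = Get-ChildItem -Path $LogDir -Recurse     | Where-Object { -not $_.PSIsContainer }
    $copies = Get-ChildItem -Path $BackupRoot -Recurse | Where-Object { -not $_.PSIsContainer }

    # Index the backup set by path relative to its root so the service
    # sub-folders (W3SVC1, SMTPSVC1, ...) are matched structurally.
    $copyIndex = @{}
    foreach ($c in $copies) {
        $rel = $c.FullName.Substring($BackupRoot.TrimEnd('\').Length + 1).ToLower()
        $copyIndex[$rel] = $c
    }

    # Files written inside the window may legitimately not be backed up yet
    # (the current day's log is still open), so only older files are judged.
    $cutoff = (Get-Date).AddDays(-$MaxBackupAgeDays)
    foreach ($log in $logs) {
        if ($log.LastWriteTime -ge $cutoff) { continue }
        $rel  = $log.FullName.Substring($LogDir.TrimEnd('\').Length + 1).ToLower()
        $copy = $copyIndex[$rel]
        if ($null -eq $copy) {
            $findings += "No backup copy of '$rel' (last written $($log.LastWriteTime))."
        } elseif ($copy.Length -ne $log.Length -or $copy.LastWriteTime -lt $log.LastWriteTime) {
            $findings += "Backup copy of '$rel' is stale (copy $($copy.LastWriteTime), source $($log.LastWriteTime))."
        }
    }

    # Retention evidence: how far back does the backup set reach?
    if ($copies.Count -gt 0) {
        $oldest = ($copies | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
        $spanDays = [int]((Get-Date) - $oldest).TotalDays
        Write-Output "Backup set holds $($copies.Count) files; oldest dated $oldest ($spanDays days of history, $RetentionDays required)."
    } else {
        $findings += "Backup location '$BackupRoot' contains no files."
    }
}

if ($findings.Count -eq 0) {
    Write-Output "Not a finding: all log files older than $MaxBackupAgeDays days have current copies in '$BackupRoot'."
    exit 0
} else {
    Write-Output "FINDING:"
    $findings | ForEach-Object { Write-Output "  $_" }
    exit 1
}
```

Run it on the Exchange server as an account with read access to both paths, for example `.\Check-ExchangeLogBackup.ps1 -BackupRoot '\\real-backup-host\share'` (the script name is an assumption). A history span shorter than 365 days is only a finding if the system has been in service that long; the script reports the span and leaves that judgement to the reviewer. If the site backs up to tape rather than a file share, the same comparison can be made against a restore of the most recent tape into a scratch directory passed as `-BackupRoot`.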
Procedure: Interview the E-mail Administrator or the IAO. Access the System Security Plan or other documentation that describes the backup and recovery strategy for Exchange 2003 E-mail servers. The documentation should detail specifically what files and data stores are saved, including the frequency and schedules of the saves (as required by INFOCON levels), and recovery plans (should they become necessary). The recovery plan should also state a periodic recovery rehearsal to ensure the backup strategy is sound. Criteria: If E-mail Backup and Recovery strategy is documented and periodically tested, this is not a finding.
Ensure that the E-mail Backup and Recovery Strategy is documented in the site Disaster Recovery Plan, with components, locations and directions, and is tested according to INFOCON frequency requirements.
Procedure: Interview the E-mail Administrator or the IAO. Access the System Security Plan documentation that describes protections for the Backup and Recovery data. Direct access must be granted to only processes and personnel who are responsible for handling that data. Criteria: If E-mail backup and recovery data and processes are restricted to authorized groups, this is not a finding.
Ensure that only E-mail Administrator and authorized backup and restore personnel have access to Exchange 2003 backup and restore data.
Procedure: Interview the IAO. Access the site's System Security Plan. Review backup frequency schedule. Also, review file locations, access protections and procedures for offline files, and storage methods. Criteria: If E-mail backups are conducted on schedule and are stored appropriately, this is not a finding.
Procedure: Perform follow-up to ensure that E-mail backups are conducted on schedule and are stored appropriately.
Procedure: Interview the E-mail Administrator or IAO. Reference a copy of the System Security Plan. Review the application software baseline procedures and implementation evidence. Review the list of files and directories included in the baseline procedure for completeness. Criteria: If a copy of the E-mail software exists to serve as a baseline and is available for comparison during scanning efforts, this is not a finding.
Procedure: Create E-mail Software Copies for use in recovering systems, should they be needed. Ensure that the copies are stored off site and that details are documented in the system security plan.
Procedure: Interview the IAO. Access the documentation that describes the E-mail Acceptable Use Policy that is followed at the site. The Acceptable Use Policy serves as training for users and sets expectations for E-mail parameters. Criteria: If the E-mail Acceptable Use Policy is documented in the System Security Plan and requires annual user review with signature acknowledgement, this is not a finding.
Procedure: Implement an E-mail Acceptable Use Policy that is documented in the System Security Plan or at the organizational level, and requires signed annual review by users.
Procedure: Interview the IAO. Access documentation that describes the elements included in the E-mail Acceptable Use Policy. User education elements should include such elements as:
• Classification and Sensitivity Labeling; a user's electronic signature is the stamp of authenticity that enables information to be trusted.
• SPAM and PHISHING recognition; the ability to recognize non-authentic messages is key to protecting the organization against user manipulation that results from false information.
• Acceptable and non-acceptable text content; users should also be acquainted with legal responsibilities surrounding harassment, soliciting, or distribution of inappropriate content as outlined by the organization.
• Security Constraints; forbidden attachment types and the security reasons for each.
• "Personal business" usage policy; message content guidelines, attention to CC: lists, information sensitivity, chain letters, and spillage prevention.
• Request help; how to report if you are a witness to or victim of misuse, phone numbers for support, troubleshooting, how to request an account for a new user.
User expectations elements should include such elements as:
• Acceptable Use Policy location; for ongoing reference if needed.
• E-mail types of services offered; for example, Outlook, OWA and Public Folders included, access from POP3 clients is not allowed, etc.
• E-mail tools, rules, and alerts; descriptions and official formats of E-mail based announcements that may originate from the E-mail Administration team (to prevent users being SPAMMED or compromised by social engineering exploits). Because there are known social engineering techniques that SPAM users in the form of "Administrator Requests", it may be advantageous to have an "official" method of communicating, enabling users to recognize non-authentic requests and report them.
• Legal issues; what constitutes harassment, threats, or inappropriate language.
• E-mail Administration processes; how to add, remove, and manage the E-mail user population, and how to report problems, abuse, or compromise.
• Constraints; mailbox, message, and attachment size limitations.
• Policies; data retention, type of servers, server uptime and maintenance schedules.
• Penalties for violating the E-mail Acceptable Use Policy.
• Schedule for periodic review, format for signoff.
Criteria: If the E-mail Acceptable Use Policy contains the required elements, this is not a finding.
Revise or supplement the E-mail Acceptable Use Policy so that it contains the required elements.
Procedure: Interview the IAO. Review documentation that describes the infrastructure for E-mail services. Verify that an Edge Transport Server (or E-mail Secure Gateway) is installed and active on the network. Ensure that all inbound and outbound E-mail messages pass through and are examined by a perimeter-based Edge Transport Server. Criteria: If the site employs an Edge Transport Server or E-mail Secure Gateway and all inbound and outbound E-mail messages are routed through it, this is not a finding.
Procedure: Install and configure an Edge Transport Server role in the infrastructure. Ensure that all SMTP traffic passes through this gateway, prior to forwarding messages into the enclave mail servers.
For sites not using Exchange 2003 E-mail web services, this check is N/A. Procedure: Interview the IAO. Access documentation that describes the E-mail services infrastructure. Verify that a proxy server such as Microsoft ISA Server 2006 is installed, requires CAC authentication, is a member of the local Windows domain, and initiates a new security context for the transaction. Criteria: If the site employs an application proxy server such as Microsoft ISA that requires CAC authentication, FIPS 140-2 encryption, and URL evaluation, this is not a finding.
Procedure: Install an application proxy server that can authenticate a CAC-enabled transaction, continues the transaction in a new security context, and requires FIPS 140-2 encryption for the Internet connection to the end user.