Email Services Policy STIG

Email Services Policy STIG requirements must be evaluated on each system review, regardless of the email product or release level. These policies ensure conformance to DoD requirements that govern email services deployment and operations. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V2R2

Published: 2014-03-11

Updated At: 2018-09-23 02:27:29


| Rule | Version | CCI | Severity | Title | Description |
|---|---|---|---|---|---|
| SV-20630r2_rule | EMG3-015 | EMail | MEDIUM | Annual procedural reviews must be conducted at the site. | A regular review of current email security policies and procedures is necessary to maintain the desired security posture of Email services. Policies and procedures should be measured against current Department of Defense (DoD) policy, Security Technical I |
| SV-43875r1_rule | EMG3-020 | EMail | MEDIUM | Exchange 2003 with Outlook Web Access must be deployed as Front-end/Back-end Architecture. | Microsoft® Exchange 2003 supports a server architecture that distributes server tasks among front-end and back-end servers. Front-end/back-end architecture provides for logical separation of protocols, user traffic, and the subsequent ability to secure e |
| SV-20644r2_rule | EMG3-045 | EMail | MEDIUM | Email Configuration Management (CM) procedures must be implemented. | Uncontrolled, untested, or unmanaged changes can result in an unreliable security posture. All software libraries related to email services must be reviewed, considered, and the responsibility for CM assigned to ensure no libraries or configurations are l |
| SV-20646r2_rule | EMG0-056 | EMail | LOW | Email Administrator role must be assigned and authorized by the IAO. | Separation of roles supports operational security for applications as well as human resources. Roles accompanied by elevated privileges, such as that of the Email Administrator, must be carefully regulated and monitored. All appointments to Information As |
| SV-20650r2_rule | EMG3-050 | EMail | MEDIUM | Email Services must be documented in the EDSP (Email Domain Security Plan). | A System Security Plan defines the security procedures and policies applicable to the Automated Information System (AIS). The Email Domain Security Plan (EDSP) defines the security settings and other protections for email systems. It may be implemented as |
| SV-20652r2_rule | EMG3-028 | EMail | LOW | Email software installation account usage must be logged. | Email Administrator or application owner accounts are granted more enhanced privileges than non-privileged users. It is especially important to grant access to privileged accounts to only those persons who are qualified and authorized to use them. Each us |
| SV-20654r2_rule | EMG3-037 | EMail | LOW | Email audit trails must be reviewed daily. | Access to email servers and software is logged to establish a history of actions taken in the system. Unauthorized access or use of the system could indicate an attempt to bypass established permissions. Reviewing the log history can lead to discovery |
| SV-20667r2_rule | EMG0-075 | EMail | MEDIUM | Email Administrator Groups must ensure least privilege. | When an oversight responsibility is assigned to the same person performing the actions being overseen, the function of oversight is compromised. When the responsibility to manage or control one application or activity is assigned to one party yet another |
| SV-20669r2_rule | EMG3-079 | EMail | MEDIUM | Automated audit reporting tools must be available. | Monitors are automated "process watchers" that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Log files help establish a history of activities, and can be useful in detecti |
| SV-20671r2_rule | EMG3-071 | EMail | MEDIUM | Email audit records must be retained for 1 year. | Audit data retention serves as a history that can aid in determining actions executed by users and administrators. Reasons for such research include both malicious actions that may have been perpetrated, as well as legal evidence that might be needed for |
| SV-20673r2_rule | EMG3-006 | EMail | MEDIUM | Audit logs must be documented and included in backups. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit logs are essential to the investigation and prosecution of unauthorized access to email servi |
| SV-20675r2_rule | EMG3-005 | EMail | LOW | The email backup and recovery strategy must be documented and tested on an INFOCON compliant frequency. | A disaster recovery plan exists that provides for the smooth transfer of all mission or business essential functions to an alternate site for the duration of an event with little or no loss of operational continuity. The backup and recovery plan should |
| SV-20677r2_rule | EMG3-009 | EMail | MEDIUM | Email backup and recovery data must be protected. | All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the backup and recovery data exposes it to risk of potential theft or damage that may ultimately prevent a successful resto |
| SV-20679r2_rule | EMG3-007 | EMail | MEDIUM | Email backups must meet schedule and storage requirements. | Hardware failures or other (sometimes physical) disasters can cause data loss to active applications, and precipitate the need for expedient recovery. Ensuring backups are conducted on an agreed schedule creates a timely copy from which to recover active |
| SV-20681r2_rule | EMG3-010 | EMail | MEDIUM | Email critical software copies must be stored offsite in a fire rated container. | There is always potential that accidental loss can cause system loss and that restoration will be needed. In the event that the installation site is compromised, damaged, or destroyed, copies of critical software media may be needed to recover the systems a |
| SV-20683r2_rule | EMG0-090 | EMail | LOW | Email acceptable use policy must be documented in the Email Domain Security Plan (EDSP). | Email is only as secure as the recipient, which is ultimately the person who is receiving messages. Also to consider, the surest way to prevent SPAM and other malware from entering the email message transport path is by using secure IA measures at the point o |
| SV-20685r2_rule | EMG0-092 | EMail | LOW | Email Acceptable Use Policy must contain required elements. | Email is only as secure as the recipient, which is ultimately the person who is receiving messages. Also to consider, the surest way to prevent SPAM and other malware from entering the email message transport path is by using secure IA measures at the poi |
| SV-21609r2_rule | EMG3-106 | EMail | HIGH | Email domains must be protected by an Edge Server at the email transport path. | Separation of roles supports operational security for application and protocol services. Since 2006, Microsoft best practices had taken the direction of creating operational "roles" for servers within email services. The Edge Transport server role (al |
| SV-21613r2_rule | EMG3-108 | EMail | HIGH | Email domains must be protected by transaction proxy at the client access path. | Separation of email server roles supports operational security for application and protocol services. The HTTP path to web sites is a proven convenience in requiring only a browser to access them, but is simultaneously a well-known attack vector for peopl |
| SV-43808r1_rule | EMG0-093 | EMail | LOW | Email acceptable use policy must be renewed annually. | An Email Acceptable Use Policy is a set of rules that describe IA operation and expected user behavior with regard to email services. Formal creation and use of an Email Acceptable Use policy protects both organization and users by declaring boundaries, o |
| SV-46514r1_rule | EMG3-110 | EMail | MEDIUM | Transaction proxies protecting email domains must interrupt and inspect web traffic on the client access path prior to its entry to the enclave. | Separation of email server roles supports operational security for application and protocol services. The HTTP path to web sites is a proven convenience in requiring only a browser to access them, but is simultaneously a well-known attack vector for peopl |
| SV-50955r1_rule | EMG3-055 | EMail | MEDIUM | Email client services for Commercial Mobile Devices must be documented in the Email Domain Security Plan (EDSP). | Commercial Mobile Devices (CMDs) introduce additional IA concerns to email systems because of the additional guidance pertaining specifically to CMDs. The Department of Defense (DoD) Chief Information Officer (CIO) put forth specific guidance concerning C |