Microsoft Exchange Server 2003

Separation of roles supports operational security for application as well as human resources. By isolating a server role such as ‘Mailbox Role’, boundaries that pertain to Mailbox data protection need only be focused in the Mailbox data server. In this way, any Mailbox-specific attack vectors, protocol traffic requirements are more optimally secured. Mailbox data repositories should only be hosted on the Mailbox Server Role. E-Mail AdministratorECSC-1

Administrator responsibilities include the ability to react to unplanned maintenance tasks or emergency situations that may require Public Folder Store data manipulation. Occasionally, there may be a need to start the server with ‘unmounted ’ data stores, if manual maintenance is being performed on them. Failure to uncheck the ‘do not mount on startup’ condition will result in unavailability of Public Folder services. Correct configuration of this control will prevent unplanned outages due to being enabled. On occasions when it is needed, care should be taken in process steps to clear the checkbox task completion, so that public folder stores are available to users (unmounted public folder stores are not available to users). E-Mail AdministratorECSC-1

SPAM originators, in an effort to refine mailing lists, sometimes use a technique where they monitor transmissions for automated bounce back messages such as “Out of Office” messages. Automated messages include such items as Out of Office responses, non-delivery messages, or automated message forwarding. Automated bounce back messages can be used by a third party to determine user “liveness” on the server. This can result in the disclosure of active user accounts to third parties, paving the way for possible future attacks. Mail forwarding is an automated feature that does not provide information to third parties, but it poses a potential risk on networks where classified or confidential information may be sent. For example, if auto-forwarding is configured, sensitive information sent to this user’s account may automatically be transferred outside the control of the organization. The “Default” format applies to all domains. However, if a new format is created and applied to a specific domain, that domain will use the new format's configuration while all other domains (those without specially designated formats) will use the Default format. Automated messages must be disabled to prevent inadvertent information disclosure about E-mail recipients. E-Mail AdministratorECSC-1

SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to unfiltered inbound messages can reduce the risk of SPAM and malware impacts. The Global Accept and Deny List settings (sometimes referred to 'Black Lists' and 'White Lists' ) respectively block or admit messages originating from specific sources. Ideally, 'Black List' filtering is done at the perimeter of the network (using a commercial 'Block List' service), because eliminating threats there prevents them being evaluated inside the enclave where there is more risk they can do harm. When no commercial 'Block List Service' is employed as the 'Black List', the values configured here perform similar filtering and can be used to supplement the sites identified in the 'Block List Service'. For example, during a 0-Day threat action, entries can be added, then removed when the threat is mitigated. A common practice is to enter the enterprise’s home domain in the 'Global Deny List', at a minimum, as inbound E-mail where a ‘from’ address of the home domain is very likely to be SPOOFED SPAM. The Accept List field (referring to the ‘White List’) overrides both the ‘Deny List’ and the ‘Block List’ Service. Even if the ‘Block List’ claims that listed domains are spammers, inbound mail will still be received mail from them. Normally, no entry should appear in the Global Accept List. Note: Use of ‘White List’ entries can inadvertently lead to Denial of Service situations due to inbound messages bypassing the filtering mechanism. EMG2-013Severity can be overridden to Category III if terms of the mitigation are met by configuring this SPAM protection on an Exchange Server processing inbound messages. Configure Global Accept and Deny List configurations on the first Exchange server receiving messages directly from the public Internet. Note: This mitigation is preferred to having no SPAM protection employed; however, it does not qualify as closing the open finding for perimeter protection. Procedure: Exchange System Manager >> Global Settings >> Message Delivery>> Properties >> Connection Filtering tab >> Global Accept and Deny List configuration >> {List of entries} Enter the Home domain in the Global Deny List. Justify or remove other entries. The Global Accept list should remain empty. Information Assurance OfficerE-Mail AdministratorECSC-1

By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server environment. SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to unfiltered inbound messages can reduce the risk of SPAM and malware impacts. By performing filtering at the perimeter, SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server environment. This significantly reduces the attack vector for inbound E-mail-borne SPAM and malware. SPAM evaluation (heuristic) filters scan inbound email messages for evidence of SPAM and other attacks that primarily use ‘Social Engineering’ techniques. Upon evaluation, a rating is assigned to each message estimating the likelihood of its being SPAM. When the message is received in the user’s mailbox, the junk mail filter threshold determines whether the message will be withheld from delivery, delivered to the junk mail folder, or delivered to the user’s inbox. For Exchange 2003 servers, Microsoft introduced the Intelligent Message Filter (IMF). Beginning with Exchange 2003 SP2 it was included as part of the application. Since that time, however, it is recommended that such filtering occur at the network perimeter. That said, risk of inbound SPAM can be somewhat mitigated by using the Microsoft IMF on the Exchange 2003 Mail server, even as an interim measure, while planning for a more comprehensive, Edte Transport Server (E-Mail Secure Gateway). EMG2-029Severity can be overridden to Category III if terms of the mitigation are met by configuring this SPAM protection on an Exchange Server processing inbound messages. Exchange Intelligent Message Filter (IMF) is engaged on the first Exchange 2003 Bridgehead server or Mailbox Server that receives inbound messages from anonymous Internet connection. Note: This mitigation is preferred to having no SPAM protection employed; however, it does not qualify as closing the open finding for perimeter protection. Configure IMF on the Exchange 2003 server. Procedure: Exchange System Manager >> Global Settings >> Message Delivery>> Properties >> Intelligent Message Filtering tab Set the Gateway Blocking Configuration. A usual first choice is 8. The “When blocking Messages” choices are "Archive", "Delete", "No action", or "Reject". Note: An action of "Archive" will require sufficient disk space to host the archived messages. However, actions of "Delete" or "Reject" may contribute to inadvertent data loss. Action of "No Action" will cause the message to be forwarded to the user, carrying the evaluation score, where it may eventually be placed in the user's Junk Mail folder. Set the “Store Junk E-mail Configuration". A usual first choice is 4. Check the IMF filter “Yes” checkbox. Exchange System Manager >> Administrative Groups >> [administrator group] >> Servers >> [server] >> Protocols >> SMTP >> [specific SMTP server] >> Properties>>General Tab>> Advanced >> Edit Check "Intelligent Message Filter (IMF)" to activate the filter. Information Assurance OfficerE-Mail AdministratorECSC-1

SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to unfiltered inbound messages can reduce the risk of SPAM and malware impacts. Ideally, 'Block List' filtering is done at the perimeter of the network (using a commercial 'Block List' service), because eliminating threats there prevents them being evaluated inside the enclave where there is more risk they can do harm. Block List Services are fee based data providers that collect the IP addresses of known SPAMmers and other malware purveyors. Subscribers to these services benefit from more effective SPAM elimination (up to 90% of inbound mail volume) as well as leveraging the E-Mail Administration effort needed to maintain and update larger block lists than a single E-Mail site administrator could conveniently maintain. Neglecting to specify a 'Block List' would require E-Mail Administrators to manually specify addresses in the ‘Deny List’ field as they are discovered. The 'Block List' Services provider will provide a value for this field – usually the DNS suffix for their domain.EMG2-015Severity can be overridden to Category III if terms of the mitigation are met by configuring this SPAM protection on an Exchange Server processing inbound messages.The Block List Services provider is configured on the Exchange 2003 Bridgehead server (MTA role) or the Exchange 2003 Mailbox server that is the first Exchange server receiving inbound SMTP messages from the public Internet. Procedure: Exchange System Manager >> Global Settings >> Message Delivery>> Properties >> Connection Filtering tab >> Block List Service Configuration >> {List of entries} Click the ADD button, enter Block List Service as specified by vendor. Note: This mitigation is preferred to having no Block List filtering protection employed; however, it does not qualify as closing the open finding for perimeter protection. Information Assurance OfficerE-Mail AdministratorECSC-1

SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to inbound messages is one type of filtering that can reduce the risk of SPAM and malware impacts. Ideally, 'Block List' filtering is done at the perimeter of the network (using a commercial 'Block List' service), because eliminating threats there prevents them being evaluated inside the enclave where there is more risk they can do harm. Block List Exceptions are used to specify sources that should not be blocked despite their presence in a block list. Exceptions, if used, should be carefully vetted to ensure they are sources of legitimate email. EMG2-017Severity can be overridden to Category III if terms of the mitigation are met by configuring this SPAM protection on an Exchange Server processing inbound messages. Block List Services Exceptions are configured on the Exchange 2003 Bridgehead (MTA role) server or Mailbox server where Block List subscription content is configured. Note: This mitigation is preferred to having no Block List filtering protection employed; however, it does not qualify as closing the open finding for perimeter protection. Procedure: Configure (with documentation) or clear Block List exceptions on the Exchange server as follows: Exchange System Manager >> Global Settings >> Message Delivery>> Properties >> Connection Filtering Tab >> Block List Service Configuration >> Exception Button >> {List of IP addresses}. Information Assurance OfficerE-Mail AdministratorECSC-1

Email is only as secure as the recipient. When the recipient is an E-Mail server accepting inbound messages, authenticating the sender enables the receiver to better assess message quality and to validate the sending domain as authentic. One or more authentication techniques used in combination can be effective in reducing SPAM, PHISHING, and FORGERY attacks. There are two primary methods of sender authentication; Sender ID Framework (SIDF), and Domain Keys Identified Mail (DKIM). The Sender ID Framework (SIDF) receiver accesses specially formatted DNS records (SPF format) that contain the IP address of authorized sending servers for the sending domain that can be compared to data in the email message header. Receivers are able to validate the authenticity of the sending domain, eliminate PHISHING SPAM, and can be used in combination with DKIM. SIDF is a Microsoft creation, and is available on Exchange 2003 Servers. The DKIM receiver accesses specially formatted DNS records that contain the Public Key for the sending domain’s authorized outbound mail servers. The key is used to decrypt the hash in the message header and determine whether the message has been modified. DKIM is not effective against replay attacks, but can detect forgeries. Some false positives are possible if interim E-Mail forwarders append text to the message body. DKIM is a Cisco creation, and is available on most Edge Transport Server (E-mail Secure Gateway) products. EMG2-043Note: This mitigation is preferred over not having any SIDF protection at all. however, it does not qualify as closing the open finding for perimeter protection. If SIDF methods are in place, finding to be downgraded to a CAT III.SIDF is configured on the Exchange 2003 Bridgehead server or Mailbox Server that receives inbound messages from Internet sources. Note: This mitigation is preferred over not having any SIDF protection at all. however, it does not qualify as closing the open finding for perimeter protection. If SIDF methods are in place, finding to be downgraded to a CAT III. Configure SIDF on the Exchange server that receives inbound E-mail from the public Internet. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Severs >> [server] >> Protocols >> SMTP >> [specific SMTP server] >> Properties >> General Tab >> Advanced Button >> Edit Select “Sender ID Filter” Note: Microsoft Exchange includes only the SIDF method of sender authentication. Senders that are successfully authenticated using this method are scored higher for non-spam likelyhood. Senders that do not successfully authenticate are scored lower, or are immediately declared SPAM and processed according to configured SPAM removal process for the site. Information Assurance OfficerE-Mail AdministratorECSC-1

E-Mail system availability depends in part on best practices strategies for setting tuning configurations. Message size limits should be set to 30 megabytes at most, but often are smaller, depending on the organization. The key point in message size is that it should be set globally, and it should not be set to ‘unlimited’. Selecting the “no limit” radio button on either field is likely to result in abuse and can lead to rapid filling of server disk space. Message size limits may be applied in Routing Group connectors, SMTP connectors, Public Folders, and on the user account under AD. Changes at these lower levels are discouraged, as the single global setting is usually sufficient. This practice prevents conflicts that could impact availability and it simplifies server administration. E-Mail AdministratorECSC-1

E-Mail system availability depends in part on best practices strategies for setting tuning configurations. Global Message Recipient Limits determine the total number of recipients that can be addressed on a single message. At the virtual server level, this field is set to a limited size, and is used to control the maximum number of recipients who will receive a copy of this message at one time. It is intended to improve efficiency by forcing messages sent to a greater number of recipients to be sent out in multiple messages. EMG2-107 Exch2K3The default value of 64000 will be appropriate for most environments. In some environments there may exist valid reason to modify this setting. If settings are changed to a lower value, is justified, authorized by the IAO, and documented in the System Security Plan, this is an acceptable solution and 'not a finding'. E-Mail AdministratorECSC-1

SPAM originators, in an effort to refine mailing lists, sometimes use a technique where they first create fictitious names, then monitor rejected E-mails for non-existent recipients. Those not rejected, of course, are deemed to exist, and are therefore used in future SPAM mailings. To prevent this disclosure of existing E-Mail accounts to SPAMmers, this feature should not be employed. Instead, it is recommended that all messages be received, then evaluated and disposed of without enabling the sender to determine recipients that are existing vs. non-existing. EMG2-031Severity can be overridden to Category III if terms of the mitigation are met by configuring this SPAM protection on an Exchange Server processing inbound messages. Non-existent recipient filtering is configured on the MTA Server role (Exchange 2003 Bridgehead server) or Exchange 2003 Mailbox server where Recipient Filtering is configured. Note: This mitigation is preferred to having no recipient filtering protection employed: however, it does not qualify as closing the open finding for perimeter protection. Procedure: Exchange System Manager >> Global Settings >> Message Delivery>> Properties >> Recipient Filtering Clear the “filter recipients who are not in the directory” check box. Information Assurance OfficerE-Mail AdministratorECSC-1

By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server environment. This significantly reduces the attack vector for inbound E-mail-borne SPAM and malware. As messages are filtered, it is prudent to temporarily host them in an archive for evaluation by administrators or users. The archive can be used to recover messages that might have been inappropriately filtered, preventing data loss, and to provide a base of analysis that can provide future filter refinements. EMG2-024Severity can be overridden to Category III if terms of the mitigation are met by configuring this SPAM protection on an Exchange Server processing inbound messages. Filtered message archiving is configured on the Exchange 2003 Bridgehead server or Mailbox server where Sender Filtering is configured. Note: This mitigation is preferred to having no sender filtering protection employed; however, it does not qualify as closing the open finding for perimeter protection. Procedure: Exchange System Manager >> Global Settings >> Message Delivery>> Properties >> Sender Filtering Procedure: Select the Archive Filtered Messages checkbox. Note: If a reminder dialog appears advising that the sender filter must be enabled, click ‘ok’. There is a separate checklist item that requires filter enabling. A finding will be produced if the filter is not enabled, and can be addressed at the resolution of that finding. Information Assurance OfficerE-Mail AdministratorECSC-1

By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server environment. Anonymous E-mail (messages with blank sender fields) cannot be replied to. Messages formatted in this way may be attempting to hide their true origin to avoid responses, or to SPAM any receiver with impunity while hiding their source of origination. Rather than spend resource and risk infection while evaluating them, it is recommended that these messages be filtered immediately upon receipt and not forwarded to end users. EMG2-026Severity can be overridden to Category III if terms of the mitigation are met by configuring this SPAM protection on an Exchange Server processing inbound messages.Messages with blank sender filter are configured on the MTA Server Role (Exchange 2003 Bridgehead Server) or Exchange 2003 Mailbox server where Sender Filtering is configured. Note: This mitigation is preferred to having no sender filtering protection employed; however, it does not qualify as closing the open finding for perimeter protection. Procedure: Exchange System Manager >> Global Settings >> Message Delivery>> Properties >> Sender Filtering Select the “Filter Messages with Blank Sender” checkbox. Information Assurance OfficerE-Mail AdministratorECSC-1

SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to unfiltered inbound messages can reduce the risk of SPAM and malware impacts. It is recommended that “drop connections” action be taken when inbound requests are from addresses that match sender filters (such as those on Block List) and be performed in the perimeter network by an E-Mail Secure Gateway server, because eliminating threats there prevents them being evaluated inside the enclave where there is more risk they can do harm. If the other party has other messages to send, it must re-initiate the Simple Message Transfer Protocol (SMTP) connection to start sending the next message (as opposed to simply continuing the current connection). This will slow down the rate at which this blocked sender is able to send messages to the server, further mitigating the potential for a Denial of Service attack. EMG2-021Severity can be overridden to Category III if terms of the mitigation are met by configuring this SPAM protection on an Exchange Server processing inbound messages. “Drop connections from ‘sender filter’ sources” is configured on the MTA Server Role (Exchange 2003 Bridgehead) server or Exchange 2003 Mailbox server where Sender Filtering is configured. Note: This mitigation is preferred to having no sender filtering protection employed; however, it does not qualify as closing the open finding for perimeter protection. Procedure: Exchange System Manager >> Global Settings >> Message Delivery>> Properties >> Sender Filtering Select the “Drop Connection if Sender Matches Filter” checkbox. Information Assurance OfficerE-Mail AdministratorECSC-1

Unneeded, but running, services offer attackers an enhanced attack profile, and attackers are constantly watching to discover open ports with running services. By analyzing and disabling unneeded services, the associated open ports become unresponsive to outside queries, and servers become more secure as a result. Exchange 2003 has role-based server deployment to enable protocol path control and logical separation of network traffic types. For example, a server implemented in the Client Access role (i.e., Outlook Web Access [OWA]) is configured and tuned as a web server using web protocols. A client access server exposes only web protocols (HTTP/HTTPS) enabling System Administrators to optimize the protocol path and disable all services unnecessary for Exchange web services. Similarly, Back-End servers created to host mailboxes are dedicated to that task, and operate only the services needed for mailbox hosting. (Back-end servers must also operate some Web services, but only to the degree that Exchange 2003 requires the IIS engine in order to function). To restrict attack vectors available with E-mail message access, the protocols on the E-mail servers should match offerings on the DoD standard desktop deployment. These include Microsoft Outlook using MAPI, S/MIME enabled clients, and secured connections. It also includes Outlook via VPN for offsite telework. Browsers may access OWA provided it uses PKI/CAC access brokered through a reverse proxy Application Server. Because NNTP, POP3, and IMAP4 clients are not included in the standard desktop offering, they must be disabled. Guidance is not provided for these protocols in this document. Information Assurance OfficerE-Mail AdministratorECSC-1

E-Mail system availability depends in part on best practices strategies for setting tuning configurations. For message size restrictions, multiple places exist to set or override inbound or outbound message size. Failure to control the configuration strategy can result in loss of data or system availability. This setting enables the administrator to control the maximum size of outgoing messages on a Routing Group connector. It is recommended that, in general, no limits are applied at the connector level. This is done so that connectors do not end up prohibiting the delivery of messages that would otherwise be permitted by the Exchange configuration at the virtual server level. Using connectors to control size limits at an enterprise-wide level is discouraged since the limits would need to be applied to every potential connector in order to create an effective enterprise-wide limit.E-Mail AdministratorECSC-1

E-mail is only as secure as the recipient. Recipient SMTP servers that accept messages from all sources provide a way for rogue senders (such as SPAMMERS) or malicious users to insert message batches (that may be SPOOFED or FORGED) into the message transfer path. This setting controls which IP addresses are allowed to connect to this Virtual Server to download messages. Two strategies exist for this control, “Deny None” or “Deny All”. Exceptions can be listed in the form of IP addresses, which can also be wildcarded as subnet groups. To significantly reduce the attack vector for unauthorized connections, the “Deny All” approach must be used, stating authorized connections from “only the list below”. Depending on the server’s role in the infrastructure, the list of clients or other SMTP servers authorized to connect to this virtual server should be specified.E-Mail AdministratorECSC-1

Identification and Authentication provide the foundation for access control. The ExAdmin Virtual Directory is used by the Exchange System Manager to access mailboxes and Public Folders. This feature controls the authentication method used to connect to this virtual directory. This setting should be set to Integrated Windows Authentication only. Anonymous access provides for no access control of this virtual directory, Basic authentication transmits the password in the clear, and the other methods are not recommended by Microsoft for this control. Failure to configure this as per the recommendations may result in unrestricted access to this directory, passwords being sent in the clear, and/or the inability to correctly authenticate, depending on which change is made.E-Mail AdministratorECSC-1

E-mail system availability depends in part on best practices strategies for setting tuning configurations. This setting determines which SMTP Servers are permitted to use this SMTP Connector, identifying those for which it is the most efficient link. Failure to control SMTP network connections risks slow or lost data due to inefficient links between SMTP connections. Selecting “Entire Organization” allows any computer in the Exchange organization to use this connector. Selecting “Routing Group” means only those members of the connector's routing group may use the connector. Use of the connector should be limited to the Routing Group in order to limit and control general network connectivity.E-Mail AdministratorECSC-1

E-mail system availability depends in part on best practices strategies for setting tuning configurations. In the case of identifying a ‘Smart Host’ for the E-Mail environment, the connector level is the preferred location for this configuration because flow control in this routing group will be retained even if future changes occur at the virtual server level. A ‘Smart Host’ (Edge Transport Server) Role acts as an Internet Facing Concentrator for other E-mail servers. Appropriate hardening can be applied to the Edge Transport Server (E-Mail Secure Gateway) role rather than at multiple locations throughout the enterprise. The ‘Smart Host’ performs all Domain Name Service (DNS) lookups to determine mail routing and offers some proxy-type benefits. Failure to identify a ‘Smart Host’ could default to each E-mail server performing its own lookups (potentially through protective firewalls). Exchange 2003 servers should not be Internet facing, and should therefore not perform any ‘Smart Host’ functions. They must, however, be configured to identify the server that is performing the “Smart Host” function. EMG2-721Note: Implementations may have this feature configured as pointing to a “Smart-Host” function on the Exchange 2003 Bridgehead or Mailbox Server where no E-mail Secure Gateway exists outside the enclave firewall. This configuration is preferred when no E-mail Secure Gateway server is in use; however, it does not qualify as closing the open finding for perimeter protection. If this configuration is in place, finding to be downgraded to a CAT III.Implementations may have this feature configured as pointing to a “Smart-Host” function on the Exchange 2003 Bridgehead or Mailbox Server where no E-mail Secure Gateway exists outside the enclave firewall. This configuration is preferred when no E-mail Secure Gateway server is in use; however, it does not qualify as closing the open finding for perimeter protection. If this configuration is in place, finding to be downgraded to a CAT III. Configure the 'Smart Host'. Exchange System Manager>>Administrative Groups>> [Administrative Group]>>Routing Groups>> [routing group]>>Connectors>> [SMTP connector]>> >>Properties >> General tab>>Radio Group The “Smart-Host” should be selected and the designated E-Mail server should be identified. E-Mail AdministratorECSC-1

E-mail is only as secure as the recipient. This control is used to limit the servers that may use this server as a relay. If an Simple Mail Transport Protocol (SMTP) sender does not have a direct connection to the Internet (for example, an application that produces reports to be E-mailed) then it will need to use an SMTP Virtual Server that does have a path to the Internet (for example, a local E-mail server) as a relay. SMTP relay functions must be protected so that third parties are not able to hijack a relay service for their own purposes. Most commonly, hijacking of relays is done by SPAMMERS to disguise the source of their messages, and may also be used to cover the source of more destructive attacks. Relays can be restricted in one of three ways; by blocking relays (restrict to a blank list of servers), by restricting use to lists of valid servers, or by restricting use to servers that can authenticate. A fourth configuration, ‘allow all except the list below’, should never be used. Because authenticated connections are the most secure for SMTP virtual servers, it is recommended that relays allow only servers that can authenticate. E-Mail AdministratorECSC-1

E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This control determines whether the entire Virtual Server routes its outbound Simple Mail Transfer Protocol (SMTP) messages through a single “Smart-Host”. “Smart-Hosts” can help secure communication, but configuring the virtual server level to use the same “Smart-Host” can lead to congestion problems and inflexibility. As such, it is recommended that administrators NOT use “Smart-Hosts” at the virtual server level. Instead, use of “Smart-Hosts” should be configured at the SMTP connector level. E-Mail AdministratorECSC-1

Identification and Authentication provide the foundation for access control. The key to preventing SPAM insertion into the SMTP message transfer path is to require authentication at each ‘hop’ of the journey from sender to receiver. Failure to authenticate increases risk that an attacker can insert unauthenticated mail messages, a form of internally SPOOFED SPAM that can be difficult to trace. Encryption ensures confidentiality of data in motion as it traverses network connections. Failure to specify TLS encryption causes message transfer to be sent unencrypted, (including the authentication password), which makes it susceptible to eavesdropping. This setting controls the default authentication and encryption algorithms used for outbound connections using this connector. (That is, the authentication used when delivering outbound mail to another SMTP Virtual Server.) Because E-Mail services environments typically support multi-directional message flow at the Connector level, it is preferred that specific requirements be set there, and let this configuration at the Virtual Server level serve as a default. Authentication type of Anonymous and use of TLS are recommended for this setting. Information Assurance OfficerE-Mail AdministratorECSC-1

Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Diagnostic logging, however, characteristically produces large volumes of data and requires care in managing the logs to prevent risk of disk capacity denial of service conditions. Exchange Diagnostic Logging is broken up into 14 main “services” each of which has anywhere from 2 to 26 “categories” of events to be monitored. Moreover, each category may be set to one of four levels of logging: None (logging disabled), Minimum, Medium, and Maximum, depending on how much detail one desires. The higher the level of detail, the more disk space required to store the audit material. Diagnostic logging is intended to help administrators debug problems with their systems, not as a general purpose auditing tool. The diagnostic logs collect a great deal of information – diagnostic log files can grow huge very quickly. Diagnostic logs should be enabled for limited periods of time when attempting to debug relevant pieces of Exchange functionality. Once debugging has finished, diagnostic logging should be disabled again.E-Mail AdministratorECSC-1

Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. When “message tracking” is enabled, only the sender, recipients, time, and other delivery information is included by default. Information such as the subject and message body is not included. However, the absence of the message subject line can make it difficult to locate a specific message in the log unless one knows roughly what time the message was sent. To simplify searches through these logs, Exchange offers the ability to include the message “subject line” in the log files and in the Message Tracking Center display. This can make it significantly easier to locate a specific Message. This feature creates larger log files and will contain information that may raise privacy and legal concerns - enterprise policy should be consulted before this feature is enabled. Also, since the log files may contain sensitive information in the form of the subject line, the log files will need to be protected, commensurate with the sensitivity level, as the content may be of interest to an attacker. For these reasons, it is recommended that subject logging not be enabled during regular production operations, but instead treat this feature as a diagnostic that can be used if needed. The tradeoff of this is that finding the correct message in the message tracking logs will become more difficult since the administrator will need to search using only the time the message was sent and the message’s sender. This control will have no effect unless Message Tracking is enabled. That said, the setting should be disabled in case message tracking is perchance enabled at a future time. E-Mail AdministratorECSC-1

Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This setting controls the location of the SMTP Virtual Server log file. By default, these files will be stored in \WINNT\SYSTEM32\LOGFILES\SMPTVSx (where x is a number used to distinguish between virtual servers in this organization). The drop-down menu is used to select the format of the log file. The properties button next to this dropdown displays configuration information specific to the type of log format selected, but usually has some control to indicate the log rotation schedule (that is, how often the old log file should be closed and a new log file should be started). It is required that all log files be written to separate partitions from those used by the Exchange Stores and separate also from the Operating System. Exchange will dismount its stores if it detects that it has run out of disk space, resulting in a complete loss of Exchange services. To minimize the chance of this happening, log files should write to a separate partition so that if the logs fill this partition it will not result in the failure of Exchange.System AdministratorE-Mail AdministratorECSC-1

Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This setting enables an automated log entry to be sent to Microsoft giving general details about the nature and location of the error. Microsoft, in turn, uses this information to improve the robustness of their product. While this type of debugging information would not ordinarily contain sensitive information, it may alert eavesdroppers to the existence of problems in your Exchange organization. At the very least, it could alert them to (possibly) advantageous timing to mount an attack. At worst, it may provide them with information as to which aspects of Exchange are causing problems and might be vulnerable (or at least sensitive) to attack. All system errors in Exchange will result in outbound traffic that may be identified by an eavesdropper. For this reason, the “Report errors to Microsoft” feature must be disabled at all times.E-Mail AdministratorECSC-1

Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion. If the server were ever to run out of disk space, the server could fail catastrophically, possibly with data loss. This field allows the administrator to control notifications when a ‘warning’ or ‘critical’ trigger is issued in response to low disk availability. A good rule of thumb is to issue warnings when free space falls under 15% and critical messages when it falls under 5% of total disk space. Notification choices include E-Mail alert to an E-Mail enabled account, for example, an E-Mail Administrator, or invoke a script to take other action, for example, to add an Event to the Microsoft Application Event Log, where external monitors might detect it. E-Mail AdministratorECSC-1

Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion. This field offers choices of alerts when a ‘warning’ or ‘critical’ threshold is reached on CPU utilization. A good rule of thumb (default) is to issue warnings when CPU utilization exceeds 70% for a duration of 10 minutes and critical messages when it exceeds 80% for a duration of 10 minutes, which should only exist occasionally. Frequent alerts against this counter may indicate that additional capacity is needed, or a network or other issue (such as inbound SPAMMER traffic) that directly impacts E-mail delivery. CPU availability should be monitored. If the server were ever to exceed the maximum CPU threshold, the server could effectively experience a denial of service (DOS) condition. Notification choices include E-Mail alert to an E-Mail enabled account, for example, an E-Mail Administrator, or invoke a script to take other action, for example, to add an Event to the Microsoft Application Event Log, where external monitors might detect it. E-Mail AdministratorECSC-1

Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion. This field offers choices of alerts when a ‘warning’ or ‘critical’ threshold is reached on low virtual memory. A good rule of thumb (default) is to issue warnings when virtual memory is less than 25% for a duration of 3 minutes, and critical messages when less than 10% for a duration of 3 minutes, which should only exist occasionally. Frequent alerts against this counter may indicate that additional capacity is needed, or a network or other issue (such as inbound SPAMMER traffic) that directly impacts e-mail delivery. Virtual Memory availability should be monitored. Frequent alerts on this counter could indicate that the server is nearing capacity and that load mitigation measures may be needed. E-Mail AdministratorECSC-1

Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion. This field offers choices of alerts when a ‘warning’ or ‘critical’ threshold is reached on the SMTP queue. A good rule of thumb (default) is to issue warnings when SMTP queue growth exceeds 10 minutes and critical messages when it exceeds 20 minutes, which should only exist occasionally. Frequent alerts against this counter may indicate a network or other issue (such as inbound SPAMMER traffic) that directly impacts E-mail delivery. Notification choices include E-Mail alert to an E-Mail enabled account, for example, an E-Mail Administrator, or invoke a script to take other action, for example, to add an Event to the Microsoft Application Event Log, where external monitors might detect it. E-Mail AdministratorECSC-1

Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion. This setting allows the administrator to control notifications when a ‘warning’ or ‘critical’ trigger is issued in response to a selected Windows 2003 service being down. Exchange is dependent on certain Windows services being active: (Event Log, NT Lan Man (NTLM) Security Support Provider, Remote Procedure Call (RPC), Server, Workstation, Internet Information Service (IIS) Admin Services, and Hypertext Transfer Protocol (HTTP) Secure Sockets Layer (SSL). Failure in these services will cause Exchange to also fail in some way. Once all the above services have been added, the “When service is not running change state to” field should be set to Critical. The trigger should be “Critical” because, if any of the services that the core Exchange services depend on stop, this will require immediate attention. Notification choices include E-mail alert to an E-mail enabled account, (for example, an E-mail Administrator), or invoking a script to take other action (for example, to add an Event to the Microsoft Application Event Log, where external monitors might detect it). E-Mail AdministratorECSC-1

Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion. This field allows the administrator to control notifications when a ‘warning’ or ‘critical’ trigger is issued in response to an Exchange Core service being down. If exchange core services are down, the service status state should be set to critical, as this will require immediate attention. Notification choices include E-Mail alert to an E-Mail enabled account, for example, an E-Mail Administrator, or invoke a script to take other action, for example, to add an Event to the Microsoft Application Event Log, where external monitors might detect it. E-Mail AdministratorECSC-1

The principle of Least Privilege ordinarily requires analysis to ensure that users and processes are granted only as much privilege as is required to function effectively, but no additional privileges that could enable mischief, either accidental or intentional. The Pubic Virtual Server enables web access to public folder documents via browser. This control determines whether users will have read, write, script source access, and/or directory browsing capabilities under this virtual server. Public Virtual Server requires that users have read, write, script source access, and directory browsing permissions since these are required for proper functioning Public Folders access. E-Mail AdministratorECSC-1

By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the Mail server environment. Attachments have been known to carry malware, although the file type and malware types have changed over time. Attachments must be controlled at the entry point into the E-mail environment to prevent successful attachment-based attacks. For outbound messages, the entry point is at E-mail creation, for example, in Outlook or Outlook Web Access (OWA). For inbound messages, it is at the perimeter. By using this practice, attachments that are disallowed or are found to be malware carriers can be stripped before the attachment is forwarded to the mailbox server. In the case of 0-day threats, attachment configuration can be modified to add specific attachment types if they are known to be associated with a newly devised attack. For Microsoft E-Mail services, attachments are controlled by the E-mail client applications, in this case OWA or Outlook. The attachment file types list should be coordinated among other Microsoft client applications, such as OWA or Outlook, and with other E-mail services that may act upon message attachments, such as a perimeter-based attachment filter used by a non-Microsoft product. EMG2-030BEMitigation: None available. Exchange 2003 mailbox server does not offer the ability to perform attachment filtering. Information Assurance OfficerE-Mail AdministratorECSC-1

Backup and recovery procedures are an important part of overall system availability and integrity. Complete backups reduce the chance of accidental deletion of important information, and ensure that complete recoveries are possible. It is not uncommon for users to receive and delete messages in the scope of a single backup cycle. This setting ensures that at least one backup has been run on the mailbox store before the message physically disappears. By enabling this setting, all messages written to recipients who have accounts on this store will reside in backups even if they have been deleted by the user before the backup has run.E-Mail AdministratorECSC-1

Backup and recovery procedures are an important part of overall system availability and integrity. Complete backups reduce the chance of accidental deletion of important information, and ensure that complete recoveries are possible. It is not uncommon for users to receive and delete documents in the scope of a single backup cycle. This setting ensures that at least one backup has been run on the folder store before the message physically disappears. By enabling this setting, all messages written to recipients who have accounts on this store will reside in backups even if they have been deleted by the user before the backup has run.E-Mail AdministratorECSC-1

In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to the host system can most likely lead to a compromise of all applications hosted by the same system. E-Mail services should be installed to a descrete set of directories, on a partition that does not host other applications. E-Mail services should never be installed on a Domain Controller / Directory Services server. Information Assurance OfficerE-Mail AdministratorDCPA-1

Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considered sensitive, and in need of protection. Successful exploit of an application server vulnerability may well be logged by monitoring or audit processes when it occurs. By writing log and audit data to a separate directory or partition where separate security contexts protect them, it offers the ability to protect this information from being modified or removed by the exploit mechanism. E-Mail AdministratorDCPA-1

PPSM Standard defined ports and protocols must be used for all Exchange services. The standard port for HTTP connections is 80 and the standard port for HTTPS Connections is 443. Changing the ports to non-standard values provides only temporary and limited protection against automated attacks since these attacks will not likely connect to the custom port. However, a determined attacker may still be able to determine which ports are used for the HTTP and HTTPS protocols by performing a comprehensive port scan. Negative impacts to using nonstandard ports include complexity for the system administrator, custom configurations for connecting clients, risk of port conflict with non-exchange applications, and risk of incompatibility with standard port monitoring applications. E-Mail AdministratorDCPP-1

Standard defined ports and protocols should be used for all Exchange services. The standard port for regular SMTP connections is 25. Changing the ports to non-standard values provides only temporary and limited protection against automated attacks since these attacks will not connect to the custom port. A determined attacker may still be able to determine which ports are used for the SMTP by performing a comprehensive port scan Negative impacts of using non-standard ports include complexity for the system administrator, custom configurations for connecting clients, risk of port conflict with non-exchange applications, and risk of incompatibility with standard port monitoring applications. E-Mail AdministratorDCPP-1

PPSM Standard defined ports and protocols must be used for all Exchange services. The default port for SMTP connections is 25. Changing the ports to non-standard values provides only temporary and limited protection against automated attacks since these attacks will not likely connect to the custom port. A determined attacker may still be able to determine which ports are used for the SMTP by performing a comprehensive port scan. Negative impacts of using non-standard ports include complexity for the system administrator, custom configurations required for connecting clients, risk of port conflict with non-exchange applications, and risk of incompatibility with port monitoring applications. Since changing the port introduces a large amount of complexity for a relatively small gain, the DoD PPSM requires that standard SMTP ports be used.E-Mail AdministratorDCPP-1

The INFOCON system provides a framework within which the Commander USSTRATCOM regional commanders, service chiefs, base/post/camp/station/vessel commanders, or agency directors can increase the measurable readiness of their networks to match operational priorities. The readiness strategy provides the ability to continuously maintain and sustain one’s own information systems and networks throughout their schedule of deployments, exercises and operational readiness life cycle independent of network attacks or threats. The system provides a framework of prescribed actions and cycles necessary for reestablishing the confidence level and security of information systems for the commander and thereby supporting the entire Global Information Grid (GIG) (SD 527-1 Purpose). The Exchange software files and directories as well as the files and directories of dependent applications are vulnerable to unauthorized changes if not adequately protected. An unauthorized change could affect the integrity or availability of e-mail services overall. For this reason, all application software installations must monitor for change against a software baseline that is preserved when installed, and updated periodically as patches or upgrades are installed. Automated and manual schedules for software change monitoring must be compliant with SD527-1 frequencies. Information Assurance OfficerE-Mail AdministratorDCSL-1

The Security Support Structure is a security control function or service provided by an external system or application. For example, a Windows Domain Controller that provides Identification and Authentication Services (Active Directory) may be at risk of compromise if a co-resident application becomes compromised. The attacker can then use another system to control access to other parts of the domain. The vulnerabilities and associated risk of Exchange 2003 installed on a system that provides a security support structure is significantly higher than when installed with other functions that do not provide security support. For this reason, applications such as Exchange 2003 should never be co-resident on a server with Active Directory. Information Assurance OfficerE-Mail AdministratorDCSP-1

Exchange 2003 software, as with other application software installed on a host system, must be included in a system baseline record and periodically reviewed, otherwise unauthorized changes to the software may not be discovered. This effort is a vital step to securing the host and the applications, as it is the only method that may provide the ability to detect and recover from otherwise undetected changes, such as those that result from worm or bot intrusions. The Exchange 2003 software and configuration baseline is created and maintained for comparison during scanning efforts. Operational procedures must include baseline updates as part of configuration management tasks that change the software and configuration. Information Assurance OfficerE-Mail AdministratorDCSW-1

The Default Web site is the virtual server on which all Exchange virtual directories reside. This feature controls the authentication method used to connect to this virtual server and its virtual directories. Ensure that this is set to Integrated Windows Authentication only. Anonymous access provides for no access control of this virtual server, Basic Authentication transmits the password in the clear and risks exposure, and the other methods are not recommended by Microsoft for this control. Failure to configure this as per the recommendation may result in unrestricted access to this virtual server, passwords being sent in the clear, and/or the inability to correctly authenticate, depending on which change is made. Because CAC authentication will be required and configured via a proxy server such as ISA, settings in this area must assume the presence of an application proxy (such as ISA) between the Public Internet and the Exchange Client Access (Front End) server role. E-Mail AdministratorIAIA-1

Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. This setting controls whether all monitoring processes on this server are enabled or disabled. Monitoring should never be disabled on the server during production hours. The processing cycles needed for monitoring should be incorporated into server sizing. If the configuration disables monitoring, it stops Exchange's built in safety checks to warn the administrators of malfunctions.E-Mail AdministratorECAR-2

Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This setting controls the creation and format of log files used to monitor the interaction between this SMTP Virtual Server and other SMTP hosts. E-Mail AdministratorECAT-1

E-mail is only as secure as the recipient. By ensuring secured connections for all Simple Mail Transfer Protocol (SMTP) servers along the message transfer path, risk of “Anonymous” message transfers by rogue servers is reduced. If all message transfers were authenticated from server to server, most SPAM would be eliminated, because anonymous spammers would be more readily traceable. However, the ability to authenticate a sender from another domain will not be possible until a common authentication method exists between the receiving domain and all of the sending domains that might wish to correspond. For that reason, the Edge Transport Server role (E-Mail Secure Gateway) should be the only role enabled for Anonymous connections (because it will also perform the sanitization steps) and all internal E-mail application server roles must authenticate to each other. This setting controls the authentication method required to allow connection and message transfer to this virtual server (recipient). Authentication options include Anonymous, Basic authentication (with clear text password), and Integrated Windows Authentication. Anonymous requires no authentication, and is therefore not acceptable. NT Lan Manager, or NTLM, (Integrated Windows Authentication checkbox) is negotiated, does not provide encryption of message bodies, and cannot sufficiently secure the connection in Exchange 2003. Risks include the potential of allowing message content to be sniffed over the wire. "Basic authentication" and "Require SSL/TLS" should be selected in this panel. The use of SSL/TLS not only protects the username and password during authentication, but encrypts the mail messages as they are being transmitted, preventing eavesdroppers from reading messages. All Exchange 2003 servers should belong to this category. EMG2-111Severity can be overridden to Category III if terms of the mitigation are met by configuring this SPAM protection on an Exchange Server processing inbound messages.Exchange servers deployed at sites without an Edge Transport Server (E-mail Secure Gateway) role may need to receive inbound connections from remote domains using anonymous connections. If this situation exists, anonymous connections should be confined to one or more servers that perform E-mail sanitization steps on the same server before forwarding the messages to the Mailbox server role. For these sites, "Anonymous" security (with TLS) may be configured on the MTA server role (Exchange 2003 Bridgehead server) or the Exchange 2003 Mailbox Server where SMTP virtual server receives connections from external mail servers. Note: This mitigation is necessary when no secure e-mail gateway server exists; however, it does not qualify as closing the open finding for perimeter protection. For each SMTP virtual server that connects to an external E-mail domain, set authentication on the SMTP Virtual Server. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> servers >> [server] >> Protocols >> SMTP >> [specific SMTP server] >> properties >> Access tab >> Access Control >> Authentication button Select “Basic authentication” and "Anonymous", with TLS encryption. Information Assurance OfficerE-Mail AdministratorEBBD-1

The Simple Mail Transfer Protocol (SMTP) Virtual Server is used by the Exchange System Manager to send and receive messages from server to server using SMTP protocol. This setting controls the encryption strength used for client connections to the SMTP Virtual Server. With this feature enabled, only clients capable of supporting secure communications will be able to send mail using this SMTP server. Where secure channels are required, 128 bit encryption can also be selected. The use of secure communication prevents eavesdroppers from reading or modifying communications between mail clients and servers. While sensitive message bodies should be encrypted by the sender at the client, requiring a secure connection from the client to the server adds protection by encrypting the sender and recipient information that cannot be encrypted by the sender. Individually, channel security and encryption have been compromised by attackers. Used together, E-mail becomes a more difficult target, and security is heightened. Failure to enable this feature gives eavesdroppers an opportunity to read or modify messages between the client and server.E-Mail AdministratorECCT-1

Automated connection responses occur as a result of FTP or Telnet connections, when connecting to those services. They report a successful connection by greeting the connecting client, stating the name, release level, and (often) additional information regarding the responding product. While useful to the connecting client, connection responses can also be used by a third party to determine operating system (OS) or product release levels on the target server. The result can include disclosure of configuration information to third parties, paving the way for possible future attacks. For example, when querying the SMTP service on port 25, the default response looks similar to this one: 220 exchange.mydomain.org Microsoft ESMTP MAIL Service, Version: 6.0.3790.211 ready at Wed, 2 Feb 2005 23:40:00 -0500 Changing the response to hide local configuration details reduces the attack profile of the target. E-Mail AdministratorECIC-1

Applications introduce some of the most common database attack avenues, and can provide a pathway for an unlimited number of malicious users to access sensitive data. An account responsible for Service execution, if compromised, may subject the data to unauthorized exposure if it is granted more privileges than necessary. Typically, service accounts must run only their designated services, and must not be shared with other applications or people. Audit Log Monitoring can then assume an ‘expected’ set of activities for each service account, and administrators can more readily recognize events that are unexpected. A discrete history of account activity is valuable if an attack of the host system needs to be investigated. If accounts are shared among multiple services or people, it increases the risk that firewall Administrators will not have an accurate history for investigation and troubleshooting purposes. In the case of Microsoft Exchange Server 2003, attempting to run Exchange services on an alternate service account (rather than the default SYSTEM account) is not a supported Microsoft configuration. Due to the nature of the Exchange services access required within the server and the network, Exchange 2003 services must run under the Microsoft Windows SYSTEM account. Information Assurance OfficerE-Mail AdministratorECLP-1

Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. A securely designed E-Mail Services implementation includes the definition of E-mail Roles (Servers and services, Users, Administrators, Installers) based on functional requirements for each, then assigning the fewest possible privileges to these roles. Roles are then assigned to people or services based on the application functions they are required to perform. In the case of Microsoft Exchange Server 2003, attempting to run Exchange services on an alternate service account (rather than the default SYSTEM account) is not a supported Microsoft configuration. Due to the nature of the Exchange services access required within the server and the network, Exchange 2003 services must run under the Microsoft Windows SYSTEM account.E-Mail AdministratorECLP-1

Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. The right to restore e-mail applications or data following a service interruption must align with the E-mail Installation and E-mail Administration role, excluding all other user roles. Because this elevated privilege has the ability to change the application functionality or data from its initial version, it must be carefully assigned, monitored, and controlled. E-Mail AdministratorE-Mail InstallerECLP-1

Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. A securely designed E-mail Services Implementation includes the definition of E-mail Roles (Servers and services, Users, Administrators, Installers) based on functions required by each, then assigning the fewest privileges to these roles. Roles are then assigned to people or services on the application functions they are required to perform. The Exchange GPO templates available from Microsoft enable the E-mail Administrator to easily set a Baseline Security Policy that hardens services permissions. Installations configured without use of policy templates must nevertheless meet vendor recommended minimums for service protection.E-Mail AdministratorECLP-1

Default product installations may provide more generous permissions than are necessary to run the application. By examining and tailoring permissions to more closely provide the least amount of privilege possible, attack vectors that align with user permissions are less likely to access more highly secured areas. Vendor-supplied policies are available to assist in further hardening the permissions set for Exchange. Application file permissions on Exchange 2003 servers can be set by importing the group policy for Exchange Back-End or Front-End servers. To the extent of file permissions, both policies set the same directory permissions as shown here. E-Mail AdministratorE-Mail InstallerECLP-1

Scripts on virtual servers are a frequent cause of server compromises. Since this virtual (web) server is the primary interface between Exchange and the web, it is particularly at risk of compromise. Therefore, attack vectors via scripts and executables running on the server, should be minimized. The Exchange Virtual Server enables web access (OWA) for user mailbox stores. It is designed to provide much of the same functionality as the Outlook client, but through a web browser. This control allows the administrator to specify whether scripts and/or executables may be run on this virtual server. Scripts and executables should be denied permissions to run, eliminating this attack vector from the security profile. E-Mail AdministratorECLP-1

Scripts on virtual servers are a frequent cause of server compromises. Since this virtual (web) server is the primary interface between Exchange and the web, it is particularly at risk of compromise. Therefore, attack vectors via scripts and executables running on the server, should be minimized. The Public Virtual Server enables web access for shared public folders. This control allows the administrator to specify whether scripts and/or executables may be run on this virtual server. Scripts and executables should be denied permissions to run on this server, eliminating this attack vector from the security profile. E-Mail AdministratorECLP-1

The ExAdmin Virtual Server is used by the Exchange System Manager to access mailboxes and Public Folders. As such, it is a required part of the Exchange application. The Exchange System Manager is a central part of the Exchange application and without these capabilities it will be unable to function properly. Scripts on servers are a frequent cause of server compromises. Since virtual servers are the primary interface between Exchange and the web, they are particularly at risk of compromise. Therefore, attack vectors via scripts and executables running on the server should be minimized. The ExAdmin Virtual Server is used by the Exchange System Manager to access mailboxes and Public Folders. This control allows the administrator to specify whether scripts and/or executables may be run on this virtual server. Scripts and executables should be denied the ability to run on this server. The Exchange System Manager is the only entity that interfaces with it, and since the default provides all of the capabilities needed, there should be no reason to change it. E-Mail AdministratorECLP-1

The principle of Least Privilege ordinarily requires analysis to ensure that users and processes are granted only as much privilege as is required to function effectively, but no additional privileges that could enable mischief, either accidental or intentional. The Exchange Virtual Server (OWA) enables web access for user E-mail mailboxes, however, users to not access the virtual server directly. This control determines whether users will have read, write, script source access, and/or directory browsing capabilities under this virtual server. The OWA Virtual Server requires that users have read, write, script source access, and directory browsing permissions since these are required for the proper functioning of OWA. E-Mail AdministratorECLP-1

The principle of Least Privilege ordinarily requires analysis to ensure that users and processes are granted only as much privilege as is required to function effectively, but no additional privileges that could enable mischief, either accidental or intentional. The ExAdmin Virtual Directory enables web access to E-mail and public folder documents for the Exchange 2003 System Manager. No users access this part of the application. This control determines whether the ExAdmin user will have read, write, script source access, and/or directory browsing capabilities under this virtual server. ExAdmin requires read, write, script source access, and directory browsing permissions since these are required for all of Exchange Web access. E-Mail AdministratorECLP-1

Individual messages can be protected by requiring message signing at the creation point (Outlook), at the originator’s discretion, enabling integrity protection for their messages. However, messages can also be created by report generators and other applications using automated processes that do not typically sign messages. By signing outbound messages as they exit into the public Internet, the sending SMTP server gives all receivers the opportunity to authenticate the sending domain and server as authentic. (using the DNS-based DKIM record), and validate the message content as unaltered in transit (using the DKIM public key to rehash). In this way, forgeries are prevented, SPAMMERs are more easily tracked. To be effective, it should be noted that unless both senders and receivers participate, sender authentication techniques are of limited effectiveness. For receivers not configured to recognize signed messages, there is no impact to processing – they default to treating the messages as if from anonymous sender origin, and examine it with the evaluation methods that are available. The DKIM (Domain Keys Identified Mail) process is not part of Exchange 2003 functionality; so inbound messages that reach an Exchange server as the first receiving touchpoint will not be able to perform this type of sender authentication. However, most e-mail Secure Gateway products now offer this feature. EMG2-038None. Exchange 2003 does not possess DKIM signing or validation featuresInformation Assurance OfficerE-Mail AdministratorECTM-1

Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considered sensitive, and in need of protection. Audit data available for modification by a malicious user can be altered to conceal malicious activity. Audit data might also provide a means for the malicious user to plan unauthorized activities that exploit weaknesses. The contents of audit logs are protected against unauthorized access, modification, or deletion. Only authorized auditors and the audit functions should be granted Read and Write to audit log data. Information Assurance OfficerE-Mail AdministratorECTP-1

Unauthorized or malicious data changes can compromise the integrity and usefulness of the data, Automated attacks or malicious users with elevated privileges have the ability to affect change using the same mechanisms as E-mail administrators. Auditing changes to access mechanisms supports accountability and non-repudiation for those authorized to define the environment but also enables investigation of changes made by others who may not be authorized. E-Mail AdministratorECAT-1

E-mail system availability depends in part on best practices strategies for setting tuning configurations. For message size restrictions, multiple places exist to set or override inbound or outbound message size. Failure to control the configuration strategy can result in loss of data or system availability. This setting enables the Administrator to control the maximum size of outgoing messages on an SMTP Connector. It is recommended that, in general, no limits are applied at the connector level. This is done so that connectors do not end up prohibiting the delivery of messages that would otherwise be permitted by the Exchange configuration at the virtual server level. Using connectors to control size limits at an enterprise-wide level is discouraged since the limits would need to be applied to every potential connector in order to create an effective enterprise-wide limit.E-Mail AdministratorECSC-1