Microsoft Exchange Server 2003

Guidance for Microsoft Exchange Server 2003 in the Mailbox Server, MTA, and the Client Access (OWA) Server Roles.

Details

Version / Release: V1R5

Published: 2014-08-19

Updated At: 2018-09-23 02:27:56

Findings
    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-20214r1_rule EMG2-313 Exch2K3 MEDIUM User mailboxes are hosted on non-Mailbox Server role. Separation of roles supports operational security for application as well as human resources. By isolating a server role such as ‘Mailbox Role’, boundaries that pertain to Mailbox data protection need only be focused in the Mailbox data server. In
    SV-20216r1_rule EMG2-323 Exch2K3 HIGH E-mail Server does not require S/MIME capable clients. Identification and Authentication provide the foundation for access control. The ability for receiving users to authenticate the source of E-Mail messages helps to ensure that they are not FORGED or SPOOFED before they arrive. MIME (Multipurpose Intern
    SV-20218r1_rule EMG2-136 Exch2K3 LOW E-mail user mailboxes do not have Storage Quota Limitations. E-mail system availability depends in part on best practices strategies for setting tuning configurations. These settings control the maximum sizes of a user’s mailbox and the system’s response if these limits are exceeded. Mailbox data that is no
    SV-20220r1_rule EMG2-139 Exch2K3 LOW E-mail Public Folders do not have Storage Quota Limitations. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. These settings control the maximum sizes of a Public Folder and the system’s response if these limits are exceeded. There are two available contr
    SV-20222r1_rule EMG2-507 Exch2K3 LOW Public Folders Store storage quota limits are overridden. E-mail system availability depends in part on best practices strategies for setting tuning configurations. Some settings enable more granular control when it is needed for a specific circumstance, however, if a sound strategy is not planned for configur
    SV-20224r1_rule EMG2-318 Exch2K3 LOW Mailbox Stores "Do Not Mount at Startup" is enabled. Administrator responsibilities include the ability to react to unplanned maintenance tasks or emergency situations that may require Mailbox data manipulation. Occasionally, there may be a need to start the server with ‘unmounted’ data stores, if man
    SV-20254r1_rule EMG2-320 Exch2K3 MEDIUM Public Folder Stores "Do not Mount at Startup" is enabled. Administrator responsibilities include the ability to react to unplanned maintenance tasks or emergency situations that may require Public Folder Store data manipulation. Occasionally, there may be a need to start the server with ‘unmounted ’ data st
    SV-20260r1_rule EMG2-511 Exch2K3 LOW Public Folder “Send on Behalf of” feature is in use. The principle of non-repudiation gives a message recipient the assurance that the message can be attributed to the named sender. If users are allowed to send on behalf of other parties, it introduces risk that receivers may never realize the identity of
    SV-20264r1_rule EMG2-046 Exch2K3 MEDIUM Automated Response Messages are Enabled. SPAM originators, in an effort to refine mailing lists, sometimes use a technique where they monitor transmissions for automated bounce back messages such as “Out of Office” messages. Automated messages include such items as Out of Office responses,
    SV-20266r1_rule EMG2-013 Exch2K3 MEDIUM Mailbox server is not protected by E-mail Edge Transport role (E-mail Secure Gateway) performing Global Accept/Deny list filtering. SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to unfiltered inbound messages can reduce the risk of SPAM and malwar
    SV-20268r1_rule EMG2-029 Exch2K3 MEDIUM Mailbox Server is not protected by an Edge Transport Server (E-mail Secure Gateway) performing SPAM evaluation. By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server environment. SPAM origination sites and other sources of suspected
    SV-20270r1_rule EMG2-015 Exch2K3 MEDIUM The Mailbox server is not protected by an Edge Transport Server Role (E-mail Secure Gateway) performing 'Block List' filtering. SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to unfiltered inbound messages can reduce the risk of SPAM and malwar
    SV-20272r1_rule EMG2-017 Exch2K3 MEDIUM Mailbox server is not protected by an Edge Transport Server role (E-mail Secure Gateway) performing Block List exception filtering at the perimeter. SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to inbound messages is one type of filtering that can reduce the risk
    SV-20274r1_rule EMG2-043 Exch2K3 MEDIUM Mailbox Server is not protected by an Edge Transport Server (E-mail Secure Gateway) performing Sender Authentication at the perimeter. Email is only as secure as the recipient. When the recipient is an E-Mail server accepting inbound messages, authenticating the sender enables the receiver to better assess message quality and to validate the sending domain as authentic. One or more aut
    SV-20276r1_rule EMG2-005 Exch2K3 MEDIUM E-mail Server Global Sending or Receiving message size is set to Unlimited. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. Message size limits should be set to 30 megabytes at most, but often are smaller, depending on the organization. The key point in message size is
    SV-20278r1_rule EMG2-010 Exch2K3 LOW Sending or Receiving message size is not set to Unlimited on the SMTP virtual server. E-mail system availability depends in part on best practices strategies for setting tuning configurations. E-mail system availability has become a necessary feature in information sharing, and controlling message size limit reduces risk that servers beco
    SV-20280r1_rule EMG2-129 Exch2K3 LOW The SMTP Virtual Server Session Size is not set to "Unlimited". E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This setting controls the maximum SMTP Virtual Server session sizes (inbound and outbound) and applies globally to the Simple Mail Transfer Protoco
    SV-20282r1_rule EMG2-149 Exch2K3 LOW The SMTP Virtual Server Message Count Limit is not 20. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This setting controls the maximum number of messages allowed in a single SMTP session by breaking large numbers of messages into multiple sessions.
    SV-20284r1_rule EMG2-107 Exch2K3 MEDIUM Message Recipient Count Limit is not limited on the SMTP virtual server. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. Global Message Recipient Limits determine the total number of recipients that can be addressed on a single message. At the virtual server level, t
    SV-20286r1_rule EMG2-006 Exch2K3 LOW The Global Recipient Count limit is set to “Unlimited”. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. The Global Recipient Count limit field is used to control the maximum number of recipients that can be specified in a single message sent from th
    SV-20288r1_rule EMG2-031 Exch2K3 MEDIUM The Exchange E-mail Services environment is not protected by an Edge Transport Server (E-Mail Secure Gateway) performing Non-existent recipient filtering at the perimeter. SPAM originators, in an effort to refine mailing lists, sometimes use a technique where they first create fictitious names, then monitor rejected E-mails for non-existent recipients. Those not rejected, of course, are deemed to exist, and are therefore
    SV-20290r1_rule EMG2-024 Exch2K3 MEDIUM The Mailbox server is not protected by having filtered messages archived by the Edge Transport Role server (E-mail Secure Gateway) at the perimeter. By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server environment. This significantly reduces the attack vector for inbo
    SV-20292r1_rule EMG2-026 Exch2K3 MEDIUM The Mailbox server is not protected by having blank sender messages filtered by the Edge Transport Role server (E-mail Secure Gateway) at the perimeter. By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server environment. Anonymous E-mail (messages with blank sender fields)
    SV-20294r1_rule EMG2-021 Exch2K3 MEDIUM The E-Mail server is not protected by having connections from “Sender Filter” sources dropped by the Edge Transport Server role (E-Mail Secure Gateway) at the perimeter. SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to unfiltered inbound messages can reduce the risk of SPAM and malwar
    SV-20302r1_rule EMG1-002 Exch2K3 LOW Unneeded OMA E-mail Web Virtual Directory is not removed. To reduce the vectors through which a server can be attacked, unneeded application components should be disabled or removed. By default, a virtual directory is installed for OMA, and the Exchange application default has OMA disabled. If an attacker wer
    SV-20304r1_rule EMG1-004 Exch2K3 LOW Unneeded Active Sync E-mail Web Virtual Directory is not removed. To reduce the vectors through which a server can be attacked, unneeded application components should be disabled or removed. By default, a virtual directory is installed for Active Sync, and the Exchange application default has Active Sync disabled. If
    SV-20306r1_rule EMG1-012 Exch2K3 LOW Unneeded "Public" E-mail Virtual Directory is not removed. To reduce the vectors through which a server can be attacked, unneeded application components should be disabled or removed. By default, a virtual directory is installed for Public Folders. If an attacker were to intrude into an Exchange Front-End serv
    SV-20310r1_rule EMG2-713 Exch2K3 LOW Connectors are not clearly named as to direction or purpose. E-mail system availability depends in part on best practices strategies for setting tuning configurations. For connectors, unclear naming as to direction and purpose increases risk that messages may not flow as intended, troubleshooting efforts may be i
    SV-20312r1_rule EMG2-710 Exch2K3 MEDIUM Message size restrictions are specified on routing group connectors. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. For message size restrictions, multiple places exist to set or override inbound or outbound message size. Failure to control the configuration st
    SV-20314r1_rule EMG2-123 Exch2K3 LOW The Outbound Delivery Retry Values are not at the Defaults, or do not have alternate values documented in the System Security Plan. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This setting controls the rate at which delivery attempts from the home domain are retried, user notification is issued, and expiration timeout wh
    SV-20316r1_rule EMG2-130 Exch2K3 LOW SMTP Maximum Hop Count is not 30. E-mail system availability depends in part on best practices strategies for setting tuning configurations. This setting controls the maximum number of hops (E-mail servers traversed) a message may take as it travels to its destination. Part of the origi
    SV-20318r1_rule EMG2-126 Exch2K3 LOW SMTP Maximum outbound connections are not at 1000, or an alternate value is not documented in System Security Plan. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This setting controls the maximum number of simultaneous outbound connections allowed for a given SMTP Virtual Server, and can be used to throttle
    SV-20320r1_rule EMG2-114 Exch2K3 LOW Maximum outbound connection timeout limit is not at 10 minutes or less. E-mail system availability depends in part on best practices strategies for setting tuning configurations. This configuration controls the number of idle minutes before the connection is dropped. It works in conjunction with the Maximum Outbound Conne
    SV-20322r1_rule EMG2-120 Exch2K3 LOW Outbound Connection Limit per Domain Count is not 100 or less. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This configuration controls the maximum number of simultaneous outbound connections from a domain, and works in conjunction with the Maximum Outbou
    SV-20324r1_rule EMG2-125 Exch2K3 LOW Inbound Connection Count Limit is not set to "Unlimited". E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This configuration controls the maximum number of simultaneous inbound connections allowed to the SMTP server. By default, the number of simultan
    SV-20326r1_rule EMG2-117 Exch2K3 LOW Maximum Inbound Connection Timeout Limit is not 10 or less. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This configuration controls the number of idle minutes before the connection is dropped. It works in conjunction with the Maximum Inbound Connec
    SV-20328r1_rule EMG2-250 Exch2K3 MEDIUM SMTP Connection Restrictions do not use the "Deny All" strategy. E-mail is only as secure as the recipient. Recipient SMTP servers that accept messages from all sources provide a way for rogue senders (such as SPAMMERS) or malicious users to insert message batches (that may be SPOOFED or FORGED) into the message tra
    SV-20330r1_rule EMG2-272 Exch2K3 LOW SMTP Sender, Recipient, or Connection Filters are not engaged. E-mail system availability depends in part on best practices strategies for setting tuning configurations. Careful tuning reduces the risk that system or network congestion will contribute to availability impacts. Filters that govern inbound E-mail e
    SV-20332r1_rule EMG2-251 Exch2K3 MEDIUM ExAdmin Virtual Directory is not Configured for Integrated Windows Authentication. Identification and Authentication provide the foundation for access control. The ExAdmin Virtual Directory is used by the Exchange System Manager to access mailboxes and Public Folders. This feature controls the authentication method used to connect to
    SV-20334r1_rule EMG2-730 Exch2K3 MEDIUM Routing Group is not selected as the SMTP connector scope. E-mail system availability depends in part on best practices strategies for setting tuning configurations. This setting determines which SMTP Servers are permitted to use this SMTP Connector, identifying those for which it is the most efficient link. F
    SV-20336r1_rule EMG2-721 Exch2K3 MEDIUM The SMTP connectors do not specify use of a “Smart Host”. E-mail system availability depends in part on best practices strategies for setting tuning configurations. In the case of identifying a ‘Smart Host’ for the E-Mail environment, the connector level is the preferred location for this configuration bec
    SV-20338r1_rule EMG2-736 Exch2K3 HIGH SMTP connectors allow unauthenticated relay. Identification and Authentication provide the foundation for access control. The key to preventing SPAM insertion into the SMTP message transfer path is to require authentication at each ‘hop’ of the journey from sender to receiver. Allowing unauthe
    SV-20340r1_rule EMG2-146 Exch2K3 MEDIUM SMTP virtual Server does not Restrict Relay Access. E-mail is only as secure as the recipient. This control is used to limit the servers that may use this server as a relay. If an Simple Mail Transport Protocol (SMTP) sender does not have a direct connection to the Internet (for example, an application t
    SV-20342r1_rule EMG2-131 Exch2K3 MEDIUM “Smart-Host” is specified at the Virtual Server level. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This control determines whether the entire Virtual Server routes its outbound Simple Mail Transfer Protocol (SMTP) messages through a single “Sma
    SV-20344r1_rule EMG2-148 Exch2K3 LOW The SMTP Virtual Server performs reverse DNS lookups for anonymous message delivery. E-mail system availability depends in part on best practices strategies for setting tuning configurations. This feature causes the server to use a Directory Naming Service (DNS) lookup to try to resolve the source of incoming E-mail for anonymous message
    SV-20346r1_rule EMG2-803 Exch2K3 MEDIUM Virtual Server default outbound security is not anonymous and TLS. Identification and Authentication provide the foundation for access control. The key to preventing SPAM insertion into the SMTP message transfer path is to require authentication at each ‘hop’ of the journey from sender to receiver. Failure to authe
    SV-20348r1_rule EMG2-143 Exch2K3 LOW The SMTP Virtual Server is configured to perform DNS lookups for anonymous E-mails. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This feature causes the server to use a Directory Naming Service (DNS) lookup to try to determine the source of each anonymous E-mail message.
    SV-20352r1_rule EMG2-811 Exch2K3 MEDIUM E-mail Diagnostic Logging is enabled during production operations. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Diagnostic logging, however, characteristically produces large volumes of data and requires care
    SV-20354r1_rule EMG2-810 Exch2K3 MEDIUM E-mail “Subject Line” logging is enabled during production operations. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. When “message tracking” is enabled, only the sender, recipients, time, and other delivery info
    SV-20360r1_rule EMG2-825 Exch2K3 MEDIUM SMTP Virtual Server Audit Records are not directed to a separate partition. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This setting controls the location of the SMTP Virtual Server log file. By default, these fil
    SV-20611r1_rule EMG2-831 Exch2K3 MEDIUM Exchange sends fatal errors to Microsoft. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This setting enables an automated log entry to be sent to Microsoft giving general details about
    SV-20612r1_rule EMG2-835 Exch2K3 MEDIUM Disk Space Monitoring is not Configured with Threshold and Action. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are re
    SV-20367r1_rule EMG2-807 Exch2K3 MEDIUM CPU Monitoring Notifications are not configured with threshold and action. Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Exchange 2003 built-in monitors enable the administrator to generate aler
    SV-20369r1_rule EMG2-813 Exch2K3 MEDIUM Virtual memory monitoring notifications are not configured with threshold and action. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are re
    SV-20371r1_rule EMG2-806 Exch2K3 MEDIUM SMTP Queue Monitor is not configured with a threshold and alert. Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Exchange 2003 built-in monitors enable the administrator to generate alerts
    SV-20377r1_rule EMG2-817 Exch2K3 MEDIUM Exchange Core Services Monitors are not configured with threshold and actions. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are re
    SV-20381r1_rule EMG2-266 Exch2K3 MEDIUM Users do not have correct permissions in the Public Virtual Server. The principle of Least Privilege ordinarily requires analysis to ensure that users and processes are granted only as much privilege as is required to function effectively, but no additional privileges that could enable mischief, either accidental or inten
    SV-20389r1_rule EMG2-340 Exch2K3 MEDIUM Mailboxes and messages are not retained until backups are complete. Backup and recovery procedures are an important part of overall system availability and integrity. Complete backups reduce the chance of accidental deletion of important information, and ensure that complete recoveries are possible. It is not uncom
    SV-20391r1_rule EMG2-344 Exch2K3 MEDIUM Public Folder stores and documents are not retained until backups are complete. Backup and recovery procedures are an important part of overall system availability and integrity. Complete backups reduce the chance of accidental deletion of important information, and ensure that complete recoveries are possible. It is not uncom
    SV-20393r1_rule EMG2-307 Exch2K3 LOW Mailbox Stores Restore Overwrite is enabled. E-mail system availability depends in part on best practices strategies for setting tuning configurations. Unauthorized or accidental restoration of mailbox data risks data loss or corruption. This setting controls whether the mailbox store can be
    SV-20395r1_rule EMG2-311 Exch2K3 LOW Public Folder Stores Restore Overwrite is enabled. E-mail system availability depends in part on best practices strategies for setting tuning configurations. Unauthorized or accidental restoration of public folder data risks data loss or corruption. This setting controls whether the public folder stor
    SV-20397r1_rule EMG2-317 Exch2K3 LOW E-mail message copies are not archived. For E-mail environments with sufficiently sensitive requirements (either legal or data classification), local e-mail policy may require that all messages sent or received from a given server be preserved. If local policy requires it for historical or lit
    SV-20405r1_rule EMG3-115 Exch2K3 MEDIUM E-mail application installation is sharing a partition with another application. In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of ot
    SV-20407r1_rule EMG3-823 Exch2K3 MEDIUM Audit data is sharing directories or partitions with the E-mail application. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considered sensitive, and in need of protection. Successful
    SV-20409r1_rule EMG1-110 Exch2K3 MEDIUM E-mail web applications are operating on non-standard ports. PPSM Standard defined ports and protocols must be used for all Exchange services. The standard port for HTTP connections is 80 and the standard port for HTTPS Connections is 443. Changing the ports to non-standard values provides only temporary and li
    SV-20411r1_rule EMG2-105 Exch2K3 MEDIUM E-mail SMTP services are using Non-PPSM compliant ports. Standard defined ports and protocols should be used for all Exchange services. The standard port for regular SMTP connections is 25. Changing the ports to non-standard values provides only temporary and limited protection against automated attacks si
    SV-20413r1_rule EMG2-109 Exch2K3 MEDIUM SMTP Virtual Server is not bound to the PPSM Standard Port. PPSM Standard defined ports and protocols must be used for all Exchange services. The default port for SMTP connections is 25. Changing the ports to non-standard values provides only temporary and limited protection against automated attacks since th
    SV-20425r1_rule EMG3-058 Exch2K3 MEDIUM E-mail software is not monitored for change on INFOCON frequency schedule. The INFOCON system provides a framework within which the Commander USSTRATCOM regional commanders, service chiefs, base/post/camp/station/vessel commanders, or agency directors can increase the measurable readiness of their networks to match operational p
    SV-20427r1_rule EMG3-802 Exch2K3 MEDIUM Security support data or process is sharing a directory or partition with Exchange. The Security Support Structure is a security control function or service provided by an external system or application. For example, a Windows Domain Controller that provides Identification and Authentication Services (Active Directory) may be at risk of
    SV-20429r1_rule EMG3-805 Exch2K3 MEDIUM Exchange software baseline copy does not exist. Exchange 2003 software, as with other application software installed on a host system, must be included in a system baseline record and periodically reviewed, otherwise unauthorized changes to the software may not be discovered. This effort is a vital st
    SV-20431r1_rule EMG2-327 Exch2K3 HIGH E-mail Public Folders do not require S/MIME capable clients. Identification and Authentication provide the foundation for access control. The ability for receiving users to authenticate the source of Public Folder messages helps to ensure that they are not FORGED or SPOOFED before they arrive. MIME (Multipurpos
    SV-20433r1_rule EMG2-271 Exch2K3 HIGH OWA Virtual Server has Forms-Based Authentication enabled. Identification and Authentication provide the foundation for access control. Access to E-Mail services applications in the DoD require authentication using DoD Public Key Infrastructure (PKI) certificates. The Exchange Virtual Server, which operates Out
    SV-20449r1_rule EMG1-007 Exch2K3 MEDIUM Default web site allows anonymous access. The Default Web site is the virtual server on which all Exchange virtual directories reside. This feature controls the authentication method used to connect to this virtual server and its virtual directories. Ensure that this is set to Integrated Windows
    SV-20451r1_rule EMG2-256 Exch2K3 HIGH OWA does not require only Integrated Windows Authentication. Identification and Authentication provide the foundation for access control. Access to E-mail services applications in the DoD require authentication using DoD Public Key Infrastructure (PKI) certificates. The Exchange Virtual Server, which controls O
    SV-20455r1_rule EMG2-133 Exch2K3 HIGH One or more SMTP Virtual Servers do not have a Valid Certificate. Server certificates are required for many security features in Exchange, and without them the server cannot engage in many forms of secure communication. Certificates must be manually installed on each virtual server. This means that installing a certif
    SV-20457r1_rule EMG2-840 Exch2K3 LOW Audit Records do not contain all required fields. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This item declares the fields that must be available in audit log file records in order to adequa
    SV-20464r1_rule EMG2-833 Exch2K3 MEDIUM The “Disable Server Monitoring” feature is enabled. Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. This setting controls whether all monitoring processes on this server are e
    SV-20470r1_rule EMG2-124 Exch2K3 MEDIUM SMTP Virtual Server Auditing is not active. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This setting controls the creation and format of log files used to monitor the interaction between
    SV-22062r1_rule EMG2-111 Exch2K3 MEDIUM Exchange Server is not protected by an Edge Transport Server (E-mail Secure Gateway) that performs Anonymous Connections interaction with Internet-based E-mail servers. E-mail is only as secure as the recipient. By ensuring secured connections for all Simple Mail Transfer Protocol (SMTP) servers along the message transfer path, risk of “Anonymous” message transfers by rogue servers is reduced. If all message trans
    SV-20491r1_rule EMG2-144 Exch2K3 MEDIUM SMTP Virtual Servers do not Require Secure Channels and Encryption. The Simple Mail Transfer Protocol (SMTP) Virtual Server is used by the Exchange System Manager to send and receive messages from server to server using SMTP protocol. This setting controls the encryption strength used for client connections to the SMTP V
    SV-20495r1_rule EMG2-743 Exch2K3 HIGH SMTP Connectors perform outbound anonymous connections. Identification and Authentication provide the foundation for access control. The key to preventing SPAM insertion into the SMTP message transfer path is to require authentication at each ‘hop’ of the journey from sender to receiver. Failure to authe
    SV-20498r1_rule EMG1-103 Exch2K3 HIGH Public Folder access does not require secure channels and encryption. Failure to require secure connections on a web site increases the potential for unintended decryption and data loss. This setting controls whether client machines should be forced to use secure channels to communicate with this virtual directory. If thi
    SV-20500r1_rule EMG1-105 Exch2K3 HIGH Outlook Web Access (OWA) does not require secure channels and encryption. Failure to require secure connections on a web site increases the potential for unintended decryption and data loss. This setting controls whether client machines should be forced to use secure channels to communicate with this virtual directory. If thi
    SV-20502r1_rule EMG2-305 Exch2K3 LOW ExAdmin is configured for Secure Channels and Encryption. ExAdmin Virtual Directory is used by the Exchange System Manager to access mailboxes and Public Folders. Users do not directly access the ExAdmin Virtual Directory. This feature controls the security setting used to determine whether client machines s
    SV-21318r1_rule EMG3-116 Exch2K3 MEDIUM SMTP service banner response reveals configuration details. Automated connection responses occur as a result of FTP or Telnet connections, when connecting to those services. They report a successful connection by greeting the connecting client, stating the name, release level, and (often) additional information
    SV-20514r1_rule EMG3-119 Exch2K3 MEDIUM E-mail Services accounts are not restricted to named services. Applications introduce some of the most common database attack avenues, and can provide a pathway for an unlimited number of malicious users to access sensitive data. An account responsible for Service execution, if compromised, may subject the data to u
    SV-20516r1_rule EMG3-145 Exch2K3 MEDIUM E-Mail service accounts are not operating at least privilege. Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. A securely designed E-Mail Services implementation includes
    SV-20520r1_rule EMG3-828 Exch2K3 MEDIUM E-mail restore permissions are not restricted to E-mail administrators. Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. The right to restore e-mail applications or data following a
    SV-20524r1_rule EMG3-121 Exch2K3 MEDIUM Services permissions do not reflect least privilege. Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. A securely designed E-mail Services Implementation includes t
    SV-20526r1_rule EMG3-824 Exch2K3 MEDIUM Exchange application permissions are not at vendor recommended settings. Default product installations may provide more generous permissions than are necessary to run the application. By examining and tailoring permissions to more closely provide the least amount of privilege possible, attack vectors that align with user perm
    SV-20528r1_rule EMG2-259 Exch2K3 MEDIUM Scripts are permitted to execute in the OWA Virtual Server. Scripts on virtual servers are a frequent cause of server compromises. Since this virtual (web) server is the primary interface between Exchange and the web, it is particularly at risk of compromise. Therefore, attack vectors via scripts and executables
    SV-20530r1_rule EMG2-275 Exch2K3 MEDIUM Scripts are permitted to execute in the Public Folder web server. Scripts on virtual servers are a frequent cause of server compromises. Since this virtual (web) server is the primary interface between Exchange and the web, it is particularly at risk of compromise. Therefore, attack vectors via scripts and executables
    SV-20532r1_rule EMG2-255 Exch2K3 MEDIUM Scripts are Permitted to Execute in the ExAdmin Virtual Server. The ExAdmin Virtual Server is used by the Exchange System Manager to access mailboxes and Public Folders. As such, it is a required part of the Exchange application. The Exchange System Manager is a central part of the Exchange application and without th
    SV-20534r1_rule EMG2-263 Exch2K3 MEDIUM Users do not have correct permissions in the OWA Virtual Server. The principle of Least Privilege ordinarily requires analysis to ensure that users and processes are granted only as much privilege as is required to function effectively, but no additional privileges that could enable mischief, either accidental or inten
    SV-20536r1_rule EMG2-269 Exch2K3 MEDIUM ExAdmin does not have correct permissions in the ExAdmin Virtual Server. The principle of Least Privilege ordinarily requires analysis to ensure that users and processes are granted only as much privilege as is required to function effectively, but no additional privileges that could enable mischief, either accidental or inten
    SV-20546r1_rule EMG2-303 Exch2K3 LOW Exchange application memory is not zeroed out after message deletion. Residual data left in memory after a transaction is completed adds risk that it can be used for malicious purposes in the event that access to the data is achieved. Applications may perform ‘logical delete’ functions, which make the data invisible to
    SV-20557r1_rule EMG2-038 Exch2K3 MEDIUM E-mail Services are not protected by having an Edge Transport Server (E-mail Secure Gateway) performing outbound message signing at the perimeter. Individual messages can be protected by requiring message signing at the creation point (Outlook), at the originator’s discretion, enabling integrity protection for their messages. However, messages can also be created by report generators and other ap
    SV-20559r1_rule EMG3-150 Exch2K3 MEDIUM E-Mail audit trails are not protected against unauthorized access. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considered sensitive, and in need of protection. Audit data ava
    SV-20561r1_rule EMG3-829 Exch2K3 HIGH E-mail servers do not have E-mail aware virus protection. With the proliferation of trojans, viruses, and SPAM attaching themselves to E-Mail messages (or attachments), it is necessary to have capable E-Mail Aware Anti-Virus (AV) products to scan messages and identify any resident malware. Because E-Mail messa
    SV-21025r1_rule EMG2-863 Exch2K3 MEDIUM Mailbox access control mechanisms are not audited for changes. Unauthorized or malicious data changes can compromise the integrity and usefulness of the data. Automated attacks or malicious users with elevated privileges have the ability to affect change using the same mechanisms as E-mail administrators. Auditing
    SV-21038r1_rule EMG2-718 Exch2K3 MEDIUM Message size restriction is specified at the SMTP connector level. E-mail system availability depends in part on best practices strategies for setting tuning configurations. For message size restrictions, multiple places exist to set or override inbound or outbound message size. Failure to control the configuration st
    SV-67615r1_rule EMG1-009 Exch2K3 HIGH Exchange Server Software that is no longer supported by the vendor for security updates must not be installed on a system. Exchange Server Software that is no longer supported by Microsoft for security updates is not evaluated or updated for vulnerabilities, leaving it open to potential attack. Organizations must transition to a supported Exchange Server Software to ensure co