Microsoft Exchange Server 2003

U_Exchange_2003_Server_V1R5_Manual-xccdf.xml

Guidance for Microsoft Exchange Server 2003 in the Mailbox Server, MTA, and Client Access (OWA) Server Roles.
Details

Version / Release: V1R5

Published: 2014-08-19

Updated At: 2018-09-23 02:27:56


Vuln | Rule Version | CCI | Severity | Title
(Each entry below gives these columns on its first line, followed by the description, any check, mitigation or procedure text the STIG supplies, and the responsible role and IA control.)

SV-20214r1_rule | EMG2-313 | Exch2K3 | MEDIUM | User mailboxes are hosted on non-Mailbox Server role.
Separation of roles supports operational security for the application as well as for the people who run it. By isolating a server role such as the Mailbox Role, the boundaries that protect Mailbox data need only be enforced on the Mailbox data server, so Mailbox-specific attack vectors and protocol traffic requirements can be secured more tightly. Mailbox data repositories should only be hosted on the Mailbox Server Role.
Responsibility: E-Mail Administrator. IA Controls: ECSC-1.

SV-20216r1_rule | EMG2-323 | Exch2K3 | HIGH | E-mail Server does not require S/MIME capable clients.
Identification and Authentication provide the foundation for access control. The ability of receiving users to authenticate the source of E-Mail messages helps to ensure that messages are not FORGED or SPOOFED before they arrive. MIME (Multipurpose Internet Mail Extensions) is an Internet standard that extends the format of e-mail and other web content to support character sets beyond ASCII in both the message and header, text and non-text attachments, and multi-part message bodies. All human-originated E-Mail messages are transmitted in MIME format. S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of e-mail encapsulated in MIME. Participants in S/MIME message exchanges must obtain and install an individual key/certificate from the DoD. S/MIME clients require that each participant own a certificate before allowing them to encrypt messages to others. To minimize the attack vectors opened by unsigned or unencrypted E-Mail, all clients in the enterprise must be updated to support S/MIME, and all mail servers must require S/MIME capability.
Responsibility: Information Assurance Officer, E-Mail Administrator. IA Controls: ECSC-1.

SV-20218r1_rule | EMG2-136 | Exch2K3 | LOW | E-mail user mailboxes do not have Storage Quota Limitations.
E-mail system availability depends in part on best-practice strategies for setting tuning configurations. These settings control the maximum size of a user's mailbox and the system's response if these limits are exceeded. Mailbox data that is not monitored against a quota increases the risk of mail loss due to filled disk space, which can also render the system unavailable. There are three controls, which supply graduated levels of opportunity to respond before risking data loss. The first control sends an E-mail warning to users stating that they have exceeded their mailbox quota. The second level sends the warning and causes users to receive, but not send, mail. The third level sends a warning message and causes users to neither receive nor send mail. Quota limits should be set as multiples of the "Maximum Message Size" so that a single message cannot carry a mailbox past a level without triggering it. As a practical matter, levels 1 and 2 serve the purpose of prompting users to manage their E-mail. Level 3 impedes users in their ability to work and is not required where mail interruption is not acceptable. User Mailbox Quota limitations are not a substitute for overall disk space monitoring.
Responsibility: Information Assurance Officer, E-Mail Administrator. IA Controls: ECSC-1.

SV-20220r1_rule | EMG2-139 | Exch2K3 | LOW | E-mail Public Folders do not have Storage Quota Limitations.
E-Mail system availability depends in part on best-practice strategies for setting tuning configurations. These settings control the maximum size of a Public Folder and the system's response if these limits are exceeded. There are two available controls, each with its own system response when the quota has been exceeded. The first control sends an E-mail warning to the Folder Owner roles alerting them that the folder has exceeded its quota. The second level prevents posting any additional items to the folder. As a practical matter, level 1 serves the purpose of prompting owners to manage their folders. Level 2 impedes users in their ability to work and is not required where folder use interruption is not acceptable. Public Folder Storage Quota Limitations are not a substitute for overall disk space monitoring.
Responsibility: Information Assurance Officer, E-Mail Administrator. IA Controls: ECSC-1.

SV-20222r1_rule | EMG2-507 | Exch2K3 | LOW | Public Folders Store storage quota limits are overridden.
E-mail system availability depends in part on best-practice strategies for setting tuning configurations. Some settings enable more granular control when it is needed for a specific circumstance; however, if a sound strategy is not planned for configuration placement, the risk increases that system integrity and availability could be compromised. This setting gives the Administrator a choice to either "Use Public Store Defaults" or override with different values. If "Use Public Store Defaults" is chosen, the Public Folder store's settings are applied to this folder and the other alert fields in this group are disabled. If "Use Public Store Defaults" is NOT selected, ALL of the storage limit controls in the Public Folder store will be ignored for this folder, and ALL behaviors will then have to be set in this panel and administered separately for this store. If overrides are needed for a Public Folder, they should be documented in the System Security Plan.
Check (EMG2-507): If the overrides are documented in the System Security Plan, this is an acceptable solution and "not a finding".
Responsibility: E-Mail Administrator. IA Controls: ECSD-1.

SV-20224r1_rule | EMG2-318 | Exch2K3 | LOW | Mailbox Stores "Do Not Mount at Startup" is enabled.
Administrator responsibilities include the ability to react to unplanned maintenance tasks or emergency situations that may require Mailbox data manipulation. Occasionally there may be a need to start the server with unmounted data stores while manual maintenance is performed on them. Failure to uncheck the "do not mount on startup" condition afterwards will result in unavailability of mail services. Correct configuration of this control prevents unplanned outages caused by leaving it enabled. On occasions when it is needed, the process steps should include clearing the check box upon task completion, so that mail stores are available to users (unmounted mailbox stores are not available to users).
Responsibility: E-Mail Administrator.

SV-20254r1_rule | EMG2-320 | Exch2K3 | MEDIUM | Public Folder Stores "Do not Mount at Startup" is enabled.
Administrator responsibilities include the ability to react to unplanned maintenance tasks or emergency situations that may require Public Folder Store data manipulation. Occasionally there may be a need to start the server with unmounted data stores while manual maintenance is performed on them. Failure to uncheck the "do not mount on startup" condition afterwards will result in unavailability of Public Folder services. Correct configuration of this control prevents unplanned outages caused by leaving it enabled. On occasions when it is needed, the process steps should include clearing the check box upon task completion, so that public folder stores are available to users (unmounted public folder stores are not available to users).
Responsibility: E-Mail Administrator. IA Controls: ECSC-1.

SV-20260r1_rule | EMG2-511 | Exch2K3 | LOW | Public Folder "Send on Behalf of" feature is in use.
The principle of non-repudiation gives a message recipient the assurance that the message can be attributed to the named sender. If users are allowed to send on behalf of other parties, there is a risk that receivers never realize the identity of the actual sender of the message. This can enable nefarious senders to mask their activities. The "Send on Behalf" field should be cleared (messages are not sent on behalf of any party). While the full "from" field displays both the actual sender and the party on whose behalf the message was sent, in many instances only the latter is shown. If "Send on behalf" is used, accounts with the ability should be documented and monitored to ensure this privilege is not being abused.
Check (EMG2-511): If the accounts with "Send on behalf of" rights are documented in the System Security Plan, the finding can be closed.
Responsibility: E-Mail Administrator. IA Controls: ECSC-1.

SV-20264r1_rule | EMG2-046 | Exch2K3 | MEDIUM | Automated Response Messages are Enabled.
SPAM originators, in an effort to refine mailing lists, sometimes monitor transmissions for automated bounce-back messages such as "Out of Office" replies. Automated messages include Out of Office responses, non-delivery messages, and automated message forwarding. Automated bounce-back messages can be used by a third party to determine user "liveness" on the server. This can disclose active user accounts to third parties, paving the way for future attacks. Mail forwarding is an automated feature that does not provide information to third parties, but it poses a risk on networks where classified or confidential information may be sent: if auto-forwarding is configured, sensitive information sent to this user's account may automatically be transferred outside the control of the organization. The "Default" format applies to all domains. However, if a new format is created and applied to a specific domain, that domain will use the new format's configuration while all other domains (those without specially designated formats) will use the Default format. Automated messages must be disabled to prevent inadvertent information disclosure about E-mail recipients.
Responsibility: E-Mail Administrator. IA Controls: ECSC-1.

SV-20266r1_rule | EMG2-013 | Exch2K3 | MEDIUM | Mailbox server is not protected by E-mail Edge Transport role (E-mail Secure Gateway) performing Global Accept/Deny list filtering.
SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to unfiltered inbound messages can reduce the risk of SPAM and malware impacts. The Global Accept and Deny List settings (sometimes referred to as 'White Lists' and 'Black Lists' respectively) admit or block messages originating from specific sources. Ideally, 'Black List' filtering is done at the perimeter of the network (using a commercial 'Block List' service), because eliminating threats there prevents them being evaluated inside the enclave, where there is more risk they can do harm. When no commercial 'Block List Service' is employed as the 'Black List', the values configured here perform similar filtering and can be used to supplement the sites identified by the 'Block List Service'. For example, during a 0-day threat action, entries can be added and then removed when the threat is mitigated. A common practice is to enter the enterprise's home domain in the 'Global Deny List' at a minimum, as inbound E-mail with a 'from' address in the home domain is very likely to be SPOOFED SPAM. The Accept List (the 'White List') overrides both the 'Deny List' and the 'Block List' Service: even if the 'Block List' says that a source is a spammer, inbound mail will still be received from it. Normally, no entry should appear in the Global Accept List. Note: Use of 'White List' entries can inadvertently lead to Denial of Service situations because inbound messages bypass the filtering mechanism.
Mitigation (EMG2-013): Severity can be overridden to Category III if the terms of the mitigation are met by configuring this SPAM protection on the first Exchange server receiving messages directly from the public Internet. Note: This mitigation is preferred to having no SPAM protection employed; however, it does not qualify as closing the open finding for perimeter protection.
Procedure: Exchange System Manager >> Global Settings >> Message Delivery >> Properties >> Connection Filtering tab >> Global Accept and Deny List configuration >> {List of entries}. Enter the home domain in the Global Deny List. Justify or remove other entries. The Global Accept List should remain empty.
Responsibility: Information Assurance Officer, E-Mail Administrator. IA Controls: ECSC-1.

SV-20268r1_rule | EMG2-029 | Exch2K3 | MEDIUM | Mailbox Server is not protected by an Edge Transport Server (E-mail Secure Gateway) performing SPAM evaluation.
By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitted into the mail server environment. SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to unfiltered inbound messages can reduce the risk of SPAM and malware impacts and significantly reduces the attack vector for inbound E-mail-borne SPAM and malware. SPAM evaluation (heuristic) filters scan inbound email messages for evidence of SPAM and other attacks that primarily use 'Social Engineering' techniques. Upon evaluation, a rating is assigned to each message estimating the likelihood of its being SPAM. When the message is received in the user's mailbox, the junk mail filter threshold determines whether the message will be withheld from delivery, delivered to the junk mail folder, or delivered to the user's inbox. For Exchange 2003 servers, Microsoft introduced the Intelligent Message Filter (IMF); beginning with Exchange 2003 SP2 it was included as part of the application. Since that time, however, it is recommended that such filtering occur at the network perimeter. That said, the risk of inbound SPAM can be somewhat mitigated by using the Microsoft IMF on the Exchange 2003 mail server, even as an interim measure, while planning for a more comprehensive Edge Transport Server (E-Mail Secure Gateway).
Mitigation (EMG2-029): Severity can be overridden to Category III if the terms of the mitigation are met by configuring this SPAM protection on an Exchange Server processing inbound messages: the Exchange Intelligent Message Filter (IMF) is engaged on the first Exchange 2003 Bridgehead server or Mailbox Server that receives inbound messages from anonymous Internet connections. Note: This mitigation is preferred to having no SPAM protection employed; however, it does not qualify as closing the open finding for perimeter protection.
Procedure: Configure IMF on the Exchange 2003 server. Exchange System Manager >> Global Settings >> Message Delivery >> Properties >> Intelligent Message Filtering tab. Set the Gateway Blocking Configuration; a usual first choice is 8. The "When blocking messages" choices are "Archive", "Delete", "No action", or "Reject". Note: An action of "Archive" requires sufficient disk space to host the archived messages, while "Delete" or "Reject" may contribute to inadvertent data loss. "No Action" forwards the message to the user carrying its evaluation score, where it may eventually be placed in the user's Junk Mail folder. Set the "Store Junk E-mail Configuration"; a usual first choice is 4. Then activate the filter on the SMTP virtual server: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Protocols >> SMTP >> [specific SMTP server] >> Properties >> General tab >> Advanced >> Edit, and check "Intelligent Message Filter (IMF)".
Responsibility: Information Assurance Officer, E-Mail Administrator. IA Controls: ECSC-1.

SV-20270r1_rule | EMG2-015 | Exch2K3 | MEDIUM | The Mailbox server is not protected by an Edge Transport Server Role (E-mail Secure Gateway) performing 'Block List' filtering.
SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to unfiltered inbound messages can reduce the risk of SPAM and malware impacts. Ideally, 'Block List' filtering is done at the perimeter of the network (using a commercial 'Block List' service), because eliminating threats there prevents them being evaluated inside the enclave, where there is more risk they can do harm. Block List Services are fee-based data providers that collect the IP addresses of known SPAMmers and other malware purveyors. Subscribers to these services benefit from more effective SPAM elimination (up to 90% of inbound mail volume) and from leveraging the E-Mail administration effort needed to maintain and update larger block lists than a single E-Mail site administrator could conveniently maintain. Neglecting to specify a 'Block List' would require E-Mail Administrators to manually enter addresses in the 'Deny List' field as they are discovered. The 'Block List' Services provider supplies the value for this field, usually the DNS suffix for their domain.
Mitigation (EMG2-015): Severity can be overridden to Category III if the terms of the mitigation are met by configuring this SPAM protection on an Exchange Server processing inbound messages: the Block List Services provider is configured on the Exchange 2003 Bridgehead server (MTA role) or the Exchange 2003 Mailbox server that is the first Exchange server receiving inbound SMTP messages from the public Internet. Note: This mitigation is preferred to having no Block List filtering protection employed; however, it does not qualify as closing the open finding for perimeter protection.
Procedure: Exchange System Manager >> Global Settings >> Message Delivery >> Properties >> Connection Filtering tab >> Block List Service Configuration >> {List of entries}. Click the ADD button and enter the Block List Service as specified by the vendor.
Responsibility: Information Assurance Officer, E-Mail Administrator. IA Controls: ECSC-1.

SV-20272r1_rule | EMG2-017 | Exch2K3 | MEDIUM | Mailbox server is not protected by an Edge Transport Server role (E-mail Secure Gateway) performing Block List exception filtering at the perimeter.
SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to inbound messages is one type of filtering that can reduce the risk of SPAM and malware impacts. Ideally, 'Block List' filtering is done at the perimeter of the network (using a commercial 'Block List' service), because eliminating threats there prevents them being evaluated inside the enclave, where there is more risk they can do harm. Block List Exceptions specify sources that should not be blocked despite their presence in a block list. Exceptions, if used, should be carefully vetted to ensure they are sources of legitimate email.
Mitigation (EMG2-017): Severity can be overridden to Category III if the terms of the mitigation are met by configuring this SPAM protection on an Exchange Server processing inbound messages: Block List Service Exceptions are configured on the Exchange 2003 Bridgehead (MTA role) server or Mailbox server where the Block List subscription is configured. Note: This mitigation is preferred to having no Block List filtering protection employed; however, it does not qualify as closing the open finding for perimeter protection.
Procedure: Configure (with documentation) or clear Block List exceptions on the Exchange server as follows: Exchange System Manager >> Global Settings >> Message Delivery >> Properties >> Connection Filtering tab >> Block List Service Configuration >> Exception button >> {List of IP addresses}.
Responsibility: Information Assurance Officer, E-Mail Administrator. IA Controls: ECSC-1.

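The following added example (Python, not Exchange code and not part of the STIG) models the evaluation order that EMG2-013, EMG2-015 and EMG2-017 together describe: Global Accept List first, then Global Deny List, then the Block List Service with its exceptions. The DNSBL answers, IP addresses, provider suffix (bl.example.net) and home domain (example.mil) are constructed or assumed. The global lists are modeled as IP/CIDR entries, with a separate list of denied sender domains standing in for the home-domain entry the STIG recommends.

```python
"""Evaluation order of Exchange 2003 connection filtering as the STIG rows
describe it: Global Accept List (overrides everything), then Global Deny
List, then the Block List Service minus its exceptions.
Added example, not Exchange code. Every address, the DNSBL zone, the
provider suffix and the home domain below are constructed/assumed."""
import ipaddress

HOME_DOMAIN = "example.mil"                       # assumed enterprise home domain
BLOCK_LIST_SUFFIX = "bl.example.net"              # assumed provider DNS suffix
# Constructed DNSBL zone: reversed-octet names the provider would answer.
# 198.51.100.10 is "listed"; everything else is not.
DNSBL_ZONE = {"10.100.51.198." + BLOCK_LIST_SUFFIX: "127.0.0.2"}


def dnsbl_query_name(ip: str, suffix: str) -> str:
    """Reverse the octets of an IPv4 address under the provider's suffix,
    the query form real block-list services use."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + suffix


def ip_in_list(ip: str, entries) -> bool:
    """Match a connecting IP against single-IP or CIDR entries."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in ipaddress.IPv4Network(e, strict=False) for e in entries)


def sender_domain(mail_from: str) -> str:
    return mail_from.rsplit("@", 1)[1].lower() if "@" in mail_from else ""


def connection_filter(peer_ip, mail_from, accept_list=(), deny_list=(),
                      deny_domains=(), block_list_exceptions=(), zone=DNSBL_ZONE):
    """Return (decision, reason) for one inbound SMTP connection."""
    # 1. Global Accept List: overrides the Deny List and the Block List
    #    Service. One careless entry lets a listed spammer straight through.
    if ip_in_list(peer_ip, accept_list):
        return "accept", "global accept list (bypasses all other filtering)"
    # 2. Global Deny List: locally maintained. deny_domains models the STIG
    #    advice to refuse Internet mail that claims the home domain as sender.
    if ip_in_list(peer_ip, deny_list):
        return "reject", "global deny list"
    if sender_domain(mail_from) in {d.lower() for d in deny_domains}:
        return "reject", "sender claims denied domain " + sender_domain(mail_from)
    # 3. Block List Service, unless the source is a vetted, documented exception.
    if ip_in_list(peer_ip, block_list_exceptions):
        return "accept", "block list exception (must be documented)"
    if dnsbl_query_name(peer_ip, BLOCK_LIST_SUFFIX) in zone:
        return "reject", "listed by block list service"
    return "accept", "no filter matched"


if __name__ == "__main__":
    print(connection_filter("198.51.100.10", "x@other.example"))
    print(connection_filter("198.51.100.10", "x@other.example",
                            accept_list=["198.51.100.0/24"]))
    print(connection_filter("203.0.113.5", "ceo@" + HOME_DOMAIN,
                            deny_domains=[HOME_DOMAIN]))
```

Run stand-alone it prints three cases: the listed source is rejected, the same source with an accept-list entry covering it is accepted despite the listing (the Denial of Service risk the row warns about), and Internet mail claiming the home domain is refused. The zone dict stands in for the provider's DNS; a real check would resolve the reversed-octet name instead of looking it up in a dict.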
SV-20274r1_rule | EMG2-043 | Exch2K3 | MEDIUM | Mailbox Server is not protected by an Edge Transport Server (E-mail Secure Gateway) performing Sender Authentication at the perimeter.
Email is only as secure as the recipient. When the recipient is an E-Mail server accepting inbound messages, authenticating the sender enables the receiver to better assess message quality and to validate the sending domain as authentic. One or more authentication techniques used in combination can be effective in reducing SPAM, PHISHING, and FORGERY attacks. There are two primary methods of sender authentication: Sender ID Framework (SIDF) and DomainKeys Identified Mail (DKIM). A SIDF receiver looks up specially formatted DNS records (SPF format) that list the IP addresses of the sending domain's authorized outbound servers and compares them with the connecting server and the data in the message header. Receivers can thereby validate the authenticity of the sending domain and eliminate PHISHING SPAM, and SIDF can be used in combination with DKIM. SIDF is a Microsoft creation and is available on Exchange 2003 servers. A DKIM receiver looks up DNS records that publish the public key of the sending domain's authorized outbound mail servers. The key is used to verify the signature carried in the message header, which shows whether the signed headers and body have been modified in transit. DKIM is not effective against replay attacks, but can detect forgeries. Some false positives are possible if intermediate E-Mail forwarders append text to the message body. DKIM merged Yahoo's DomainKeys with Cisco's Identified Internet Mail and is available on most Edge Transport Server (E-mail Secure Gateway) products.
Mitigation (EMG2-043): If SIDF methods are in place, the finding is downgraded to CAT III. SIDF is configured on the Exchange 2003 Bridgehead server or Mailbox Server that receives inbound messages from Internet sources. Note: This mitigation is preferred over having no SIDF protection at all; however, it does not qualify as closing the open finding for perimeter protection.
Procedure: Configure SIDF on the Exchange server that receives inbound E-mail from the public Internet. Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Protocols >> SMTP >> [specific SMTP server] >> Properties >> General tab >> Advanced button >> Edit. Select "Sender ID Filter". Note: Microsoft Exchange includes only the SIDF method of sender authentication. Senders that are successfully authenticated using this method are scored higher for non-spam likelihood. Senders that do not successfully authenticate are scored lower, or are immediately declared SPAM and processed according to the SPAM removal process configured for the site.
Responsibility: Information Assurance Officer, E-Mail Administrator. IA Controls: ECSC-1.

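An added example (Python, not Microsoft or Exchange code) of the SPF record evaluation that the Sender ID Filter performs against the sending server's IP address. The DNS answers are a constructed dict; only the ip4, a, include and all mechanisms are handled, and mx, ptr, exists and macros are left out. One caveat the row does not state: the Sender ID Filter applies the record to the Purported Responsible Address derived from the message headers (RFC 4406/4407), not only to the SMTP MAIL FROM that classic SPF (RFC 7208) checks, so a domain's record should be correct under both interpretations.

```python
"""Minimal SPF (v=spf1) evaluator, the record type a Sender ID check reads.
Added example, not Exchange code. DNS is a constructed dict; only the
ip4, a, include and all mechanisms are implemented."""
import ipaddress

# Constructed DNS: TXT (SPF) and A records for the demonstration domains.
TXT = {
    "example.mil": "v=spf1 ip4:203.0.113.0/24 a:relay.example.mil "
                   "include:_spf.partner.example -all",
    "_spf.partner.example": "v=spf1 ip4:198.51.100.50 ~all",
    "noreply.example": "v=spf1 ?all",
}
A = {"relay.example.mil": ["192.0.2.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, ip: str, depth: int = 0) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = TXT.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"                    # no SPF record published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # mechanisms are evaluated left to right
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":                # A record of the domain or of arg
            matched = ip in A.get((arg or domain).lower(), [])
        elif name == "include":          # recursive check; only "pass" matches
            matched = check_spf(arg, ip, depth + 1) == "pass"
        else:
            return "permerror"           # unsupported mechanism: broken record
        if matched:
            return QUALIFIERS[qual]      # first match decides the result
    return "neutral"                     # nothing matched and no "all" term


if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.25", "198.51.100.50", "198.51.100.51"):
        print(ip, "as example.mil ->", check_spf("example.mil", ip))
```

A "pass" is what the Sender ID Filter scores up; "fail" is what it scores down or rejects outright depending on the site's SPAM removal configuration; "none" (no record) is the common case for which the filter can draw no conclusion, which is why the row calls for SIDF at the perimeter rather than relying on Exchange alone.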
SV-20276r1_rule | EMG2-005 | Exch2K3 | MEDIUM | E-mail Server Global Sending or Receiving message size is set to Unlimited.
E-Mail system availability depends in part on best-practice strategies for setting tuning configurations. Message size limits should be set to 30 megabytes at most, and are often smaller depending on the organization. The key point is that the message size limit should be set globally and should not be set to 'unlimited'. Selecting the "no limit" radio button on either field is likely to result in abuse and can lead to rapid filling of server disk space. Message size limits may also be applied on Routing Group connectors, SMTP connectors, Public Folders, and on the user account in Active Directory. Changes at these lower levels are discouraged, as the single global setting is usually sufficient; this prevents conflicts that could impact availability and simplifies server administration.
Responsibility: E-Mail Administrator. IA Controls: ECSC-1.

SV-20278r1_rule | EMG2-010 | Exch2K3 | LOW | Sending or Receiving message size is not set to Unlimited on the SMTP virtual server.
E-mail system availability depends in part on best-practice strategies for setting tuning configurations. E-mail has become a necessary feature of information sharing, and controlling the message size limit in one place reduces the risk that servers become unavailable due to conflicting message size limits. Setting "unlimited" at the virtual server level lets the global setting prevail without being overridden at this level. The message size limit applies to E-mail and to other features that use the Simple Mail Transfer Protocol (SMTP), such as Public Folders. The default setting of 'no limit' at the virtual server level is recommended, and the global limit provides sufficient protection against excessively large messages passing through the virtual server. Message size limits may be applied on Virtual Servers, Routing Group connectors, SMTP connectors, Public Folders, and on the user account in Active Directory. Changes at these lower levels are discouraged, as the single global setting is usually sufficient; this prevents conflicts that could impact availability and simplifies server administration.
Responsibility: E-Mail Administrator. IA Controls: ECSC-1.

SV-20280r1_rule | EMG2-129 | Exch2K3 | LOW | The SMTP Virtual Server Session Size is not set to "Unlimited".
E-Mail system availability depends in part on best-practice strategies for setting tuning configurations. This setting controls the maximum SMTP Virtual Server session size (inbound and outbound) and applies globally to the Simple Mail Transfer Protocol (SMTP). If the session size limit is set too low, the SMTP server may spawn more sessions, which increases the risk that other configured limits will be reached. Session resource usage is better controlled by limiting the number of messages in a session. It is recommended that this setting remain at the default of 'Unlimited'.
Responsibility: E-Mail Administrator. IA Controls: ECSC-1.

SV-20282r1_rule | EMG2-149 | Exch2K3 | LOW | The SMTP Virtual Server Message Count Limit is not 20.
E-Mail system availability depends in part on best-practice strategies for setting tuning configurations. This setting controls the maximum number of messages allowed in a single SMTP session, breaking large batches of messages into multiple sessions. This configuration is the preferred place to control session size.
Check (EMG2-149): The default value of 20 is appropriate for most environments. If the message limit is set too high or disabled, a batch of messages is more likely to fit in a single session rather than use parallel sessions. If the limit is set too low, the additional session start-up cost may outweigh the advantage of processing sets of messages in parallel. Balancing resource use in this way optimizes system availability. In some environments there may be a valid reason to modify this setting; if a change is justified and documented in the System Security Plan, this is an acceptable solution and 'not a finding'.
Responsibility: E-Mail Administrator. IA Controls: ECSC-1.

SV-20284r1_rule | EMG2-107 | Exch2K3 | MEDIUM | Message Recipient Count Limit is not limited on the SMTP virtual server.
E-Mail system availability depends in part on best-practice strategies for setting tuning configurations. The Global Message Recipient Limit determines the total number of recipients that can be addressed on a single message. At the virtual server level, this field is set to a limited size and controls the maximum number of recipients who receive a copy of the message in one transmission. It is intended to improve efficiency by forcing messages addressed to a greater number of recipients to be sent out as multiple messages.
Check (EMG2-107): The default value of 64000 is appropriate for most environments. In some environments there may be a valid reason to modify this setting. If the setting is changed to a lower value and the change is justified, authorized by the IAO, and documented in the System Security Plan, this is an acceptable solution and 'not a finding'.
Responsibility: E-Mail Administrator. IA Controls: ECSC-1.

SV-20286r1_rule | EMG2-006 | Exch2K3 | LOW | The Global Recipient Count limit is set to "Unlimited".
E-Mail system availability depends in part on best-practice strategies for setting tuning configurations. The Global Recipient Count limit controls the maximum number of recipients that can be specified in a single message sent from this server. Its primary purpose is to minimize the chance of an internal sender spamming other recipients, since SPAM messages often have a large number of recipients. SPAM can originate from both outside and inside the organization; while inbound SPAM is evaluated as it arrives, controls such as this one help prevent SPAM that originates inside the organization. The Recipient Count Limit is global to the Exchange implementation. Lower-level refinements are possible; however, in this configuration strategy, setting the value once at the global level ensures a more available system by eliminating potential conflicts among multiple settings. A value of 5000 or less is probably larger than most organizations need, but is small enough to minimize usefulness to spammers and is easily handled by Exchange. Selecting the "no limit" radio button for this item is likely to result in abuse.
Responsibility: E-Mail Administrator. IA Controls: ECSC-1.

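The limits that EMG2-136, EMG2-005, EMG2-010, EMG2-129, EMG2-149, EMG2-107 and EMG2-006 prescribe, collected into one audit function. This is an added example, not Exchange code and not supplied by the STIG: the configuration dict holds the values an administrator reads off the Exchange System Manager dialogs (None standing for a "No limit" radio button), GOOD and BAD are constructed sample configurations, and the quota check implements the "multiples of Maximum Message Size" advice as a requirement that each quota tier be at least one maximum message above the previous one.

```python
"""Audit of the Exchange 2003 size, count and quota limits the STIG rows
prescribe. Added example, not Exchange code. Sizes are bytes; None means
the "No limit" radio button; GOOD and BAD are constructed samples."""

MB = 1024 * 1024

GOOD = {
    "global_send_size": 10 * MB, "global_receive_size": 10 * MB,
    "vs_send_size": None, "vs_receive_size": None, "vs_session_size": None,
    "vs_message_count": 20, "vs_recipient_limit": 64000,
    "global_recipient_limit": 5000,
    "mailbox_quota_tiers": [200 * MB, 210 * MB, 220 * MB],
}
BAD = dict(GOOD, global_send_size=30 * MB, global_receive_size=None,
           vs_send_size=50 * MB, vs_message_count=100,
           global_recipient_limit=None,
           mailbox_quota_tiers=[200 * MB, 205 * MB])


def check_tuning(cfg: dict, documented=()) -> list:
    """Return (rule, message) findings; documented lists rule IDs whose
    deviation is justified in the System Security Plan."""
    found = []

    def finding(rule, msg):
        if rule not in documented:
            found.append((rule, msg))

    max_msg = cfg.get("global_send_size")
    # EMG2-005: global sending/receiving sizes set, and at most 30 MB.
    for key in ("global_send_size", "global_receive_size"):
        v = cfg.get(key)
        if v is None:
            finding("EMG2-005", f"{key} is No limit")
        elif v > 30 * MB:
            finding("EMG2-005", f"{key} is {v // MB} MB, over 30 MB")
    # EMG2-010 / EMG2-129: the virtual server must not override the global
    # sizes, so its size and session-size fields stay at No limit.
    for key, rule in (("vs_send_size", "EMG2-010"), ("vs_receive_size", "EMG2-010"),
                      ("vs_session_size", "EMG2-129")):
        if cfg.get(key) is not None:
            finding(rule, f"{key} overrides the global setting")
    # EMG2-149: 20 messages per SMTP session unless a deviation is documented.
    if cfg.get("vs_message_count") != 20:
        finding("EMG2-149", f"vs_message_count is {cfg.get('vs_message_count')}, expected 20")
    # EMG2-107: recipients per message at the virtual server must be limited.
    if cfg.get("vs_recipient_limit") is None:
        finding("EMG2-107", "vs_recipient_limit is No limit")
    # EMG2-006: global recipient limit set, and small enough to be useless to spammers.
    g = cfg.get("global_recipient_limit")
    if g is None:
        finding("EMG2-006", "global_recipient_limit is No limit")
    elif g > 5000:
        finding("EMG2-006", f"global_recipient_limit {g} exceeds 5000")
    # EMG2-136: quota tiers present, ascending, and spaced at least one
    # maximum message apart so a single message cannot skip a warning level.
    tiers = cfg.get("mailbox_quota_tiers") or []
    if not tiers:
        finding("EMG2-136", "no mailbox storage quota tiers")
    prev = 0
    for i, t in enumerate(tiers):
        if t <= prev or (max_msg is not None and t - prev < max_msg):
            finding("EMG2-136", f"quota tier {i + 1} ({t // MB} MB) is less than one "
                                f"maximum message above the previous level")
            break
        prev = t
    return found


if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_tuning(cfg) or "compliant")
```

The `documented` parameter mirrors the STIG's own escape hatch: EMG2-149 and EMG2-107 allow a justified, documented deviation to be "not a finding", so passing those rule IDs suppresses them without hiding any other finding.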
SV-20288r1_rule | EMG2-031 | Exch2K3 | MEDIUM | The Exchange E-mail Services environment is not protected by an Edge Transport Server (E-Mail Secure Gateway) performing Non-existent recipient filtering at the perimeter.
SPAM originators, in an effort to refine mailing lists, sometimes create fictitious recipient names and then monitor which E-mails are rejected for non-existent recipients. Those not rejected are deemed to exist and are used in future SPAM mailings. To prevent this disclosure of existing E-Mail accounts to SPAMmers, this feature should not be employed. Instead, all messages should be received, then evaluated and disposed of, without enabling the sender to distinguish existing from non-existent recipients.
Mitigation (EMG2-031): Severity can be overridden to Category III if the terms of the mitigation are met by configuring this SPAM protection on an Exchange Server processing inbound messages: non-existent recipient filtering is configured on the MTA Server role (Exchange 2003 Bridgehead server) or Exchange 2003 Mailbox server where Recipient Filtering is configured. Note: This mitigation is preferred to having no recipient filtering protection employed; however, it does not qualify as closing the open finding for perimeter protection.
Procedure: Exchange System Manager >> Global Settings >> Message Delivery >> Properties >> Recipient Filtering. Clear the "filter recipients who are not in the directory" check box.
Responsibility: Information Assurance Officer, E-Mail Administrator. IA Controls: ECSC-1.

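Why EMG2-031 says to clear the "filter recipients who are not in the directory" box: the leak is visible in the SMTP dialog itself. The added example below (Python, not Exchange code and not from the STIG) plays both sides of a directory-harvest session against a constructed two-user directory under each policy; the attacker keeps whatever RCPT TO was not rejected, and never sends DATA.

```python
"""Directory harvest against RCPT TO, the leak that rejecting unknown
recipients at the SMTP session creates. Added example, not Exchange code.
The directory, probe list and attacker address are constructed; the reply
codes are the standard RFC 5321 ones an MTA sends."""

DIRECTORY = {"alice@example.mil", "bob@example.mil"}          # constructed
PROBES = ["alice@example.mil", "bob@example.mil",             # constructed guesses
          "carol@example.mil", "dave@example.mil"]


def rcpt_reply(address: str, reject_unknown: bool) -> str:
    """Reply the receiving MTA gives to RCPT TO:<address>.

    reject_unknown=True is the filter enabled; False is the STIG setting,
    where every recipient is accepted and unknown ones are discarded later,
    after the session, so the sender learns nothing."""
    if reject_unknown and address.lower() not in DIRECTORY:
        return "550 5.1.1 User unknown"
    return "250 2.1.5 Recipient OK"


def dialog(candidates, reject_unknown: bool) -> list:
    """Both sides of one SMTP session probing every candidate address."""
    lines = [("MAIL FROM:<probe@attacker.example>", "250 2.1.0 Sender OK")]
    for addr in candidates:
        lines.append((f"RCPT TO:<{addr}>", rcpt_reply(addr, reject_unknown)))
    lines.append(("RSET", "250 2.0.0 Resetting"))   # no DATA: cost to the attacker is nil
    return lines


def harvest(candidates, reject_unknown: bool) -> set:
    """What the attacker learns: addresses whose RCPT TO was not rejected."""
    return {addr for addr in candidates
            if rcpt_reply(addr, reject_unknown).startswith("250")}


def leaks_directory(candidates, reject_unknown: bool) -> bool:
    """True when the replies let the attacker tell real users from guesses."""
    return harvest(candidates, reject_unknown) != set(candidates)


if __name__ == "__main__":
    for policy in (True, False):
        print(f"reject_unknown={policy}:")
        for client, server in dialog(PROBES, policy):
            print("  C:", client)
            print("  S:", server)
        print("  harvested:", sorted(harvest(PROBES, policy)))
```

With the filter on, the harvested set is exactly the directory; with it off, the attacker's list is indistinguishable from the guesses, which is the whole point of the row. The trade-off the STIG accepts is that the server then takes delivery of mail for non-existent users and must discard it internally rather than refusing it at RCPT TO.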
SV-20290r1_rule | EMG2-024 | Exch2K3 | MEDIUM | The Mailbox server is not protected by having filtered messages archived by the Edge Transport Role server (E-mail Secure Gateway) at the perimeter.
By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitted into the mail server environment. This significantly reduces the attack vector for inbound E-mail-borne SPAM and malware. As messages are filtered, it is prudent to hold them temporarily in an archive for evaluation by administrators or users. The archive can be used to recover messages that were filtered inappropriately, preventing data loss, and provides a base of analysis for future filter refinements.
Mitigation (EMG2-024): Severity can be overridden to Category III if the terms of the mitigation are met by configuring this SPAM protection on an Exchange Server processing inbound messages: filtered message archiving is configured on the Exchange 2003 Bridgehead server or Mailbox server where Sender Filtering is configured. Note: This mitigation is preferred to having no sender filtering protection employed; however, it does not qualify as closing the open finding for perimeter protection.
Procedure: Exchange System Manager >> Global Settings >> Message Delivery >> Properties >> Sender Filtering. Select the "Archive Filtered Messages" check box. Note: If a reminder dialog appears advising that the sender filter must be enabled, click 'OK'. A separate checklist item requires the filter to be enabled; a finding is produced if the filter is not enabled, and it is addressed at the resolution of that finding.
Responsibility: Information Assurance Officer, E-Mail Administrator. IA Controls: ECSC-1.

SV-20292r1_rule EMG2-026 Exch2K3 MEDIUM The Mailbox server is not protected by having blank sender messages filtered by the Edge Transport Role server (E-mail Secure Gateway) at the perimeter. By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server environment. Anonymous E-mail (messages with blank sender fields) cannot be replied to. Messages formatted in this way may be attempting to hide their true origin to avoid responses, or to SPAM any receiver with impunity while hiding their source of origination. Rather than spend resources and risk infection while evaluating them, it is recommended that these messages be filtered immediately upon receipt and not forwarded to end users. Severity can be overridden to Category III if the terms of the mitigation are met by configuring this SPAM protection on an Exchange Server processing inbound messages. The blank sender filter is configured on the MTA Server Role (Exchange 2003 Bridgehead Server) or Exchange 2003 Mailbox server where Sender Filtering is configured. Note: This mitigation is preferred to having no sender filtering protection employed; however, it does not qualify as closing the open finding for perimeter protection. Procedure: Exchange System Manager >> Global Settings >> Message Delivery >> Properties >> Sender Filtering. Select the “Filter Messages with Blank Sender” checkbox. Information Assurance Officer; E-Mail Administrator; ECSC-1
SV-20294r1_rule EMG2-021 Exch2K3 MEDIUM The E-Mail server is not protected by having connections from “Sender Filter” sources dropped by the Edge Transport Server role (E-Mail Secure Gateway) at the perimeter. SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to unfiltered inbound messages can reduce the risk of SPAM and malware impacts. It is recommended that the “drop connections” action be taken when inbound requests are from addresses that match sender filters (such as those on the Block List), and that it be performed in the perimeter network by an E-Mail Secure Gateway server, because eliminating threats there prevents them being evaluated inside the enclave where there is more risk they can do harm. If the other party has other messages to send, it must re-initiate the Simple Mail Transfer Protocol (SMTP) connection to start sending the next message (as opposed to simply continuing the current connection). This will slow down the rate at which this blocked sender is able to send messages to the server, further mitigating the potential for a Denial of Service attack. Severity can be overridden to Category III if the terms of the mitigation are met by configuring this SPAM protection on an Exchange Server processing inbound messages. “Drop connections from ‘sender filter’ sources” is configured on the MTA Server Role (Exchange 2003 Bridgehead) server or Exchange 2003 Mailbox server where Sender Filtering is configured. Note: This mitigation is preferred to having no sender filtering protection employed; however, it does not qualify as closing the open finding for perimeter protection. Procedure: Exchange System Manager >> Global Settings >> Message Delivery >> Properties >> Sender Filtering. Select the “Drop Connection if Sender Matches Filter” checkbox. Information Assurance Officer; E-Mail Administrator; ECSC-1
SV-20302r1_rule EMG1-002 Exch2K3 LOW Unneeded OMA E-mail Web Virtual Directory is not removed. To reduce the vectors through which a server can be attacked, unneeded application components should be disabled or removed. By default, a virtual directory is installed for OMA, and the Exchange application default has OMA disabled. If an attacker were to intrude into an Exchange Front-End server and reactivate OMA, this attack vector could once again be open, provided the virtual directory were present. Once removed, the OMA functionality cannot be used without restoring the virtual directory, which is not a trivial process. E-Mail Administrator; ECSC-1
SV-20304r1_rule EMG1-004 Exch2K3 LOW Unneeded Active Sync E-mail Web Virtual Directory is not removed. To reduce the vectors through which a server can be attacked, unneeded application components should be disabled or removed. By default, a virtual directory is installed for Active Sync, and the Exchange application default has Active Sync disabled. If an attacker were to intrude into an Exchange Front-End server and reactivate Active Sync, this attack vector could once again be open, provided the virtual directory were present. Once removed, the Active Sync functionality cannot be used without restoring the virtual directory, which is not a trivial process. E-Mail Administrator; ECSC-1
SV-20306r1_rule EMG1-012 Exch2K3 LOW Unneeded "Public" E-mail Virtual Directory is not removed. To reduce the vectors through which a server can be attacked, unneeded application components should be disabled or removed. By default, a virtual directory is installed for Public Folders. If an attacker were to intrude into an Exchange Front-End server and be able to access the public folder web site, it would provide an additional attack vector, provided the virtual directory were present. Once removed, the Public functionality cannot be used without restoring the virtual directory, which is not a trivial process. E-Mail Administrator; ECSC-1
SV-20310r1_rule EMG2-713 Exch2K3 LOW Connectors are not clearly named as to direction or purpose. E-mail system availability depends in part on best practices strategies for setting tuning configurations. For connectors, unclear naming as to direction and purpose increases the risk that messages may not flow as intended, that troubleshooting efforts may be impaired, or that incorrect assumptions are made about the completeness of the configuration. Collectively, connectors should account for all connections required for the overall E-Mail topology design. Simple Mail Transfer Protocol (SMTP) connectors, when listed, must name purpose and direction clearly, and their counterparts on servers to which they connect should be recognizable as their partners. E-Mail Administrator; ECSC-1
SV-20312r1_rule EMG2-710 Exch2K3 MEDIUM Message size restrictions are specified on routing group connectors. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. For message size restrictions, multiple places exist to set or override inbound or outbound message size. Failure to control the configuration strategy can result in loss of data or system availability. This setting enables the administrator to control the maximum size of outgoing messages on a Routing Group connector. It is recommended that, in general, no limits are applied at the connector level. This is done so that connectors do not end up prohibiting the delivery of messages that would otherwise be permitted by the Exchange configuration at the virtual server level. Using connectors to control size limits at an enterprise-wide level is discouraged since the limits would need to be applied to every potential connector in order to create an effective enterprise-wide limit. E-Mail Administrator; ECSC-1
SV-20314r1_rule EMG2-123 Exch2K3 LOW The Outbound Delivery Retry Values are not at the Defaults, or do not have alternate values documented in the System Security Plan. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This setting controls the rate at which delivery attempts from the home domain are retried, when user notification is issued, and the expiration timeout after which the message will be discarded. If delivery retry attempts are too frequent, servers will generate network congestion. If too far apart, then messages may remain queued longer than necessary, potentially raising disk resource requirements. The default values of these fields should be adequate for most environments. Administrators may wish to modify the values as a result, but changes should be documented in the System Security Plan. E-Mail Administrator; ECSC-1
SV-20316r1_rule EMG2-130 Exch2K3 LOW SMTP Maximum Hop Count is not 30. E-mail system availability depends in part on best practices strategies for setting tuning configurations. This setting controls the maximum number of hops (E-mail servers traversed) a message may take as it travels to its destination. Part of the original Internet protocol implementation, the hop count limit prevents a message being passed in a routing loop indefinitely. Messages exceeding the maximum hop count are discarded undelivered. Recent studies indicate that virtually all messages can be delivered in fewer than 25 hops, well within the current default of 30. If the hop count is set too low, messages may expire before they reach their destinations. If set too high, an undeliverable message may cycle between servers, raising the risk of network congestion. E-Mail Administrator; ECSC-1
SV-20318r1_rule EMG2-126 Exch2K3 LOW SMTP Maximum outbound connections are not at 1000, or an alternate value is not documented in the System Security Plan. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This setting controls the maximum number of simultaneous outbound connections allowed for a given SMTP Virtual Server, and can be used to throttle the SMTP service if resource constraints warrant it. If the limit is too low, connections may be dropped. If too high, some domains may use a disproportionate resource share, denying access to other domains. Appropriate tuning reduces the risk of data delay or loss. E-Mail Administrator; ECSC-1
SV-20320r1_rule EMG2-114 Exch2K3 LOW Maximum outbound connection timeout limit is not at 10 minutes or less. E-mail system availability depends in part on best practices strategies for setting tuning configurations. This configuration controls the number of idle minutes before the connection is dropped. It works in conjunction with the Maximum Outbound Connections Count setting. Connections, once established, may incur delays in message transfer. The default of 10 minutes is a reasonable window in which to resume activities without maintaining idle connections for excessive intervals. If the timeout period is too long, idle connections may be maintained for unnecessarily long time periods, preventing new connections from being established. Sluggish connectivity increases the risk of lost data. A value of 10 or less is optimal. E-Mail Administrator; ECSC-1
SV-20322r1_rule EMG2-120 Exch2K3 LOW Outbound Connection Limit per Domain Count is not 100 or less. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This configuration controls the maximum number of simultaneous outbound connections to a domain, and works in conjunction with the Maximum Outbound Connections Count setting as a delivery tuning mechanism. If the limit is too low, connections may be dropped. If too high, some domains may use a disproportionate resource share, denying access to other domains. Appropriate tuning reduces the risk of data delay or loss. By default, a limit of 100 simultaneous outbound connections per domain should be sufficient. The value may be adjusted downward if justified by local site conditions. E-Mail Administrator; ECSC-1
SV-20324r1_rule EMG2-125 Exch2K3 LOW Inbound Connection Count Limit is not set to "Unlimited". E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This configuration controls the maximum number of simultaneous inbound connections allowed to the SMTP server. By default, the number of simultaneous inbound connections is unlimited. If a limit is set and is too low, the connection pool may fill up. If attackers perceive there is a limit, they could deny service to the Simple Mail Transfer Protocol (SMTP) server using only a limited number of connections; with the count set to unlimited, attackers would need many more connections to cause a denial of service. E-Mail Administrator; ECSC-1
SV-20326r1_rule EMG2-117 Exch2K3 LOW Maximum Inbound Connection Timeout Limit is not 10 or less. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This configuration controls the number of idle minutes before the connection is dropped. It works in conjunction with the Maximum Inbound Connections Count setting. Connections, once established, may incur delays in message transfer. The default of 10 minutes is a reasonable window in which to resume activities without maintaining idle connections for excessive intervals. If the timeout period is too long, idle connections may be maintained for unnecessarily long time periods, preventing new connections from being established. Sluggish connectivity increases the risk of lost data. A value of 10 or less is optimal. E-Mail Administrator; ECSC-1
SV-20328r1_rule EMG2-250 Exch2K3 MEDIUM SMTP Connection Restrictions do not use the "Deny All" strategy. E-mail is only as secure as the recipient. Recipient SMTP servers that accept messages from all sources provide a way for rogue senders (such as SPAMMERS) or malicious users to insert message batches (that may be SPOOFED or FORGED) into the message transfer path. This setting controls which IP addresses are allowed to connect to this Virtual Server to download messages. Two strategies exist for this control, “Deny None” or “Deny All”. Exceptions can be listed in the form of IP addresses, which can also be wildcarded as subnet groups. To significantly reduce the attack vector for unauthorized connections, the “Deny All” approach must be used, stating authorized connections from “only the list below”. Depending on the server’s role in the infrastructure, the list of clients or other SMTP servers authorized to connect to this virtual server should be specified. E-Mail Administrator; ECSC-1
SV-20330r1_rule EMG2-272 Exch2K3 LOW SMTP Sender, Recipient, or Connection Filters are not engaged. E-mail system availability depends in part on best practices strategies for setting tuning configurations. Careful tuning reduces the risk that system or network congestion will contribute to availability impacts. Filters that govern inbound E-mail evaluation can significantly reduce SPAM, PHISHING, and SPOOFED E-mails. Filters for messages from blank senders, known SPAMMERS, or 0-day attack modifications must be enabled to be effective. Even if filtering is not being performed on the Exchange servers, there is no adverse effect from having the filters enabled (even if no configuration exists for the filter itself). It may prevent accidental omission in the event that a filter is configured in the future. If one of the filters does have configuration values, failure to enable the filter will result in no action being taken. This setting should always be enabled. E-Mail Administrator; ECSC-1
SV-20332r1_rule EMG2-251 Exch2K3 MEDIUM ExAdmin Virtual Directory is not Configured for Integrated Windows Authentication. Identification and Authentication provide the foundation for access control. The ExAdmin Virtual Directory is used by the Exchange System Manager to access mailboxes and Public Folders. This feature controls the authentication method used to connect to this virtual directory. This setting should be set to Integrated Windows Authentication only. Anonymous access provides no access control for this virtual directory, Basic authentication transmits the password in the clear, and the other methods are not recommended by Microsoft for this control. Failure to configure this as per the recommendations may result in unrestricted access to this directory, passwords being sent in the clear, and/or the inability to correctly authenticate, depending on which change is made. E-Mail Administrator; ECSC-1
SV-20334r1_rule EMG2-730 Exch2K3 MEDIUM Routing Group is not selected as the SMTP connector scope. E-mail system availability depends in part on best practices strategies for setting tuning configurations. This setting determines which SMTP Servers are permitted to use this SMTP Connector, identifying those for which it is the most efficient link. Failure to control SMTP network connections risks slow or lost data due to inefficient links between SMTP connections. Selecting “Entire Organization” allows any computer in the Exchange organization to use this connector. Selecting “Routing Group” means only those members of the connector's routing group may use the connector. Use of the connector should be limited to the Routing Group in order to limit and control general network connectivity. E-Mail Administrator; ECSC-1
SV-20336r1_rule EMG2-721 Exch2K3 MEDIUM The SMTP connectors do not specify use of a “Smart Host”. E-mail system availability depends in part on best practices strategies for setting tuning configurations. In the case of identifying a ‘Smart Host’ for the E-Mail environment, the connector level is the preferred location for this configuration because flow control in this routing group will be retained even if future changes occur at the virtual server level. A ‘Smart Host’ (Edge Transport Server) Role acts as an Internet Facing Concentrator for other E-mail servers. Appropriate hardening can be applied to the Edge Transport Server (E-Mail Secure Gateway) role rather than at multiple locations throughout the enterprise. The ‘Smart Host’ performs all Domain Name Service (DNS) lookups to determine mail routing and offers some proxy-type benefits. Failure to identify a ‘Smart Host’ could default to each E-mail server performing its own lookups (potentially through protective firewalls). Exchange 2003 servers should not be Internet facing, and should therefore not perform any ‘Smart Host’ functions. They must, however, be configured to identify the server that is performing the “Smart Host” function. Note: Implementations may have this feature configured as pointing to a “Smart-Host” function on the Exchange 2003 Bridgehead or Mailbox Server where no E-mail Secure Gateway exists outside the enclave firewall. This configuration is preferred when no E-mail Secure Gateway server is in use; however, it does not qualify as closing the open finding for perimeter protection. If this configuration is in place, the finding is to be downgraded to a CAT III. Configure the 'Smart Host': Exchange System Manager >> Administrative Groups >> [Administrative Group] >> Routing Groups >> [routing group] >> Connectors >> [SMTP connector] >> Properties >> General tab >> Radio Group. The “Smart-Host” option should be selected and the designated E-Mail server should be identified. E-Mail Administrator; ECSC-1
SV-20338r1_rule EMG2-736 Exch2K3 HIGH SMTP connectors allow unauthenticated relay. Identification and Authentication provide the foundation for access control. The key to preventing SPAM insertion into the SMTP message transfer path is to require authentication at each ‘hop’ of the journey from sender to receiver. Allowing unauthenticated relaying on an internal host allows internal users or applications to submit unauthenticated mail messages, a form of internally spoofed SPAM that can be difficult to trace. Allowing unauthenticated relaying on an “Internet Facing” host would enable any unauthenticated party to use your Exchange Server to resend mail. This practice is often employed by spammers to obfuscate the source of their messages. Allowing unauthenticated relaying will almost inevitably result in abuse of the relay by spammers and increased load on the connector. It can also result in the appearance of the host’s domain on Reputation Black Lists. This setting controls whether unauthenticated computers are allowed to resend (relay) E-mail messages through this connector to external domains. (Authenticated users and computers can always relay messages regardless of this control's setting.) It is recommended that no unauthenticated connections be allowed in the SMTP path. E-Mail Administrator; ECSC-1
SV-20340r1_rule EMG2-146 Exch2K3 MEDIUM SMTP virtual Server does not Restrict Relay Access. E-mail is only as secure as the recipient. This control is used to limit the servers that may use this server as a relay. If a Simple Mail Transfer Protocol (SMTP) sender does not have a direct connection to the Internet (for example, an application that produces reports to be E-mailed), then it will need to use an SMTP Virtual Server that does have a path to the Internet (for example, a local E-mail server) as a relay. SMTP relay functions must be protected so that third parties are not able to hijack a relay service for their own purposes. Most commonly, hijacking of relays is done by SPAMMERS to disguise the source of their messages, and may also be used to cover the source of more destructive attacks. Relays can be restricted in one of three ways: by blocking relays (restrict to a blank list of servers), by restricting use to lists of valid servers, or by restricting use to servers that can authenticate. A fourth configuration, ‘allow all except the list below’, should never be used. Because authenticated connections are the most secure for SMTP virtual servers, it is recommended that relays allow only servers that can authenticate. E-Mail Administrator; ECSC-1
SV-20342r1_rule EMG2-131 Exch2K3 MEDIUM “Smart-Host” is specified at the Virtual Server level. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This control determines whether the entire Virtual Server routes its outbound Simple Mail Transfer Protocol (SMTP) messages through a single “Smart-Host”. “Smart-Hosts” can help secure communication, but configuring the virtual server level to use the same “Smart-Host” can lead to congestion problems and inflexibility. As such, it is recommended that administrators NOT use “Smart-Hosts” at the virtual server level. Instead, use of “Smart-Hosts” should be configured at the SMTP connector level. E-Mail Administrator; ECSC-1
SV-20344r1_rule EMG2-148 Exch2K3 LOW The SMTP Virtual Server performs reverse DNS lookups for anonymous message delivery. E-mail system availability depends in part on best practices strategies for setting tuning configurations. This feature causes the server to use a Domain Name Service (DNS) lookup to try to resolve the source of incoming E-mail for anonymous messages as part of the delivery feature. While enabling this feature does not pose an attack hazard, it is recommended that this feature be disabled to avoid impacting resource availability. It is relatively easy to fool the DNS lookup, which therefore creates unnecessary risk to the E-mail system. E-Mail Administrator; ECSC-1
SV-20346r1_rule EMG2-803 Exch2K3 MEDIUM Virtual Server default outbound security is not anonymous and TLS. Identification and Authentication provide the foundation for access control. The key to preventing SPAM insertion into the SMTP message transfer path is to require authentication at each ‘hop’ of the journey from sender to receiver. Failure to authenticate increases the risk that an attacker can insert unauthenticated mail messages, a form of internally SPOOFED SPAM that can be difficult to trace. Encryption ensures confidentiality of data in motion as it traverses network connections. Failure to specify TLS encryption causes message transfer to be sent unencrypted (including the authentication password), which makes it susceptible to eavesdropping. This setting controls the default authentication and encryption algorithms used for outbound connections using this connector. (That is, the authentication used when delivering outbound mail to another SMTP Virtual Server.) Because E-Mail services environments typically support multi-directional message flow at the Connector level, it is preferred that specific requirements be set there, and that this configuration at the Virtual Server level serve as a default. Authentication type of Anonymous and use of TLS are recommended for this setting. Information Assurance Officer; E-Mail Administrator; ECSC-1
SV-20348r1_rule EMG2-143 Exch2K3 LOW The SMTP Virtual Server is configured to perform DNS lookups for anonymous E-mails. E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This feature causes the server to use a Domain Name Service (DNS) lookup to try to determine the source of each anonymous E-mail message. While enabling this feature does not pose an attack hazard, it is recommended that this feature be disabled to avoid impacting resource availability. Anonymous E-mail is invariably SPAM and should be filtered when received at the perimeter. In this context, a DNS lookup is not a reliable indicator of perpetrator information, because such messages are likely to be SPAM and therefore likely to carry altered DNS entries. The DNS lookup result does not add value, and therefore should not be an enabled feature. E-Mail Administrator; ECSC-1
SV-20352r1_rule EMG2-811 Exch2K3 MEDIUM E-mail Diagnostic Logging is enabled during production operations. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Diagnostic logging, however, characteristically produces large volumes of data and requires care in managing the logs to prevent the risk of disk capacity denial of service conditions. Exchange Diagnostic Logging is broken up into 14 main “services”, each of which has anywhere from 2 to 26 “categories” of events to be monitored. Moreover, each category may be set to one of four levels of logging: None (logging disabled), Minimum, Medium, and Maximum, depending on how much detail one desires. The higher the level of detail, the more disk space is required to store the audit material. Diagnostic logging is intended to help administrators debug problems with their systems, not as a general purpose auditing tool. The diagnostic logs collect a great deal of information; diagnostic log files can grow huge very quickly. Diagnostic logs should be enabled for limited periods of time when attempting to debug relevant pieces of Exchange functionality. Once debugging has finished, diagnostic logging should be disabled again. E-Mail Administrator; ECSC-1
SV-20354r1_rule EMG2-810 Exch2K3 MEDIUM E-mail “Subject Line” logging is enabled during production operations. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. When “message tracking” is enabled, only the sender, recipients, time, and other delivery information is included by default. Information such as the subject and message body is not included. However, the absence of the message subject line can make it difficult to locate a specific message in the log unless one knows roughly what time the message was sent. To simplify searches through these logs, Exchange offers the ability to include the message “subject line” in the log files and in the Message Tracking Center display. This can make it significantly easier to locate a specific message. This feature creates larger log files and will contain information that may raise privacy and legal concerns; enterprise policy should be consulted before this feature is enabled. Also, since the log files may contain sensitive information in the form of the subject line, the log files will need to be protected, commensurate with the sensitivity level, as the content may be of interest to an attacker. For these reasons, it is recommended that subject logging not be enabled during regular production operations, but instead that this feature be treated as a diagnostic that can be used if needed. The tradeoff of this is that finding the correct message in the message tracking logs will become more difficult, since the administrator will need to search using only the time the message was sent and the message’s sender. This control will have no effect unless Message Tracking is enabled. That said, the setting should be disabled in case message tracking is perchance enabled at a future time. E-Mail Administrator; ECSC-1
SV-20360r1_rule EMG2-825 Exch2K3 MEDIUM SMTP Virtual Server Audit Records are not directed to a separate partition. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This setting controls the location of the SMTP Virtual Server log file. By default, these files will be stored in \WINNT\SYSTEM32\LOGFILES\SMPTVSx (where x is a number used to distinguish between virtual servers in this organization). The drop-down menu is used to select the format of the log file. The properties button next to this dropdown displays configuration information specific to the type of log format selected, but usually has some control to indicate the log rotation schedule (that is, how often the old log file should be closed and a new log file started). It is required that all log files be written to partitions separate from those used by the Exchange Stores and separate also from the Operating System. Exchange will dismount its stores if it detects that it has run out of disk space, resulting in a complete loss of Exchange services. To minimize the chance of this happening, log files should be written to a separate partition so that if the logs fill this partition it will not result in the failure of Exchange. System Administrator; E-Mail Administrator; ECSC-1
SV-20611r1_rule EMG2-831 Exch2K3 MEDIUM Exchange sends fatal errors to Microsoft. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This setting enables an automated log entry to be sent to Microsoft giving general details about the nature and location of the error. Microsoft, in turn, uses this information to improve the robustness of their product. While this type of debugging information would not ordinarily contain sensitive information, it may alert eavesdroppers to the existence of problems in your Exchange organization. At the very least, it could alert them to (possibly) advantageous timing to mount an attack. At worst, it may provide them with information as to which aspects of Exchange are causing problems and might be vulnerable (or at least sensitive) to attack. All system errors in Exchange will result in outbound traffic that may be identified by an eavesdropper. For this reason, the “Report errors to Microsoft” feature must be disabled at all times. E-Mail Administrator; ECSC-1
SV-20612r1_rule EMG2-835 Exch2K3 MEDIUM Disk Space Monitoring is not Configured with Threshold and Action. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion. If the server were ever to run out of disk space, the server could fail catastrophically, possibly with data loss. This field allows the administrator to control notifications when a ‘warning’ or ‘critical’ trigger is issued in response to low disk availability. A good rule of thumb is to issue warnings when free space falls under 15% and critical messages when it falls under 5% of total disk space. Notification choices include an E-Mail alert to an E-Mail enabled account (for example, an E-Mail Administrator), or invoking a script to take other action (for example, to add an Event to the Microsoft Application Event Log, where external monitors might detect it). E-Mail Administrator; ECSC-1
SV-20367r1_rule EMG2-807 Exch2K3 MEDIUM CPU Monitoring Notifications are not configured with threshold and action. Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion. This field offers choices of alerts when a ‘warning’ or ‘critical’ threshold is reached on CPU utilization. A good rule of thumb (default) is to issue warnings when CPU utilization exceeds 70% for a duration of 10 minutes and critical messages when it exceeds 80% for a duration of 10 minutes, which should only exist occasionally. Frequent alerts against this counter may indicate that additional capacity is needed, or a network or other issue (such as inbound SPAMMER traffic) that directly impacts E-mail delivery. CPU availability should be monitored. If the server were ever to exceed the maximum CPU threshold, the server could effectively experience a denial of service (DOS) condition. Notification choices include E-Mail alert to an E-Mail enabled account, for example, an E-Mail Administrator, or invoke a script to take other action, for example, to add an Event to the Microsoft Application Event Log, where external monitors might detect it. E-Mail AdministratorECSC-1
SV-20369r1_rule EMG2-813 Exch2K3 MEDIUM Virtual memory monitoring notifications are not configured with threshold and action. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion. This field offers choices of alerts when a ‘warning’ or ‘critical’ threshold is reached on low virtual memory. A good rule of thumb (default) is to issue warnings when virtual memory is less than 25% for a duration of 3 minutes, and critical messages when less than 10% for a duration of 3 minutes, which should only exist occasionally. Frequent alerts against this counter may indicate that additional capacity is needed, or a network or other issue (such as inbound SPAMMER traffic) that directly impacts e-mail delivery. Virtual Memory availability should be monitored. Frequent alerts on this counter could indicate that the server is nearing capacity and that load mitigation measures may be needed. E-Mail AdministratorECSC-1
SV-20371r1_rule EMG2-806 Exch2K3 MEDIUM SMTP Queue Monitor is not configured with a threshold and alert. Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion. This field offers choices of alerts when a ‘warning’ or ‘critical’ threshold is reached on the SMTP queue. A good rule of thumb (default) is to issue warnings when SMTP queue growth exceeds 10 minutes and critical messages when it exceeds 20 minutes, which should only exist occasionally. Frequent alerts against this counter may indicate a network or other issue (such as inbound SPAMMER traffic) that directly impacts E-mail delivery. Notification choices include E-Mail alert to an E-Mail enabled account, for example, an E-Mail Administrator, or invoke a script to take other action, for example, to add an Event to the Microsoft Application Event Log, where external monitors might detect it. E-Mail AdministratorECSC-1
SV-20377r1_rule EMG2-817 Exch2K3 MEDIUM Exchange Core Services Monitors are not configured with threshold and actions. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion. This field allows the administrator to control notifications when a ‘warning’ or ‘critical’ trigger is issued in response to an Exchange Core service being down. If exchange core services are down, the service status state should be set to critical, as this will require immediate attention. Notification choices include E-Mail alert to an E-Mail enabled account, for example, an E-Mail Administrator, or invoke a script to take other action, for example, to add an Event to the Microsoft Application Event Log, where external monitors might detect it. E-Mail AdministratorECSC-1
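The monitor rules above give threshold and duration values but not how a notification script would evaluate them. The following is an added example, not part of the STIG and not Exchange code, that implements the rule-of-thumb values quoted above (disk free below 15%/5%, CPU above 70%/80% for 10 minutes, virtual memory free below 25%/10% for 3 minutes) as a state machine over a sampled counter series, and builds the eventcreate.exe command line a notification script could run to place the alert in the Application Event Log for an external monitor. The one-minute sampling interval, the event source name ExchangeMonitor, the event IDs and the sample series are assumptions.

```python
"""Added example: threshold/duration evaluation for the Exchange 2003 monitor rules above.
Not Exchange code; the sampling interval (1 minute), event source and event IDs are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    warning: float
    critical: float
    above: bool        # True: breach when value > threshold; False: breach when value < threshold
    duration_min: int  # minutes the breach must persist before the state changes; 0 = immediately


# Thresholds are the rule-of-thumb values given in the STIG text above.
RULES: Dict[str, Rule] = {
    "disk_free_pct": Rule("disk_free_pct", warning=15.0, critical=5.0, above=False, duration_min=0),
    "cpu_pct":       Rule("cpu_pct",       warning=70.0, critical=80.0, above=True,  duration_min=10),
    "vmem_free_pct": Rule("vmem_free_pct", warning=25.0, critical=10.0, above=False, duration_min=3),
}


def _breached(rule: Rule, value: float, threshold: float) -> bool:
    return value > threshold if rule.above else value < threshold


def evaluate(rule: Rule, samples: List[float], interval_min: int = 1) -> List[Tuple[int, str]]:
    """Return (sample_index, new_state) for every state change over the series.

    States are "ok", "warning" and "critical". A warning or critical state is entered only once
    the breach has held for rule.duration_min minutes (duration 0 means the first sample counts),
    which keeps a momentary spike from paging anyone. The state returns to "ok" only when the
    warning threshold is no longer breached at all.
    """
    needed = max(1, rule.duration_min // interval_min)
    state = "ok"
    warn_run = crit_run = 0          # consecutive samples breaching each threshold
    changes: List[Tuple[int, str]] = []
    for i, value in enumerate(samples):
        crit_run = crit_run + 1 if _breached(rule, value, rule.critical) else 0
        warn_run = warn_run + 1 if _breached(rule, value, rule.warning) else 0
        if crit_run >= needed:
            new_state = "critical"
        elif warn_run >= needed:
            new_state = "warning"
        elif warn_run == 0:
            new_state = "ok"
        else:
            new_state = state        # breach present but not yet sustained: hold the current state
        if new_state != state:
            changes.append((i, new_state))
            state = new_state
    return changes


def event_command(rule: Rule, state: str, value: float) -> List[str]:
    """Build the eventcreate.exe command line a notification script would run so the alert lands
    in the Application Event Log, where an external monitor can pick it up.
    The source name and the event IDs (100 for warning/ok, 200 for critical) are assumptions."""
    event_type = {"warning": "WARNING", "critical": "ERROR", "ok": "INFORMATION"}[state]
    event_id = "200" if state == "critical" else "100"
    return ["eventcreate", "/L", "APPLICATION", "/SO", "ExchangeMonitor", "/T", event_type,
            "/ID", event_id, "/D", f"{rule.name} {state}: value={value}"]


if __name__ == "__main__":
    # Constructed series: twelve minutes at 75% CPU, ten at 85%, then idle.
    cpu = [75.0] * 12 + [85.0] * 10 + [30.0]
    for idx, new_state in evaluate(RULES["cpu_pct"], cpu):
        print(idx, new_state, " ".join(event_command(RULES["cpu_pct"], new_state, cpu[idx])))
```

The duration handling is the part worth copying: Exchange's own monitor raises the CPU warning only after the counter has stayed over 70% for the configured minutes, and a script that alerts on the first breaching sample will generate the frequent false alerts the rule text warns about.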
SV-20381r1_rule EMG2-266 Exch2K3 MEDIUM Users do not have correct permissions in the Public Virtual Server. The principle of Least Privilege ordinarily requires analysis to ensure that users and processes are granted only as much privilege as is required to function effectively, but no additional privileges that could enable mischief, either accidental or intentional. The Public Virtual Server enables web access to public folder documents via browser. This control determines whether users will have read, write, script source access, and/or directory browsing capabilities under this virtual server. The Public Virtual Server requires that users have read, write, script source access, and directory browsing permissions, since these are required for Public Folder access to function properly. E-Mail Administrator ECSC-1
SV-20389r1_rule EMG2-340 Exch2K3 MEDIUM Mailboxes and messages are not retained until backups are complete. Backup and recovery procedures are an important part of overall system availability and integrity. Complete backups reduce the chance of accidental deletion of important information, and ensure that complete recoveries are possible. It is not uncommon for users to receive and delete messages in the scope of a single backup cycle. This setting ensures that at least one backup has been run on the mailbox store before the message physically disappears. By enabling this setting, all messages written to recipients who have accounts on this store will reside in backups even if they have been deleted by the user before the backup has run. E-Mail Administrator ECSC-1
SV-20391r1_rule EMG2-344 Exch2K3 MEDIUM Public Folder stores and documents are not retained until backups are complete. Backup and recovery procedures are an important part of overall system availability and integrity. Complete backups reduce the chance of accidental deletion of important information, and ensure that complete recoveries are possible. It is not uncommon for users to post and delete documents in the scope of a single backup cycle. This setting ensures that at least one backup has been run on the public folder store before the document physically disappears. By enabling this setting, all documents posted to public folders on this store will reside in backups even if they have been deleted by the user before the backup has run. E-Mail Administrator ECSC-1
SV-20393r1_rule EMG2-307 Exch2K3 LOW Mailbox Stores Restore Overwrite is enabled. E-mail system availability depends in part on best practices strategies for setting tuning configurations. Unauthorized or accidental restoration of mailbox data risks data loss or corruption. This setting controls whether the mailbox store can be overwritten by a restore from backup, which will cause loss of all information added after the backup was created. It should only be enabled during maintenance windows or following an outage (immediately before a restore is to be made), and cleared again immediately afterwards. During production windows, this setting must be disabled. E-Mail Administrator ECSC-1
SV-20395r1_rule EMG2-311 Exch2K3 LOW Public Folder Stores Restore Overwrite is enabled. E-mail system availability depends in part on best practices strategies for setting tuning configurations. Unauthorized or accidental restoration of public folder data risks data loss or corruption. This setting controls whether the public folder store can be overwritten by a restore from backup, which will cause loss of all information added after the backup was created. It should only be enabled during maintenance windows or following an outage (immediately before a restore is to be made), and cleared again immediately afterwards. During production windows, this setting must be disabled. E-Mail Administrator ECSC-1
SV-20397r1_rule EMG2-317 Exch2K3 LOW E-mail message copies are not archived. For E-mail environments with sufficiently sensitive requirements (either legal or data classification), local e-mail policy may require that all messages sent or received from a given server be preserved. If local policy requires it for historical or litigation purposes, this feature enables Exchange 2003 to retain a full copy of each message that is received by or sent from this mailbox store. Additional setup is also needed, in that a user, distribution list, contact, or Public Folder to whom all messages will be copied must be selected. Also known as “Journaling”, this setting is used to provide a “paper trail” of all correspondence that passes through the server. Journaled messages should always be stored on a separate dedicated journaling server, with protections similar to those granted log and audit files. The System Security Plan should document the remote location, user account, and mailbox store that is used to host the message copy data. Information Assurance Officer, E-Mail Administrator ECSC-1
SV-20405r1_rule EMG3-115 Exch2K3 MEDIUM E-mail application installation is sharing a partition with another application. In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit of one application can lead to an exploit of other applications sharing the same security context. For example, an exploit of a web server process that leads to unauthorized administrative access to the host system can most likely lead to a compromise of all applications hosted by the same system. E-Mail services should be installed to a discrete set of directories, on a partition that does not host other applications. E-Mail services should never be installed on a Domain Controller / Directory Services server. Information Assurance Officer, E-Mail Administrator DCPA-1
SV-20407r1_rule EMG3-823 Exch2K3 MEDIUM Audit data is sharing directories or partitions with the E-mail application. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considered sensitive, and in need of protection. Successful exploit of an application server vulnerability may well be logged by monitoring or audit processes when it occurs. Writing log and audit data to a separate directory or partition, where separate security contexts protect them, offers the ability to protect this information from being modified or removed by the exploit mechanism. E-Mail Administrator DCPA-1
SV-20409r1_rule EMG1-110 Exch2K3 MEDIUM E-mail web applications are operating on non-standard ports. PPSM Standard defined ports and protocols must be used for all Exchange services. The standard port for HTTP connections is 80 and the standard port for HTTPS connections is 443. Changing the ports to non-standard values provides only temporary and limited protection against automated attacks, since these attacks will not likely connect to the custom port. However, a determined attacker may still be able to determine which ports are used for the HTTP and HTTPS protocols by performing a comprehensive port scan. Negative impacts of using non-standard ports include complexity for the system administrator, custom configurations for connecting clients, risk of port conflict with non-Exchange applications, and risk of incompatibility with standard port monitoring applications. E-Mail Administrator DCPP-1
SV-20411r1_rule EMG2-105 Exch2K3 MEDIUM E-mail SMTP services are using Non-PPSM compliant ports. Standard defined ports and protocols should be used for all Exchange services. The standard port for regular SMTP connections is 25. Changing the ports to non-standard values provides only temporary and limited protection against automated attacks, since these attacks will not connect to the custom port. A determined attacker may still be able to determine which ports are used for SMTP by performing a comprehensive port scan. Negative impacts of using non-standard ports include complexity for the system administrator, custom configurations for connecting clients, risk of port conflict with non-Exchange applications, and risk of incompatibility with standard port monitoring applications. E-Mail Administrator DCPP-1
SV-20413r1_rule EMG2-109 Exch2K3 MEDIUM SMTP Virtual Server is not bound to the PPSM Standard Port. PPSM Standard defined ports and protocols must be used for all Exchange services. The default port for SMTP connections is 25. Changing the ports to non-standard values provides only temporary and limited protection against automated attacks, since these attacks will not likely connect to the custom port. A determined attacker may still be able to determine which ports are used for SMTP by performing a comprehensive port scan. Negative impacts of using non-standard ports include complexity for the system administrator, custom configurations required for connecting clients, risk of port conflict with non-Exchange applications, and risk of incompatibility with port monitoring applications. Since changing the port introduces a large amount of complexity for a relatively small gain, the DoD PPSM requires that standard SMTP ports be used. E-Mail Administrator DCPP-1
SV-20425r1_rule EMG3-058 Exch2K3 MEDIUM E-mail software is not monitored for change on INFOCON frequency schedule. The INFOCON system provides a framework within which the Commander USSTRATCOM, regional commanders, service chiefs, base/post/camp/station/vessel commanders, or agency directors can increase the measurable readiness of their networks to match operational priorities. The readiness strategy provides the ability to continuously maintain and sustain one’s own information systems and networks throughout their schedule of deployments, exercises and operational readiness life cycle, independent of network attacks or threats. The system provides a framework of prescribed actions and cycles necessary for reestablishing the confidence level and security of information systems for the commander and thereby supporting the entire Global Information Grid (GIG) (SD 527-1 Purpose). The Exchange software files and directories, as well as the files and directories of dependent applications, are vulnerable to unauthorized changes if not adequately protected. An unauthorized change could affect the integrity or availability of e-mail services overall. For this reason, all application software installations must be monitored for change against a software baseline that is preserved when installed, and updated periodically as patches or upgrades are installed. Automated and manual schedules for software change monitoring must be compliant with SD 527-1 frequencies. Information Assurance Officer, E-Mail Administrator DCSL-1
SV-20427r1_rule EMG3-802 Exch2K3 MEDIUM Security support data or process is sharing a directory or partition with Exchange. The Security Support Structure is a security control function or service provided by an external system or application. For example, a Windows Domain Controller that provides Identification and Authentication services (Active Directory) may be at risk of compromise if a co-resident application becomes compromised. The attacker can then use the compromised system to control access to other parts of the domain. The vulnerabilities and associated risk of Exchange 2003 installed on a system that provides a security support structure are significantly higher than when it is installed with other functions that do not provide security support. For this reason, applications such as Exchange 2003 should never be co-resident on a server with Active Directory. Information Assurance Officer, E-Mail Administrator DCSP-1
SV-20429r1_rule EMG3-805 Exch2K3 MEDIUM Exchange software baseline copy does not exist. Exchange 2003 software, as with other application software installed on a host system, must be included in a system baseline record and periodically reviewed; otherwise unauthorized changes to the software may not be discovered. This effort is a vital step to securing the host and the applications, as it is the only method that may provide the ability to detect and recover from otherwise undetected changes, such as those that result from worm or bot intrusions. The Exchange 2003 software and configuration baseline is created and maintained for comparison during scanning efforts. Operational procedures must include baseline updates as part of configuration management tasks that change the software and configuration. Information Assurance Officer, E-Mail Administrator DCSW-1
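The two rules above (EMG3-058 change monitoring and EMG3-805 baseline copy) describe the baseline-and-compare cycle without showing it. The following is an added example, not STIG text and not Exchange tooling, that records a SHA-256 digest for every file under an install root, stores that record away from the monitored tree, and classifies a later scan's differences as added, removed or modified files. The directory layout, file names and contents are constructed for the demonstration; a real run would point build_baseline at the Exchange installation directories and run on the SD 527-1 schedule.

```python
"""Added example: file-level software baseline and change detection for an install tree.
Not Exchange code; the directory layout and file contents below are constructed."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def build_baseline(root: str) -> Dict[str, str]:
    """Map each file under root (path relative to root, '/'-separated) to its SHA-256 digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            baseline[rel] = digest.hexdigest()
    return baseline


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    # Keep this file off the Exchange partition and read-only to the Exchange service accounts;
    # otherwise whatever modifies the software can also "update" the record of it.
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as fh:
        return json.load(fh)


def compare(recorded: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference between the recorded baseline and a fresh snapshot."""
    old, new = set(recorded), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if recorded[p] != current[p]),
    }


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small install tree, tamper with it, re-scan and diff."""
    with tempfile.TemporaryDirectory() as install, tempfile.TemporaryDirectory() as vault:
        _write(os.path.join(install, "bin", "store.exe"), b"constructed: original store binary")
        _write(os.path.join(install, "bin", "mad.exe"), b"constructed: original mad binary")
        record = os.path.join(vault, "exchange-baseline.json")
        save_baseline(build_baseline(install), record)

        # Changes an unauthorized actor might make after the baseline was taken.
        _write(os.path.join(install, "bin", "store.exe"), b"constructed: replaced binary")
        os.remove(os.path.join(install, "bin", "mad.exe"))
        _write(os.path.join(install, "bin", "dropper.dll"), b"constructed: new file")

        return compare(load_baseline(record), build_baseline(install))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Every approved patch or upgrade has to be followed by a fresh save_baseline, or the next compare will report the patch as tampering; that is the "updated periodically as patches or upgrades are installed" step in the rule text.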
SV-20431r1_rule EMG2-327 Exch2K3 HIGH E-mail Public Folders do not require S/MIME capable clients. Identification and Authentication provide the foundation for access control. The ability for receiving users to authenticate the source of Public Folder messages helps to ensure that they are not FORGED or SPOOFED before they arrive. MIME (Multipurpose Internet Mail Extensions) is an Internet standard that extends the format of E-mail and other web content to support ASCII and other character sets in both the message and header, text and non-text attachments, and multi-part message bodies. All human-originating E-Mail messages are transmitted in MIME format. S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of e-mail encapsulated in MIME. Participants in S/MIME message exchanges must obtain and install an individual key/certificate from the DoD. S/MIME clients will require that each participant own a certificate before allowing message encrypting to others. To minimize attack vectors revealed by lack of signed or encrypted documents, all clients in the enterprise must be updated to support S/MIME, and all mail servers must require S/MIME capability. E-Mail Administrator ECSC-1
SV-20433r1_rule EMG2-271 Exch2K3 HIGH OWA Virtual Server has Forms-Based Authentication enabled. Identification and Authentication provide the foundation for access control. Access to E-Mail services applications in the DoD requires authentication using DoD Public Key Infrastructure (PKI) certificates. The Exchange Virtual Server, which operates Outlook Web Access (OWA), is used to enable web access to user E-mail mailboxes. This setting controls whether Forms-based login should be used by the OWA web site. Forms-based login enables a user to enter an Account and Password for the web session. The form stores the username and password information in browser cookies, and enables the user’s mailbox server to be located without user participation. The cookies persist throughout the OWA session, after which they are destroyed. Because the DoD requires Common Access Card (CAC)-based authentication to applications, OWA access must be brokered through an application proxy (for example, Internet Security and Acceleration [ISA]), which performs CAC authentication using a proxy-hosted OWA form. The authenticated request is then forwarded directly to OWA, where authentication is repeated without requiring the user to repeat authentication steps. For this scenario to work, the Application Proxy server must have Forms-based authentication enabled, and Exchange 2003 must have Forms-based Authentication disabled. If Forms-based Authentication is enabled on the Exchange 2003 Front End server, it is evidence that the application proxy server is either not correctly configured, or it may be missing. Information Assurance Officer, E-Mail Administrator IATS-1
SV-20449r1_rule EMG1-007 Exch2K3 MEDIUM Default web site allows anonymous access. The Default Web site is the virtual server on which all Exchange virtual directories reside. This feature controls the authentication method used to connect to this virtual server and its virtual directories. Ensure that this is set to Integrated Windows Authentication only. Anonymous access provides no access control for this virtual server, Basic Authentication transmits the password in the clear and risks exposure, and the other methods are not recommended by Microsoft for this control. Failure to configure this as per the recommendation may result in unrestricted access to this virtual server, passwords being sent in the clear, and/or the inability to correctly authenticate, depending on which change is made. Because CAC authentication will be required and configured via a proxy server such as ISA, settings in this area must assume the presence of an application proxy (such as ISA) between the Public Internet and the Exchange Client Access (Front End) server role. E-Mail Administrator IAIA-1
SV-20451r1_rule EMG2-256 Exch2K3 HIGH OWA does not require only Integrated Windows Authentication. Identification and Authentication provide the foundation for access control. Access to E-mail services applications in the DoD requires authentication using DoD Public Key Infrastructure (PKI) certificates. The Exchange Virtual Server, which controls Outlook Web Access (OWA), is used to link Web Access for user E-mail accounts to the Exchange Mailbox store. OWA is designed to provide much of the same functionality provided by an Outlook client, but through a web browser. This setting controls the authentication method used to connect to this virtual server. OWA does not natively provide Common Access Card (CAC) authentication ability. For this reason, access to OWA must be brokered by an application proxy authentication point where CAC (certificate) authentication is available for Internet-based access to E-Mail services. It is the proxy server that must authenticate the user’s membership in domain directory services (for example, Microsoft Active Directory) before establishing an authenticated connection to the OWA server. For this reason, only Integrated Windows Authentication should be selected as the authentication method at this point in the process. E-Mail Administrator IAIA-1
SV-20455r1_rule EMG2-133 Exch2K3 HIGH One or more SMTP Virtual Servers do not have a Valid Certificate. Server certificates are required for many security features in Exchange, and without them the server cannot engage in many forms of secure communication. Certificates must be manually installed on each virtual server. This means that installing a certificate on one SMTP Virtual Server does not give other SMTP Virtual Servers (or virtual servers of any other protocol) access to this certificate. However, once a certificate is installed on one virtual server, any other virtual server (regardless of protocol used) may easily be configured to use this certificate by selecting “Assign an existing certificate” in the first page of the Wizard. Install certificates on this virtual server. Without them, many other recommendations in this document concerning secure communication will be impossible. For highest security assurance, each virtual server should have its own certificate that it does not share with other servers. This reduces the damage due to server compromises and provides per-server identification. Failure to implement this recommendation makes it virtually impossible to secure Exchange's communications. Use of any virtual server that has not been given a certificate should be considered a highly insecure action. E-Mail Administrator IAKM-2
SV-20457r1_rule EMG2-840 Exch2K3 LOW Audit Records do not contain all required fields. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This item declares the fields that must be available in audit log file records in order to adequately research events that are logged. Audit records should include the following fields to supply useful event accounting: • Account • Event Code and Type • Success or Failure Indication • Time/date • Interface IP address • Manufacturer-specific event name • Source and destination IP addresses • Source and destination port numbers • Network Protocol. Information Assurance Officer, E-Mail Administrator ECAR-1
SV-20464r1_rule EMG2-833 Exch2K3 MEDIUM The “Disable Server Monitoring” feature is enabled. Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. This setting controls whether all monitoring processes on this server are enabled or disabled. Monitoring should never be disabled on the server during production hours. The processing cycles needed for monitoring should be incorporated into server sizing. If the configuration disables monitoring, it stops Exchange's built-in safety checks that warn the administrators of malfunctions. E-Mail Administrator ECAR-2
SV-20470r1_rule EMG2-124 Exch2K3 MEDIUM SMTP Virtual Server Auditing is not active. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This setting controls the creation and format of log files used to monitor the interaction between this SMTP Virtual Server and other SMTP hosts. E-Mail Administrator ECAT-1
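EMG2-840 lists the fields an audit record must carry and EMG2-124 requires the SMTP virtual server to write its log, but neither shows how to verify one against the other. The following is an added example, not part of the STIG and not Exchange code, that parses a W3C extended format log (the format the IIS-based SMTP virtual server writes when logging is enabled) and checks the #Fields directive against the required field list. The sample log lines are constructed, and the mapping from each STIG field name to W3C column names is my assumption; adjust it to the columns your logging format actually enables.

```python
"""Added example: parse a W3C extended log as written by an IIS/Exchange 2003 SMTP virtual server
and check its #Fields line against the audit-record fields the STIG requires.
Not Exchange code; the log lines and the STIG-field to W3C-field mapping are constructed/assumed."""
from typing import Dict, Iterable, List, Tuple

# Required audit fields (from the STIG list above) -> W3C column names assumed to satisfy them.
# Every name in the tuple must be present for the requirement to count as met.
REQUIRED: Dict[str, Tuple[str, ...]] = {
    "Account": ("cs-username",),
    "Event Code and Type": ("cs-method",),
    "Success or Failure Indication": ("sc-status",),
    "Time/date": ("date", "time"),
    "Interface IP address": ("s-ip",),
    "Manufacturer-specific event name": ("s-sitename", "cs-method"),
    "Source and destination IP addresses": ("c-ip", "s-ip"),
    "Source and destination port numbers": ("c-port", "s-port"),
    "Network Protocol": ("cs-version",),
}

# Constructed sample in W3C extended format; column names follow the IIS 6 logging field set.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2014-08-19 12:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2014-08-19 12:00:01 192.0.2.10 mail.example.net SMTPSVC1 MBX01 192.0.2.25 25 EHLO - +mail.example.net 250 0 246 26 0 SMTP - - - -
2014-08-19 12:00:02 192.0.2.10 mail.example.net SMTPSVC1 MBX01 192.0.2.25 25 MAIL - +FROM:<alice@example.net> 250 0 46 38 0 SMTP - - - -
2014-08-19 12:00:02 192.0.2.10 mail.example.net SMTPSVC1 MBX01 192.0.2.25 25 RCPT - +TO:<bob@example.mil> 250 0 34 30 0 SMTP - - - -
2014-08-19 12:00:03 192.0.2.10 mail.example.net SMTPSVC1 MBX01 192.0.2.25 25 RCPT - +TO:<nobody@example.mil> 550 0 52 33 0 SMTP - - - -
"""


def parse_w3c(lines: Iterable[str]) -> Tuple[List[str], List[Dict[str, str]]]:
    """Return (column names, records). Directive lines start with '#'; #Fields names the columns and
    can reappear mid-file (a new header block is written at each log rollover), so it is re-read
    whenever it is seen."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("log record appears before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return fields, records


def missing_fields(fields: Iterable[str]) -> Dict[str, List[str]]:
    """Requirements not satisfied by the log's #Fields line, with the W3C names that are absent."""
    present = set(fields)
    gaps: Dict[str, List[str]] = {}
    for requirement, names in REQUIRED.items():
        absent = [n for n in names if n not in present]
        if absent:
            gaps[requirement] = absent
    return gaps


def failed_commands(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records whose SMTP reply code indicates failure (4xx/5xx); '-' means no status was logged."""
    return [r for r in records if r.get("sc-status", "-").isdigit() and int(r["sc-status"]) >= 400]


if __name__ == "__main__":
    cols, recs = parse_w3c(SAMPLE_LOG.splitlines())
    print("gaps:", missing_fields(cols))
    for r in failed_commands(recs):
        print("failed:", r["date"], r["time"], r["c-ip"], r["cs-method"], r["cs-uri-query"], r["sc-status"])
```

With the constructed header the only gap reported is the client port, which this log format does not carry; the check is useful precisely because it tells you which required fields have to come from another source (firewall or proxy logs) rather than from the SMTP log.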
SV-22062r1_rule EMG2-111 Exch2K3 MEDIUM Exchange Server is not protected by an Edge Transport Server (E-mail Secure Gateway) that performs Anonymous Connections interaction with Internet-based E-mail servers. E-mail is only as secure as the recipient. By ensuring secured connections for all Simple Mail Transfer Protocol (SMTP) servers along the message transfer path, the risk of “Anonymous” message transfers by rogue servers is reduced. If all message transfers were authenticated from server to server, most SPAM would be eliminated, because anonymous spammers would be more readily traceable. However, the ability to authenticate a sender from another domain will not be possible until a common authentication method exists between the receiving domain and all of the sending domains that might wish to correspond. For that reason, the Edge Transport Server role (E-Mail Secure Gateway) should be the only role enabled for Anonymous connections (because it will also perform the sanitization steps), and all internal E-mail application server roles must authenticate to each other. This setting controls the authentication method required to allow connection and message transfer to this virtual server (recipient). Authentication options include Anonymous, Basic authentication (with clear text password), and Integrated Windows Authentication. Anonymous requires no authentication, and is therefore not acceptable. NT LAN Manager (NTLM), selected by the Integrated Windows Authentication checkbox, is negotiated, does not provide encryption of message bodies, and cannot sufficiently secure the connection in Exchange 2003. Risks include the potential of allowing message content to be sniffed over the wire. “Basic authentication” and “Require SSL/TLS” should be selected in this panel. The use of SSL/TLS not only protects the username and password during authentication, but encrypts the mail messages as they are being transmitted, preventing eavesdroppers from reading messages. All Exchange 2003 servers should belong to this category.
Severity override guidance (EMG2-111): Severity can be overridden to Category III if the terms of the mitigation are met by configuring this SPAM protection on an Exchange Server processing inbound messages. Mitigation: Exchange servers deployed at sites without an Edge Transport Server (E-mail Secure Gateway) role may need to receive inbound connections from remote domains using anonymous connections. If this situation exists, anonymous connections should be confined to one or more servers that perform E-mail sanitization steps on the same server before forwarding the messages to the Mailbox server role. For these sites, “Anonymous” security (with TLS) may be configured on the MTA server role (Exchange 2003 Bridgehead server) or the Exchange 2003 Mailbox Server where the SMTP virtual server receives connections from external mail servers. Note: This mitigation is necessary when no secure e-mail gateway server exists; however, it does not qualify as closing the open finding for perimeter protection. For each SMTP virtual server that connects to an external E-mail domain, set authentication on the SMTP Virtual Server. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Protocols >> SMTP >> [specific SMTP virtual server] >> Properties >> Access tab >> Access Control >> Authentication button. Select “Basic authentication” and “Anonymous”, with TLS encryption. Information Assurance Officer, E-Mail Administrator EBBD-1
SV-20491r1_rule EMG2-144 Exch2K3 MEDIUM SMTP Virtual Servers do not Require Secure Channels and Encryption. The Simple Mail Transfer Protocol (SMTP) Virtual Server is used by the Exchange System Manager to send and receive messages from server to server using the SMTP protocol. This setting controls the encryption strength used for client connections to the SMTP Virtual Server. With this feature enabled, only clients capable of supporting secure communications will be able to send mail using this SMTP server. Where secure channels are required, 128-bit encryption can also be selected. The use of secure communication prevents eavesdroppers from reading or modifying communications between mail clients and servers. While sensitive message bodies should be encrypted by the sender at the client, requiring a secure connection from the client to the server adds protection by encrypting the sender and recipient information that cannot be encrypted by the sender. Individually, channel security and encryption have been compromised by attackers. Used together, E-mail becomes a more difficult target, and security is heightened. Failure to enable this feature gives eavesdroppers an opportunity to read or modify messages between the client and server. E-Mail Administrator ECCT-1
SV-20495r1_rule EMG2-743 Exch2K3 HIGH SMTP Connectors perform outbound anonymous connections. Identification and Authentication provide the foundation for access control. The key to preventing SPAM insertion into the SMTP message transfer path is to require authentication at each ‘hop’ of the journey from sender to receiver. Failure to authenticate increases the risk that an attacker can insert unauthenticated mail messages, a form of internally SPOOFED SPAM that can be difficult to trace. Encryption ensures confidentiality of data in motion as it traverses network connections. Failure to specify TLS encryption causes the message transfer to be sent unencrypted (including the authentication password), which makes it susceptible to eavesdropping. This setting controls the authentication and encryption algorithms used for outbound connections using this connector (that is, the authentication used when delivering outbound mail to another SMTP Virtual Server). When SMTP connectors send messages from a locally controlled (internal to the organization) connector, Basic authentication and TLS should be used by the initiating end of the connection. Because no Exchange 2003 servers should directly send to remote SMTP virtual servers, all SMTP outbound connectors should be secured in this way, including the outermost connectors, which should ideally be sending to an Edge Transport Server Role (E-mail Secure Gateway) at the enclave perimeter.
Severity override guidance (EMG2-743): Severity can be overridden to Category II if the terms of the mitigation are met by configuring this protection on an Exchange Server processing outbound messages where there is no E-Mail Secure Gateway at the perimeter. Mitigation: Because early Exchange 2003 servers may have been deployed as Internet-facing servers, some organizations may have SMTP connectors that must allow anonymous connections. Both authentication and encryption require that the recipient of the outbound communication be capable of supporting the corresponding ID/password authentication and decryption steps. Connections to remote domains may not be securable in this way. Anonymous connections may be allowed on the Exchange 2003 Bridgehead or Mailbox Server at sites where no Edge Transport Role Server (E-mail Secure Gateway) exists outside the enclave firewall, but only for connectors that must send to Internet-based remote domains. This configuration is preferred when no Edge Transport Role Server (E-mail Secure Gateway) is in use; however, it does not qualify as closing the open finding for perimeter protection. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Routing Groups >> [routing group] >> Connectors >> [SMTP Connector] >> Properties >> Advanced tab >> Outbound Security button. Configure “Anonymous” and “TLS”. E-Mail Administrator ECCT-1
SV-20498r1_rule EMG1-103 Exch2K3 HIGH Public Folder access does not require secure channels and encryption. Failure to require secure connections on a web site increases the potential for unintended disclosure and data loss. This setting controls whether client machines are forced to use secure channels to communicate with this virtual directory (in IIS 6.0: the virtual directory's Directory Security tab, Secure Communications, "Require secure channel (SSL)"). If this feature is enabled, clients will only be able to communicate with the directory if they are capable of supporting secure communication with the server. If secure channels are required, the server can also require the channel to be strongly secured by requiring 128-bit encryption, using Federal Information Processing Standard (FIPS) 140-2 validated algorithms. If Public Folders / Web is approved for use, secure channels and FIPS level encryption are required, as well as the appropriate certificate settings. The use of secure communication prevents eavesdroppers from reading or modifying communications between servers and clients. The network and DMZ STIGs identify criteria for OWA and Public Folder configuration in the network, including CAC-enabled pre-authentication through an application firewall proxy, such as Microsoft ISA. Note: if Public Folders / Web is not approved for use, this control is not applicable and the Public Folder virtual directory should be removed to eliminate the possibility of attack through this vector.E-Mail AdministratorECCT-1
SV-20500r1_rule EMG1-105 Exch2K3 HIGH Outlook Web Access (OWA) does not require secure channels and encryption. Failure to require secure connections on a web site increases the potential for unintended disclosure and data loss. This setting controls whether client machines are forced to use secure channels to communicate with this virtual directory (in IIS 6.0: the virtual directory's Directory Security tab, Secure Communications, "Require secure channel (SSL)"). If this feature is enabled, clients will only be able to communicate with the directory if they are capable of supporting secure communication with the server. If secure channels are required, the server can also require the channel to be strongly secured by requiring 128-bit encryption, using FIPS 140-2 validated algorithms. If Outlook Web Access is approved for use, secure channels and FIPS level encryption are required, as well as the appropriate certificate settings. The use of secure communication prevents eavesdroppers from reading or modifying communications between servers and clients; without it, OWA credentials (Basic or forms-based authentication) and mailbox content cross the network in the clear. The network and DMZ STIGs identify criteria for OWA and Public Folder configuration in the network, including CAC-enabled pre-authentication through an application firewall proxy, such as Microsoft ISA. Note: if OWA is not approved for use, this control is not applicable and the OWA virtual directory should be removed to eliminate the possibility of attack through this vector.E-Mail AdministratorECCT-1
SV-20502r1_rule EMG2-305 Exch2K3 LOW ExAdmin is configured for Secure Channels and Encryption. ExAdmin Virtual Directory is used by the Exchange System Manager to access mailboxes and Public Folders. Users do not directly access the ExAdmin Virtual Directory. This feature controls the security setting used to determine whether client machines should be required to connect to this virtual directory using secure channels and encryption. The services that use the ExAdmin Virtual Directory do not support the use of secure channels. Secure channels should not be configured on this virtual directory, as it will effectively disable the Exchange Mail and Public Folder functionality.E-Mail AdministratorECCT-1
SV-21318r1_rule EMG3-116 Exch2K3 MEDIUM SMTP service banner response reveals configuration details. Automated connection responses occur when a client connects to a service such as SMTP, FTP, or Telnet. They report a successful connection by greeting the connecting client, stating the name, release level, and (often) additional information regarding the responding product. While useful to the connecting client, connection responses can also be used by a third party to determine operating system (OS) or product release levels on the target server. The result can include disclosure of configuration information to third parties, paving the way for possible future attacks (the build number alone tells an attacker which service pack and hotfix level is installed, and therefore which published vulnerabilities are worth trying). For example, when querying the SMTP service on port 25, the default response looks similar to this one: 220 exchange.mydomain.org Microsoft ESMTP MAIL Service, Version: 6.0.3790.211 ready at Wed, 2 Feb 2005 23:40:00 -0500 Changing the response to hide local configuration details reduces the attack profile of the target. E-Mail AdministratorECIC-1
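The two SMTP Virtual Server checks above (EMG2-144, secure channels required; EMG3-116, banner disclosure) can both be driven from the first two replies a server sends: the 220 greeting and the response to EHLO, which advertises STARTTLS only when a certificate is assigned and TLS is available. The following script is an added example written for this page, not part of the STIG or of any Microsoft tooling. It parses constructed sample replies (the default banner from the text and made-up EHLO responses), flags product and build-number tokens in the greeting, reports whether STARTTLS is offered, and warns when password-based AUTH mechanisms are advertised on a server that cannot do TLS. A live probe function is included for use against a test server; it is not run offline. The hostnames, IP address and the exact token list are assumptions, and the EHLO parser does not attempt to measure cipher strength (that needs a TLS handshake, not shown here).

```python
import re
import socket

# Constructed sample replies (not captured from any real server). The default
# banner follows the format shown in the STIG text; the EHLO replies are typical
# of an IIS/Exchange 2003 SMTP virtual server without and with a certificate.
DEFAULT_BANNER = ("220 exchange.mydomain.org Microsoft ESMTP MAIL Service, "
                  "Version: 6.0.3790.211 ready at Wed, 2 Feb 2005 23:40:00 -0500")
HARDENED_BANNER = "220 mail.example.mil ESMTP ready"
EHLO_NO_TLS = ("250-exchange.mydomain.org Hello [10.0.0.5]\r\n250-SIZE\r\n"
               "250-PIPELINING\r\n250-AUTH GSSAPI NTLM LOGIN\r\n250 OK")
EHLO_TLS = ("250-mail.example.mil Hello [10.0.0.5]\r\n250-SIZE\r\n"
            "250-STARTTLS\r\n250-AUTH GSSAPI NTLM LOGIN\r\n250 OK")

# Tokens that identify the product or its build (assumed list); the bare hostname is allowed.
DISCLOSURE = re.compile(r"Microsoft|ESMTP MAIL Service|Version:|\d+(?:\.\d+){2,}", re.I)
PLAINTEXT_AUTH = {"LOGIN", "PLAIN"}


def parse_reply(text):
    """Split an SMTP reply (RFC 5321 4.2.1, '250-' continuation lines) into (code, lines)."""
    codes, payload = set(), []
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line:
            continue
        m = re.match(r"^(\d{3})[ -](.*)$", line)
        if not m:
            raise ValueError("malformed SMTP reply line: %r" % line)
        codes.add(m.group(1))
        payload.append(m.group(2))
    if len(codes) != 1:
        raise ValueError("inconsistent reply codes: %s" % sorted(codes))
    return int(codes.pop()), payload


def banner_findings(banner_reply):
    """Return the product/version tokens disclosed in the 220 greeting (empty list = clean)."""
    code, lines = parse_reply(banner_reply)
    if code != 220:
        raise ValueError("expected 220 greeting, got %d" % code)
    return [m.group(0) for m in DISCLOSURE.finditer(lines[0])]


def ehlo_extensions(ehlo_reply):
    """Map each advertised EHLO keyword to its parameters; the first line (hostname) is skipped."""
    code, lines = parse_reply(ehlo_reply)
    if code != 250:
        raise ValueError("EHLO rejected with %d" % code)
    ext = {}
    for line in lines[1:]:
        words = line.split()
        if words and words[0].upper() != "OK":   # Exchange 2003 closes the list with '250 OK'
            ext[words[0].upper()] = [w.upper() for w in words[1:]]
    return ext


def assess(banner_reply, ehlo_reply):
    """Combine both checks into one finding record for the virtual server."""
    ext = ehlo_extensions(ehlo_reply)
    auth = ext.get("AUTH", [])
    return {
        "version_disclosed": banner_findings(banner_reply),   # EMG3-116
        "starttls": "STARTTLS" in ext,                         # EMG2-144
        "auth_mechanisms": auth,
        # Password-based AUTH offered where TLS is impossible: credentials cross the wire in the clear.
        "plaintext_auth_without_tls": "STARTTLS" not in ext and bool(PLAINTEXT_AUTH & set(auth)),
    }


def _read_reply(fh):
    """Read one complete (possibly multi-line) reply from a socket file object."""
    lines = []
    while True:
        line = fh.readline().decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # last line has a space after the code
            return "\r\n".join(lines)


def probe(host, port=25, timeout=5.0):
    """Live version of the check (needs network; not used by the offline sample run)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        fh = sock.makefile("rb")
        banner = _read_reply(fh)
        sock.sendall(b"EHLO probe.example.test\r\n")
        ehlo = _read_reply(fh)
        sock.sendall(b"QUIT\r\n")
    return assess(banner, ehlo)


if __name__ == "__main__":
    print("default :", assess(DEFAULT_BANNER, EHLO_NO_TLS))
    print("hardened:", assess(HARDENED_BANNER, EHLO_TLS))
```

A STARTTLS keyword in the EHLO reply shows only that TLS is offered; whether it is required is confirmed by issuing MAIL FROM without STARTTLS and expecting a 530-class rejection, which the live probe deliberately does not do so that it stays read-only against production servers.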
SV-20514r1_rule EMG3-119 Exch2K3 MEDIUM E-mail Services accounts are not restricted to named services. Applications introduce some of the most common attack avenues, and can provide a pathway for an unlimited number of malicious users to access sensitive data. An account responsible for service execution, if compromised, may subject the data to unauthorized exposure if it is granted more privileges than necessary. Typically, service accounts must run only their designated services, and must not be shared with other applications or people. Audit log monitoring can then assume an ‘expected’ set of activities for each service account, and administrators can more readily recognize events that are unexpected. A discrete history of account activity is valuable if an attack on the host system needs to be investigated. If accounts are shared among multiple services or people, it increases the risk that administrators will not have an accurate history for investigation and troubleshooting purposes. In the case of Microsoft Exchange Server 2003, attempting to run Exchange services under an alternate service account (rather than the default SYSTEM account) is not a supported Microsoft configuration. Due to the nature of the access the Exchange services require within the server and the network, Exchange 2003 services must run under the Microsoft Windows SYSTEM account; the finding therefore applies to any Exchange service whose logon account has been changed away from Local System, or any non-Exchange service that has been configured to share an Exchange-related account. Information Assurance OfficerE-Mail AdministratorECLP-1
SV-20516r1_rule EMG3-145 Exch2K3 MEDIUM E-Mail service accounts are not operating at least privilege. Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. A securely designed E-Mail Services implementation includes the definition of E-mail Roles (Servers and services, Users, Administrators, Installers) based on functional requirements for each, then assigning the fewest possible privileges to these roles. Roles are then assigned to people or services based on the application functions they are required to perform. In the case of Microsoft Exchange Server 2003, attempting to run Exchange services on an alternate service account (rather than the default SYSTEM account) is not a supported Microsoft configuration. Due to the nature of the Exchange services access required within the server and the network, Exchange 2003 services must run under the Microsoft Windows SYSTEM account.E-Mail AdministratorECLP-1
SV-20520r1_rule EMG3-828 Exch2K3 MEDIUM E-mail restore permissions are not restricted to E-mail administrators. Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. The right to restore e-mail applications or data following a service interruption must align with the E-mail Installation and E-mail Administration role, excluding all other user roles. Because this elevated privilege has the ability to change the application functionality or data from its initial version, it must be carefully assigned, monitored, and controlled. E-Mail AdministratorE-Mail InstallerECLP-1
SV-20524r1_rule EMG3-121 Exch2K3 MEDIUM Services permissions do not reflect least privilege. Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. A securely designed E-mail Services implementation includes the definition of E-mail Roles (Servers and services, Users, Administrators, Installers) based on the functions required by each, then assigning the fewest privileges to these roles. Roles are then assigned to people or services based on the application functions they are required to perform. The Exchange GPO templates available from Microsoft enable the E-mail Administrator to easily set a Baseline Security Policy that hardens service permissions (startup type and the ACL on each service object). Installations configured without use of the policy templates must nevertheless meet the vendor-recommended minimums for service protection.E-Mail AdministratorECLP-1
SV-20526r1_rule EMG3-824 Exch2K3 MEDIUM Exchange application permissions are not at vendor recommended settings. Default product installations may provide more generous permissions than are necessary to run the application. By examining and tailoring permissions to more closely provide the least amount of privilege possible, attack vectors that align with user permissions are less likely to access more highly secured areas. Vendor-supplied policies are available to assist in further hardening the permissions set for Exchange. Application file permissions on Exchange 2003 servers can be set by importing the group policy for Exchange Back-End or Front-End servers. To the extent of file permissions, both policies set the same directory permissions as shown here. E-Mail AdministratorE-Mail InstallerECLP-1
SV-20528r1_rule EMG2-259 Exch2K3 MEDIUM Scripts are permitted to execute in the OWA Virtual Server. Scripts on virtual servers are a frequent cause of server compromises. Since this virtual (web) server is the primary interface between Exchange and the web, it is particularly at risk of compromise. Therefore, attack vectors via scripts and executables running on the server should be minimized. The Exchange Virtual Server enables web access (OWA) to user mailbox stores. It is designed to provide much of the same functionality as the Outlook client, but through a web browser. This control (the IIS "Execute permissions" setting on the virtual directory: None, Scripts only, or Scripts and Executables) allows the administrator to specify whether scripts and/or executables may be run on this virtual server. Scripts and executables should be denied permission to run (Execute permissions set to None), eliminating this attack vector from the security profile. E-Mail AdministratorECLP-1
SV-20530r1_rule EMG2-275 Exch2K3 MEDIUM Scripts are permitted to execute in the Public Folder web server. Scripts on virtual servers are a frequent cause of server compromises. Since this virtual (web) server is a primary interface between Exchange and the web, it is particularly at risk of compromise. Therefore, attack vectors via scripts and executables running on the server should be minimized. The Public Virtual Server enables web access to shared public folders. This control (the IIS "Execute permissions" setting on the virtual directory) allows the administrator to specify whether scripts and/or executables may be run on this virtual server. Scripts and executables should be denied permission to run on this server (Execute permissions set to None), eliminating this attack vector from the security profile. E-Mail AdministratorECLP-1
SV-20532r1_rule EMG2-255 Exch2K3 MEDIUM Scripts are Permitted to Execute in the ExAdmin Virtual Server. The ExAdmin Virtual Server is used by the Exchange System Manager to access mailboxes and Public Folders; as such, it is a required part of the Exchange application, and without it the Exchange System Manager cannot function properly. Scripts on servers are a frequent cause of server compromises. Since virtual servers are the primary interface between Exchange and the web, they are particularly at risk of compromise; therefore, attack vectors via scripts and executables running on the server should be minimized. This control (the IIS "Execute permissions" setting on the virtual directory) allows the administrator to specify whether scripts and/or executables may be run on this virtual server. Scripts and executables should be denied the ability to run on this server. The Exchange System Manager is the only entity that interfaces with it, and since the default setting already provides all of the capabilities needed, there is no reason to change it. E-Mail AdministratorECLP-1
SV-20534r1_rule EMG2-263 Exch2K3 MEDIUM Users do not have correct permissions in the OWA Virtual Server. The principle of Least Privilege ordinarily requires analysis to ensure that users and processes are granted only as much privilege as is required to function effectively, but no additional privileges that could enable mischief, either accidental or intentional. The Exchange Virtual Server (OWA) enables web access to user E-mail mailboxes; however, users do not access the virtual server directly. This control determines whether users will have read, write, script source access, and/or directory browsing capabilities under this virtual server. The OWA Virtual Server requires that users have read, write, script source access, and directory browsing permissions, since these are required for the proper functioning of OWA; the finding is that the permissions differ from this set in either direction, as both over-privilege and a broken OWA are outcomes to avoid. E-Mail AdministratorECLP-1
SV-20536r1_rule EMG2-269 Exch2K3 MEDIUM ExAdmin does not have correct permissions in the ExAdmin Virtual Server. The principle of Least Privilege ordinarily requires analysis to ensure that users and processes are granted only as much privilege as is required to function effectively, but no additional privileges that could enable mischief, either accidental or intentional. The ExAdmin Virtual Directory enables web access to E-mail and public folder documents for the Exchange 2003 System Manager. No users access this part of the application. This control determines whether the ExAdmin user will have read, write, script source access, and/or directory browsing capabilities under this virtual server. ExAdmin requires read, write, script source access, and directory browsing permissions since these are required for all of Exchange Web access. E-Mail AdministratorECLP-1
SV-20546r1_rule EMG2-303 Exch2K3 LOW Exchange application memory is not zeroed out after message deletion. Residual data left behind after a transaction completes adds risk that it can be recovered and used for malicious purposes if an attacker gains access to the storage. Applications may perform a ‘logical delete’, which makes the data invisible to the application user but in fact leaves it resident (recoverable, for example, by a forensics tool). While not malicious, this has the effect of sacrificing security for performance. This feature (the storage group's "Zero Out Deleted Database Pages" option in Exchange System Manager) overwrites freed database pages before the space is reused, so that by the time the space is released it essentially no longer contains any information that would allow the message to be retrieved. Using this feature may make batch message deletion more time consuming (the server must actually overwrite each freed page rather than simply unlink it). However, off-hours process performance degradation is not likely to be visible to users. Performance degradation should not be used as a reason to disable this feature, as the security benefit outweighs the cost. E-Mail AdministratorECRC-1
SV-20557r1_rule EMG2-038 Exch2K3 MEDIUM E-mail Services are not protected by having an Edge Transport Server (E-mail Secure Gateway) performing outbound message signing at the perimeter. Individual messages can be protected by requiring message signing at the creation point (Outlook), at the originator’s discretion, enabling integrity protection for their messages. However, messages can also be created by report generators and other applications using automated processes that do not typically sign messages. By signing outbound messages as they exit into the public Internet, the sending SMTP server gives all receivers the opportunity to authenticate the sending domain and server (using the public key published in the DNS-based DKIM record) and to validate the message content as unaltered in transit (by recomputing the body hash and verifying the signature over the headers with that public key). In this way forgeries are detected and SPAMMERs are more easily tracked. It should be noted that sender authentication techniques are of limited effectiveness unless both senders and receivers participate. For receivers not configured to recognize signed messages there is no impact to processing; they default to treating the message as if from an anonymous sender and examine it with the evaluation methods that are available. The DKIM (Domain Keys Identified Mail) process is not part of Exchange 2003 functionality, so inbound messages that reach an Exchange server as the first receiving touchpoint will not be able to receive this type of sender authentication. However, most E-mail Secure Gateway products now offer this feature. EMG2-038 None. Exchange 2003 does not possess DKIM signing or validation features.Information Assurance OfficerE-Mail AdministratorECTM-1
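The body-hash half of the DKIM check described above (the receiver "rehashing" the content to detect alteration in transit) is simple enough to show end to end with the standard library. The following is an added example for this page, not STIG content and not code from Exchange or from any gateway product. The gateway-side function prepends a DKIM-Signature header whose bh= tag is the base64 SHA-256 of the body under RFC 6376 "simple" body canonicalization; the receiver-side function recomputes that hash over the body as received and compares. The b= tag (the RSA signature over the selected headers, which is what ties the message to the domain's DNS-published key) is deliberately left out, since producing it needs the selector's private key and is not what this example demonstrates. The message, domain and selector are constructed; relaxed body canonicalization is not implemented and is rejected explicitly.

```python
import base64
import hashlib
import re

# Constructed sample message (CRLF line endings as on the wire); not real traffic.
# The trailing blank lines are there on purpose: simple canonicalization must ignore them.
UNSIGNED = ("From: reports@example.mil\r\n"
            "To: analyst@example.mil\r\n"
            "Subject: Nightly queue report\r\n"
            "\r\n"
            "Queue depth: 0\r\n"
            "Errors: none\r\n"
            "\r\n\r\n")


def split_message(raw):
    """Split an RFC 5322 message into (header block, body) at the first blank line."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("message has no header/body separator")
    return head, body


def canonical_body_simple(body):
    """RFC 6376 3.4.3 'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    while body.endswith("\r\n"):
        body = body[:-2]
    return body + "\r\n"


def body_hash(body, algorithm="sha256"):
    """The bh= value: base64 of the digest over the canonicalized body."""
    digest = hashlib.new(algorithm, canonical_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def get_header(header_block, name):
    """Return the unfolded value of the first header field called `name` (case-insensitive)."""
    unfolded = re.sub(r"\r\n[ \t]+", " ", header_block)
    for line in unfolded.split("\r\n"):
        field, _, value = line.partition(":")
        if field.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_dkim_tags(value):
    """Parse the tag=value list of a DKIM-Signature (RFC 6376 3.2); whitespace inside values is ignored."""
    tags = {}
    for item in value.split(";"):
        if item.strip():
            tag, _, val = item.partition("=")   # first '=' only: base64 padding keeps its '='
            tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags


def add_body_hash_header(raw, domain, selector):
    """Gateway-side step: prepend a DKIM-Signature carrying bh= over the outbound body.
    The b= tag (RSA signature over the listed headers) is omitted on purpose; it needs the
    selector's private key and is the part this example does not cover."""
    head, body = split_message(raw)
    sig = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s;\r\n"
           "\th=from:to:subject; bh=%s;\r\n" % (domain, selector, body_hash(body)))
    return sig + head + "\r\n\r\n" + body


def verify_body_hash(raw):
    """Receiver-side step: recompute bh= over the body as received and compare.
    Returns (ok, computed, expected); (False, None, None) when the message is unsigned."""
    head, body = split_message(raw)
    sig = get_header(head, "DKIM-Signature")
    if sig is None:
        return False, None, None
    tags = parse_dkim_tags(sig)
    canon = tags.get("c", "simple/simple").split("/")
    if (canon[1] if len(canon) == 2 else "simple") != "simple":
        raise NotImplementedError("only simple body canonicalization is implemented here")
    algorithm = tags.get("a", "rsa-sha256").split("-", 1)[1]   # rsa-sha256 -> sha256
    computed = body_hash(body, algorithm)
    return computed == tags.get("bh"), computed, tags.get("bh")


if __name__ == "__main__":
    signed = add_body_hash_header(UNSIGNED, "example.mil", "gw2014")
    print(verify_body_hash(signed))                                    # (True, <bh>, <bh>)
    print(verify_body_hash(signed.replace("Errors: none", "Errors: 7")))  # (False, ...)
```

A bh= mismatch is the cheap first test a receiver runs; only when it passes is the RSA signature in b= worth checking against the public key fetched from selector._domainkey.domain in DNS, so an attacker who alters the body is caught before any cryptography or DNS lookup happens.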
SV-20559r1_rule EMG3-150 Exch2K3 MEDIUM E-Mail audit trails are not protected against unauthorized access. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considered sensitive, and in need of protection. Audit data available for modification by a malicious user can be altered to conceal malicious activity. Audit data might also provide a means for the malicious user to plan unauthorized activities that exploit weaknesses. The contents of audit logs are protected against unauthorized access, modification, or deletion. Only authorized auditors and the audit functions should be granted Read and Write to audit log data. Information Assurance OfficerE-Mail AdministratorECTP-1
SV-20561r1_rule EMG3-829 Exch2K3 HIGH E-mail servers do not have E-mail aware virus protection. With the proliferation of trojans, viruses, and SPAM attaching themselves to E-Mail messages (or attachments), it is necessary to have capable E-Mail aware Anti-Virus (AV) products to scan messages and identify any resident malware. Because E-Mail messages and their attachments are formatted to the MIME standard and stored inside the Exchange database files rather than as individual files, a flat-file AV scanning engine is not suitable for scanning E-Mail message stores (and file-level scanning of the database and log files can itself corrupt the store). E-mail aware Anti-Virus engines must use the Exchange Virus Scanning Application Programming Interface (VSAPI) version 2.5 or higher, which is able to scan E-Mail content safely. Competent E-Mail scanners will have the ability to scan mail stores, attachments (including zip or other archive files) and mail queues, and to issue warnings or alerts if malware is detected. As with other AV products, a necessary feature to include is the ability for automatic signature updates.Information Assurance OfficerE-Mail AdministratorECVP-1
SV-21025r1_rule EMG2-863 Exch2K3 MEDIUM Mailbox access control mechanisms are not audited for changes. Unauthorized or malicious data changes can compromise the integrity and usefulness of the data. Automated attacks or malicious users with elevated privileges have the ability to effect change using the same mechanisms as E-mail administrators. Auditing changes to access mechanisms supports accountability and non-repudiation for those authorized to define the environment, but also enables investigation of changes made by others who may not be authorized. E-Mail AdministratorECAT-1
SV-21038r1_rule EMG2-718 Exch2K3 MEDIUM Message size restriction is specified at the SMTP connector level. E-mail system availability depends in part on best-practice strategies for setting tuning configurations. For message size restrictions, multiple places exist to set or override inbound or outbound message size (global settings, the SMTP virtual server, individual connectors, and individual mailboxes). Failure to control the configuration strategy can result in loss of data or system availability. This setting enables the Administrator to control the maximum size of outgoing messages on an SMTP Connector. It is recommended that, in general, no limits be applied at the connector level, so that connectors do not end up prohibiting the delivery of messages that would otherwise be permitted by the Exchange configuration at the virtual server level. Using connectors to control size limits at an enterprise-wide level is discouraged, since the limit would need to be applied to every potential connector in order to create an effective enterprise-wide limit.E-Mail AdministratorECSC-1
SV-67615r1_rule EMG1-009 Exch2K3 HIGH Exchange Server Software that is no longer supported by the vendor for security updates must not be installed on a system. Exchange Server Software that is no longer supported by Microsoft for security updates is not evaluated or updated for vulnerabilities, leaving it open to potential attack. Organizations must transition to a supported Exchange Server Software to ensure continued support.E-Mail AdministratorECSC-1