Microsoft ISA Server 2006 (OWA Proxy)

Microsoft ISA Server 2006 configured in a Web Proxy Profile for Microsoft Exchange 2003 OWA Server

Details

Version / Release: V1R2

Published:

Updated At: 2018-09-23 02:54:47


| Rule | Version | CCI | Severity | Title | Description |
|---|---|---|---|---|---|
| SV-23918r1_rule | ISA3-015 | ISA | MEDIUM | Procedural Reviews for ISA Services must be done annually. | A regular review of current security policies and procedures is necessary to maintain the desired security posture of application proxies and firewalls such as Microsoft Internet Security and Acceleration (ISA). Policies and procedures should be measured |
| SV-23920r2_rule | ISA3-002 | ISA | MEDIUM | ISA-Unique security requirements, such as Interface Model, server role, and protected assets must be documented. | Functional Architecture documentation must be developed and maintained for ISA servers at each location. For example, if the ISA server is performing an Exchange 2003 Proxy role vs. an Exchange 2007 Proxy role, the specifics of that implementation should |
| SV-23922r1_rule | ISA3-045 | ISA | MEDIUM | Configuration Management (CM) procedures must be implemented for ISA services. | Uncontrolled, untested, or unmanaged changes result in an unreliable security posture. All software libraries related to ISA services need to be reviewed, considered, and the responsibility for CM assigned. CM responsibilities may appear to cross bounda |
| SV-23924r2_rule | ISA0-056 | ISA | LOW | ISA Server Administrator role must be assigned or authorized by the IAO. | Separation of roles supports operational security for application as well as human resources. Roles accompanied by elevated privileges, such as that of the Firewall Administrator, must be carefully regulated and monitored. All appointments to IA roles, |
| SV-23926r1_rule | ISA3-050 | ISA | MEDIUM | ISA services must be documented in the System Security Plan. | A System Security Plan defines the security procedures and policies applicable to the AIS. It includes definition of responsibilities and qualifications for those responsible for administering the AIS security. For ISA services, this includes specifical |
| SV-23929r1_rule | ISA3-007 | ISA | MEDIUM | ISA Recovery Data must be restricted to Administrators and Backup/Recovery processes. | All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the backup and recovery data exposes it to risk of potential theft or damage that may ultimately prevent a successful rest |
| SV-23931r1_rule | ISA3-079 | ISA | MEDIUM | Automated tools must be available for review and reporting on ISA Services audit records. | Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. ISA 2006 built-in monitors enable the administrator to generate alerts if thr |
| SV-23933r1_rule | ISA3-071 | ISA | MEDIUM | ISA audit records must be retained for at least one year. | Audit data retention serves as a history that can aid in determining actions executed by users and administrators. Reasons for such research include both malicious actions that may have been perpetrated, as well as legal evidence that might be needed for |
| SV-23935r1_rule | ISA3-006 | ISA | MEDIUM | Audit Logs must be included in Backups. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit logs are essential to the investigation and prosecution of unauthorized access to ISA softwar |
| SV-23939r1_rule | ISA3-005 | ISA | MEDIUM | The ISA Backup and Recovery strategy must be documented and must be tested according to the INFOCON schedule. | All automated information systems are at risk of data loss due to disaster or compromise. Threat identification and risk analysis serve to define elements of a comprehensive Disaster Recovery Plan with objectives that provide for the smooth transfer of a |
| SV-23938r1_rule | ISA3-010 | ISA | MEDIUM | Software Critical Copies for ISA Services must be backed up and available for restore action. | There is always potential that accidental loss can cause system loss and that restoration will be needed. In the event that the installation site is compromised, damaged or destroyed, copies of critical software media may be needed to recover the systems |