Role-Based Access Control must be defined for privileged and nonprivileged users.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259631	EX19-ED-000174	SV-259631r942207_rule		Medium

Description
Role Based Access Control (RBAC) is the permissions model used in Microsoft Exchange Server 2013, 2016, and 2019. With RBAC, there is no need to modify and manage access control lists (ACLs), which was done in Exchange Server 2007. ACLs created several challenges in Exchange 2007, such as modifying ACLs without causing unintended consequences, maintaining ACL modifications through upgrades, and troubleshooting problems that occurred due to using ACLs in a nonstandard way. RBAC enables users to control, at both broad and granular levels, what administrators and end users can do. RBAC also enables users to more closely align the roles assigned to users and administrators to the actual roles they hold within the organization. In Exchange 2007, the server permissions model applied only to the administrators who managed the Exchange 2007 infrastructure. Starting in Exchange 2013, RBAC now controls both the administrative tasks that can be performed and the extent to which users can now administer their own mailbox and distribution groups.

Description

Role Based Access Control (RBAC) is the permissions model used in Microsoft Exchange Server 2013, 2016, and 2019. With RBAC, there is no need to modify and manage access control lists (ACLs), which was done in Exchange Server 2007. ACLs created several challenges in Exchange 2007, such as modifying ACLs without causing unintended consequences, maintaining ACL modifications through upgrades, and troubleshooting problems that occurred due to using ACLs in a nonstandard way. RBAC enables users to control, at both broad and granular levels, what administrators and end users can do. RBAC also enables users to more closely align the roles assigned to users and administrators to the actual roles they hold within the organization. In Exchange 2007, the server permissions model applied only to the administrators who managed the Exchange 2007 infrastructure. Starting in Exchange 2013, RBAC now controls both the administrative tasks that can be performed and the extent to which users can now administer their own mailbox and distribution groups.

STIG	Date
Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide	2024-01-10

Details

Check Text ( C-63370r942205_chk )
Check the EDSP to verify who should be in each built in RBAC management role group. If this is not found, this is a finding.

Fix Text (F-63278r942206_fix)
Update the EDSP and define who should and should not have elevated privileges within the organization. Follow the rule of least privilege and ensure that administrators are given just enough access to complete their job. Reference document: https://docs.microsoft.com/en-us/exchange/understanding-management-role-groups-exchange-2013-help?view=exchserver-2019