
E-mail Administrator Groups must ensure least privilege.


Overview

Finding ID: V-18877
Version: EMG0-075 EMail
Rule ID: SV-20667r1_rule
IA Controls: ECPA-1
Severity: Medium
Description
When an oversight responsibility is assigned to the same person performing the actions being overseen, the function of oversight is compromised. When the responsibility to manage or control one application or activity is assigned to one party, yet another party is also assigned the privilege to perform the same actions, then neither party can logically be held responsible for those actions. By separating responsibility and permissions by role, accountability is achieved. Roles, once defined, can then be used as "groups" with permissions granted in the AD domain.

Microsoft names three roles for E-mail administration as a starting point (listed in diminishing order of privilege): E-mail Full Administrator, E-mail Administrator, and E-mail View-Only Administrator. Because Exchange is an application, all three roles are subordinate to OS Administrator roles.

E-mail Full Administrator has the ability to install the application and configure the access and operational parameters, perform user and configuration setup, and view all aspects of E-mail configuration and performance. The Exchange Installation account would be a good candidate for this group.

E-mail Administrator is able to perform user and configuration setup, and view all aspects of E-mail configuration and performance. Operational tasks and administrators would be good candidates for this role.

E-mail View-Only Administrator is able to view all aspects of E-mail configuration and performance. Persons or utilities that monitor throughput, connector, and queue performance would be good candidates for this group.

Further granularity is possible, and often makes sense, enabling each role to operate using the least possible permissions needed to perform the role.
STIG: Email Services Policy
Date: 2012-01-31

Details

Check Text (C-22520r1_chk)
Procedure: Interview the E-mail administrator or the IAO. Review documentation that describes division of duties by role in the E-mail administration assignments.

Criteria: If E-mail Administrator tasks are assigned to a defined role in the organization, and the role is operating at least privilege for the tasks, this is not a finding.
Fix Text (F-19470r1_fix)
Procedure: Create, or have created, Policies / OUs / Security Groups to define roles and permissions for the E-mail Administration team. Verify that each role is granted only the least permissions necessary to perform the associated tasks.
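As an added example (not part of the STIG text or any vendor tooling), the following PowerShell creates the three role groups named in the description as AD security groups inside a dedicated OU, then audits them for the separation-of-duties failure the description warns about: an account that holds more than one e-mail administration role. The domain DN, the OU name and the exact group names are assumptions chosen for this example; the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: create the role groups from the STIG description and audit
# them for overlapping membership. Domain DN, OU and group names are assumed.
Import-Module ActiveDirectory

$DomainDN = 'DC=example,DC=mil'            # assumption: replace with your domain DN
$OuName   = 'Email Administration Roles'   # assumption: OU name chosen for this example
$OuDN     = "OU=$OuName,$DomainDN"

# Role groups in diminishing order of privilege, as listed in the description.
$Roles = [ordered]@{
    'Email Full Administrators'      = 'Install/configure Exchange, user and config setup, view all'
    'Email Administrators'           = 'User and configuration setup, view all'
    'Email View-Only Administrators' = 'View configuration and performance only'
}

# Create the OU once; protect it so the role definitions are not removed by accident.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# Create each role as a global security group (idempotent: skip groups that exist).
foreach ($Name in $Roles.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $OuDN)) {
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security `
                    -Path $OuDN -Description $Roles[$Name]
    }
}

# Audit: one principal holding several roles defeats the separation the rule
# describes, so collect the role groups each user reaches (directly or nested).
$Membership = @{}
foreach ($Name in $Roles.Keys) {
    Get-ADGroupMember -Identity $Name -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            if (-not $Membership.ContainsKey($_.SamAccountName)) {
                $Membership[$_.SamAccountName] = New-Object System.Collections.Generic.List[string]
            }
            $Membership[$_.SamAccountName].Add($Name)
        }
}

# Report every account that appears in two or more role groups.
$Overlaps = $Membership.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if ($Overlaps) {
    $Overlaps | ForEach-Object { "FINDING: $($_.Key) holds roles: $($_.Value -join ', ')" }
} else {
    'No account holds more than one e-mail administration role.'
}
```

Run the audit portion on its own during the check procedure: any FINDING line is evidence that a role is not operating at least privilege and should be reconciled with the documented division of duties.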