
E-mail services and servers must be protected by routing all SMTP traffic through an Edge Transport Server.


Overview

Finding ID: V-19546
Version: EMG3-106 Exch2K3
Rule ID: SV-21609r1_rule
IA Controls: EBBD-1
Severity: High
Description
Separation of roles supports operational security for application and protocol services. Since 2006, Microsoft best practice has been to define operational "roles" for servers within E-mail services. The Edge Transport server role (also called the E-mail Secure Gateway) was created to concentrate authentication and sanitization tasks in one server, providing Internet-facing protection for internal E-mail servers. In the E-mail services infrastructure it has become imperative that inbound messages be examined before they are forwarded into the enclave, primarily because of the volume of SPAM and malware in the message stream. Similarly, outbound messages must be examined so that an organization can locate, or perhaps intercept, messages with potential data spillage of sensitive or important information.

The Edge Transport E-mail server role, which could be an 'appliance' such as "Iron Port" or "Iron Mail", or a Microsoft Exchange 2010 Edge Transport server, is designed to group protective measures for both inbound and outbound messages. Its charter is to face the Internet and to scrutinize all SMTP traffic in order to determine whether to grant a message continued passage to its destination. Inbound E-mail sanitization steps include (but are not limited to) the following:
• Sender Authentication
• Sender Reputation Evaluation (White-listing and Black-listing)
• SPAM content scoring
• Virus and Malware removal
• Web Link URL evaluation
• Absent sender information
• SPOOFED domain sources (such as the local domain appearing as inbound mail)
• 0-Day attack detection
• Archiving or Quarantining trapped messages
• Alerting and Reporting when configured items are identified

Failure to implement an E-mail Secure Gateway increases the risk that raw messages will reach the internal servers and networks, thereby increasing the risk of their compromise.

Even though there are E-mail services that are able to perform many of these evaluations, their Windows domain membership requires that they be internal to the enclave rather than expose domain interaction to the public Internet. Attempting to sanitize E-mail after it arrives inside the domain is not an acceptable or effective security measure. Routing all SMTP traffic through an Edge Transport Server (E-mail Secure Gateway) confines SMTP-specific attack vectors to a single perimeter host that is not a domain member, where they can be handled before a message ever touches a domain-joined server.
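As an added illustration (not part of the STIG, Exchange, or any appliance), the following Python sketch applies a subset of the inbound sanitization steps listed above to a parsed message plus its SMTP envelope: absent sender information, reputation allow-/blocklisting, the spoofed-local-domain check, simple SPAM content scoring, and URL evaluation against a deny list. The domains, list contents, spam terms, threshold, and sample messages are all constructed assumptions for the demonstration; sender authentication (SPF/DKIM), malware scanning, and 0-day detection are not shown.

```python
"""Added example: a minimal inbound-gateway policy evaluator.

Illustrative code written for this page. It evaluates a message the way
an E-mail Secure Gateway would before forwarding it into the enclave and
returns a verdict with the reasons that fired. All names below are
constructed assumptions, not real hosts, addresses or lists.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed policy data (assumptions for the example).
LOCAL_DOMAINS = {"mail.example.mil"}            # domains served inside the enclave
ALLOWLIST = {"trusted-partner.example"}         # envelope-sender domains trusted outright
BLOCKLIST = {"spam.example"}                    # envelope-sender domains always rejected
DENIED_URL_HOSTS = {"evil.example"}             # hosts that must not appear in links
SPAM_TERMS = {"free money", "act now", "click here"}
SPAM_THRESHOLD = 3                              # score at or above this is quarantined
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def _domain(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def evaluate_inbound(envelope_from, raw_message):
    """Return ('accept' | 'quarantine' | 'reject', [reasons]).

    envelope_from: SMTP MAIL FROM address ('' for a null sender).
    raw_message:   the message as received, headers and body, as text.
    """
    msg = message_from_string(raw_message)
    reasons = []
    score = 0

    # Absent sender information: null envelope sender and no From header.
    _, header_from = parseaddr(msg.get("From", ""))
    if not envelope_from and not header_from:
        reasons.append("absent sender information")
        score += 3

    # Sender reputation: block-/allowlist on the envelope-sender domain.
    # An allowlisted domain bypasses content checks; that is only safe when
    # sender authentication (not shown here) has already proven the domain.
    env_domain = _domain(envelope_from)
    if env_domain in BLOCKLIST:
        return "reject", ["sender domain on blocklist: " + env_domain]
    if env_domain in ALLOWLIST:
        return "accept", ["sender domain on allowlist: " + env_domain]

    # Spoofed domain source: inbound mail claiming one of our own domains.
    hdr_domain = _domain(header_from)
    if hdr_domain in LOCAL_DOMAINS:
        reasons.append("local domain used as inbound sender: " + hdr_domain)
        score += 3

    # SPAM content scoring over Subject and body text.
    body = msg.get_payload(decode=True)
    text = body.decode("utf-8", "replace") if body else ""
    haystack = (msg.get("Subject", "") + "\n" + text).lower()
    hits = sorted(t for t in SPAM_TERMS if t in haystack)
    if hits:
        reasons.append("spam terms: " + ", ".join(hits))
        score += len(hits)

    # Web link URL evaluation against the denied-host list.
    bad_hosts = sorted({h.lower() for h in URL_RE.findall(text)
                        if h.lower() in DENIED_URL_HOSTS})
    if bad_hosts:
        reasons.append("denied URL hosts: " + ", ".join(bad_hosts))
        score += 3

    return ("quarantine" if score >= SPAM_THRESHOLD else "accept"), reasons


# Constructed sample messages for the demonstration.
SPOOFED_MSG = """From: "Help Desk" <it@mail.example.mil>
To: user@mail.example.mil
Subject: Act now: password reset

Click here to reset: http://evil.example/reset
"""

CLEAN_MSG = """From: Alice <alice@vendor.example>
To: user@mail.example.mil
Subject: Meeting notes

Attached are the notes from Tuesday.
"""

NO_SENDER_MSG = """Subject: hi

Nothing here.
"""

if __name__ == "__main__":
    print(evaluate_inbound("bounce@random.example", SPOOFED_MSG))
    print(evaluate_inbound("alice@vendor.example", CLEAN_MSG))
    print(evaluate_inbound("", NO_SENDER_MSG))
```

The spoofed message trips three independent checks (local From domain on an inbound connection, spam terms, a denied link host) and is quarantined; the clean message is accepted with no reasons; a message with neither envelope nor header sender is quarantined on that basis alone. A real gateway would also archive the trapped copy and raise an alert, as the list above calls for.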
STIG: Email Services Policy
Date: 2012-01-31

Details

Check Text ( C-23795r1_chk )
Procedure: Interview the IAO. Review documentation that describes the infrastructure for E-mail services. Verify that an Edge Transport Server (or E-mail Secure Gateway) is installed and active on the network. Ensure that all inbound and outbound E-mail messages pass through and are examined by a perimeter-based Edge Transport Server.

Criteria: If the site employs an Edge Transport Server or E-mail Secure Gateway that performs the required protection, this is not a finding.
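Documentation review is the check the STIG calls for; an added technical spot-check (not part of the STIG) is to read the Received headers of messages that reached an internal mailbox and confirm that the first internal server to handle each message received it from the gateway. The Python below parses the hop chain from constructed sample messages; the hostnames and timestamps are assumptions for the example, and a gateway that rewrites or strips headers would need the check adapted.

```python
"""Added example: verify from Received headers that inbound mail entered
the enclave through the Edge Transport Server / E-mail Secure Gateway.

Illustrative code written for this page; hostnames are constructed.
"""
import re
from email import message_from_string

# A Received header reads "from <sending host> ... by <receiving host> ...";
# DOTALL lets the match span folded (multi-line) header values.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s.*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)

# Constructed assumptions: the perimeter gateway(s) and the internal mail hosts.
GATEWAYS = {"edge.example.mil"}
INTERNAL = {"hub.example.mil", "mailbox.example.mil"}


def delivery_path(raw_message):
    """Return [(from_host, by_host), ...] with the oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    # Each MTA prepends its Received header, so the list is newest-first.
    return list(reversed(hops))


def entered_via_gateway(raw_message, gateways=GATEWAYS, internal=INTERNAL):
    """True only if the first internal host in the chain took the message from a gateway."""
    for from_host, by_host in delivery_path(raw_message):
        if by_host in internal:
            return from_host in gateways
    return False  # no internal hop seen at all: cannot confirm, treat as failing


# Constructed sample: correct path, external MTA -> edge -> hub.
VIA_GATEWAY_MSG = """Received: from edge.example.mil (edge.example.mil [192.0.2.10])
 by hub.example.mil with ESMTP; Tue, 31 Jan 2012 10:00:01 -0500
Received: from mta.sender.example (mta.sender.example [198.51.100.5])
 by edge.example.mil with ESMTP; Tue, 31 Jan 2012 10:00:00 -0500
From: alice@sender.example
Subject: routed through the gateway

body
"""

# Constructed sample: the external MTA reached the internal hub directly.
BYPASS_MSG = """Received: from mta.sender.example (mta.sender.example [198.51.100.5])
 by hub.example.mil with ESMTP; Tue, 31 Jan 2012 10:05:00 -0500
From: alice@sender.example
Subject: bypassed the gateway

body
"""

if __name__ == "__main__":
    print(delivery_path(VIA_GATEWAY_MSG), entered_via_gateway(VIA_GATEWAY_MSG))
    print(delivery_path(BYPASS_MSG), entered_via_gateway(BYPASS_MSG))
```

A message that shows an external MTA handing directly to an internal host is evidence that some path (a stray MX record, a firewall rule, a relay on another port) lets SMTP into the enclave without passing the gateway, which is exactly the condition this rule exists to prevent.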
Fix Text (F-20241r1_fix)
Procedure: Install and configure an Edge Transport Server role in the infrastructure. Ensure that all SMTP traffic passes through this gateway, prior to forwarding messages into the enclave mail servers.