
Mailbox databases must reside on a dedicated partition.


Overview

Finding ID: V-33604
Version: Exch-1-318
Rule ID: SV-44024r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to the host system can most likely lead to a compromise of all applications hosted by the same system. Email services should be installed to a discrete set of directories, on a partition that does not host other applications. Email services should never be installed on a Domain Controller / Directory Services server.
STIG: Exchange 2010 Mailbox Server STIG
Date: 2014-03-11

Details

Check Text ( C-41710r1_chk )
Obtain the Email Domain Security Plan (EDSP) and locate the assigned directory for the mailbox server under review.

Open the Exchange Management Shell and enter the following command to determine the drives on which the mailbox databases are located.

Get-MailboxDatabase | Select Name, Identity, EdbFilePath

Open Windows Explorer and use the file and folder properties function to verify the mailbox databases are on a dedicated partition. If not, this is a finding.
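
The check above can be scripted so the reviewer sees, per volume, which databases live there and what else shares the volume. This is an added example, not part of the STIG text; it assumes it is run in the Exchange Management Shell on the mailbox server itself, that databases sit on lettered volumes rather than mount points, and that the output is judged against the EDSP by the reviewer.

```powershell
# Added example (not from the STIG). Lists each volume that holds a mailbox
# database and anything else found at the top level of that volume.
$systemVolume = [System.IO.Path]::GetPathRoot($env:SystemRoot)
# Top-level entries Windows creates on every volume; not treated as other content.
$ignore = 'System Volume Information', '$RECYCLE.BIN'

# Same command as the check text, limited to databases hosted on this server.
$rows = foreach ($db in @(Get-MailboxDatabase -Server $env:COMPUTERNAME)) {
    $edb = "$($db.EdbFilePath)"
    if (-not $edb) { continue }            # no path recorded, nothing to test
    $root = [System.IO.Path]::GetPathRoot($edb)
    New-Object PSObject -Property @{
        Database = $db.Name
        Volume   = $root
        # First path element under the volume root, e.g. "MDB01" in E:\MDB01\db.edb
        TopLevel = $edb.Substring($root.Length).Split('\')[0]
    }
}

foreach ($group in ($rows | Group-Object Volume)) {
    $volume    = $group.Name
    $dbFolders = @($group.Group | ForEach-Object { $_.TopLevel })

    # Anything at the volume root that is not a database folder needs review.
    # Transaction log folders kept outside the database folder will appear here.
    $other = @(Get-ChildItem -LiteralPath $volume -Force -ErrorAction SilentlyContinue |
        Where-Object { ($dbFolders -notcontains $_.Name) -and ($ignore -notcontains $_.Name) } |
        ForEach-Object { $_.Name })

    $detail = @()
    if ($volume -eq $systemVolume) { $detail += 'operating system volume' }
    if ($other.Count -gt 0)        { $detail += 'other content: ' + ($other -join ', ') }

    $status = 'No other content seen'
    if ($detail.Count -gt 0) { $status = 'Review' }

    New-Object PSObject -Property @{
        Volume    = $volume
        Databases = ($group.Group | ForEach-Object { $_.Database }) -join ', '
        Status    = $status
        Detail    = $detail -join '; '
    } | Select-Object Volume, Databases, Status, Detail
}
```

A volume reported as Review is not automatically a finding; compare the listed content with the directory assigned in the EDSP.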
Fix Text (F-37495r1_fix)
Configure the system to meet the separate partition requirement.