Unnecessary services must be removed or disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
Exch-112	Exch-112	Exch-112_rule		Medium

Description
Unneeded, but running, services offer attackers an enhanced attack profile, and attackers are constantly watching to discover open ports with running services. By analyzing and disabling unneeded services, the associated open ports become unresponsive to outside queries, and servers become more secure as a result. Exchange Server has role-based server deployment to enable protocol path control and logical separation of network traffic types. For example, a server implemented in the Client Access role (i.e., Outlook Web App [OWA]) is configured and tuned as a web server using web protocols. A client access server exposes only web protocols (HTTP/HTTPS) enabling System Administrators to optimize the protocol path and disable all services unnecessary for Exchange web services. Similarly, Back-end servers created to host mailboxes are dedicated to that task, and operate only the services needed for mailbox hosting. (Back-end servers must also operate some Web services, but only to the degree that Exchange requires the IIS engine in order to function). To restrict attack vectors available with email message access, the protocols on the email servers should match offerings on the DoD standard desktop deployment. These include Microsoft Outlook using MAPI, S/MIME enabled clients, and secured connections. It also includes Outlook via VPN for offsite telework. Browsers may access OWA provided it uses PKI/CAC access brokered through a reverse proxy Application Server. Because NNTP, POP3, and IMAP4 clients are not included in the standard desktop offering, they must be disabled.

Description

Unneeded, but running, services offer attackers an enhanced attack profile, and attackers are constantly watching to discover open ports with running services. By analyzing and disabling unneeded services, the associated open ports become unresponsive to outside queries, and servers become more secure as a result. Exchange Server has role-based server deployment to enable protocol path control and logical separation of network traffic types. For example, a server implemented in the Client Access role (i.e., Outlook Web App [OWA]) is configured and tuned as a web server using web protocols. A client access server exposes only web protocols (HTTP/HTTPS) enabling System Administrators to optimize the protocol path and disable all services unnecessary for Exchange web services. Similarly, Back-end servers created to host mailboxes are dedicated to that task, and operate only the services needed for mailbox hosting. (Back-end servers must also operate some Web services, but only to the degree that Exchange requires the IIS engine in order to function). To restrict attack vectors available with email message access, the protocols on the email servers should match offerings on the DoD standard desktop deployment. These include Microsoft Outlook using MAPI, S/MIME enabled clients, and secured connections. It also includes Outlook via VPN for offsite telework. Browsers may access OWA provided it uses PKI/CAC access brokered through a reverse proxy Application Server. Because NNTP, POP3, and IMAP4 clients are not included in the standard desktop offering, they must be disabled.

STIG	Date
Microsoft Exchange 2010 Core Server	2012-05-31

Details

Check Text ( C-_chk )
To view system services open a windows power shell and enter the following command. Get-Service -Name, Status The command returns a list of installed services and the status of that service. Required services will vary between organizations, and will vary depending on the role of the individual system. Organizations will develop their own list of services which will be documented and justified with the IAO. The Site's list will be provided for any security review. Services that are common to multiple systems can be addressed in one document. Exceptions for individual systems should be identified separately by system. If the site has not documented the services required for their system(s), this is a finding.

Check Text ( C-_chk )

To view system services open a windows power shell and enter the following command.

Get-Service -Name, Status

The command returns a list of installed services and the status of that service.

Required services will vary between organizations, and will vary depending on the role of the individual system. Organizations will develop their own list of services which will be documented and justified with the IAO. The Site's list will be provided for any security review. Services that are common to multiple systems can be addressed in one document. Exceptions for individual systems should be identified separately by system.

If the site has not documented the services required for their system(s), this is a finding.

Fix Text (F-_fix)
Document the services required for the system to operate. Remove or disable any services that are not required.