
Role-Based Access Control must be defined for privileged and nonprivileged users.


Finding ID: V-259698
Version: EX19-MB-000173
Rule ID: SV-259698r945441_rule
IA Controls: (none listed)
Severity: Medium
Role-Based Access Control (RBAC) is the permissions model used in Microsoft Exchange Server 2013, 2016, and 2019. With RBAC, there is no need to modify and manage access control lists (ACLs), which was done in Exchange Server 2007. ACLs created several challenges in Exchange 2007, such as modifying ACLs without causing unintended consequences, maintaining ACL modifications through upgrades, and troubleshooting problems that occurred due to using ACLs in a nonstandard way. RBAC enables organizations to control, at both broad and granular levels, what administrators and end users can do. RBAC also enables organizations to more closely align the roles assigned to users and administrators with the actual roles they hold within the organization. In Exchange 2007, the server permissions model applied only to the administrators who managed the Exchange 2007 infrastructure. Starting with Exchange 2013, RBAC controls both the administrative tasks that can be performed and the extent to which users can administer their own mailbox and distribution groups.
Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide 2024-01-10


Check Text (C-63437r945441_chk)
Review the Email Domain Security Plan (EDSP) to verify which users should be in each built-in RBAC management role group.

If this is not found, this is a finding.
Fix Text (F-63345r942407_fix)
Update the EDSP and define which users should and should not have elevated privileges within the organization.

Follow the rule of least privilege and ensure that administrators are given just enough access to complete their job.

Referenced Document: https://docs.microsoft.com/en-us/exchange/understanding-management-role-groups-exchange-2013-help?view=exchserver-2019
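The check above is manual: compare the EDSP's approved membership against each built-in role group. The following Exchange Management Shell script is an added example, not part of the STIG or of Microsoft's documentation; it assumes the EDSP membership list has been exported to a hypothetical JSON file mapping each role group name to its approved member names, and it reports every deviation as a potential finding.

```powershell
# Added example: reconcile built-in RBAC role group membership with the EDSP.
# Assumes the Exchange Management Shell is loaded (Get-RoleGroup and
# Get-RoleGroupMember are Exchange cmdlets) and that edsp-rolegroups.json is a
# hypothetical export of the EDSP shaped like:
#   { "Organization Management": ["ExAdmin01"], "Discovery Management": [] }
$EdspPath = '.\edsp-rolegroups.json'
$approved = Get-Content -Raw -Path $EdspPath | ConvertFrom-Json

$findings = @()
foreach ($group in Get-RoleGroup) {
    $name = $group.Name

    # Direct members only; a nested group appears by its own name and
    # should itself be listed (and justified) in the EDSP.
    $actual = @(Get-RoleGroupMember -Identity $name | ForEach-Object { $_.Name })

    $expected = @()
    if ($approved.PSObject.Properties.Name -contains $name) {
        $expected = @($approved.$name)
    } else {
        # A built-in role group the EDSP never mentions is itself a gap.
        $findings += [pscustomobject]@{ RoleGroup = $name; Issue = 'Role group not defined in EDSP'; Member = '' }
    }

    # Members granted privilege without EDSP approval (least-privilege violation).
    foreach ($m in $actual) {
        if ($expected -notcontains $m) {
            $findings += [pscustomobject]@{ RoleGroup = $name; Issue = 'Member not approved in EDSP'; Member = $m }
        }
    }
    # Approved members that are absent indicate the EDSP is stale.
    foreach ($e in $expected) {
        if ($actual -notcontains $e) {
            $findings += [pscustomobject]@{ RoleGroup = $name; Issue = 'Approved member missing from role group'; Member = $e }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'All built-in role group memberships match the EDSP.'
} else {
    $findings | Sort-Object RoleGroup, Issue, Member | Format-Table -AutoSize
}
```

Any row in the output is a deviation to resolve either by correcting the role group membership or by updating the EDSP with a documented justification.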