Exchange Core Services Monitors are not configured with threshold and actions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-18717	EMG2-817 Exch2K3	SV-20377r1_rule	ECSC-1	Medium

Description
Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion. This field allows the administrator to control notifications when a ‘warning’ or ‘critical’ trigger is issued in response to an Exchange Core service being down. If exchange core services are down, the service status state should be set to critical, as this will require immediate attention. Notification choices include E-Mail alert to an E-Mail enabled account, for example, an E-Mail Administrator, or invoke a script to take other action, for example, to add an Event to the Microsoft Application Event Log, where external monitors might detect it.

Description

Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Exchange 2003 built-in monitors enable the administrator to generate alerts if thresholds are reached, better enabling them to react in a timely fashion. This field allows the administrator to control notifications when a ‘warning’ or ‘critical’ trigger is issued in response to an Exchange Core service being down. If exchange core services are down, the service status state should be set to critical, as this will require immediate attention. Notification choices include E-Mail alert to an E-Mail enabled account, for example, an E-Mail Administrator, or invoke a script to take other action, for example, to add an Event to the Microsoft Application Event Log, where external monitors might detect it.

STIG	Date
Microsoft Exchange Server 2003	2014-08-19

Details

Check Text ( C-22437r1_chk )
If Exchange Core Services monitoring is performed via a third party tool as part of an overall data center monitoring strategy, then this is N/A. Review Exchange Core Services monitoring and notification. Note: List content may differ depending on specific Exchange components implemented. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Properties >> Monitoring Tab >> [Default Microsoft Exchange Services] >> Details Button For each item listed, the "When Service is not Running, Change State to" should be "Critical" and the minimum action should be an E-mail to an E-mail Administrator or to an Incident Response team account. Criteria: If, for each service the "When Service is not Running, Change State to" is"Critical", and the minimum action is an E-mail to an Administrator or to an Incident Response Team account, this is not a finding.

Check Text ( C-22437r1_chk )

If Exchange Core Services monitoring is performed via a third party tool as part of an overall data center monitoring strategy, then this is N/A.

Review Exchange Core Services monitoring and notification. Note: List content may differ depending on specific Exchange components implemented.

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Properties >> Monitoring Tab >> [Default Microsoft Exchange Services] >> Details Button

For each item listed, the "When Service is not Running, Change State to" should be "Critical" and the minimum action should be an E-mail to an E-mail Administrator or to an Incident Response team account.

Criteria: If, for each service the "When Service is not Running, Change State to" is"Critical", and the minimum action is an E-mail to an Administrator or to an Incident Response Team account, this is not a finding.

Fix Text (F-19365r1_fix)
Configure Exchange Core Services monitoring. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Properties >> Monitoring tab >> [Windows 2003 Service] >> Details button 1) Add the monitor, if needed: Click ADD, select desired Exchange core Service. 2) Set the warning and critical thresholds for each service Set “When service is not running change state to” Critical. 3) Create the notifications for each service: Exchange System Manager >> Tools >> Monitoring and Status >> Notifications Declare notifications and communication methods as required by the local organization policy. At minimum, E-mail an on-call Exchange Administrator or an Incident Response administrator.

Fix Text (F-19365r1_fix)

Configure Exchange Core Services monitoring.

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Properties >> Monitoring tab >> [Windows 2003 Service] >> Details button

1) Add the monitor, if needed:
Click ADD, select desired Exchange core Service.

2) Set the warning and critical thresholds for each service
Set “When service is not running change state to” Critical.

3) Create the notifications for each service:
Exchange System Manager >> Tools >> Monitoring and Status >> Notifications

Declare notifications and communication methods as required by the local organization policy. At minimum, E-mail an on-call Exchange Administrator or an Incident Response administrator.