
E-mail application installation is sharing a partition with another application.


Overview

Finding ID: V-18731
Version: EMG3-115 Exch2K3
Rule ID: SV-20405r1_rule
IA Controls: DCPA-1
Severity: Medium
Description
In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability in one application, and its subsequent exploitation, can lead to an exploit of other applications sharing the same security context. For example, an exploit of a web server process that leads to unauthorized administrative access to the host system can most likely lead to a compromise of all applications hosted by the same system. E-mail services should be installed to a discrete set of directories, on a partition that does not host other applications. E-mail services should never be installed on a Domain Controller / Directory Services server.
STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text (C-22452r1_chk)
Interview the E-mail Administrator.

Procedure: Start >> Programs >> All Programs.

Review all the programs listed to ensure that no E-mail servers, office programs, database programs, etc., are installed. If they are, ask the E-mail Administrator about their function and purpose.

Criteria: If E-mail services reside on dedicated directories or partitions and do not co-host other applications (without associated approval from the IAO), this is not a finding.
Fix Text (F-19380r1_fix)
Procedure: Install E-mail services on dedicated partitions. E-mail services software must not share a directory or partition with other software or the host operating system.
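
The manual review in the Check Text can be supported by a script; the following is an added example, not part of the STIG. It lists installed programs whose install location is on the same volume as the E-mail installation and warns if that volume also hosts the operating system. The `$ExchangePath` parameter is an assumption to be set per host, and the Uninstall registry keys are the standard Windows locations rather than anything named in this finding.

```powershell
# Added example (not from the STIG): inventory software that shares a volume
# with the E-mail server installation directory.
param(
    # Assumption: the E-mail installation directory; supply the real path per host.
    [Parameter(Mandatory = $true)]
    [string]$ExchangePath
)

$exchangeDir  = $ExchangePath.TrimEnd('\').ToUpperInvariant()
$exchangeRoot = [System.IO.Path]::GetPathRoot($ExchangePath).ToUpperInvariant()
$systemRoot   = [System.IO.Path]::GetPathRoot($env:SystemRoot).ToUpperInvariant()

# Fix Text: E-mail software must not share a partition with the host OS.
if ($exchangeRoot -eq $systemRoot) {
    Write-Warning "E-mail path '$ExchangePath' is on the operating system volume $systemRoot"
}

# Standard per-machine uninstall keys (native and 32-bit registry views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallLocation } |
    Where-Object {
        $dir = $_.InstallLocation.Trim('"').TrimEnd('\').ToUpperInvariant()
        # Ignore relative or malformed locations; they cannot be mapped to a volume.
        if (-not [System.IO.Path]::IsPathRooted($dir)) { return $false }
        $sameVolume = [System.IO.Path]::GetPathRoot($dir) -eq $exchangeRoot
        # Components installed inside the E-mail directory itself are expected.
        $insideExchange = ($dir -eq $exchangeDir) -or $dir.StartsWith("$exchangeDir\")
        $sameVolume -and -not $insideExchange
    } |
    Sort-Object DisplayName |
    Select-Object DisplayName, Publisher, InstallLocation
```

Programs that register no InstallLocation, and volumes mounted as folders rather than drive letters, are not detected, so the output narrows the review with the E-mail Administrator rather than replacing it.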