
Exchange software baseline copy does not exist.


Overview

Finding ID: V-18743
Version: EMG3-805 Exch2K3
Rule ID: SV-20429r1_rule
IA Controls: DCSW-1
Severity: Medium
Description
Exchange 2003 software, as with other application software installed on a host system, must be included in a system baseline record and periodically reviewed; otherwise, unauthorized changes to the software may not be discovered. This effort is a vital step in securing the host and the applications, as it is the only method that may provide the ability to detect and recover from otherwise undetected changes, such as those that result from worm or bot intrusions. The Exchange 2003 software and configuration baseline is created and maintained for comparison during scanning efforts. Operational procedures must include baseline updates as part of any configuration management task that changes the software or configuration.
STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text (C-22465r1_chk)
Interview the E-Mail Administrator or the IAO. Reference a copy of the System Security Plan.

Procedure: Review the application software baseline procedures and implementation evidence. Review the list of files and directories included in the baseline procedure for completeness.

Criteria: If an E-mail software copy exists to serve as a baseline and is available for comparison during scanning efforts, this is not a finding.

Fix Text (F-19393r1_fix)
Procedure: Implement an E-mail software baseline process. Ensure that a plan exists for periodic comparison and is incorporated into the configuration management procedures.