Exchange Server is not protected by an Edge Transport Server (E-mail Secure Gateway) that performs Anonymous Connections interaction with Internet-based E-mail servers.


Overview

Finding ID: V-18780
Version: EMG2-111 Exch2K3
Rule ID: SV-22062r1_rule
IA Controls: EBBD-1
Severity: Medium
Description
E-mail is only as secure as the recipient. By ensuring secured connections for all Simple Mail Transfer Protocol (SMTP) servers along the message transfer path, the risk of “Anonymous” message transfers by rogue servers is reduced. If all message transfers were authenticated from server to server, most SPAM would be eliminated, because anonymous spammers would be more readily traceable. However, the ability to authenticate a sender from another domain will not be possible until a common authentication method exists between the receiving domain and all of the sending domains that might wish to correspond. For that reason, the Edge Transport Server role (E-Mail Secure Gateway) should be the only role enabled for Anonymous connections (because it will also perform the sanitization steps), and all internal E-mail application server roles must authenticate to each other.

This setting controls the authentication method required to allow connection and message transfer to this virtual server (recipient). Authentication options include Anonymous, Basic authentication (with clear text password), and Integrated Windows Authentication. Anonymous requires no authentication and is therefore not acceptable. NT LAN Manager, or NTLM (the Integrated Windows Authentication checkbox), is negotiated, does not provide encryption of message bodies, and cannot sufficiently secure the connection in Exchange 2003. Risks include the potential of allowing message content to be sniffed over the wire.

"Basic authentication" and "Require SSL/TLS" should be selected in this panel. The use of SSL/TLS not only protects the username and password during authentication, but also encrypts the mail messages as they are being transmitted, preventing eavesdroppers from reading messages. All Exchange 2003 servers should belong to this category.
STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text (C-25489r1_chk)
Interview the IAO or E-mail Administrator. Access documentation that describes placement of an E-mail Secure Gateway that receives inbound messages from Internet-based remote domains.

Verify the Exchange 2003 connector authentication configuration.

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> servers >> [server] >> Protocols >> SMTP >> [specific SMTP server] >> properties >> Access tab >> Access Control >> Authentication button

“Basic authentication” with "TLS" should be selected.

Fix Text (F-20614r1_fix)
Deploy an Edge Transport Server (E-mail Secure Gateway) role at the perimeter.

Then, for each Exchange 2003 SMTP virtual server (now internal to the enclave), set authentication.

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> servers >> [server] >> Protocols >> SMTP >> [specific SMTP server] >> properties >> Access tab >> Access Control >> Authentication button

Select “Basic authentication” and "TLS encryption".