UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

E-Mail service accounts are not operating at least privilege.


Overview

Finding ID Version Rule ID IA Controls Severity
V-18796 EMG3-145 Exch2K3 SV-20516r1_rule ECLP-1 Medium
Description
Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. A securely designed E-Mail Services implementation includes the definition of E-mail Roles (Servers and services, Users, Administrators, Installers) based on functional requirements for each, then assigning the fewest possible privileges to these roles. Roles are then assigned to people or services based on the application functions they are required to perform. In the case of Microsoft Exchange Server 2003, attempting to run Exchange services on an alternate service account (rather than the default SYSTEM account) is not a supported Microsoft configuration. Due to the nature of the Exchange services access required within the server and the network, Exchange 2003 services must run under the Microsoft Windows SYSTEM account.
STIG Date
Microsoft Exchange Server 2003 2014-08-19

Details

Check Text ( C-22505r1_chk )
View Exchange service permissions to verify service account privilege level.
Procedure: Start >> Settings >> Control Panel >> Administrative tools >> Services

For each "MSExch…." Active service in the list:
Right Click >> Properties >> LogOn >> Log On As field.

Criteria: If E-mail service accounts are operating with the SYSTEM account, this is not a finding.
Fix Text (F-19451r1_fix)
Ensure that E-mail service accounts are operating with the SYSTEM account privilege.

Procedure:
Start >> settings >> control panel >> administrative tools >> services

For each "MSExch…." Active service in the list:
Right Click >> Properties >> LogOn >> Log On As field. Select "Local SYSTEM account".