Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-18796 | EMG3-145 Exch2K3 | SV-20516r1_rule | ECLP-1 | Medium |
Description |
---|
Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. A securely designed E-Mail Services implementation includes the definition of E-mail Roles (Servers and services, Users, Administrators, Installers) based on functional requirements for each, then assigning the fewest possible privileges to these roles. Roles are then assigned to people or services based on the application functions they are required to perform. In the case of Microsoft Exchange Server 2003, attempting to run Exchange services on an alternate service account (rather than the default SYSTEM account) is not a supported Microsoft configuration. Due to the nature of the Exchange services access required within the server and the network, Exchange 2003 services must run under the Microsoft Windows SYSTEM account. |
STIG | Date |
---|---|
Microsoft Exchange Server 2003 | 2014-08-19 |
Check Text ( C-22505r1_chk ) |
---|
View Exchange service permissions to verify service account privilege level. Procedure: Start >> Settings >> Control Panel >> Administrative Tools >> Services. For each active "MSExch…." service in the list: Right-click >> Properties >> Log On >> Log On As field. Criteria: If E-mail service accounts are operating with the SYSTEM account, this is not a finding. |
Fix Text (F-19451r1_fix) |
---|
Ensure that E-mail service accounts are operating with the SYSTEM account privilege. Procedure: Start >> Settings >> Control Panel >> Administrative Tools >> Services. For each active "MSExch…." service in the list: Right-click >> Properties >> Log On >> Log On As field. Select "Local SYSTEM account". |
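
The Check Text above can be scripted so that every Exchange service is reviewed in one pass instead of one Properties dialog at a time. The following is an added example, not part of the STIG: it assumes the "MSExch" prefix from the check matches the service name, treats "active" as a service in the Running state, and uses a hypothetical `-ComputerName` parameter.

```powershell
# Added example: scripted form of Check Text C-22505r1_chk (not STIG content).
# Assumptions: "MSExch" is matched against the service *name*, and an
# "active" service is one whose State is Running.
param(
    [string]$ComputerName = '.'   # hypothetical parameter; '.' = local machine
)

# Win32_Service.StartName holds the "Log On As" account of each service.
$services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
    -Filter "Name LIKE 'MSExch%' AND State = 'Running'"

if (-not $services) {
    Write-Output "No running MSExch* services found on '$ComputerName'."
    return
}

# WMI normally reports the SYSTEM account as 'LocalSystem'. Any other value
# is flagged so that it gets a manual look rather than a silent pass.
$report = $services | Select-Object Name, DisplayName, StartName,
    @{ Name = 'Finding'; Expression = { $_.StartName -ne 'LocalSystem' } }

$report | Sort-Object Name | Format-Table -AutoSize

$findings = @($report | Where-Object { $_.Finding })
if ($findings.Count -gt 0) {
    Write-Output ("FINDING: {0} Exchange service(s) not running as SYSTEM." -f $findings.Count)
    exit 1
}

Write-Output 'Not a finding: all running MSExch* services log on as SYSTEM.'
```

A non-zero exit code marks a finding, so the script can be dropped into a scheduled compliance run; stopped or disabled services are outside its filter and still need the manual review described in the check.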