
E-mail restore permissions are not restricted to E-mail administrators.


Overview

Finding ID: V-18799
Version: EMG3-828 Exch2K3
Rule ID: SV-20520r1_rule
IA Controls: ECLP-1
Severity: Medium
Description
Good security practice demands both separation of duties and assignment of least privilege. Role Based Access Control (RBAC) is the most widely accepted method for meeting these two criteria. The right to restore e-mail applications or data following a service interruption must be confined to the E-mail Installation and E-mail Administration roles, excluding all other user roles. Because this elevated privilege can change the application's functionality or data from its installed state, it must be carefully assigned, monitored, and controlled.
STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text (C-22508r1_chk)
Verify that the restore privilege is restricted to E-mail Administrators and Installers only.

Procedure: Exchange System Manager >> Administrative Group >> [administrative group] >> Servers >> [server name] >> [recovery storage group] >> Mailbox store >> Properties >> Security tab >> Advanced button

Exchange Administrators and Installers should have Full Control. No other group should have 'write' permissions.

Criteria: If Exchange Administrators and Installers have Full Control and no other group has 'write' permissions, this is not a finding.
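The check above is a manual walk through Exchange System Manager. The mailbox store's permissions are stored as the security descriptor of the store's object in the Active Directory configuration partition, so the same check can be scripted. The following PowerShell is an added example, not part of the STIG or of any Microsoft tooling: it reads the store object's ACL through the ActiveDirectory module's AD: drive, then flags any trustee outside the allowed administrator and installer groups that holds a write-class right, and reports any allowed group that has no entry at all. The distinguished name, the group names (CONTOSO\Exchange Administrators, CONTOSO\Exchange Installers), and the choice of rights treated as 'write' are assumptions to adjust for your environment.

```powershell
# Added example (not part of the STIG). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# ASSUMPTION: placeholder DN of the mailbox store under the recovery storage group.
$StoreDN = 'CN=Mailbox Store (EXCH01),CN=Recovery Storage Group,CN=InformationStore,CN=EXCH01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'

# ASSUMPTION: the groups your organisation uses for the E-mail Administrator and Installer roles.
$AllowedTrustees = @(
    'CONTOSO\Exchange Administrators',
    'CONTOSO\Exchange Installers'
)

# Rights that let a trustee modify the object, its attributes, its children, or its security descriptor.
$Rights = [System.DirectoryServices.ActiveDirectoryRights]
$WriteRights = $Rights::GenericAll -bor $Rights::GenericWrite -bor $Rights::WriteProperty -bor
               $Rights::WriteDacl  -bor $Rights::WriteOwner   -bor $Rights::CreateChild   -bor
               $Rights::DeleteChild -bor $Rights::Delete      -bor $Rights::Self

function Test-StoreRestorePermissions {
    param(
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryAccessRule[]] $Aces,
        [string[]] $Allowed = $AllowedTrustees
    )
    $findings = @()
    $seenAllowed = @{}

    foreach ($ace in $Aces) {
        # Only Allow entries grant rights; Deny entries cannot create a finding here.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $identity = $ace.IdentityReference.Value
        if ($Allowed -contains $identity) {
            $seenAllowed[$identity] = $true
            continue
        }

        # Inherited entries count too: the Advanced dialog shows them and they are effective.
        if (($ace.ActiveDirectoryRights -band $WriteRights) -ne 0) {
            $source = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
            $findings += "$identity holds write-class rights ($source): $($ace.ActiveDirectoryRights)"
        }
    }

    foreach ($group in $Allowed) {
        if (-not $seenAllowed.ContainsKey($group)) {
            $findings += "$group has no Allow entry on the store; verify it holds Full Control"
        }
    }
    return $findings
}

# Usage: pull the live ACL and evaluate it against the STIG criteria.
$acl = Get-Acl -Path ("AD:\" + $StoreDN)
$results = Test-StoreRestorePermissions -Aces $acl.Access
if ($results) {
    $results | ForEach-Object { Write-Output "FINDING: $_" }
} else {
    Write-Output 'Not a finding: only the allowed groups hold write-class rights on the store.'
}
```

Run it from a management workstation in the Exchange organisation's forest with rights to read the configuration partition. The script treats any trustee outside the allowed list that holds any write-class right as a finding, which matches the check's wording ("no other group should have 'write' permissions"); it does not attempt to prove that the allowed groups hold exactly Full Control, since that can be granted through several ACEs, so confirm that part in the Advanced dialog.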
Fix Text (F-19457r1_fix)
Ensure that E-mail Restore Permissions are restricted to E-mail Administrators and Installers.

Procedure: Exchange System Manager >> Administrative Group >> [administrative group] >> Servers >> [server name] >> [recovery storage group] >> Mailbox store >> Properties >> Security tab >> Advanced button

Select "Allow Exchange application administrator full control" so that Exchange Administrators and Installers hold Full Control. No other group should have 'write' permissions.