Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-18801 | EMG3-121 Exch2K3 | SV-20524r1_rule | ECLP-1 | Medium |
Description |
---|
Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. A securely designed E-mail Services Implementation includes the definition of E-mail Roles (Servers and services, Users, Administrators, Installers) based on functions required by each, then assigning the fewest privileges to these roles. Roles are then assigned to people or services on the application functions they are required to perform. The Exchange GPO templates available from Microsoft enable the E-mail Administrator to easily set a Baseline Security Policy that hardens services permissions. Installations configured without use of policy templates must nevertheless meet vendor recommended minimums for service protection. |
STIG | Date |
---|---|
Microsoft Exchange Server 2003 | 2014-08-19 |
Check Text ( C-22510r1_chk ) |
---|
Review Permission Settings for Exchange 2003 Services.

Procedure: The following permissions should be set:

• Authenticated Users – Read
• System – Full Control
• Builtin Administrators – Full Control
• Auditing for failures against the Everyone security principal

For these listed services:

• MSExchangeMGMT - %systemroot%\program files\exchsvr\bin\exchmgmt.exe
• MSExchangeMTA - %systemroot%\system32\inetwrv\emsmta.exe
• MSExchangeSA - %systemroot%\program files\exchsvr\bin\mad.exe
• W3Svc - %systemroot%\system32\svchost.exe (IISSVCS)
• ISSAdmin - %systemroot%\system32\inetwrv\inetinfo.exe

Criteria: If services have vendor recommended permissions, this is not a finding.
Fix Text (F-19459r1_fix) |
---|
Correct the E-Mail Services permissions.

Procedure: The following table lists the recommended baseline settings you should start with when hardening the services for an Exchange back-end server (the Exchange_2003-Backend_V1_1.inf file configures these settings automatically). The SDDL sets the following:

• Authenticated Users – Read
• System – Full Control
• Builtin Administrators – Full Control
• Auditing for failures against the Everyone security principal

For these listed services:

• MSExchangeMGMT - %systemroot%\program files\exchsvr\bin\exchmgmt.exe
• MSExchangeMTA - %systemroot%\system32\inetwrv\emsmta.exe
• MSExchangeSA - %systemroot%\program files\exchsvr\bin\mad.exe
• W3Svc - %systemroot%\system32\svchost.exe (IISSVCS)
• ISSAdmin - %systemroot%\system32\inetwrv\inetinfo.exe
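One way to verify the baseline from the Check Text and Fix Text above on each listed service, as an added example that is not part of the STIG or of the Microsoft template: paste the SDDL string that `sc.exe sdshow <service>` prints into the checker below. The principal aliases (SY, BA, AU, WD) and the two-letter right tokens are standard SDDL notation; the sample SDDL strings are constructed, and treating any principal outside the baseline as a deviation is my assumption.

```python
import re

# SDDL two-letter SID aliases for the principals named in the baseline.
SYSTEM, BUILTIN_ADMINS, AUTH_USERS, EVERYONE = "SY", "BA", "AU", "WD"

def _tokens(field):
    """Split an SDDL rights or flags field ('CCLCSWLOCRRC') into 2-char tokens."""
    return frozenset(field[i:i + 2] for i in range(0, len(field), 2))

# Right sets as sc.exe sdshow prints them (assumption: token form, not 0x.. hex).
FULL_CONTROL = _tokens("CCDCLCSWRPWPDTLOCRSDRCWDWO")
READ = _tokens("CCLCSWLOCRRC")
BASELINE_DACL = {SYSTEM: FULL_CONTROL, BUILTIN_ADMINS: FULL_CONTROL, AUTH_USERS: READ}

def parse_acl(sddl, tag):
    """Return [(ace_type, flags, rights, sid), ...] from the D: or S: section."""
    m = re.search(tag + r":[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")[:6]
        aces.append((ace_type, _tokens(flags), _tokens(rights), sid))
    return aces

def check_service_sddl(sddl):
    """Compare one service's SDDL with the STIG baseline; return deviations."""
    findings, allowed = [], {}
    for ace_type, _flags, rights, sid in parse_acl(sddl, "D"):
        if ace_type == "A":                       # merge all Allow ACEs per SID
            allowed[sid] = allowed.get(sid, frozenset()) | rights
    for sid, expected in BASELINE_DACL.items():
        got = allowed.get(sid)
        if got is None:
            findings.append(f"{sid}: no Allow ACE")
        elif got != expected:
            findings.append(f"{sid}: rights differ (extra={''.join(sorted(got - expected))},"
                            f" missing={''.join(sorted(expected - got))})")
    for sid in sorted(set(allowed) - set(BASELINE_DACL)):
        findings.append(f"{sid}: principal not in baseline")   # assumption: extras fail
    # The audit ACE type is also spelled "AU" in SDDL; FA = audit failed access.
    if not any(t == "AU" and "FA" in f and sid == EVERYONE
               for t, f, _r, sid in parse_acl(sddl, "S")):
        findings.append("WD: no failure-audit ACE in SACL")
    return findings

# Constructed samples in the shape sc.exe sdshow prints: one compliant, one where
# Authenticated and Interactive Users can start/stop and the audit ACE is missing.
COMPLIANT = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
DRIFTED = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWRPWPDTLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;IU)")
```

`check_service_sddl(COMPLIANT)` returns an empty list; `check_service_sddl(DRIFTED)` reports the extra start/stop rights for AU, the unexpected IU principal, and the missing failure audit.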