
Scripts are Permitted to Execute in the ExAdmin Virtual Server.


Overview

Finding ID: V-18805
Version: EMG2-255 Exch2K3
Rule ID: SV-20532r1_rule
IA Controls: ECLP-1
Severity: Medium
Description
The ExAdmin Virtual Server is used by the Exchange System Manager to access mailboxes and Public Folders. As such, it is a required part of the Exchange application: the Exchange System Manager is a central part of Exchange, and without these capabilities it will be unable to function properly. Scripts on servers are a frequent cause of server compromises. Since virtual servers are the primary interface between Exchange and the web, they are particularly at risk of compromise; therefore attack vectors via scripts and executables running on the server should be minimized. This control allows the administrator to specify whether scripts and/or executables may be run on this virtual server. Scripts and executables should be denied the ability to run on it. The Exchange System Manager is the only entity that interfaces with the ExAdmin Virtual Server, and since the default setting provides all of the capabilities it needs, there should be no reason to change it.
STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text (C-22515r1_chk)
Validate the ExAdmin script permissions.

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server name] >> Protocols >> HTTP >> Exchange Virtual Server >> ExAdmin >> Properties >> Access tab

For Execute Permissions, ‘None’ should be selected.

Criteria: If ‘None’ is selected for Execute Permissions, this is not a finding.
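Clicking through Exchange System Manager on every server does not scale, and the Access tab setting is ultimately stored as the AccessFlags property of the ExAdmin virtual directory in the IIS 6 metabase (Exchange replicates it there from Active Directory). The script below is an added example, not part of the STIG or any Microsoft tool; it evaluates this check against a MetaBase.xml export. It assumes the ESM "Execute Permissions" drop-down corresponds to the AccessScript (0x200) and AccessExecute (0x4) bits of AccessFlags, and that MetaBase.xml writes the flags as symbolic names joined with "|". The embedded metabase fragment is constructed for the example, with one ExAdmin directory that is a finding and one that is not.

```python
"""Evaluate STIG V-18805 (ExAdmin Execute Permissions must be 'None')
against an IIS 6 MetaBase.xml export instead of clicking through ESM.
Added example; not part of the STIG or of any Microsoft tool."""
import xml.etree.ElementTree as ET

# IIS 6 metabase AccessFlags bit values.
ACCESS_FLAG_BITS = {
    "AccessRead": 0x1,
    "AccessWrite": 0x2,
    "AccessExecute": 0x4,
    "AccessSource": 0x10,
    "AccessScript": 0x200,
}

# Constructed MetaBase.xml fragment (not a real export): two HTTP virtual
# servers, each with an ExAdmin directory, plus an unrelated directory.
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
  <MBProperty>
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/ExAdmin" AccessFlags="AccessRead | AccessScript" />
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Exchange" AccessFlags="AccessRead | AccessScript" />
    <IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT/ExAdmin" AccessFlags="AccessRead" />
  </MBProperty>
</configuration>
"""


def parse_access_flags(text):
    """Turn 'AccessRead | AccessScript' (MetaBase.xml form) or a plain
    integer (the form adsutil.vbs prints) into the numeric bit mask."""
    text = (text or "").strip()
    if not text:
        return 0
    if text.isdigit():
        return int(text)
    value = 0
    for name in text.split("|"):
        name = name.strip()
        if name not in ACCESS_FLAG_BITS:
            raise ValueError("unknown AccessFlags token: %r" % name)
        value |= ACCESS_FLAG_BITS[name]
    return value


def execute_permission(flags):
    """Map the execute-related bits back to the three ESM drop-down values.
    Assumption: Execute implies script execution, so it is the stronger state."""
    if flags & ACCESS_FLAG_BITS["AccessExecute"]:
        return "Scripts and Executables"
    if flags & ACCESS_FLAG_BITS["AccessScript"]:
        return "Scripts only"
    return "None"


def _local_name(tag):
    # Strip the XML namespace that MetaBase.xml puts on every element.
    return tag.rsplit("}", 1)[-1]


def check_exadmin(metabase_xml):
    """Return [(location, execute_permission, status)] for every ExAdmin
    virtual directory. Status is 'finding', 'not a finding', or
    'inherited - check parent' when the node sets no AccessFlags of its own
    (the metabase then inherits the parent's value, which this export-only
    check cannot resolve)."""
    root = ET.fromstring(metabase_xml)
    results = []
    for elem in root.iter():
        if _local_name(elem.tag) != "IIsWebVirtualDir":
            continue
        location = elem.get("Location", "")
        if location.rstrip("/").split("/")[-1].lower() != "exadmin":
            continue
        raw = elem.get("AccessFlags")
        if raw is None:
            results.append((location, "inherited", "inherited - check parent"))
            continue
        perm = execute_permission(parse_access_flags(raw))
        status = "not a finding" if perm == "None" else "finding"
        results.append((location, perm, status))
    return results


if __name__ == "__main__":
    for location, perm, status in check_exadmin(SAMPLE_METABASE):
        print("%-32s Execute Permissions=%-24s %s" % (location, perm, status))
```

On a live server the same values can be read with `cscript %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs GET W3SVC/1/ROOT/ExAdmin/AccessFlags`, which prints the integer form that parse_access_flags also accepts.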
Fix Text (F-19465r1_fix)
Configure the ExAdmin Script Permissions.

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server name] >> Protocols >> HTTP >> Exchange Virtual Server >> ExAdmin >> Properties >> Access tab

Select ‘None’ for Execute Permissions.