Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-18806 | EMG2-263 Exch2K3 | SV-20534r1_rule | ECLP-1 | Medium |
Description |
---|
The principle of Least Privilege ordinarily requires analysis to ensure that users and processes are granted only as much privilege as is required to function effectively, but no additional privileges that could enable mischief, either accidental or intentional. The Exchange Virtual Server (OWA) enables web access for user e-mail mailboxes; however, users do not access the virtual server directly. This control determines whether users will have read, write, script source access, and/or directory browsing capabilities under this virtual server. The OWA Virtual Server requires that users have read, write, script source access, and directory browsing permissions, since these are required for the proper functioning of OWA. |
STIG | Date |
---|---|
Microsoft Exchange Server 2003 | 2014-08-19 |
Check Text ( C-22516r1_chk ) |
---|
Validate that users have correct OWA Virtual Server permissions. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server name] >> Protocols >> HTTP >> Exchange Virtual Server >> Exchange >> Properties >> Access tab. For Access Control, ‘read, write, script source access, directory browsing’ should be selected. Criteria: If Access Control has ‘read, write, script source access, directory browsing’ selected, this is not a finding. |
Fix Text (F-19466r1_fix) |
---|
Set user permissions for the OWA virtual server. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server name] >> Protocols >> HTTP >> Exchange Virtual Server >> Exchange >> Properties >> Access tab. For Access Control, select ‘read, write, script source access, directory browsing’. |