E-Mail audit trails are not protected against unauthorized access.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-18819	EMG3-150 Exch2K3	SV-20559r1_rule	ECTP-1	Medium

Description
Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considered sensitive, and in need of protection. Audit data available for modification by a malicious user can be altered to conceal malicious activity. Audit data might also provide a means for the malicious user to plan unauthorized activities that exploit weaknesses. The contents of audit logs are protected against unauthorized access, modification, or deletion. Only authorized auditors and the audit functions should be granted Read and Write to audit log data.

Description

Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considered sensitive, and in need of protection. Audit data available for modification by a malicious user can be altered to conceal malicious activity. Audit data might also provide a means for the malicious user to plan unauthorized activities that exploit weaknesses. The contents of audit logs are protected against unauthorized access, modification, or deletion. Only authorized auditors and the audit functions should be granted Read and Write to audit log data.

STIG	Date
Microsoft Exchange Server 2003	2014-08-19

Details

Check Text ( C-22529r1_chk )
Verify that audit logs are protected from unauthorized access or modification. Interview the E-mail Administrator or IAO. Procedure: Access the System Security Plan documents that describe audit data location and protection measures. Included should be server locations and directory security that limits access to appropriate and authorized individuals or processes. Only E-mail administrators and System Administrators should have both "read" and "write" ability. E-mail users should be restricted to "write" only. Criteria: If E-mail users are authorized to "write", and only E-mail and System administrators may "read" and "write" to audit trails, this is not a finding.

Check Text ( C-22529r1_chk )

Verify that audit logs are protected from unauthorized access or modification.

Interview the E-mail Administrator or IAO.

Procedure: Access the System Security Plan documents that describe audit data location and protection measures. Included should be server locations and directory security that limits access to appropriate and authorized individuals or processes.

Only E-mail administrators and System Administrators should have both "read" and "write" ability. E-mail users should be restricted to "write" only.

Criteria: If E-mail users are authorized to "write", and only E-mail and System administrators may "read" and "write" to audit trails, this is not a finding.

Fix Text (F-19489r1_fix)
Configure E-mail audit trail protection against unauthorized access. Procedure: Access the E-mail Services log files. Ensure that only E-mail Administators and System Administrators have "Read" and "Write" permissions, and that everyone else has only "Write". Enumerate the access criteria into the System Security Plan.