UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

E-Mail audit trails are not protected against unauthorized access.


Overview

Finding ID Version Rule ID IA Controls Severity
V-18819 EMG3-150 Exch2K3 SV-20559r1_rule ECTP-1 Medium
Description
Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considered sensitive, and in need of protection. Audit data available for modification by a malicious user can be altered to conceal malicious activity. Audit data might also provide a means for the malicious user to plan unauthorized activities that exploit weaknesses. The contents of audit logs are protected against unauthorized access, modification, or deletion. Only authorized auditors and the audit functions should be granted Read and Write to audit log data.
STIG Date
Microsoft Exchange Server 2003 2014-08-19

Details

Check Text ( C-22529r1_chk )
Verify that audit logs are protected from unauthorized access or modification.

Interview the E-mail Administrator or IAO.

Procedure: Access the System Security Plan documents that describe audit data location and protection measures. Included should be server locations and directory security that limits access to appropriate and authorized individuals or processes.

Only E-mail administrators and System Administrators should have both "read" and "write" ability. E-mail users should be restricted to "write" only.

Criteria: If E-mail users are authorized to "write", and only E-mail and System administrators may "read" and "write" to audit trails, this is not a finding.
Fix Text (F-19489r1_fix)
Configure E-mail audit trail protection against unauthorized access.

Procedure: Access the E-mail Services log files. Ensure that only E-mail Administators and System Administrators have "Read" and "Write" permissions, and that everyone else has only "Write".

Enumerate the access criteria into the System Security Plan.