
A public web server will limit e-mail to outbound only.


Overview

Finding ID: V-2261
Version: WG330
Rule ID: SV-2261r4_rule
IA Controls: ECSC-1
Severity: Medium
Description
Incoming e-mails have been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attack. Additionally, e-mail is a specialized application that requires the dedication of server resources. A production web server should only provide hosting services for web sites. Supporting mail services on a web server opens the server to the risk of abuse as an e-mail relay.
STIG: Web Server STIG
Date: 2010-10-07

Details

Check Text (C-29976r1_chk)
This check verifies, by checking the OS, that incoming e-mail is not supported.

Windows:
Select START >> Programs >> Administrative Tools >> Services.

Scroll down and review all the entries. If there is a mail program (SMTP service), then the reviewer must run that program to see if it will accept incoming e-mails. (There are too many different programs for detailed instructions.)

The reviewer should also check the Programs menu and sub-menus under Start to see if there are any installed mail programs. The reviewer can also check the Add/Delete programs icon in the Control Panel to see if there are any e-mail programs installed.

If there is an e-mail program installed and that program has been configured to accept inbound e-mail, this is a finding.
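As an added example (not part of the STIG or the viewer), the PowerShell script below automates the three manual Windows steps above: it lists mail-related services, any process listening on the SMTP ports, and installed programs whose name suggests a mail server. It assumes an elevated session on Windows Server 2012 or later (Get-NetTCPConnection is not available earlier); the name pattern and port list are reviewer-adjustable assumptions, and a hit still needs the manual confirmation the check text calls for.

```powershell
# Added example, not from the STIG. Assumes an elevated session on Server 2012+.
# Findings are reported for the reviewer to confirm; exit code 1 = probable finding.

$mailPattern = 'smtp|mail|exchange|postfix|hmail|mercury'   # assumed name pattern
$smtpPorts   = 25, 465, 587                                  # assumed inbound SMTP ports

# 1. Services (manual step: Administrative Tools >> Services)
$mailServices = Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match $mailPattern -or $_.DisplayName -match $mailPattern } |
    Select-Object Name, DisplayName, State, StartMode, PathName

# 2. Inbound SMTP listeners. A service used only for outbound mail need not listen.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $smtpPorts -contains $_.LocalPort } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Pid          = $_.OwningProcess
            Process      = $proc.ProcessName
        }
    }

# 3. Installed programs (manual step: Add/Remove Programs), read from the Uninstall keys
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$mailPrograms = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $mailPattern } |
    Select-Object DisplayName, DisplayVersion, Publisher

Write-Host "== Mail-related services ==";  $mailServices | Format-Table -AutoSize
Write-Host "== Listeners on SMTP ports =="; $listeners    | Format-Table -AutoSize
Write-Host "== Installed mail programs =="; $mailPrograms | Format-Table -AutoSize

# A listener on an SMTP port bound to a non-loopback address is the strongest sign that
# inbound e-mail is accepted; services and programs alone still need the manual review.
$inbound = $listeners | Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' }
if ($inbound) {
    Write-Warning "V-2261: inbound SMTP listener present - probable finding, confirm manually."
    exit 1
}
Write-Host "No inbound SMTP listener found; review the listed services and programs manually."
exit 0
```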
Fix Text (F-26834r1_fix)
Isolate e-mail, if running on a public web server, to outbound e-mail only. This would allow the web-based application to send timely notices to users and administrators. On the SMTP or other e-mail server, the mail relay option must be disabled.