UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

A public web server will limit e-mail to outbound only.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2261 WG330 SV-2261r4_rule ECSC-1 Medium
Description
Incoming e-mails have been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attacks. Additionally, e-mail is a specialized application that requires the dedication of server resources. A production web server should only provide hosting services for web sites. Supporting mail services on a web server opens the server to the risk of abuse as an e-mail relay.
STIG Date
Web Server STIG 2010-10-07

Details

Check Text ( C-29976r1_chk )
This check verifies, by checking the OS, that incoming e-mail is not supported.

Windows:
Select START >> Programs >> Administrative Tools >> Services.

Scroll down and review all the entries. If there is a mail program (SMTP service), then the reviewer must run that program to see if it will accept incoming e-mails. (There are too many different programs for detailed instructions.)

The reviewer should also check the Programs menu and sub-menus under Start to see if there are any installed mail programs. The reviewer can also check the Add/Delete programs icon in the Control Panel to see if there are any e-mail programs installed.

If there is an e-mail program installed and that program has been configured to accept inbound e-mail, this is a finding.
Fix Text (F-26834r1_fix)
Isolate e-mail, if running on a public web server, to outbound e-mail only. This would allow the web-based application to send timely notices to users and administrators. On the SMTP or other e-mail server, the mail relay option must be disabled.