E-Mail server has unneeded processes or services active.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-18676	EMG3-801 Exch2K3FE	SV-20296r1_rule	ECSC-1	Medium

Description
Unneeded, but running, services offer attackers an enhanced attack profile, and attackers are constantly watching to discover open ports with running services. By analyzing and disabling unneeded services, the associated open ports become unresponsive to outside queries, and servers become more secure as a result. Exchange 2003 has role-based server deployment to enable protocol path control and logical separation of network traffic types. For example, a server implemented in the Client Access role (i.e., Outlook Web Access [OWA]) is configured and tuned as a web server using web protocols. A client access server exposes only web protocols (HTTP/HTTPS) enabling System Administrators to optimize the protocol path and disable all services unnecessary for Exchange web services. Similarly, Back-End servers created to host mailboxes are dedicated to that task, and operate only the services needed for mailbox hosting. (Back-end servers must also operate some Web services, but only to the degree that Exchange 2003 requires the IIS engine in order to function). To restrict attack vectors available with E-mail message access, the protocols on the E-mail servers should match offerings on the DoD standard desktop deployment. These include Microsoft Outlook using MAPI, S/MIME enabled clients, and secured connections. It also includes Outlook via VPN for offsite telework. Browsers may access OWA provided it uses PKI/CAC access brokered through a reverse proxy Application Server. Because NNTP, POP3, and IMAP4 clients are not included in the standard desktop offering, they must be disabled. Guidance is not provided for these protocols in this document.

Description

Unneeded, but running, services offer attackers an enhanced attack profile, and attackers are constantly watching to discover open ports with running services. By analyzing and disabling unneeded services, the associated open ports become unresponsive to outside queries, and servers become more secure as a result. Exchange 2003 has role-based server deployment to enable protocol path control and logical separation of network traffic types. For example, a server implemented in the Client Access role (i.e., Outlook Web Access [OWA]) is configured and tuned as a web server using web protocols. A client access server exposes only web protocols (HTTP/HTTPS) enabling System Administrators to optimize the protocol path and disable all services unnecessary for Exchange web services. Similarly, Back-End servers created to host mailboxes are dedicated to that task, and operate only the services needed for mailbox hosting. (Back-end servers must also operate some Web services, but only to the degree that Exchange 2003 requires the IIS engine in order to function). To restrict attack vectors available with E-mail message access, the protocols on the E-mail servers should match offerings on the DoD standard desktop deployment. These include Microsoft Outlook using MAPI, S/MIME enabled clients, and secured connections. It also includes Outlook via VPN for offsite telework. Browsers may access OWA provided it uses PKI/CAC access brokered through a reverse proxy Application Server. Because NNTP, POP3, and IMAP4 clients are not included in the standard desktop offering, they must be disabled. Guidance is not provided for these protocols in this document.

STIG	Date
Microsoft Exchange Server 2003	2014-08-19

Details

Check Text ( C-22395r1_chk )
Verify that unneeded Front End services are disabled. Procedure: Microsoft Exchange Information Store Right Click >> Stop Service, if running. Right Click >> Properties >> Start Type change to Disable Registry: HKLM\CCS\Services\MSExchangeIS Key: START Value: Reg_DWORD 0x00000004 Microsoft Exchange MTA Stacks Right Click >> Stop Service, if running. Right Click >> Properties >> Start Type change to Disable Registry: HKLM\CCS\Services\MSExchangeMTA Key: START Value: Reg_DWORD 0x00000004 Microsoft Exchange Routing Engine Right Click >> Stop Service, if running. Right Click >> Properties >> Start Type change to Disable Registry: HKLM\CCS\Services\RESVC Key: START Value: Reg_DWORD 0x00000004 Microsoft Exchange IMAP4 Right Click >> Stop Service, if running. Right Click >> Properties >> Start Type change to Disable Registry: HKLM\CCS\Services\IMAP4SVC Key: START Value: Reg_DWORD 0x00000004. Microsoft Exchange POP3 Right Click >> Stop Service, if running. Right Click >> Properties >> Start Type change to Disable Registry: HKLM\CCS\Services\POP3SVC Key: START Value: Reg_DWORD 0x00000004 Microsoft Exchange Event Right Click >> Stop Service, if running. Right Click >> Properties >> Start Type change to Disable Registry: HKLM\CCS\Services\MSExchangeES Key: START Value: Reg_DWORD 0x00000004 Network News Transfer Protocol (NNTP) Right Click >> Stop Service, if running. Right Click >> Properties >> Start Type change to Disable Registry: HKLM\CCS\Services\NNTPSVC Key: START Value: Reg_DWORD 0x00000004 Microsoft Exchange Site Replication Service Right Click >> Stop Service, if running. Right Click >> Properties >> Start Type change to Disable Registry: HKLM\CCS\Services\MSExchangeSRS Key: START Value: Reg_DWORD 0x00000004 Criteria: If unnecessary services are disabled, this is not a finding.

Check Text ( C-22395r1_chk )

Verify that unneeded Front End services are disabled.

Procedure:
Microsoft Exchange Information Store
Right Click >> Stop Service, if running.
Right Click >> Properties >> Start Type change to Disable

Registry:
HKLM\CCS\Services\MSExchangeIS Key: START Value: Reg_DWORD 0x00000004

Microsoft Exchange MTA Stacks
Right Click >> Stop Service, if running.
Right Click >> Properties >> Start Type change to Disable

Registry:
HKLM\CCS\Services\MSExchangeMTA Key: START Value: Reg_DWORD 0x00000004

Microsoft Exchange Routing Engine
Right Click >> Stop Service, if running.
Right Click >> Properties >> Start Type change to Disable

Registry:
HKLM\CCS\Services\RESVC Key: START Value: Reg_DWORD 0x00000004

Microsoft Exchange IMAP4
Right Click >> Stop Service, if running.
Right Click >> Properties >> Start Type change to Disable

Registry:
HKLM\CCS\Services\IMAP4SVC Key: START Value: Reg_DWORD 0x00000004.

Microsoft Exchange POP3
Right Click >> Stop Service, if running.
Right Click >> Properties >> Start Type change to Disable

Registry:
HKLM\CCS\Services\POP3SVC Key: START Value: Reg_DWORD 0x00000004

Microsoft Exchange Event
Right Click >> Stop Service, if running.
Right Click >> Properties >> Start Type change to Disable

Registry:
HKLM\CCS\Services\MSExchangeES Key: START Value: Reg_DWORD 0x00000004

Network News Transfer Protocol (NNTP)
Right Click >> Stop Service, if running.
Right Click >> Properties >> Start Type change to Disable

Registry:
HKLM\CCS\Services\NNTPSVC Key: START Value: Reg_DWORD 0x00000004

Microsoft Exchange Site Replication Service
Right Click >> Stop Service, if running.
Right Click >> Properties >> Start Type change to Disable

Registry:
HKLM\CCS\Services\MSExchangeSRS Key: START Value: Reg_DWORD 0x00000004

Criteria: If unnecessary services are disabled, this is not a finding.

Fix Text (F-19323r1_fix)
Disable unneeded services. Procedure: Navigate to Start >> Settings >> Administrative Tools >> Services Create correct configurations. Microsoft Exchange IMAP4 – Right Click >> Stop Service, if running. Right Click >> Properties >> Start Type change to Disable Microsoft Exchange Information Store Right Click >> Stop Service, if running. Right Click >> Properties >> Start Type change to Disable Microsoft Exchange POP3 Right Click >> Stop Service, if running. Right Click >> Properties >> Start Type change to Disable Microsoft Search Right Click >> Stop Service, if running. Right Click >> Properties >> Start Type change to Disable Microsoft Exchange Event Right Click >> Stop Service, if running. Right Click >> Properties >> Start Type change to Disable Microsoft Exchange Site Replication Service Right Click >> Stop Service, if running. Right Click >> Properties >> Start Type change to Disable Microsoft Exchange MTA Stacks Right Click >> Stop Service, if running. Right Click >> Properties >> Start Type change to Disable Microsoft Exchange Routing Engine Right Click >> Stop Service, if running. Right Click >> Properties >> Start Type change to Disable Network News Transfer Protocol (NNTP) Right Click >> Stop Service, if running. Right Click >> Properties >> Start Type change to Disable

Fix Text (F-19323r1_fix)

Disable unneeded services.

Procedure: Navigate to Start >> Settings >> Administrative Tools >> Services

Create correct configurations.

Microsoft Exchange IMAP4 – Right Click >> Stop Service, if running.
Right Click >> Properties >> Start Type change to Disable

Microsoft Exchange Information Store
Right Click >> Stop Service, if running.
Right Click >> Properties >> Start Type change to Disable

Microsoft Exchange POP3
Right Click >> Stop Service, if running.
Right Click >> Properties >> Start Type change to Disable

Microsoft Search
Right Click >> Stop Service, if running.
Right Click >> Properties >> Start Type change to Disable

Microsoft Exchange Event
Right Click >> Stop Service, if running.
Right Click >> Properties >> Start Type change to Disable

Microsoft Exchange Site Replication Service
Right Click >> Stop Service, if running.
Right Click >> Properties >> Start Type change to Disable

Microsoft Exchange MTA Stacks
Right Click >> Stop Service, if running.
Right Click >> Properties >> Start Type change to Disable

Microsoft Exchange Routing Engine
Right Click >> Stop Service, if running.
Right Click >> Properties >> Start Type change to Disable

Network News Transfer Protocol (NNTP)
Right Click >> Stop Service, if running.
Right Click >> Properties >> Start Type change to Disable