
E-mail servers are not protected by an Edge Transport Server role (E-mail Secure Gateway) removing disallowed message attachments at the network perimeter.


Overview

Finding ID: V-18721
Version: EMG2-030 Exch2K3BE
Rule ID: SV-20385r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the Mail server environment. Attachments have been known to carry malware, although the file type and malware types have changed over time.

Attachments must be controlled at the entry point into the E-mail environment to prevent successful attachment-based attacks. For outbound messages, the entry point is at E-mail creation, for example, in Outlook or Outlook Web Access (OWA). For inbound messages, it is at the perimeter. By using this practice, attachments that are disallowed or are found to be malware carriers can be stripped before the attachment is forwarded to the mailbox server. In the case of 0-day threats, attachment configuration can be modified to add specific attachment types if they are known to be associated with a newly devised attack.

For Microsoft E-mail services, attachments are controlled by the E-mail client applications, in this case OWA or Outlook. The attachment file types list should be coordinated among other Microsoft client applications, such as OWA or Outlook, and with other E-mail services that may act upon message attachments, such as a perimeter-based attachment filter used by a non-Microsoft product.
STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text (C-22441r1_chk)
Interview the E-mail Administrator or the IAO. Review documentation that describes attachment filtering at the perimeter, as performed by the Edge Transport Server (E-mail Secure Gateway).

Criteria: If E-mail attachments are filtered by an Edge Transport Server (E-mail Secure Gateway) at the perimeter, this is not a finding.

Fix Text (F-19369r1_fix)
Procedure: Deploy attachment filtering at the perimeter on an Edge Transport Server (E-mail Secure Gateway) that supports attachment filtering.

The following lists suggest the minimum set of attachment types that should be disallowed. Exceptions should be documented in the System Security Plan, explaining the reason for each addition or removal. Attachment filtering lists should also align with the direction for client applications such as Microsoft Outlook and Microsoft Outlook Web Access (OWA), or other platforms that perform attachment filtering.

For Level1FileTypes:
Value Data: ade, adp, app, asx, bas, bat, chm, cmd, com, cpl, crt, csh, exe, fxp, hlp, hta, inf, ins, isp, js, jse, ksh, lnk, mda, mdb, mde, mdt, mdw, mdz, msc, msi, msp, mst, ops, pcd, pif, prf, prg, reg, scf, scr, sct, shb, shs, url, vb, vbe, vbs, wsc, wsf, wsh

For Level2FileTypes:
Value Data: ade, adp, asx, bas, bat, chm, cmd, com, cpl, crt, exe, hlp, hta, htm, html, htc, inf, ins, isp, js, jse, lnk, mda, mdb, mde, mdz, mht, mhtml, msc, msi, msp, mst, pcd, pif, prf, reg, scf, scr, sct, shb, shs, shtm, shtml, stm, url, vb, vbe, vbs, wsc, wsf, wsh, xml, dir, dcr, plg, spl, swf
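
The following is an added example, not part of the STIG text: a Python audit that compares the block list configured at each filtering point with the minimum lists above, reports where the points disagree, and shows how a missing extension lets a file through. The function names, the `SAMPLE` configuration and the tolerance for `;` separators and leading `.` or `*.` are assumptions made for illustration.

```python
import re

# Minimum lists copied from the Fix Text on this page.
LEVEL1_MIN = (
    "ade, adp, app, asx, bas, bat, chm, cmd, com, cpl, crt, csh, exe, fxp, hlp, "
    "hta, inf, ins, isp, js, jse, ksh, lnk, mda, mdb, mde, mdt, mdw, mdz, msc, "
    "msi, msp, mst, ops, pcd, pif, prf, prg, reg, scf, scr, sct, shb, shs, url, "
    "vb, vbe, vbs, wsc, wsf, wsh"
)
LEVEL2_MIN = (
    "ade, adp, asx, bas, bat, chm, cmd, com, cpl, crt, exe, hlp, hta, htm, html, "
    "htc, inf, ins, isp, js, jse, lnk, mda, mdb, mde, mdz, mht, mhtml, msc, msi, "
    "msp, mst, pcd, pif, prf, reg, scf, scr, sct, shb, shs, shtm, shtml, stm, url, "
    "vb, vbe, vbs, wsc, wsf, wsh, xml, dir, dcr, plg, spl, swf"
)

def parse_exts(value_data):
    """Normalise a list such as 'EXE; .bat, *.vbs' to {'exe', 'bat', 'vbs'}."""
    tokens = re.split(r"[;,\s]+", value_data)
    return {t.lstrip("*.").lower() for t in tokens if t.lstrip("*.")}

def missing(value_data, minimum):
    """Extensions in the page's minimum list that a configured list omits."""
    return sorted(parse_exts(minimum) - parse_exts(value_data))

def drift(lists):
    """Extensions blocked at some filtering points but not at all of them."""
    sets = [parse_exts(v) for v in lists.values()]
    return sorted(set.union(*sets) - set.intersection(*sets))

def is_disallowed(filename, blocked):
    """Match on the final extension, ignoring case and trailing dots/spaces."""
    name = filename.strip().rstrip(". ").lower()
    return "." in name and name.rsplit(".", 1)[1] in blocked

# Constructed sample configuration (not from the page): the gateway list is
# the Level1 minimum with 'hta' and 'lnk' left out; the client list is complete.
SAMPLE = {
    "perimeter_gateway": ";".join(sorted(parse_exts(LEVEL1_MIN) - {"hta", "lnk"})),
    "outlook_level1": LEVEL1_MIN.upper(),
}

if __name__ == "__main__":
    for point, value in SAMPLE.items():
        print(point, "missing:", missing(value, LEVEL1_MIN))
    print("drift between points:", drift(SAMPLE))
    blocked = parse_exts(SAMPLE["perimeter_gateway"])
    for f in ("invoice.pdf.EXE", "setup.exe. ", "notes.txt", "shortcut.lnk"):
        print(f, "->", "strip" if is_disallowed(f, blocked) else "deliver")
```

Running `missing(LEVEL2_MIN, LEVEL1_MIN)` also lists the Level1 entries that the Level2 minimum on this page does not include, which is useful when documenting exceptions in the System Security Plan.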