
Security support data or process is sharing a directory or partition with Exchange.


Overview

Finding ID: V-18742
Version: EMG3-802 Exch2K3
Rule ID: SV-20427r1_rule
IA Controls: DCSP-1
Severity: Medium
Description
The Security Support Structure is a security control function or service provided by an external system or application. For example, a Windows Domain Controller that provides Identification and Authentication Services (Active Directory) may be at risk of compromise if a co-resident application becomes compromised. The attacker can then use another system to control access to other parts of the domain. The vulnerabilities and associated risk of Exchange 2003 installed on a system that provides a security support structure are significantly higher than when it is installed with other functions that do not provide security support. For this reason, applications such as Exchange 2003 should never be co-resident on a server with Active Directory.
STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text (C-22464r1_chk)
Review documentation and the E-mail host servers.

Procedure: Interview the E-mail Administrator or the IAO. Access the System Security Plan documentation and the server being reviewed. Verify that Exchange 2003 is not installed on a Domain Controller or other Directory Services server.

Criteria: If the Exchange E-mail application is installed on a server that is separate from domain security services, this is not a finding.
Fix Text (F-19392r1_fix)
Procedure: Install the Exchange 2003 application on a dedicated host system.
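
One way to automate the server-side part of the check procedure above, as an added example that is not part of the STIG. It assumes Windows PowerShell 2.0 or later with WMI access to each host, and it treats the presence of the Exchange 2003 core services (MSExchangeSA, MSExchangeIS, MSExchangeMTA) as the indicator that Exchange is installed; the ComputerName parameter is this example's own.

```powershell
# Added example, not part of the STIG. Assumes Windows PowerShell 2.0+ and WMI access.
param([string[]]$ComputerName = @($env:COMPUTERNAME))

# Win32_ComputerSystem.DomainRole values 4 and 5 mean backup / primary domain controller.
$dcRoles = 4, 5
# Assumed indicator of an Exchange 2003 install: its core Windows services.
$exchangeServices = 'MSExchangeSA', 'MSExchangeIS', 'MSExchangeMTA'
$serviceFilter = ($exchangeServices | ForEach-Object { "Name='$_'" }) -join ' OR '

foreach ($computer in $ComputerName) {
    $row = @{ Computer = $computer; IsDomainController = $null; ExchangeServices = ''; Result = '' }
    try {
        $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $computer -ErrorAction Stop
        $svc = @(Get-WmiObject -Class Win32_Service -ComputerName $computer `
                     -Filter $serviceFilter -ErrorAction Stop)

        $row.IsDomainController = $dcRoles -contains $cs.DomainRole
        $row.ExchangeServices = ($svc | ForEach-Object { $_.Name }) -join ','

        if ($row.IsDomainController -and $svc.Count -gt 0) {
            $row.Result = 'Finding: Exchange is co-resident with a domain controller'
        } elseif ($svc.Count -gt 0) {
            # DomainRole does not reveal other directory services; confirm those manually.
            $row.Result = 'Exchange present, host is not a DC: check for other directory services'
        } else {
            $row.Result = 'No Exchange services found'
        }
    } catch {
        # An unreachable host is not evidence of compliance; report it for manual review.
        $row.Result = "Not checked: $($_.Exception.Message)"
    }
    New-Object PSObject -Property $row |
        Select-Object Computer, IsDomainController, ExchangeServices, Result
}
```

The script covers only the domain controller case; the interview and System Security Plan review in the check text still apply, as does a manual look for other directory services on hosts where Exchange is found.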