
E-mail Services accounts are not restricted to named services.


Overview

Finding ID: V-18795
Version: EMG3-119 Exch2K3
Rule ID: SV-20514r1_rule
IA Controls: ECLP-1
Severity: Medium
Description
Applications introduce some of the most common database attack avenues, and can provide a pathway for an unlimited number of malicious users to access sensitive data. An account responsible for Service execution, if compromised, may subject the data to unauthorized exposure if it is granted more privileges than necessary. Typically, service accounts must run only their designated services, and must not be shared with other applications or people. Audit Log Monitoring can then assume an ‘expected’ set of activities for each service account, and administrators can more readily recognize events that are unexpected. A discrete history of account activity is valuable if an attack of the host system needs to be investigated. If accounts are shared among multiple services or people, it increases the risk that firewall Administrators will not have an accurate history for investigation and troubleshooting purposes. In the case of Microsoft Exchange Server 2003, attempting to run Exchange services on an alternate service account (rather than the default SYSTEM account) is not a supported Microsoft configuration. Due to the nature of the Exchange services access required within the server and the network, Exchange 2003 services must run under the Microsoft Windows SYSTEM account.
STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text ( C-22504r1_chk )
Interview the E-mail Administrator or the IAO. Access the System Security Plan and verify the Exchange Services names active for the site.

View Exchange Services to verify service account scope.

Procedure: Start >> Settings >> Control Panel >> Administrative Tools >> Services

For each service whose name begins with "MS Exchange ...", look for active services in the list:

Right Click >> Properties >> LogOn tab >> “Log on As” field.

Criteria: If E-mail service accounts are operating as SYSTEM, this is not a finding.
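The same check, scripted, as an added example that is not part of the STIG text: it enumerates the Exchange services through the WMI Win32_Service class and reports any whose "Log On As" account is not the Local System account. The name filter is an assumption (Exchange 2003 service names begin with "MSExchange", display names with "Microsoft Exchange"); adjust it to the service names recorded in the System Security Plan.

```powershell
# Added example (not from the STIG): report MS Exchange services not running as SYSTEM.
# Assumes WMI Win32_Service; StartName is 'LocalSystem' for the Local System account.
# Filter is an assumption: short names like MSExchangeIS / MSExchangeSA,
# display names like "Microsoft Exchange Information Store".
$filter = "Name LIKE 'MSExchange%' OR DisplayName LIKE 'Microsoft Exchange%'"
$services = Get-WmiObject -Class Win32_Service -Filter $filter

$findings = @()
foreach ($svc in $services) {
    if ($svc.StartName -ne 'LocalSystem') {
        # Any other account (domain, local, or a named service account) is a finding
        # under this rule, since Exchange 2003 services are expected to run as SYSTEM.
        $findings += New-Object PSObject -Property @{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            State       = $svc.State
            StartMode   = $svc.StartMode
            LogOnAs     = $svc.StartName
        }
    }
}

if ($services -eq $null) {
    Write-Output "No Exchange services found; confirm the name filter against the SSP."
} elseif ($findings.Count -eq 0) {
    Write-Output "Not a finding: all Exchange services log on as Local System."
} else {
    Write-Output "Finding: the following Exchange services do not log on as Local System:"
    $findings | Format-Table Name, DisplayName, State, StartMode, LogOnAs -AutoSize
}
```

Run it again after applying the fix text to confirm that every listed service has reverted to Local System.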
Fix Text (F-19450r1_fix)
Ensure that E-mail services use only the SYSTEM account.

Procedure: Start >> Settings >> Control Panel >> Administrative Tools >> Services

For each "MS Exchange ..." service, look for active services in the list, then Right Click >> Properties >> LogOn tab.

In the "Log On As" field, select "Local SYSTEM account".

Ensure the changes are reflected in the DIACAP Scorecard.