E-Mail service accounts are not operating at least privilege.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-18796	EMG3-145 Exch2K3	SV-20516r1_rule	ECLP-1	Medium

Description
Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. A securely designed E-Mail Services implementation includes the definition of E-mail Roles (Servers and services, Users, Administrators, Installers) based on functional requirements for each, then assigning the fewest possible privileges to these roles. Roles are then assigned to people or services based on the application functions they are required to perform. In the case of Microsoft Exchange Server 2003, attempting to run Exchange services on an alternate service account (rather than the default SYSTEM account) is not a supported Microsoft configuration. Due to the nature of the Exchange services access required within the server and the network, Exchange 2003 services must run under the Microsoft Windows SYSTEM account.

Description

Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. A securely designed E-Mail Services implementation includes the definition of E-mail Roles (Servers and services, Users, Administrators, Installers) based on functional requirements for each, then assigning the fewest possible privileges to these roles. Roles are then assigned to people or services based on the application functions they are required to perform. In the case of Microsoft Exchange Server 2003, attempting to run Exchange services on an alternate service account (rather than the default SYSTEM account) is not a supported Microsoft configuration. Due to the nature of the Exchange services access required within the server and the network, Exchange 2003 services must run under the Microsoft Windows SYSTEM account.

STIG	Date
Microsoft Exchange Server 2003	2014-08-19

Details

Check Text ( C-22505r1_chk )
View Exchange service permissions to verify service account privilege level. Procedure: Start >> Settings >> Control Panel >> Administrative tools >> Services For each "MSExch…." Active service in the list: Right Click >> Properties >> LogOn >> Log On As field. Criteria: If E-mail service accounts are operating with the SYSTEM account, this is not a finding.

Fix Text (F-19451r1_fix)
Ensure that E-mail service accounts are operating with the SYSTEM account privilege. Procedure: Start >> settings >> control panel >> administrative tools >> services For each "MSExch…." Active service in the list: Right Click >> Properties >> LogOn >> Log On As field. Select "Local SYSTEM account".