
Services permissions do not reflect least privilege.


Overview

Finding ID:  V-18801
Version:     EMG3-121 Exch2K3
Rule ID:     SV-20524r1_rule
IA Controls: ECLP-1
Severity:    Medium
Description
Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. A securely designed E-mail Services Implementation includes the definition of E-mail Roles (Servers and services, Users, Administrators, Installers) based on the functions each requires, then assigns the fewest privileges to those roles. Roles are then assigned to people or services based on the application functions they are required to perform. The Exchange GPO templates available from Microsoft enable the E-mail Administrator to easily set a Baseline Security Policy that hardens service permissions. Installations configured without the policy templates must nevertheless meet the vendor-recommended minimums for service protection.
STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text (C-22510r1_chk)
Review Permission Settings for Exchange 2003 Services.
Procedure:
The following permissions should be set:
• Authenticated Users – Read
• System – Full Control
• Builtin Administrators – Full Control
• Auditing for failures against the Everyone security principal
For these listed services:
• MSExchangeMGMT - %systemroot%\program files\exchsvr\bin\exchmgmt.exe
• MSExchangeMTA - %systemroot%\system32\inetwrv\emsmta.exe
• MSExchangeSA - %systemroot%\program files\exchsvr\bin\mad.exe
• W3Svc - %systemroot%\system32\svchost.exe (IISSVCS)
• ISSAdmin - %systemroot%\system32\inetwrv\inetinfo.exe

Criteria: If the services have the vendor-recommended permissions, this is not a finding.
Fix Text (F-19459r1_fix)
Correct the E-Mail Services permissions.

Procedure: The following table lists the recommended baseline settings you should start with when hardening the services for an Exchange back-end server (the Exchange_2003-Backend_V1_1.inf file configures these settings automatically).

The SDDL sets the following:
• Authenticated Users – Read
• System – Full Control
• Builtin Administrators – Full Control
• Auditing for failures against the Everyone security principal
For these listed services:
• MSExchangeMGMT - %systemroot%\program files\exchsvr\bin\exchmgmt.exe
• MSExchangeMTA - %systemroot%\system32\inetwrv\emsmta.exe
• MSExchangeSA - %systemroot%\program files\exchsvr\bin\mad.exe
• W3Svc - %systemroot%\system32\svchost.exe (IISSVCS)
• ISSAdmin - %systemroot%\system32\inetwrv\inetinfo.exe
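The check and fix text above describe the baseline in terms of principals and rights but leave it to the reviewer to read each service's security descriptor by hand. The following PowerShell script is an added example, not part of the STIG or of Microsoft's Exchange_2003-Backend_V1_1.inf template: it reads each listed service's SDDL with `sc.exe sdshow`, parses it with .NET's `RawSecurityDescriptor`, and reports any deviation from the four baseline requirements (Authenticated Users Read, System Full Control, Builtin Administrators Full Control, failure auditing for Everyone). The mapping of "Read" to the service right bits CCLCSWLOCRRC, the service names taken exactly as printed in the check text, and the two sample SDDL strings are assumptions constructed for illustration.

```powershell
# Added example, not part of the STIG text. Audits service-object ACLs against the
# baseline stated in the check. The "Read" bit set, the service names as printed in
# the check text, and the two sample SDDL strings are assumptions for illustration.

# Service access-right bits (SERVICE_* rights plus READ_CONTROL / standard rights)
$ServiceRead = 0x0001 -bor 0x0004 -bor 0x0008 -bor 0x0080 -bor 0x0100 -bor 0x20000  # SDDL: CCLCSWLOCRRC
$ServiceFull = 0xF01FF                                                               # SERVICE_ALL_ACCESS (CCDCLCSWRPWPDTLOCRSDRCWDWO)

# Well-known SIDs for the principals named in the STIG
$Sid = @{
    AuthenticatedUsers = 'S-1-5-11'     # AU
    System             = 'S-1-5-18'     # SY
    Administrators     = 'S-1-5-32-544' # BA
    Everyone           = 'S-1-1-0'      # WD
}

function Get-AllowMask {
    # Union of every access-allowed ACE mask granted to one SID in a DACL
    param($Dacl, [string]$TargetSid)
    $mask = 0
    foreach ($ace in $Dacl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier.Value -eq $TargetSid) {
            $mask = $mask -bor $ace.AccessMask
        }
    }
    return $mask
}

function Test-ServiceSddlBaseline {
    # Returns the list of deviations from the baseline; an empty list means compliant
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $findings = @()

    $au = Get-AllowMask $sd.DiscretionaryAcl $Sid.AuthenticatedUsers
    if (($au -band $ServiceRead) -ne $ServiceRead) { $findings += 'Authenticated Users lack Read' }
    if (($au -band (-bnot $ServiceRead)) -ne 0)   { $findings += 'Authenticated Users exceed Read (least privilege)' }

    foreach ($p in 'System', 'Administrators') {
        $m = Get-AllowMask $sd.DiscretionaryAcl $Sid[$p]
        if (($m -band $ServiceFull) -ne $ServiceFull) { $findings += "$p lacks Full Control" }
    }

    # Failure auditing for Everyone is an (AU;FA;...;;;WD) entry in the SACL
    $audited = $false
    if ($sd.SystemAcl) {
        foreach ($ace in $sd.SystemAcl) {
            if ($ace -is [System.Security.AccessControl.CommonAce] -and
                $ace.AceType -eq [System.Security.AccessControl.AceType]::SystemAudit -and
                $ace.SecurityIdentifier.Value -eq $Sid.Everyone -and
                (($ace.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Failure) -ne 0)) {
                $audited = $true
            }
        }
    }
    if (-not $audited) { $findings += 'No failure audit ACE for Everyone' }
    return ,$findings
}

function Get-ServiceSddl {
    # Reads the live descriptor; sc.exe sdshow prints a blank line and then the SDDL string
    param([Parameter(Mandatory)][string]$Name)
    $out = & sc.exe sdshow $Name
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow failed for '$Name': $($out -join ' ')".Trim() }
    return ($out | Where-Object { $_.Trim() } | Select-Object -First 1).Trim()
}

# Constructed samples: one that meets the baseline, and one where Authenticated Users
# may also start, stop and pause the service and no SACL is present
$Samples = @(
    @{ Name = 'sample-compliant'; Sddl = 'D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)' },
    @{ Name = 'sample-weak';      Sddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' }
)
foreach ($s in $Samples) {
    $f = Test-ServiceSddlBaseline -Sddl $s.Sddl
    '{0}: {1}' -f $s.Name, $(if ($f.Count) { $f -join '; ' } else { 'meets baseline' })
}

# Live audit of the services named in the check (run elevated on the Exchange server)
$StigServices = 'MSExchangeMGMT', 'MSExchangeMTA', 'MSExchangeSA', 'W3Svc', 'ISSAdmin'
if (Get-Command sc.exe -ErrorAction SilentlyContinue) {
    foreach ($svc in $StigServices) {
        try {
            $f = Test-ServiceSddlBaseline -Sddl (Get-ServiceSddl -Name $svc)
            '{0}: {1}' -f $svc, $(if ($f.Count) { $f -join '; ' } else { 'meets baseline' })
        } catch { '{0}: {1}' -f $svc, $_.Exception.Message }
    }
}
```

The script is read-only: it reports deviations and changes nothing, so it can be run as part of a review without affecting the server. For the sample-weak descriptor it reports two findings (Authenticated Users exceed Read, and no failure audit ACE for Everyone); the sample-compliant descriptor reports none. The least-privilege test deliberately flags any Authenticated Users bits beyond Read, since a principal that can start, stop or reconfigure a service holds more than the "Read" the baseline allows. Applying the corrected descriptor remains the job of the security template named in the fix text.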