
Exchange application permissions are not at vendor recommended settings.


Overview

Finding ID:  V-18802
Version:     EMG3-824 Exch2K3
Rule ID:     SV-20526r1_rule
IA Controls: ECLP-1
Severity:    Medium
Description
Default product installations may grant more generous permissions than the application needs. Examining the permissions and tailoring them to the least privilege the application still runs with reduces the chance that an attack carried out with an ordinary user's permissions reaches more sensitive areas. Vendor-supplied policies assist in hardening the Exchange permission set. Application file permissions on Exchange 2003 servers can be set by importing the security template (group policy) for Exchange Back-End or Front-End servers; as far as file permissions are concerned, both policies set the same directory permissions, which are listed in the check text.
STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text ( C-22512r1_chk )
The following table lists the recommended baseline file permissions for an Exchange back-end server (the Exchange_2003-Backend_V1_1.inf and Exchange_2003-Frontend_V1_1.inf security templates configure these settings automatically).

File ACL settings configured by Exchange_2003-Backend_V1_1.inf

The following permissions:
• System – Full Control
• Builtin Administrators – Full Control

Apply to these directories:
%systemdrive%\Inetpub\mailroot\
%systemdrive%\Inetpub\NNTPfile\

The following permissions:
• Everyone – Full Control

Applies to this directory:
%systemdrive%\Inetpub\NNTPfile\root


The following permissions:
• System – Full Control
• Builtin Administrators – Full Control
• Server Operators – Modify, Read/Execute, List, Read, Write
• Creator Owner – Full Control (subdirectories only)

Apply to these directories:
%systemdrive%\program files\exchsrvr and all of its subdirectories, except the ADDRESS, OMA, BIN, EXCHWEB and RES subdirectories.

The following permissions:
• System – Full Control
• Builtin Administrators – Full Control
• Server Operators – Modify, Read/Execute, List, Read, Write
• Users – Read/Execute, List, Read
• Creator Owner – Full Control (subdirectories only)

Apply to these directories:
The ADDRESS, OMA, BIN, EXCHWEB and RES subdirectories of %systemdrive%\program files\exchsrvr

Criteria: If the directories have the vendor-recommended permissions, this is not a finding.
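An audit script for the baseline above, added here as example code; it is not part of the STIG or of the vendor .inf templates. It reads each directory's ACL with Get-Acl and reports every identity the baseline does not list, and every listed identity whose rights exceed its baseline maximum, applying the relaxed set (Users read and execute) only to the ADDRESS, OMA, BIN, EXCHWEB and RES subtrees. The install path under %systemdrive%\program files, the English well-known account names (NT AUTHORITY\SYSTEM, BUILTIN\Administrators, BUILTIN\Server Operators, BUILTIN\Users, CREATOR OWNER, Everyone), the function names, and the decision to evaluate only Allow ACEs (the baseline lists no Deny entries) are assumptions of the example.

```powershell
# Added audit script for the Exchange 2003 directory ACL baseline in the check
# text. Example code, not part of the STIG or of the vendor .inf templates.
# Assumptions (not from the STIG): Exchange is installed under
# %systemdrive%\program files\exchsrvr, the OS uses English well-known account
# names, and the script runs in an elevated session so every directory is readable.

$FR          = [System.Security.AccessControl.FileSystemRights]
$sysDrive    = $env:SystemDrive
$exchRoot    = Join-Path $sysDrive 'program files\exchsrvr'
$relaxedSubs = @('ADDRESS', 'OMA', 'BIN', 'EXCHWEB', 'RES')

# Each table maps identity -> the highest right the baseline lets it hold.
$adminOnly = @{
    'NT AUTHORITY\SYSTEM'    = $FR::FullControl
    'BUILTIN\Administrators' = $FR::FullControl
}
# Inetpub\NNTPfile\root: the template deliberately grants Everyone Full Control.
$nntpRoot = $adminOnly.Clone()
$nntpRoot['Everyone'] = $FR::FullControl
# exchsrvr tree: "Modify, Read/Execute, List, Read, Write" in the ACL editor is FileSystemRights.Modify.
$exchStrict = $adminOnly.Clone()
$exchStrict['BUILTIN\Server Operators'] = $FR::Modify
$exchStrict['CREATOR OWNER']            = $FR::FullControl
# ADDRESS, OMA, BIN, EXCHWEB and RES additionally allow Users read and execute.
$exchRelaxed = $exchStrict.Clone()
$exchRelaxed['BUILTIN\Users'] = $FR::ReadAndExecute

# Get-Acl reports inherit-only ACEs with generic access masks; map the two common
# ones to the FileSystemRights they grant and drop the implicit Synchronize bit.
function Resolve-Rights([int]$Raw) {
    if ($Raw -eq 268435456)   { return [int]$FR::FullControl }     # GENERIC_ALL
    if ($Raw -eq -1610612736) { return [int]$FR::ReadAndExecute }  # GENERIC_READ | GENERIC_EXECUTE
    return $Raw -band -bnot [int]$FR::Synchronize
}

# Emits one object per deviation: an identity the baseline does not list, or a
# listed identity holding rights beyond its baseline maximum.
function Test-DirectoryAcl([string]$Path, [hashtable]$Allowed) {
    if (-not (Test-Path -Path $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Identity = ''; Problem = 'directory not found'; Rights = '' }
    }
    $acl = Get-Acl -Path $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }   # baseline lists Allow ACEs only
        $who     = $rule.IdentityReference.Value
        $granted = Resolve-Rights ([int]$rule.FileSystemRights)
        if (-not $Allowed.ContainsKey($who)) {
            New-Object PSObject -Property @{ Path = $Path; Identity = $who; Problem = 'identity not in baseline'; Rights = $rule.FileSystemRights }
            continue
        }
        $excess = $granted -band -bnot [int]$Allowed[$who]
        if ($excess -ne 0) {
            New-Object PSObject -Property @{ Path = $Path; Identity = $who; Problem = 'rights exceed baseline'; Rights = [System.Security.AccessControl.FileSystemRights]$excess }
        }
    }
}

function Invoke-ExchAclAudit {
    $findings = @()
    $findings += @(Test-DirectoryAcl (Join-Path $sysDrive 'Inetpub\mailroot') $adminOnly)
    $findings += @(Test-DirectoryAcl (Join-Path $sysDrive 'Inetpub\NNTPfile') $adminOnly)
    $findings += @(Test-DirectoryAcl (Join-Path $sysDrive 'Inetpub\NNTPfile\root') $nntpRoot)

    if (Test-Path -Path $exchRoot) {
        $dirs = @(Get-Item -Path $exchRoot) +
                @(Get-ChildItem -Path $exchRoot -Recurse | Where-Object { $_.PSIsContainer })
        foreach ($dir in $dirs) {
            # The relaxed set applies to the five named subdirectories and everything beneath them.
            $rel = $dir.FullName.Substring($exchRoot.Length).TrimStart('\')
            $top = $rel.Split('\')[0]
            $allowed = if ($relaxedSubs -contains $top) { $exchRelaxed } else { $exchStrict }
            $findings += @(Test-DirectoryAcl $dir.FullName $allowed)
        }
    } else {
        $findings += New-Object PSObject -Property @{ Path = $exchRoot; Identity = ''; Problem = 'directory not found'; Rights = '' }
    }
    return $findings
}

$result = @(Invoke-ExchAclAudit)
if ($result.Count -eq 0) {
    'No deviations from the vendor baseline (not a finding).'
} else {
    $result | Format-Table Path, Identity, Problem, Rights -AutoSize
}
```

Run it from an elevated PowerShell session on the Exchange server. An empty result satisfies the check criteria; each reported row names the directory, the identity and either the unexpected identity or the specific rights in excess of the baseline, so the fix can be targeted to that ACE. A 'directory not found' row (for example an absent NNTPfile tree on a server that never used NNTP) is not by itself a finding and should be confirmed manually.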
Fix Text (F-19462r1_fix)
Procedure:
Apply the vendor-supplied security template for the server's role: Exchange_2003-Backend_V1_1.inf on back-end servers or Exchange_2003-Frontend_V1_1.inf on front-end servers. Import the template through the Security Configuration and Analysis MMC snap-in (or with the secedit command-line tool, whose FILESTORE area carries the file-permission entries) and then repeat the check text above. Both templates set the same directory permissions, so the resulting ACLs on %systemdrive%\Inetpub\mailroot, %systemdrive%\Inetpub\NNTPfile, %systemdrive%\Inetpub\NNTPfile\root and the %systemdrive%\program files\exchsrvr tree (with the ADDRESS, OMA, BIN, EXCHWEB and RES subdirectories additionally granting Users read and execute) must match the table in the check text. Correct any directory that still differs by editing its ACL directly to the listed permissions.