Scripts are permitted to execute in the OWA Virtual Server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-18803	EMG2-259 Exch2K3	SV-20528r1_rule	ECLP-1	Medium

Description
Scripts on virtual servers are a frequent cause of server compromises. Since this virtual (web) server is the primary interface between Exchange and the web, it is particularly at risk of compromise. Therefore, attack vectors via scripts and executables running on the server, should be minimized. The Exchange Virtual Server enables web access (OWA) for user mailbox stores. It is designed to provide much of the same functionality as the Outlook client, but through a web browser. This control allows the administrator to specify whether scripts and/or executables may be run on this virtual server. Scripts and executables should be denied permissions to run, eliminating this attack vector from the security profile.

Description

Scripts on virtual servers are a frequent cause of server compromises. Since this virtual (web) server is the primary interface between Exchange and the web, it is particularly at risk of compromise. Therefore, attack vectors via scripts and executables running on the server, should be minimized. The Exchange Virtual Server enables web access (OWA) for user mailbox stores. It is designed to provide much of the same functionality as the Outlook client, but through a web browser. This control allows the administrator to specify whether scripts and/or executables may be run on this virtual server. Scripts and executables should be denied permissions to run, eliminating this attack vector from the security profile.

STIG	Date
Microsoft Exchange Server 2003	2014-08-19

Details

Check Text ( C-22513r1_chk )
Verify that OWA Virtual Server does not permit script execution. Procedure: Exchange system Manager >>Administrative Groups>> [administrative group]>> Servers >> [server name] >> protocols >> HTTP >> Exchange Virtual Server >> Exchange >> Properties >> Access tab For Execute Permissions, ‘None’ should be selected. Criteria: If "None" is selected for Execute Permissions, this is not a finding.

Check Text ( C-22513r1_chk )

Verify that OWA Virtual Server does not permit script execution.

Procedure: Exchange system Manager >>Administrative Groups>> [administrative group]>> Servers >> [server name] >> protocols >> HTTP >> Exchange Virtual Server >> Exchange >> Properties >> Access tab

For Execute Permissions, ‘None’ should be selected.

Criteria: If "None" is selected for Execute Permissions, this is not a finding.

Fix Text (F-19463r1_fix)
Ensure that OWA Virtual Server does not permit scripts to execute. Procedure: Exchange system Manager >>Administrative Groups>> [administrative group]>> Servers >> [server name] >> protocols >> HTTP >> Exchange Virtual Server >> Exchange >> Properties >> Access tab For Execute Permissions, select ‘None’.