
Exchange application memory is not zeroed out after message deletion.


Overview

Finding ID: V-18812
Version: EMG2-303 Exch2K3
Rule ID: SV-20546r1_rule
IA Controls: ECRC-1
Severity: Low
Description
Residual data left behind after a transaction completes adds risk: if an attacker gains access to the underlying storage, the data can be recovered. Applications often perform a 'logical delete', which hides the data from the application user but leaves it resident in storage (recoverable, for example, with a forensics tool). While not malicious, this trades security for performance. The "memory" this rule refers to is the Exchange database: the "Zero out deleted database pages" setting overwrites deleted pages before they are reused, so that by the time a page is released it no longer contains information that would allow the message to be retrieved. Using this feature may make batch message deletion more time consuming, because the server must actually overwrite the entire message. The overwrite runs as part of the scheduled off-hours maintenance process rather than at the moment of deletion, so a deleted message remains recoverable from the database until that process has run, but the performance degradation is not likely to be visible to users. Performance degradation should not be used as a reason to disable this feature, as the security benefit outweighs the performance cost.
STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text ( C-22522r1_chk )
Verify that deleted database pages are zeroed on every storage group on the server.

Procedure: Exchange System Manager >> administrative groups >> [administrative group] >> Servers >> [Server] >> [storage group] >> properties >> General tab

The “Zero out deleted database pages” checkbox should be checked. Repeat the check for each storage group on each Exchange server, since the setting is applied per storage group.

Criteria: If the “Zero out deleted database pages” checkbox is checked, this is not a finding. If it is cleared on any storage group, this is a finding.
Fix Text (F-19472r1_fix)
Enable zeroing of deleted database pages on each storage group.

Procedure: Exchange System Manager >> administrative groups >> [administrative group] >> Servers >> [Server] >> [storage group] >> properties >> General tab

Select the “Zero out deleted database pages” checkbox.
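The check and fix above are performed one storage group at a time in Exchange System Manager. As an added example (not part of the STIG text), the script below audits the same setting across every Exchange storage group in the forest in one pass by reading the storage-group objects from the Active Directory configuration partition. It assumes, as Exchange 2003 does, that storage groups are msExchStorageGroup objects, and it assumes that the checkbox is backed by the msExchESEParamZeroDatabaseDuringBackup attribute; confirm that mapping against your own schema (for example with ADSI Edit) before relying on the output. The script is read-only; remediation should still be done through Exchange System Manager as described in the Fix Text.

```powershell
# Added example, not part of the STIG: read-only audit of the
# "Zero out deleted database pages" setting for every Exchange 2003
# storage group in the forest (rule V-18812).
#
# Assumptions (verify in your environment):
#   - storage groups are msExchStorageGroup objects in the configuration NC
#   - the ESM checkbox maps to the attribute named in $attr below

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$attr     = "msExchESEParamZeroDatabaseDuringBackup"   # assumed attribute name

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $configNc)
$searcher.Filter     = "(objectClass=msExchStorageGroup)"
$searcher.PageSize   = 500
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add($attr)

$findings = @()
foreach ($result in $searcher.FindAll()) {
    $dn    = [string]$result.Properties["distinguishedname"][0]
    $value = $result.Properties[$attr.ToLower()]

    # A missing attribute or a FALSE value both mean the checkbox is cleared.
    $enabled = ($null -ne $value) -and ($value.Count -gt 0) -and
               ([string]$value[0] -eq "TRUE")

    $status = if ($enabled) { "not a finding" } else { "FINDING" }
    "{0,-14} {1}" -f $status, $dn
    if (-not $enabled) { $findings += $dn }
}

""
"{0} storage group(s) still need 'Zero out deleted database pages' enabled." -f $findings.Count
```

Run it from an account with read access to the configuration partition; each line names a storage group by distinguished name so the offending [administrative group] >> [Server] >> [storage group] path in Exchange System Manager can be located directly from the output.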