Check: EMG2-743 Exch2K3
Microsoft Exchange Server 2003: EMG2-743 Exch2K3 (in version v1 r5)
Title
SMTP Connectors perform outbound anonymous connections. (Cat I impact)
Discussion
Identification and authentication provide the foundation for access control. The key to preventing spam insertion into the SMTP message transfer path is to require authentication at each ‘hop’ of the journey from sender to receiver. Failure to authenticate increases the risk that an attacker can insert unauthenticated mail messages, a form of internally spoofed spam that can be difficult to trace.

Encryption ensures confidentiality of data in motion as it traverses network connections. Failure to specify TLS encryption causes message transfer, including the authentication password, to be sent unencrypted, which makes it susceptible to eavesdropping.

This setting controls the authentication and encryption algorithms used for outbound connections using this connector (that is, the authentication used when delivering outbound mail to another SMTP Virtual Server). When the SMTP connectors send messages from a locally controlled (internal to the organization) connector, Basic authentication and TLS should be used by the initiating end of the connection. Because no Exchange 2003 servers should send directly to remote SMTP virtual servers, all SMTP outbound connectors should be secured in this way, including the outermost connectors, which should ideally be sending to an Edge Transport Server Role (E-mail Secure Gateway) at the enclave perimeter.
Check Content
Validate outbound connector security on Exchange servers.

Procedure: Exchange System Manager >> Administrative Groups >> [Administrative Group] >> Routing Groups >> [routing group] >> Connectors >> [SMTP connector] >> Properties >> Advanced tab >> Outbound Security button

The “Basic Authentication” and “TLS” choices should be selected.

Criteria: If “Basic Authentication” and “TLS” are selected, this is not a finding.
Fix Text
Implement perimeter protection in the form of an Edge Transport Role Server (E-mail Secure Gateway) that, among other protections, performs Anonymous connections to remote E-mail domains.

Configure outbound SMTP connectors.

Procedure: Exchange System Manager >> Administrative Groups >> [Administrative Group] >> Routing Groups >> [routing group] >> Connectors >> [SMTP connector] >> Properties >> Advanced tab >> Outbound Security button

For each connector, select “Basic Authentication” and “TLS”.
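One way to confirm the effect of this setting from captured traffic, as an added example that is not part of the original check or of any STIG tooling: a Python audit over the client commands of outbound SMTP sessions, flagging sessions that send mail without authenticating or that authenticate before TLS is negotiated. The transcripts, host names and finding labels are constructed for illustration, and every command is assumed to have been accepted by the receiving server.

```python
# Added example: audit client-side SMTP command transcripts for the two
# conditions this check targets. All data below is constructed.

# Each transcript lists the commands the sending connector issued, in order.
# Assumption: the server accepted every command; the credential lines that
# follow AUTH LOGIN are omitted.
SESSIONS = {
    "compliant": ["EHLO hub1.example.org", "STARTTLS", "EHLO hub1.example.org",
                  "AUTH LOGIN", "MAIL FROM:<a@example.org>", "QUIT"],
    "anonymous": ["EHLO hub1.example.org", "MAIL FROM:<a@example.org>", "QUIT"],
    "cleartext_auth": ["EHLO hub1.example.org", "AUTH LOGIN",
                       "MAIL FROM:<a@example.org>", "QUIT"],
    "tls_only": ["EHLO hub1.example.org", "STARTTLS", "EHLO hub1.example.org",
                 "MAIL FROM:<a@example.org>", "QUIT"],
}


def audit_session(commands):
    """Return the sorted finding labels (hypothetical names) for one session."""
    tls = authenticated = False
    findings = set()
    for line in commands:
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        verb = parts[0].upper()
        if verb == "STARTTLS":
            tls = True
            authenticated = False  # RFC 3207: session state resets after TLS
        elif verb == "AUTH":
            if not tls:
                findings.add("AUTH_WITHOUT_TLS")  # password exposed on the wire
            authenticated = True
        elif verb == "MAIL":
            if not authenticated:
                findings.add("ANONYMOUS_MAIL")
            if not tls:
                findings.add("MAIL_WITHOUT_TLS")
    return sorted(findings)


def audit_all(sessions):
    """Audit every named transcript and map its name to its findings."""
    return {name: audit_session(cmds) for name, cmds in sessions.items()}


if __name__ == "__main__":
    for name, result in audit_all(SESSIONS).items():
        print(f"{name}: {result or 'no findings'}")
```

An empty result corresponds to a connector with both “Basic Authentication” and “TLS” selected; any finding label means the session would not meet the criteria above.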
Additional Identifiers
Rule ID: SV-20495r1_rule
Vulnerability ID: V-18784
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |