Check: EMG1-110 Exch2K3
Microsoft Exchange Server 2003: EMG1-110 Exch2K3 (in version v1 r5)
Title
E-mail web applications are operating on non-standard ports. (Cat II impact)
Discussion
PPSM Standard defined ports and protocols must be used for all Exchange services. The standard port for HTTP connections is 80 and the standard port for HTTPS connections is 443. Changing the ports to non-standard values provides only temporary and limited protection against automated attacks, since these attacks are unlikely to connect to the custom port. However, a determined attacker may still be able to determine which ports are used for the HTTP and HTTPS protocols by performing a comprehensive port scan. Negative impacts of using non-standard ports include complexity for the system administrator, custom configurations for connecting clients, risk of port conflict with non-Exchange applications, and risk of incompatibility with standard port monitoring applications.
Check Content
Verify that e-mail services are deployed on compliant ports and protocols.
Procedure: IIS Manager >> [server name] >> Web Sites >> Default Web Site >> Properties >> Web Site tab >> Web site identification >> TCP port and SSL port
Port 80 for TCP and port 443 for SSL should be entered.
Criteria: If port 80 for TCP and port 443 for SSL are entered, this is not a finding.
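
The same check can be scripted. The following PowerShell is an added example, not part of the STIG text: it reads the IIS 6 metabase properties ServerBindings and SecureBindings (the values behind the TCP port and SSL port fields) and applies the criteria above. It assumes PowerShell is installed on the server and that the Default Web Site has site ID 1; the function names are illustrative, and treating any extra binding on another port as a finding is this example's own reading of the criteria.

```powershell
# Added example, not part of the STIG. Function names are illustrative.
# Assumption: the Default Web Site has metabase site ID 1 (the IIS 6 default).
$SitePath = 'IIS://localhost/W3SVC/1'

function Get-BindingPort {
    param([string]$Binding)
    # Metabase binding format is "IP:Port:HostHeader"; IP and host may be empty.
    $parts = $Binding.Split(':')
    if ($parts.Length -lt 2 -or $parts[1] -notmatch '^\d+$') {
        throw "Unparseable binding: '$Binding'"
    }
    return [int]$parts[1]
}

function Test-Emg1110 {
    param([string[]]$ServerBindings, [string[]]$SecureBindings)
    $findings = @()
    if (-not $ServerBindings) { $findings += 'No TCP port is configured' }
    else {
        foreach ($b in $ServerBindings) {
            if ((Get-BindingPort $b) -ne 80) { $findings += "TCP binding '$b' is not port 80" }
        }
    }
    if (-not $SecureBindings) { $findings += 'No SSL port is configured' }
    else {
        foreach ($b in $SecureBindings) {
            if ((Get-BindingPort $b) -ne 443) { $findings += "SSL binding '$b' is not port 443" }
        }
    }
    return ,$findings   # leading comma keeps an empty array intact
}

function Write-Emg1110Result {
    param([string[]]$Findings)
    if ($Findings.Length -eq 0) { 'EMG1-110: not a finding' }
    else { 'EMG1-110: FINDING'; $Findings }
}

function Get-Emg1110Status {
    # Live check through the IIS ADSI provider; call this on the IIS 6 server.
    $site = [ADSI]$SitePath
    Write-Emg1110Result (Test-Emg1110 -ServerBindings @($site.ServerBindings) `
                                      -SecureBindings @($site.SecureBindings))
}

# Constructed sample values (not from a real server): HTTP moved to port 8080.
Write-Emg1110Result (Test-Emg1110 -ServerBindings ':8080:' -SecureBindings ':443:')
```
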
Fix Text
Procedure: Enter Web compliant ports and protocols.
IIS Manager >> [server name] >> Web Sites >> Default Web Site >> Properties >> Web Site tab >> Web site identification >> TCP port and SSL port
Enter 80 for TCP port and 443 for SSL port.
Additional Identifiers
Rule ID: SV-20409r1_rule
Vulnerability ID: V-18733
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |