Check: EMG3-121 Exch2K3
Microsoft Exchange Server 2003: EMG3-121 Exch2K3 (in version v1 r5)
Title
Services permissions do not reflect least privilege. (Cat II impact)
Discussion
Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. A securely designed E-mail Services Implementation includes the definition of E-mail Roles (Servers and services, Users, Administrators, Installers) based on the functions required by each, then assigning the fewest privileges to these roles. Roles are then assigned to people or services based on the application functions they are required to perform. The Exchange GPO templates available from Microsoft enable the E-mail Administrator to easily set a Baseline Security Policy that hardens service permissions. Installations configured without the policy templates must nevertheless meet the vendor recommended minimums for service protection.
Check Content
Review the permission settings for the Exchange 2003 services.
Procedure: The following permissions should be set on each of the listed services:
• Authenticated Users – Read
• System – Full Control
• Builtin Administrators – Full Control
• Auditing for failures against the Everyone security principal
For these listed services (default install paths):
• MSExchangeMGMT - %ProgramFiles%\Exchsrvr\bin\exmgmt.exe
• MSExchangeMTA - %ProgramFiles%\Exchsrvr\bin\emsmta.exe
• MSExchangeSA - %ProgramFiles%\Exchsrvr\bin\mad.exe
• W3SVC - %systemroot%\system32\svchost.exe (IISSVCS group)
• IISADMIN - %systemroot%\system32\inetsrv\inetinfo.exe
Criteria: If the services have the vendor recommended permissions, this is not a finding.
Fix Text
Correct the E-Mail Services permissions.
Procedure: The following table lists the recommended baseline settings you should start with when hardening the services on an Exchange back-end server (the Exchange_2003-Backend_V1_1.inf security template configures these settings automatically). The SDDL in the template sets the following:
• Authenticated Users – Read
• System – Full Control
• Builtin Administrators – Full Control
• Auditing for failures against the Everyone security principal
For these listed services (default install paths):
• MSExchangeMGMT - %ProgramFiles%\Exchsrvr\bin\exmgmt.exe
• MSExchangeMTA - %ProgramFiles%\Exchsrvr\bin\emsmta.exe
• MSExchangeSA - %ProgramFiles%\Exchsrvr\bin\mad.exe
• W3SVC - %systemroot%\system32\svchost.exe (IISSVCS group)
• IISADMIN - %systemroot%\system32\inetsrv\inetinfo.exe
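The Check Content and Fix Text above name the principals and rights but not how to read them off a live server. The following script is an added example, not part of the STIG or of Microsoft's template: it dumps each service's security descriptor with sc.exe sdshow, parses the SDDL with the .NET RawSecurityDescriptor class, and reports any deviation from the baseline (Authenticated Users Read, SYSTEM and BUILTIN\Administrators Full Control, a failure-audit entry for Everyone). The "Read" and "Full Control" access masks are my translation of the security template rights into winsvc.h service rights (CC LC SW LO CR RC and SERVICE_ALL_ACCESS plus the standard rights); the well-known SIDs are the documented ones for those groups.

```powershell
# Added example: compare Exchange 2003 service ACLs with the EMG3-121 baseline.
# Not the STIG's or Microsoft's code. Run elevated: sc.exe only returns the SACL
# (the audit entries) when the caller holds SeSecurityPrivilege.

$Services = 'MSExchangeMGMT', 'MSExchangeMTA', 'MSExchangeSA', 'W3SVC', 'IISADMIN'

# Service rights from winsvc.h combined with the standard rights.
# "Read" in the security template UI = CC LC SW LO CR RC.
$ServiceRead = 0x0001 -bor 0x0004 -bor 0x0008 -bor 0x0080 -bor 0x0100 -bor 0x20000   # 0x2018D
# "Full Control" = SERVICE_ALL_ACCESS (0x1FF) plus DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER.
$ServiceFull = 0x000F01FF

# Expected allow masks keyed by well-known SID.
$Expected = @{
    'S-1-5-11'     = $ServiceRead   # Authenticated Users
    'S-1-5-18'     = $ServiceFull   # NT AUTHORITY\SYSTEM
    'S-1-5-32-544' = $ServiceFull   # BUILTIN\Administrators
}
$EveryoneSid = 'S-1-1-0'

function Test-ServiceBaseline {
    param([Parameter(Mandatory = $true)][string]$Name)

    $findings = @()
    # sc.exe prints a blank line, then the SDDL string (DACL and, if readable, SACL).
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^[DS]:' }) -join ''
    if (-not $sddl) {
        return ,"$Name : sc.exe sdshow returned no descriptor (service missing or access denied)"
    }

    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $seen = @{}

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) {
            continue   # deny ACEs are outside the baseline; not reported here
        }
        $sid = $ace.SecurityIdentifier.Value
        if ($Expected.ContainsKey($sid)) {
            $seen[$sid] = $true
            if ($ace.AccessMask -ne $Expected[$sid]) {
                $findings += ('{0} : {1} has mask 0x{2:X}, baseline is 0x{3:X}' -f
                              $Name, $sid, $ace.AccessMask, $Expected[$sid])
            }
        }
        else {
            # Any extra principal with allow rights violates least privilege.
            $findings += ('{0} : unexpected allow ACE for {1} (mask 0x{2:X})' -f
                          $Name, $sid, $ace.AccessMask)
        }
    }
    foreach ($sid in $Expected.Keys) {
        if (-not $seen[$sid]) { $findings += "$Name : no allow ACE for $sid" }
    }

    # SACL: a failure-audit entry for Everyone must be present.
    $auditOk = $false
    if ($sd.SystemAcl) {
        foreach ($ace in $sd.SystemAcl) {
            if ($ace.SecurityIdentifier.Value -eq $EveryoneSid -and
                ($ace.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Failure)) {
                $auditOk = $true
            }
        }
    }
    if (-not $auditOk) {
        $findings += "$Name : no failure-audit ACE for Everyone (SACL absent or not returned; run elevated)"
    }
    return $findings
}

$all = @()
foreach ($svc in $Services) { $all += Test-ServiceBaseline -Name $svc }
if ($all.Count -eq 0) { 'All listed services match the baseline (not a finding).' }
else { $all }
```

An empty result corresponds to the "not a finding" criterion. The script compares access masks exactly, so a service granting Authenticated Users anything beyond Read (for example Start or Stop) is reported, as is any additional principal; adjust $Expected only if the site's accredited baseline differs. To remediate a single service by hand, `sc.exe sdset <service> <sddl>` accepts the same SDDL form that sdshow prints, but the supported route is applying the .inf template through the Security Configuration and Analysis tooling, as the Fix Text describes.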
Additional Identifiers
Rule ID: SV-20524r1_rule
Vulnerability ID: V-18801
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |