Check: EMG2-825 Exch2K3
Microsoft Exchange Server 2003:
EMG2-825 Exch2K3
(in version v1 r5)
Title
SMTP Virtual Server Audit Records are not directed to a separate partition. (Cat II impact)
Discussion
Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This setting controls the location of the SMTP Virtual Server log file. By default, these files are stored in \WINNT\SYSTEM32\LOGFILES\SMTPSVCx (where x is a number used to distinguish between virtual servers in this organization).

The drop-down menu is used to select the format of the log file. The Properties button next to this drop-down displays configuration information specific to the type of log format selected, and usually includes a control for the log rotation schedule (that is, how often the old log file should be closed and a new log file started).

All log files are required to be written to partitions separate from those used by the Exchange Stores and also separate from the Operating System. Exchange will dismount its stores if it detects that it has run out of disk space, resulting in a complete loss of Exchange services. To minimize the chance of this happening, log files should be written to a separate partition so that filling that partition with logs does not cause Exchange to fail.
Check Content
Interview the E-mail Administrator (EMA) or the System Administrator. Ascertain the partition identifier for the operating system and the Mailbox data partitions. Review the log file configuration.

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> SMTP >> [specific SMTP server] >> Properties >> General tab >> Properties button

The “Enable Logging” checkbox in the log file directory box should be selected. The log file path should NOT be the default path (\WINNT\SYSTEM32\LOGFILES\SMTPSVCx, where x is a number used to distinguish between virtual servers in this organization) or on the Mailbox Data partition.

Criteria: If the SMTP Virtual Server log is written to a partition that is NOT \WINNT\SYSTEM32\LOGFILES\SMTPSVCx, and also NOT the Mailbox Data partition, this is not a finding.
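One way to apply the criteria above, together with the Fix Text requirement to stay off the operating system partition, to values collected during the interview. This is an added example, not part of the STIG; the function names, the reason strings and the sample paths are assumptions made for illustration.

```python
import ntpath
import re

DEFAULT_TAIL = r"\system32\logfiles"  # default log root from the check text, below the OS directory

def volume_of(path, system_root):
    """Expand %SystemRoot%; return (normalised lower-case path, 'x:' drive or UNC share)."""
    expanded = re.sub("%systemroot%", lambda m: system_root, path, flags=re.I)
    norm = ntpath.normpath(expanded).lower()
    return norm, ntpath.splitdrive(norm)[0]

def evaluate(logging_enabled, log_dir, system_root, mailbox_paths):
    """Return the reasons this server is a finding; an empty list means not a finding."""
    reasons = []
    if not logging_enabled:
        reasons.append("logging is not enabled")
    sys_norm, sys_vol = volume_of(system_root, system_root)
    log_norm, log_vol = volume_of(log_dir, system_root)
    if not log_vol:
        # A path with no drive letter cannot be tied to a partition from its text alone.
        return reasons + ["log path has no drive or share; partition cannot be determined"]
    default = sys_norm + DEFAULT_TAIL
    if log_norm == default or log_norm.startswith(default + "\\"):
        reasons.append("log path is the default location")
    if log_vol == sys_vol:
        reasons.append("log path is on the operating system partition")
    if any(volume_of(mb, system_root)[1] == log_vol for mb in mailbox_paths):
        reasons.append("log path is on the mailbox data partition")
    return reasons

if __name__ == "__main__":
    # Constructed sample values, not taken from any real server.
    for path in (r"F:\Logs\SMTP", r"%SystemRoot%\System32\LogFiles\SMTPSVC1", r"e:\smtplogs"):
        print(path, "->", evaluate(True, path, r"C:\WINNT", [r"E:\Exchsrvr\mdbdata"]) or "not a finding")
```

Drive-letter comparison does not account for volumes mounted into a folder, so a log path under a mount point needs to be confirmed by hand.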
Fix Text
Configure the SMTP Virtual Server log location.

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> SMTP >> [specific SMTP server] >> Properties >> General tab >> Properties button

Select the “Enable Logging” checkbox. Enter the log file location. Ensure that the log file path is on a partition other than the operating system partition and other than the Exchange 2003 Mailbox data partition.
Additional Identifiers
Rule ID: SV-20360r1_rule
Vulnerability ID: V-18710
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |