Check: EMG3-801 Exch2K3FE
Microsoft Exchange Server 2003:
EMG3-801 Exch2K3FE
(in version v1 r5)
Title
E-Mail server has unneeded processes or services active. (Cat II impact)
Discussion
Unneeded but running services offer attackers an enhanced attack profile, and attackers are constantly watching to discover open ports with running services. By analyzing and disabling unneeded services, the associated open ports become unresponsive to outside queries, and servers become more secure as a result.
Exchange 2003 has role-based server deployment to enable protocol path control and logical separation of network traffic types. For example, a server implemented in the Client Access role (i.e., Outlook Web Access [OWA]) is configured and tuned as a web server using web protocols. A client access server exposes only web protocols (HTTP/HTTPS), enabling System Administrators to optimize the protocol path and disable all services unnecessary for Exchange web services. Similarly, Back-End servers created to host mailboxes are dedicated to that task and operate only the services needed for mailbox hosting. (Back-End servers must also operate some Web services, but only to the degree that Exchange 2003 requires the IIS engine in order to function.)
To restrict attack vectors available with E-mail message access, the protocols on the E-mail servers should match offerings on the DoD standard desktop deployment. These include Microsoft Outlook using MAPI, S/MIME enabled clients, and secured connections. They also include Outlook via VPN for offsite telework. Browsers may access OWA provided they use PKI/CAC access brokered through a reverse proxy Application Server. Because NNTP, POP3, and IMAP4 clients are not included in the standard desktop offering, they must be disabled. Guidance is not provided for these protocols in this document.
Check Content
Verify that unneeded Front End services are disabled.
Procedure:
Microsoft Exchange Information Store
  Right Click >> Stop Service, if running.
  Right Click >> Properties >> Start Type change to Disable
  Registry: HKLM\CCS\Services\MSExchangeIS Key: START Value: Reg_DWORD 0x00000004
Microsoft Exchange MTA Stacks
  Right Click >> Stop Service, if running.
  Right Click >> Properties >> Start Type change to Disable
  Registry: HKLM\CCS\Services\MSExchangeMTA Key: START Value: Reg_DWORD 0x00000004
Microsoft Exchange Routing Engine
  Right Click >> Stop Service, if running.
  Right Click >> Properties >> Start Type change to Disable
  Registry: HKLM\CCS\Services\RESVC Key: START Value: Reg_DWORD 0x00000004
Microsoft Exchange IMAP4
  Right Click >> Stop Service, if running.
  Right Click >> Properties >> Start Type change to Disable
  Registry: HKLM\CCS\Services\IMAP4SVC Key: START Value: Reg_DWORD 0x00000004
Microsoft Exchange POP3
  Right Click >> Stop Service, if running.
  Right Click >> Properties >> Start Type change to Disable
  Registry: HKLM\CCS\Services\POP3SVC Key: START Value: Reg_DWORD 0x00000004
Microsoft Exchange Event
  Right Click >> Stop Service, if running.
  Right Click >> Properties >> Start Type change to Disable
  Registry: HKLM\CCS\Services\MSExchangeES Key: START Value: Reg_DWORD 0x00000004
Network News Transfer Protocol (NNTP)
  Right Click >> Stop Service, if running.
  Right Click >> Properties >> Start Type change to Disable
  Registry: HKLM\CCS\Services\NNTPSVC Key: START Value: Reg_DWORD 0x00000004
Microsoft Exchange Site Replication Service
  Right Click >> Stop Service, if running.
  Right Click >> Properties >> Start Type change to Disable
  Registry: HKLM\CCS\Services\MSExchangeSRS Key: START Value: Reg_DWORD 0x00000004
Criteria: If unnecessary services are disabled, this is not a finding.
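The registry check above can be scripted instead of clicked through. The following PowerShell is an added example, not part of the original check text: it reads the START value for each service key named in the Check Content and flags any that is not 4 (Disabled). It assumes "HKLM\CCS" abbreviates HKLM\SYSTEM\CurrentControlSet and treats a service that is not installed as not a finding; the function name Get-ServiceStartAudit is hypothetical.

```powershell
# Added example: audit the Start value of the services named in the Check Content.
# Service key names are taken from the registry paths listed in the check.
$services = 'MSExchangeIS', 'MSExchangeMTA', 'RESVC', 'IMAP4SVC',
            'POP3SVC', 'MSExchangeES', 'NNTPSVC', 'MSExchangeSRS'

# Assumption: "HKLM\CCS" in the check abbreviates this full path.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceStartAudit {
    param([string[]]$Name)

    foreach ($n in $Name) {
        $key    = Join-Path $root $n
        $exists = Test-Path $key
        $start  = $null
        $status = 'NotInstalled'

        if ($exists) {
            $prop = Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue
            if ($prop) { $start = $prop.Start }

            # Current run state, so a disabled-but-still-running service is visible.
            $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
            if ($svc) { $status = $svc.Status.ToString() } else { $status = 'Unknown' }
        }

        # Finding when the key exists and Start is anything other than 4 (Disabled).
        # Assumption: a service that is not installed is treated as not a finding.
        $finding = $exists -and ($start -ne 4)

        New-Object PSObject -Property @{
            Service = $n; Start = $start; Status = $status; Finding = $finding
        } | Select-Object Service, Start, Status, Finding
    }
}

$results = Get-ServiceStartAudit -Name $services
$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled compliance job detect drift.
if ($results | Where-Object { $_.Finding }) { exit 1 }
```

A row with Start 4 and Status Running means the service was disabled but not yet stopped, which the procedure also requires.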
Fix Text
Disable unneeded services.
Procedure:
Navigate to Start >> Settings >> Administrative Tools >> Services
Create correct configurations.
Microsoft Exchange IMAP4
  Right Click >> Stop Service, if running.
  Right Click >> Properties >> Start Type change to Disable
Microsoft Exchange Information Store
  Right Click >> Stop Service, if running.
  Right Click >> Properties >> Start Type change to Disable
Microsoft Exchange POP3
  Right Click >> Stop Service, if running.
  Right Click >> Properties >> Start Type change to Disable
Microsoft Search
  Right Click >> Stop Service, if running.
  Right Click >> Properties >> Start Type change to Disable
Microsoft Exchange Event
  Right Click >> Stop Service, if running.
  Right Click >> Properties >> Start Type change to Disable
Microsoft Exchange Site Replication Service
  Right Click >> Stop Service, if running.
  Right Click >> Properties >> Start Type change to Disable
Microsoft Exchange MTA Stacks
  Right Click >> Stop Service, if running.
  Right Click >> Properties >> Start Type change to Disable
Microsoft Exchange Routing Engine
  Right Click >> Stop Service, if running.
  Right Click >> Properties >> Start Type change to Disable
Network News Transfer Protocol (NNTP)
  Right Click >> Stop Service, if running.
  Right Click >> Properties >> Start Type change to Disable
Additional Identifiers
Rule ID: SV-20296r1_rule
Vulnerability ID: V-18676
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |