Check: EMG3-828 Exch2K3
Microsoft Exchange Server 2003: EMG3-828 Exch2K3 (in version v1 r5)
Title
E-mail restore permissions are not restricted to E-mail administrators. (Cat II impact)
Discussion
Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. The right to restore e-mail applications or data following a service interruption must align with the E-mail Installation and E-mail Administration role, excluding all other user roles. Because this elevated privilege has the ability to change the application functionality or data from its initial version, it must be carefully assigned, monitored, and controlled.
Check Content
Verify that restore privilege is restricted to only E-mail Administrators and Installers.

Procedure: Exchange System Manager >> Administrative Group >> [administrative group] >> Servers >> [server name] >> [recovery storage group] >> Mailbox store >> Properties >> Security tab >> Advanced button

Exchange Administrators and Installers should have full control. No other group should have 'write' permissions.

Criteria: If Exchange Administrators and Installers have full control and no other group has 'write' permissions, this is not a finding.
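The same comparison can be scripted instead of read off the Security tab. The following is an added audit example, not part of the STIG; it assumes the ActiveDirectory module and its AD: drive are available, that the mailbox store's security settings are the ACL of its configuration object in Active Directory, and that $StoreDN and the two group names are placeholders to be replaced with the site's own values.

```powershell
# Added example for check EMG3-828: list write-capable ACEs on the recovery
# storage group's mailbox store that belong to principals other than the
# E-mail Administrators and Installers, and confirm those two hold full control.
Import-Module ActiveDirectory

# PLACEHOLDER distinguished name of the mailbox store object; replace with your own.
$StoreDN = 'CN=Mailbox Store (SERVERNAME),CN=Recovery Storage Group,CN=InformationStore,CN=SERVERNAME,CN=Servers,CN=ADMINGROUP,CN=Administrative Groups,CN=ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com'

# Assumed group names for the allowed roles; adjust to the site's naming.
$AllowedWriters = @('EXAMPLE\Exchange Administrators', 'EXAMPLE\Exchange Installers')

# Rights that amount to 'write' on an AD object.
$R = [System.DirectoryServices.ActiveDirectoryRights]
$WriteRights = $R::WriteProperty -bor $R::GenericWrite -bor $R::GenericAll -bor $R::WriteDacl -bor $R::WriteOwner

$acl = Get-Acl -Path "AD:\$StoreDN"

# 1. Any Allow ACE granting write-class rights to a principal outside the allowed list is a finding.
$unexpected = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (($ace.ActiveDirectoryRights -band $WriteRights) -eq 0) { continue }
    $who = $ace.IdentityReference.Value
    if ($AllowedWriters -notcontains $who) {
        [pscustomobject]@{ Identity = $who; Rights = $ace.ActiveDirectoryRights; Inherited = $ace.IsInherited }
    }
}

# 2. Each allowed group must hold full control (GenericAll) via an Allow ACE.
$missingFullControl = $AllowedWriters | Where-Object {
    $group = $_
    -not ($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $group -and $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $R::GenericAll) -eq $R::GenericAll)
    })
}

if (-not $unexpected -and -not $missingFullControl) {
    'Not a finding: only the allowed groups hold write or full-control rights, and both have full control.'
} else {
    if ($unexpected) { 'FINDING: write-capable ACEs held by other principals:'; $unexpected | Format-Table -AutoSize }
    if ($missingFullControl) { 'FINDING: allowed groups lacking full control:'; $missingFullControl }
}
```

Inherited entries are reported as well, since a write permission that arrives through inheritance still counts against the criteria.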
Fix Text
Ensure that E-mail Restore Permissions are restricted to E-mail Administrators and Installers.

Procedure: Exchange System Manager >> Administrative Group >> [administrative group] >> Servers >> [server name] >> [recovery storage group] >> Mailbox store >> Properties >> Security tab >> Advanced tab

Select "Allow Exchange application administrator full control". Nobody else should have 'write' permissions.
Additional Identifiers
Rule ID: SV-20520r1_rule
Vulnerability ID: V-18799
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |