Check: EMG2-133 Exch2K3
Microsoft Exchange Server 2003: EMG2-133 Exch2K3 (in version v1 r5)
Title
One or more SMTP Virtual Servers do not have a Valid Certificate. (Cat I impact)
Discussion
Server certificates are required for many security features in Exchange; without them the server cannot engage in many forms of secure communication. Certificates must be manually installed on each virtual server: installing a certificate on one SMTP Virtual Server does not give other SMTP Virtual Servers (or virtual servers of any other protocol) access to that certificate. However, once a certificate is installed on one virtual server, any other virtual server (regardless of protocol used) may easily be configured to use it by selecting “Assign an existing certificate” on the first page of the Wizard.
Install certificates on this virtual server. Without them, many other recommendations in this document concerning secure communication will be impossible to implement. For highest security assurance, each virtual server should have its own certificate that it does not share with other servers. This reduces the damage due to server compromises and provides per-server identification.
Failure to implement this recommendation makes it virtually impossible to secure Exchange's communications. Use of any virtual server that has not been given a certificate should be considered a highly insecure action.
Check Content
Validate that Virtual Server certificates are installed for each SMTP Virtual Server.
Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Protocols >> SMTP >> [specific SMTP server] >> Properties >> Access tab >> Secure Communication tab
Select the “Wizard” button to create and install a certificate. View the certificate details.
Criteria: If the SMTP virtual servers have a valid DoD-issued certificate, this is not a finding.
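The criteria above, together with the Discussion's recommendation that virtual servers not share a certificate, can also be checked in bulk once certificate details have been collected. The following is an added example, not part of the original check: the server names, the sample certificates and the issuer attributes treated as "DoD-issued" are assumptions, and the input is expected in the shape Python's ssl.SSLSocket.getpeercert() returns.

```python
import ssl
from collections import defaultdict

# Assumption: a DoD-issued certificate carries these issuer attributes. A name
# match does not replace validating the chain against the DoD root CAs.
DOD_ISSUER = {("organizationName", "U.S. Government"), ("organizationalUnitName", "DoD")}

def audit_virtual_servers(certs, now):
    """certs maps a virtual server name to a dict shaped like the result of
    ssl.SSLSocket.getpeercert(), or None if no certificate was presented.
    now is the audit time in seconds since the epoch. Returns {name: [findings]}."""
    findings, by_cert = defaultdict(list), defaultdict(list)
    for name, cert in certs.items():
        if not cert:
            findings[name].append("no certificate installed")
            continue
        issuer = {attr for rdn in cert["issuer"] for attr in rdn}
        if not DOD_ISSUER <= issuer:
            findings[name].append("issuer is not DoD")
        if now < ssl.cert_time_to_seconds(cert["notBefore"]):
            findings[name].append("not yet valid")
        if now > ssl.cert_time_to_seconds(cert["notAfter"]):
            findings[name].append("expired")
        by_cert[(cert["issuer"], cert["serialNumber"])].append(name)
    # The discussion recommends that virtual servers do not share a certificate.
    for names in by_cert.values():
        for name in (names if len(names) > 1 else ()):
            others = ", ".join(n for n in names if n != name)
            findings[name].append("certificate shared with " + others)
    return dict(findings)

def sample_cert(issuer_ou, serial, not_after):
    issuer = ((("countryName", "US"),),
              (("organizationName", "U.S. Government"),),
              (("organizationalUnitName", issuer_ou),),
              (("commonName", "EXAMPLE CA"),))
    return {"issuer": issuer, "serialNumber": serial,
            "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": not_after}

# Constructed inventory: hypothetical virtual server names and certificates.
SAMPLE = {
    "Default SMTP Virtual Server": sample_cert("DoD", "0A01", "Jan  1 00:00:00 2027 GMT"),
    "Relay SMTP": sample_cert("DoD", "0A01", "Jan  1 00:00:00 2027 GMT"),
    "Partner SMTP": sample_cert("Test Lab", "0B07", "Jun  1 00:00:00 2024 GMT"),
    "Outbound SMTP": None,
}
AUDIT_TIME = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")
for server, problems in audit_virtual_servers(SAMPLE, AUDIT_TIME).items():
    print(f"{server}: {'; '.join(problems)}")
```

A virtual server with no entry in the result has a certificate that passed every test; a shared certificate is reported against each server that uses it.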
Fix Text
Obtain valid DoD server certificates for SMTP services. For each SMTP virtual server, install a certificate.
Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Protocols >> SMTP >> [specific SMTP server] >> Properties >> Access tab >> Secure Communication tab
Select the “Wizard” button to install the certificate.
Additional Identifiers
Rule ID: SV-20455r1_rule
Vulnerability ID: V-18762
Group Title:
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.