Check: EMG3-824 Exch2K3
Microsoft Exchange Server 2003: EMG3-824 Exch2K3 (in version v1 r5)
Title
Exchange application permissions are not at vendor recommended settings. (Cat II impact)
Discussion
Default product installations may provide more generous permissions than are necessary to run the application. Examining and tailoring permissions so that they grant as little privilege as possible makes it less likely that an attack running with a user's permissions can reach more highly secured areas. Vendor-supplied policies are available to assist in further hardening the permissions set for Exchange. Application file permissions on Exchange 2003 servers can be set by importing the group policy for Exchange Back-End or Front-End servers. As far as file permissions are concerned, both policies set the same directory permissions, as shown here.
Check Content
The following table lists the recommended baseline settings you should start with when hardening the services for an Exchange back-end server (the Exchange_2003-Backend_V1_1.inf file and the Exchange_2003-Frontend_V1_1.inf file configure these settings automatically).

File ACL settings configured by Exchange_2003-Backend_V1_1.inf

The following permissions:
• System – Full Control
• Builtin Administrators – Full Control
Apply to these directories:
%systemdrive%\Inetpub\mailroot\
%systemdrive%\Inetpub\NNTPfile\

The following permissions:
• Everyone – Full Control
Applies to this directory:
%systemdrive%\Inetpub\NNTPfile\root

The following permissions:
• System – Full Control
• Builtin Administrators – Full Control
• Server Operators – Modify, Read/Execute, List, Read, Write
• Creator Owner – Full Control (subdirectories only)
Apply to these directories:
%systemdrive%\program files\exchsrvr and subs, but not ADDRESS, OMA, BIN, EXCHWEB, and RES subdirectories.

The following permissions:
• System – Full Control
• Builtin Administrators – Full Control
• Server Operators – Modify, Read/Execute, List, Read, Write
• Users – Read/Execute, List, Read
• Creator Owner – Full Control (subdirectories only)
Apply to these directories:
%systemdrive%\program files\exchsrvr (subs) >> ADDRESS, OMA, BIN, EXCHWEB, and RES subdirectories

Criteria: If files have vendor recommended permissions, this is not a finding.
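One way to automate this check, as an added PowerShell example that is not part of the STIG or the Microsoft templates: it reports allow ACEs that grant more than the baseline listed above, and it does not verify missing entries or inheritance scope. The English account names, the default exchsrvr install path and the function name Test-BaselineAcl are assumptions.

```powershell
# Added example, not part of the STIG or Microsoft's templates.
# Assumes English account names and the default exchsrvr install path.
$R   = [System.Security.AccessControl.FileSystemRights]
$FC  = [int]$R::FullControl
$MOD = [int]$R::Modify -bor [int]$R::Synchronize
$RX  = [int]$R::ReadAndExecute -bor [int]$R::Synchronize

# Baseline from the Check Content: identity -> maximum rights allowed.
$admin    = @{ 'NT AUTHORITY\SYSTEM' = $FC; 'BUILTIN\Administrators' = $FC }
$everyone = @{ 'Everyone' = $FC }
$exch     = $admin + @{ 'BUILTIN\Server Operators' = $MOD; 'CREATOR OWNER' = $FC }
$exchUser = $exch + @{ 'BUILTIN\Users' = $RX }
$userSubs = 'ADDRESS', 'OMA', 'BIN', 'EXCHWEB', 'RES'

function Test-BaselineAcl([string]$Path, [hashtable]$Allowed) {
    if (-not (Test-Path $Path)) { Write-Warning "Not found: $Path"; return }
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id     = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights
        # Inherit-only ACEs (typically CREATOR OWNER) can come back as raw GENERIC_ALL.
        # Other raw generic rights are not mapped and will be reported for manual review.
        if ($rights -band 0x10000000) { $rights = $FC }
        if (-not $Allowed.ContainsKey($id)) {
            "{0}: identity not in baseline: {1} ({2})" -f $Path, $id, $ace.FileSystemRights
        } elseif ($rights -band (-bnot $Allowed[$id])) {
            "{0}: {1} exceeds baseline ({2})" -f $Path, $id, $ace.FileSystemRights
        }
    }
}

$inetpub  = Join-Path $env:SystemDrive 'Inetpub'
$exchsrvr = Join-Path $env:SystemDrive 'Program Files\exchsrvr'
Test-BaselineAcl (Join-Path $inetpub 'mailroot') $admin
Test-BaselineAcl (Join-Path $inetpub 'NNTPfile') $admin
Test-BaselineAcl (Join-Path $inetpub 'NNTPfile\root') $everyone
Test-BaselineAcl $exchsrvr $exch
# Immediate subdirectories only: the five named ones also allow Users read access.
Get-ChildItem $exchsrvr -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } | ForEach-Object {
        $set = if ($userSubs -contains $_.Name) { $exchUser } else { $exch }
        Test-BaselineAcl $_.FullName $set
    }
```

No output means no ACE on the checked directories grants more than the baseline; each reported line should be compared against the table by hand before it is recorded as a finding.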
Fix Text
Procedure: The following table lists the recommended baseline settings you should start with when hardening the services for an Exchange Back-end server (the Exchange_2003-Backend_V1_1.inf file and the Exchange_2003-Frontend_V1_1.inf file configure these settings automatically).

File ACL settings configured by Exchange_2003-Backend_V1_1.inf

The following permissions:
• System – Full Control
• Builtin Administrators – Full Control
Apply to these directories:
%systemdrive%\Inetpub\mailroot\
%systemdrive%\Inetpub\NNTPfile\

The following permissions:
• Everyone – Full Control
Applies to this directory:
%systemdrive%\Inetpub\NNTPfile\root

The following permissions:
• System – Full Control
• Builtin Administrators – Full Control
• Server Operators – Modify, Read/Execute, List, Read, Write
• Creator Owner – Full Control (subdirectories only)
Apply to these directories:
%systemdrive%\program files\exchsrvr and subs, but not ADDRESS, OMA, BIN, EXCHWEB, and RES subdirectories.

The following permissions:
• System – Full Control
• Builtin Administrators – Full Control
• Server Operators – Modify, Read/Execute, List, Read, Write
• Users – Read/Execute, List, Read
• Creator Owner – Full Control (subdirectories only)
Apply to these directories:
%systemdrive%\program files\exchsrvr (subs) >> ADDRESS, OMA, BIN, EXCHWEB, and RES subdirectories
Additional Identifiers
Rule ID: SV-20526r1_rule
Vulnerability ID: V-18802
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |