Check: EMG2-013 Exch2K3
Microsoft Exchange Server 2003: EMG2-013 Exch2K3 (in version v1 r5)
Title
Mailbox server is not protected by E-mail Edge Transport role (E-mail Secure Gateway) performing Global Accept/Deny list filtering. (Cat II impact)
Discussion
SPAM origination sites and other sources of suspected E-mail borne malware can corrupt, compromise, or otherwise limit the availability of E-mail servers. Limiting exposure to unfiltered inbound messages reduces the risk of SPAM and malware impacts.

The Global Accept and Deny List settings (sometimes referred to as 'White Lists' and 'Black Lists', respectively) admit or block messages originating from specific sources. Ideally, 'Black List' filtering is done at the perimeter of the network using a commercial 'Block List' service, because eliminating threats there prevents them from being evaluated inside the enclave, where there is more risk that they can do harm. When no commercial 'Block List' service is employed as the 'Black List', the values configured here perform similar filtering; when one is employed, they supplement the sites it identifies. For example, during a 0-day threat action, entries can be added and then removed once the threat is mitigated.

A common practice is to enter, at a minimum, the enterprise's home domain in the 'Global Deny List', because inbound E-mail arriving from outside the perimeter with a 'from' address in the home domain is very likely to be spoofed SPAM. This assumes that legitimate mail from the home domain never enters through the inbound perimeter path; any authorized exception must be accounted for before the entry is added.

The Accept List (the 'White List') overrides both the 'Deny List' and the 'Block List' service: even if the 'Block List' service identifies a listed domain as a spammer, inbound mail from that domain will still be received. Normally, no entry should appear in the Global Accept List.

Note: 'White List' entries can inadvertently lead to Denial of Service situations, because inbound messages from those sources bypass the filtering mechanism entirely.
Check Content
Interview the E-mail Administrator or the IAO. Request documentation showing that manually entered Global Accept and Deny List configurations are in place on an E-mail Secure Gateway at the network perimeter. Verify that the local domain appears in the 'Deny' List (to block spoofed SPAM) and that the 'Accept' List is empty.

Criteria: If the perimeter gateway configuration shows the local domain in the 'Deny' List and no entries in the 'Accept' List, this is not a finding.
Fix Text
Procedure: Implement perimeter protection in the form of a secure E-mail filtering mechanism that, among other protections, enforces manually configured 'Deny' List entries (including the local domain, at a minimum) to supplement the commercial 'Block List' service. Ensure also that no 'Accept' List entries exist in the configuration.
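As an added illustration (not part of the STIG and not code from Exchange or any gateway product), the following Python models the list precedence described in the Discussion and the EMG2-013 criteria from Check Content. The GatewayConfig structure, the function names and every domain are constructed for the example; a real gateway stores and applies these lists in its own way.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class GatewayConfig:
    """Constructed model of a perimeter E-mail Secure Gateway's list settings.
    Hypothetical structure; real gateways store these differently."""

    home_domain: str
    deny_list: set[str] = field(default_factory=set)           # manual 'Black List'
    accept_list: set[str] = field(default_factory=set)         # manual 'White List'
    block_list_service: set[str] = field(default_factory=set)  # commercial feed

    def __post_init__(self) -> None:
        # Domain matching is case-insensitive, so normalise once here.
        self.home_domain = self.home_domain.lower()
        self.deny_list = {d.lower() for d in self.deny_list}
        self.accept_list = {d.lower() for d in self.accept_list}
        self.block_list_service = {d.lower() for d in self.block_list_service}


def sender_domain(mail_from: str) -> str:
    """Domain part of a 'from' address such as '<Bob@Example.Test>'."""
    address = mail_from.strip().strip("<>")
    if "@" not in address:
        raise ValueError(f"not an e-mail address: {mail_from!r}")
    return address.rsplit("@", 1)[1].lower()


def filter_decision(cfg: GatewayConfig, mail_from: str) -> tuple[str, str]:
    """Apply the precedence the Discussion describes to one inbound message.

    Accept List entries override both the Deny List and the Block List
    service; the Deny List and the Block List service each reject.
    Returns (verdict, reason).
    """
    domain = sender_domain(mail_from)
    if domain in cfg.accept_list:
        return ("accept", "accept-list override")   # the bypass / DoS risk
    if domain in cfg.deny_list:
        return ("reject", "deny-list entry")
    if domain in cfg.block_list_service:
        return ("reject", "block-list service")
    return ("accept", "no list match")


def evaluate_check(cfg: GatewayConfig) -> list[str]:
    """EMG2-013 criteria: local domain in the Deny List, Accept List empty.
    Returns the findings; an empty list means 'not a finding'."""
    findings = []
    if cfg.home_domain not in cfg.deny_list:
        findings.append(f"home domain '{cfg.home_domain}' is missing from the Global Deny List")
    if cfg.accept_list:
        findings.append("Global Accept List is not empty: " + ", ".join(sorted(cfg.accept_list)))
    return findings


# Constructed sample configurations (all domains are fictitious).
BLOCK_LIST_FEED = {"spamhost.test", "partner.test"}

COMPLIANT = GatewayConfig(
    home_domain="agency.example",
    deny_list={"agency.example", "zeroday-campaign.test"},  # 0-day entry, removed later
    block_list_service=BLOCK_LIST_FEED,
)

WEAK = GatewayConfig(
    home_domain="agency.example",
    deny_list=set(),                  # home domain not denied: spoofed mail gets in
    accept_list={"partner.test"},     # white-listed although the feed flags it
    block_list_service=BLOCK_LIST_FEED,
)

# Constructed inbound 'from' addresses.
SAMPLES = [
    "<CEO@Agency.Example>",        # spoofed home domain arriving from outside
    "<news@spamhost.test>",        # on the commercial Block List
    "<billing@partner.test>",      # flagged by the feed but white-listed in WEAK
    "<alice@legit-vendor.test>",   # matches nothing
]

if __name__ == "__main__":
    for name, cfg in (("COMPLIANT", COMPLIANT), ("WEAK", WEAK)):
        print(f"== {name}: findings = {evaluate_check(cfg) or 'none (not a finding)'}")
        for addr in SAMPLES:
            verdict, reason = filter_decision(cfg, addr)
            print(f"   {addr:<28} {verdict:<7} {reason}")
```

Running it shows the two points the check turns on: under WEAK the spoofed home-domain message is accepted because nothing denies it, and the white-listed partner.test message is accepted even though the Block List feed flags it, which is exactly the bypass the Note warns about; under COMPLIANT both are rejected and evaluate_check returns no findings.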
Additional Identifiers
Rule ID: SV-20266r1_rule
Vulnerability ID: V-18661
Group Title:
Expert Comments
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.