Title

Users do not have correct permissions in the Public Virtual Server. (Cat II impact)

Discussion

The principle of Least Privilege ordinarily requires analysis to ensure that users and processes are granted only as much privilege as is required to function effectively, but no additional privileges that could enable mischief, either accidental or intentional. The Pubic Virtual Server enables web access to public folder documents via browser. This control determines whether users will have read, write, script source access, and/or directory browsing capabilities under this virtual server. Public Virtual Server requires that users have read, write, script source access, and directory browsing permissions since these are required for proper functioning Public Folders access.

Check Content

Validate that Public Virtual Server has correct user permissions. Procedure: Exchange system Manager >>Administrative Groups>> [administrative group]>> Servers >> [server name] >> protocols >> HTTP >> Exchange Virtual Server >> Public >> Properties >> Access tab For Access Control, ‘Read, write, Script source access, Directory browsing’ should be selected. Criteria: If Access Control has ‘Read, write, Script source access, Directory browsing’ selected, this is not a finding.

Fix Text

Configure Public Virtual Server user permissions. Procedure: Exchange system Manager >>Administrative Groups>> [administrative group]>> Servers >> [server name] >> protocols >> HTTP >> Exchange Virtual Server >> Public >> Properties >> Access tab For Access Control, select ‘read, write, script source access, directory browsing’.

Additional Identifiers

Rule ID: SV-20381r1_rule

Vulnerability ID: V-18719

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.