Check: EMG2-030 Exch2K3BE
Microsoft Exchange Server 2003: EMG2-030 Exch2K3BE (in version v1 r5)
Title
E-mail servers are not protected by an Edge Transport Server role (E-mail Secure Gateway) removing disallowed message attachments at the network perimeter. (Cat II impact)
Discussion
By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the Mail server environment. Attachments have been known to carry malware, although the file type and malware types have changed over time. Attachments must be controlled at the entry point into the E-mail environment to prevent successful attachment-based attacks. For outbound messages, the entry point is at E-mail creation, for example, in Outlook or Outlook Web Access (OWA). For inbound messages, it is at the perimeter. By using this practice, attachments that are disallowed or are found to be malware carriers can be stripped before the attachment is forwarded to the mailbox server. In the case of 0-day threats, attachment configuration can be modified to add specific attachment types if they are known to be associated with a newly devised attack. For Microsoft E-mail services, attachments are controlled by the E-mail client applications, in this case OWA or Outlook. The attachment file types list should be coordinated among other Microsoft client applications, such as OWA or Outlook, and with other E-mail services that may act upon message attachments, such as a perimeter-based attachment filter used by a non-Microsoft product.
Check Content
Interview the E-mail Administrator or the IAO. Review documentation that describes attachment filtering at the perimeter, as performed by the Edge Transport Server (E-mail Secure Gateway). Criteria: If E-mail attachments are filtered by an Edge Transport Server (E-mail Secure Gateway) at the perimeter, this is not a finding.
Fix Text
Procedure: Deploy attachment filtering at the perimeter on an Edge Transport Server (E-mail Secure Gateway) that supports attachment filtering. The following list suggests the minimum attachments that should be disallowed. Exceptions should be documented in the System Security Plan, explaining the reason for addition or removal. Attachment filtering lists should also align with client application direction, such as Microsoft Outlook and Microsoft Outlook Web Access (OWA), or with other platforms that perform attachment filtering.

For Level1FileTypes, Value Data:
ade, adp, app, asx, bas, bat, chm, cmd, com, cpl, crt, csh, exe, fxp, hlp, hta, inf, ins, isp, js, jse, ksh, lnk, mda, mdb, mde, mdt, mdw, mdz, msc, msi, msp, mst, ops, pcd, pif, prf, prg, reg, scf, scr, sct, shb, shs, url, vb, vbe, vbs, wsc, wsf, wsh

For Level2FileTypes, Value Data:
ade, adp, asx, bas, bat, chm, cmd, com, cpl, crt, exe, hlp, hta, htm, html, htc, inf, ins, isp, js, jse, lnk, mda, mdb, mde, mdz, mht, mhtml, msc, msi, msp, mst, pcd, pif, prf, reg, scf, scr, sct, shb, shs, shtm, shtml, stm, url, vb, vbe, vbs, wsc, wsf, wsh, xml, dir, dcr, plg, spl, swf
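The stripping behaviour the fix text describes, as an added example that is neither part of this STIG nor Exchange or Edge Transport code: a Python check that tests attachment names against the Level1FileTypes and Level2FileTypes lists above, normalising case and trailing dots or spaces. The function names, the sample attachment names, and the choice to examine every dot-separated component after the first (so a double extension is caught) are assumptions made here.

```python
# File-type lists copied from the fix text of this check; matched case-insensitively.
LEVEL1_FILE_TYPES = frozenset("""
ade adp app asx bas bat chm cmd com cpl crt csh exe fxp hlp hta inf ins isp js
jse ksh lnk mda mdb mde mdt mdw mdz msc msi msp mst ops pcd pif prf prg reg scf
scr sct shb shs url vb vbe vbs wsc wsf wsh
""".split())

LEVEL2_FILE_TYPES = frozenset("""
ade adp asx bas bat chm cmd com cpl crt exe hlp hta htm html htc inf ins isp js
jse lnk mda mdb mde mdz mht mhtml msc msi msp mst pcd pif prf reg scf scr sct
shb shs shtm shtml stm url vb vbe vbs wsc wsf wsh xml dir dcr plg spl swf
""".split())


def attachment_extensions(filename):
    """Return the dot-separated components after the first dot, lower-cased.

    Trailing dots and spaces are removed first because Windows drops them
    when it writes the file, so 'run.exe. ' lands on disk as 'run.exe'.
    'invoice.pdf.exe' yields ['pdf', 'exe']: every component is examined,
    which is deliberately conservative (an assumption of this example).
    """
    name = filename.strip().rstrip(". ").lower()
    return name.split(".")[1:]


def is_disallowed(filename, level=1):
    """True if any extension of the attachment is on the chosen level's list."""
    blocklist = LEVEL1_FILE_TYPES if level == 1 else LEVEL2_FILE_TYPES
    return any(ext in blocklist for ext in attachment_extensions(filename))


def filter_message(attachment_names, level=1):
    """Split one message's attachment names into (kept, stripped) lists:
    what a perimeter filter forwards to the mailbox server versus what it
    strips before forwarding."""
    kept, stripped = [], []
    for name in attachment_names:
        (stripped if is_disallowed(name, level) else kept).append(name)
    return kept, stripped


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real message.
    sample = ["report.docx", "setup.EXE", "invoice.pdf.exe", "page.htm", "README"]
    for lvl in (1, 2):
        kept, stripped = filter_message(sample, level=lvl)
        print(f"Level {lvl}: keep {kept}, strip {stripped}")
```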
Additional Identifiers
Rule ID: SV-20385r1_rule
Vulnerability ID: V-18721
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |