Check: EMG2-303 Exch2K3
Microsoft Exchange Server 2003:
EMG2-303 Exch2K3
(in version v1 r5)
Title
Exchange application memory is not zeroed out after message deletion. (Cat III impact)
Discussion
Residual data left in memory after a transaction completes adds risk, because it can be used for malicious purposes if access to that data is achieved. Applications may perform ‘logical delete’ functions, which make the data invisible to the application user but in fact leave it resident in memory (recoverable, for example, by a forensics tool). While not malicious, this behavior sacrifices security for performance. The zero-overwrite feature overwrites memory storage before reuse, negating the potential disclosure of sensitive information that may reside in reallocated memory space. By the time the memory is returned to the operating system, it essentially no longer contains any information that would allow the message to be retrieved. Using this feature may make batch message deletion more time-consuming, because the server must actually overwrite the entire message. However, off-hours process performance degradation is not likely to be visible to users. Performance degradation should not be used as a reason to disable this feature, as the security benefit outweighs the risk.
Check Content
Verify memory zero overwrite configuration.

Procedure: Exchange System Manager >> administrative groups >> [administrative group] >> Servers >> [Server] >> [storage group] >> properties >> General tab

The “Zero out deleted database pages” checkbox should be checked.

Criteria: If the “Zero out deleted database pages” checkbox is checked, this is not a finding.
Fix Text
Enable 'Memory Zero Overwrite' after deletion.

Procedure: Exchange System Manager >> administrative groups >> [administrative group] >> Servers >> [Server] >> [storage group] >> properties >> General tab

Select the “Zero out deleted database pages” checkbox.
Additional Identifiers
Rule ID: SV-20546r1_rule
Vulnerability ID: V-18812
Group Title:
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.