Check: EMG3-145 Exch2K3
Microsoft Exchange Server 2003: EMG3-145 Exch2K3 (in version v1 r5)
Title
E-Mail service accounts are not operating at least privilege. (Cat II impact)
Discussion
Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. A securely designed E-Mail Services implementation includes the definition of E-mail Roles (Servers and services, Users, Administrators, Installers) based on functional requirements for each, then assigning the fewest possible privileges to these roles. Roles are then assigned to people or services based on the application functions they are required to perform. In the case of Microsoft Exchange Server 2003, attempting to run Exchange services on an alternate service account (rather than the default SYSTEM account) is not a supported Microsoft configuration. Due to the nature of the Exchange services access required within the server and the network, Exchange 2003 services must run under the Microsoft Windows SYSTEM account.
Check Content
View Exchange service permissions to verify service account privilege level.
Procedure: Start >> Settings >> Control Panel >> Administrative Tools >> Services
For each "MSExch…." active service in the list: Right Click >> Properties >> Log On >> Log On As field.
Criteria: If E-mail service accounts are operating with the SYSTEM account, this is not a finding.
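The same check can be scripted against WMI instead of clicking through each service. This is an added example, not part of the STIG text; the function name `Test-ExchServiceLogon`, its parameters, the reading of "active" as "currently running", PowerShell 2.0 or later being available, and the constructed sample rows are all assumptions.

```powershell
# Added example: audit the "Log On As" account of MSExch* services.
# Test-ExchServiceLogon is a hypothetical helper name, not a built-in cmdlet.
function Test-ExchServiceLogon {
    param(
        [string]$ComputerName = '.',
        # Optional pre-collected objects with Name, State and StartName,
        # so the logic can be exercised without an Exchange server.
        [object[]]$Services
    )
    if (-not $Services) {
        # Win32_Service.StartName holds the value shown in "Log On As".
        $Services = Get-WmiObject -Class Win32_Service `
            -ComputerName $ComputerName -Filter "Name LIKE 'MSExch%'"
    }
    foreach ($svc in $Services) {
        # Also skips the single $null iteration PowerShell 2.0 performs
        # when the query returns nothing.
        if ($svc.Name -notlike 'MSExch*') { continue }
        # Assumption: "active" in the check means the service is running.
        if ($svc.State -ne 'Running') { continue }
        # WMI reports the Local System account as "LocalSystem".
        $isSystem = $svc.StartName -eq 'LocalSystem'
        $result = 'Finding'
        if ($isSystem) { $result = 'Not a finding' }
        New-Object PSObject -Property @{
            Name    = $svc.Name
            LogOnAs = $svc.StartName
            Result  = $result
        } | Select-Object Name, LogOnAs, Result
    }
}

# Constructed sample rows (not real output); EXAMPLE\svc-exch is a placeholder.
$sample = @(
    New-Object PSObject -Property @{
        Name = 'MSExchangeIS'; State = 'Running'; StartName = 'LocalSystem' }
    New-Object PSObject -Property @{
        Name = 'MSExchangeSA'; State = 'Running'; StartName = 'EXAMPLE\svc-exch' }
    New-Object PSObject -Property @{
        Name = 'MSExchangeMTA'; State = 'Stopped'; StartName = 'LocalSystem' }
)

# Offline run over the sample: MSExchangeIS passes, MSExchangeSA is a finding,
# and MSExchangeMTA is skipped because it is not running.
Test-ExchServiceLogon -Services $sample | Format-Table -AutoSize

# Live run against the local server:
# Test-ExchServiceLogon | Where-Object { $_.Result -eq 'Finding' }
```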
Fix Text
Ensure that E-mail service accounts are operating with the SYSTEM account privilege.
Procedure: Start >> Settings >> Control Panel >> Administrative Tools >> Services
For each "MSExch…." active service in the list: Right Click >> Properties >> Log On >> Log On As field. Select "Local SYSTEM account".
Additional Identifiers
Rule ID: SV-20516r1_rule
Vulnerability ID: V-18796
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.