Check: EMG2-111 Exch2K3
Microsoft Exchange Server 2003 (in version v1 r5)
Title
Exchange Server is not protected by an Edge Transport Server (E-mail Secure Gateway) that handles the anonymous-connection interaction with Internet-based E-mail servers. (Cat II impact)
Discussion
E-mail is only as secure as the recipient. By ensuring secured connections for all Simple Mail Transfer Protocol (SMTP) servers along the message transfer path, the risk of “Anonymous” message transfers by rogue servers is reduced. If all message transfers were authenticated from server to server, most spam would be eliminated, because anonymous spammers would be more readily traceable. However, authenticating a sender from another domain will not be possible until a common authentication method exists between the receiving domain and all of the sending domains that might wish to correspond. For that reason, the Edge Transport Server role (E-mail Secure Gateway) should be the only role enabled for Anonymous connections (because it will also perform the sanitization steps), and all internal E-mail application server roles must authenticate to each other.

This setting controls the authentication method required to allow connection and message transfer to this virtual server (recipient). Authentication options include Anonymous, Basic authentication (with clear text password), and Integrated Windows Authentication. Anonymous requires no authentication and is therefore not acceptable. NT LAN Manager, or NTLM (the Integrated Windows Authentication checkbox), is negotiated, does not provide encryption of message bodies, and cannot sufficiently secure the connection in Exchange 2003. Risks include the potential for message content to be sniffed over the wire. "Basic authentication" and "Require SSL/TLS" should be selected in this panel. The use of SSL/TLS not only protects the username and password during authentication, but also encrypts the mail messages as they are being transmitted, preventing eavesdroppers from reading them. All Exchange 2003 servers should belong to this category.
Check Content
Interview the IAO or E-mail Administrator. Access documentation that describes placement of an E-mail Secure Gateway that receives inbound messages from Internet-based remote domains. Verify the Exchange 2003 connector authentication configuration. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> servers >> [server] >> Protocols >> SMTP >> [specific SMTP server] >> properties >> Access tab >> Access Control >> Authentication button. “Basic authentication” with "TLS" should be selected.
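The following PowerShell script is an added example, not part of the STIG text. It scripts the authentication portion of the check above by reading each SMTP virtual server's AuthFlags from the IIS metabase through the ADSI provider. Assumptions: it runs locally as an administrator on the Exchange 2003 server, the metabase path `IIS://localhost/SMTPSVC` is reachable, and the AuthFlags bit values follow the documented IIS metabase meanings (1 = Anonymous, 2 = Basic, 4 = Integrated Windows/NTLM).

```powershell
# Added example: evaluate EMG2-111 authentication settings per SMTP virtual server.
# Bit values assumed from the IIS metabase AuthFlags documentation.
$AUTH_ANONYMOUS = 1
$AUTH_BASIC     = 2
$AUTH_NTLM      = 4

function Test-Emg2111AuthFlags {
    # Returns the list of findings for one AuthFlags value; empty means compliant
    # with respect to the authentication method (TLS is checked separately).
    param([int]$AuthFlags)
    $findings = @()
    if ($AuthFlags -band $AUTH_ANONYMOUS) {
        $findings += 'Anonymous access is enabled (not acceptable)'
    }
    if (-not ($AuthFlags -band $AUTH_BASIC)) {
        $findings += 'Basic authentication is not enabled'
    }
    if ($AuthFlags -band $AUTH_NTLM) {
        $findings += 'Integrated Windows Authentication (NTLM) is enabled'
    }
    return $findings
}

# Assumed metabase path for the SMTP service on the local Exchange 2003 host.
$smtpSvc = [ADSI]'IIS://localhost/SMTPSVC'

foreach ($vs in $smtpSvc.Children) {
    # Only SMTP virtual server nodes carry the Access tab settings.
    if ($vs.SchemaClassName -ne 'IIsSmtpServer') { continue }

    $flags = [int]$vs.AuthFlags.Value
    $name  = $vs.ServerComment.Value
    $result = Test-Emg2111AuthFlags -AuthFlags $flags

    if ($result.Count -eq 0) {
        Write-Output ("SMTPSVC/{0} '{1}': AuthFlags={2} - compliant" -f $vs.Name, $name, $flags)
    } else {
        Write-Output ("SMTPSVC/{0} '{1}': AuthFlags={2} - FINDING" -f $vs.Name, $name, $flags)
        foreach ($f in $result) { Write-Output ("    " + $f) }
    }
}
```

The "TLS" requirement from the procedure is not read by this script; confirm it in the Authentication dialog as described in the check.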
Fix Text
Deploy an Edge Transport Server (E-mail Secure Gateway) role at the perimeter. Then, for each Exchange 2003 SMTP virtual server (now internal to the enclave), set authentication. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> servers >> [server] >> Protocols >> SMTP >> [specific SMTP server] >> properties >> Access tab >> Access Control >> Authentication button. Select “Basic authentication” and "TLS encryption".
Additional Identifiers
Rule ID: SV-22062r1_rule
Vulnerability ID: V-18780
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |