Check: EMG3-119 Exch2K3
Microsoft Exchange Server 2003: EMG3-119 Exch2K3 (in version v1 r5)
Title
E-mail Services accounts are not restricted to named services. (Cat II impact)
Discussion
Applications introduce some of the most common database attack avenues, and can provide a pathway for an unlimited number of malicious users to access sensitive data. An account responsible for service execution, if compromised, may subject the data to unauthorized exposure if it is granted more privileges than necessary. Typically, service accounts must run only their designated services, and must not be shared with other applications or people. Audit log monitoring can then assume an ‘expected’ set of activities for each service account, and administrators can more readily recognize events that are unexpected. A discrete history of account activity is valuable if an attack on the host system needs to be investigated. If accounts are shared among multiple services or people, it increases the risk that administrators will not have an accurate history for investigation and troubleshooting purposes. In the case of Microsoft Exchange Server 2003, attempting to run Exchange services on an alternate service account (rather than the default SYSTEM account) is not a supported Microsoft configuration. Due to the nature of the access the Exchange services require within the server and the network, Exchange 2003 services must run under the Microsoft Windows SYSTEM account.
Check Content
Interview the E-mail Administrator or the IAO. Access the System Security Plan and verify the Exchange service names active for the site. View Exchange Services to verify service account scope.
Procedure: Start >> Settings >> Control Panel >> Administrative Tools >> Services
For each "MS Exchange..." service, look for Active Services in the list: Right Click >> Properties >> Log On tab >> "Log on as" field.
Criteria: If E-mail service accounts are operating as SYSTEM, this is not a finding.
Fix Text
Ensure that E-mail services use only the SYSTEM account.
Procedure: Start >> Settings >> Control Panel >> Administrative Tools >> Services
For each "MS Exchange..." service, look for Active Services in the list: Right Click >> Properties >> Log On tab. In the "Log on as" field, select "Local System account".
Ensure the changes are reflected in the DIACAP Scorecard.
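The Check Content and Fix Text above describe a manual walk through the Services console. The following PowerShell script is an added example, not part of the STIG and not Microsoft's own tooling, that performs the same check programmatically: it enumerates the Exchange services and reports any whose "Log on as" account is not SYSTEM. It assumes the Exchange 2003 service names begin with "MSExchange" (the names the `Name` column in the Services console shows for the "MS Exchange..." display names), that the WMI `Win32_Service` class exposes the "Log on as" value as `StartName`, and that `LocalSystem` and `NT AUTHORITY\SYSTEM` are the two spellings of the SYSTEM account. The function name `Test-ExchangeServiceLogon` and the sample service records are constructed for this example.

```powershell
# Added example (not from the STIG or from Microsoft): evaluate EMG3-119 against
# a list of service records, returning one finding row per Exchange service.
function Test-ExchangeServiceLogon {
    param(
        # Objects carrying Name, DisplayName, StartName and State, as returned
        # by Get-WmiObject Win32_Service (StartName is the "Log on as" account).
        [Parameter(Mandatory = $true)]
        [object[]] $Services
    )
    # Assumption: both spellings identify the built-in SYSTEM account.
    $systemNames = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

    foreach ($svc in $Services) {
        # Assumption: Exchange 2003 service names start with "MSExchange".
        if ($svc.Name -notlike 'MSExchange*') { continue }
        $runsAsSystem = $systemNames -contains $svc.StartName
        New-Object PSObject -Property @{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            LogOnAs     = $svc.StartName
            State       = $svc.State
            Finding     = (-not $runsAsSystem)
        }
    }
}

# Live check on the Exchange server (uncomment to run against real services):
# $report = Test-ExchangeServiceLogon -Services (Get-WmiObject Win32_Service)

# Constructed sample records so the logic can be exercised offline. The second
# entry deliberately runs under a domain account to show what a finding looks like.
$sample = @(
    (New-Object PSObject -Property @{ Name = 'MSExchangeIS'; DisplayName = 'Microsoft Exchange Information Store'; StartName = 'LocalSystem'; State = 'Running' }),
    (New-Object PSObject -Property @{ Name = 'MSExchangeSA'; DisplayName = 'Microsoft Exchange System Attendant'; StartName = 'CORP\svc_exchange'; State = 'Running' }),
    (New-Object PSObject -Property @{ Name = 'W32Time';      DisplayName = 'Windows Time';                        StartName = 'NT AUTHORITY\LocalService'; State = 'Running' })
)

$report   = Test-ExchangeServiceLogon -Services $sample
$findings = @($report | Where-Object { $_.Finding })

$report | Format-Table Name, LogOnAs, State, Finding -AutoSize
if ($findings.Count -gt 0) {
    Write-Output "EMG3-119: FINDING - $($findings.Count) Exchange service(s) not running as SYSTEM"
    $findings | ForEach-Object { Write-Output ("  {0} logs on as {1}" -f $_.Name, $_.LogOnAs) }
} else {
    Write-Output "EMG3-119: not a finding"
}
```

Against the constructed sample the script reports one finding (MSExchangeSA, logging on as CORP\svc_exchange) and ignores W32Time, which is not an Exchange service. On a real server, replace the sample with the `Get-WmiObject Win32_Service` call shown in the comment; the remediation in the Fix Text (setting "Log on as" back to Local System) is then applied through the Services console as described, and the corrected state confirmed by re-running the check.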
Additional Identifiers
Rule ID: SV-20514r1_rule
Vulnerability ID: V-18795
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
No CCIs are assigned to this check |
Controls
Number | Title
---|---
No controls are assigned to this check |