Check: EMG2-817 Exch2K3
Microsoft Exchange Server 2003:
EMG2-817 Exch2K3
(in version v1 r5)
Title
Exchange Core Services Monitors are not configured with threshold and actions. (Cat II impact)
Discussion
Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Exchange 2003 built-in monitors enable the administrator to generate alerts when thresholds are reached, so that they can react in a timely fashion. This field allows the administrator to control notifications when a ‘warning’ or ‘critical’ trigger is issued in response to an Exchange Core Service being down. If Exchange Core Services are down, the service status state should be set to critical, as this will require immediate attention. Notification choices include an E-mail alert to an E-mail enabled account (for example, an E-mail Administrator) or invoking a script to take other action (for example, adding an event to the Microsoft Application Event Log, where external monitors might detect it).
Check Content
If Exchange Core Services monitoring is performed via a third party tool as part of an overall data center monitoring strategy, then this is N/A.

Review Exchange Core Services monitoring and notification.

Note: List content may differ depending on specific Exchange components implemented.

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Properties >> Monitoring Tab >> [Default Microsoft Exchange Services] >> Details Button

For each item listed, the "When Service is not Running, Change State to" should be "Critical" and the minimum action should be an E-mail to an E-mail Administrator or to an Incident Response team account.

Criteria: If, for each service, the "When Service is not Running, Change State to" is "Critical", and the minimum action is an E-mail to an Administrator or to an Incident Response Team account, this is not a finding.
Fix Text
Configure Exchange Core Services monitoring.

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Properties >> Monitoring tab >> [Windows 2003 Service] >> Details button

1) Add the monitor, if needed: Click ADD, select desired Exchange core Service.

2) Set the warning and critical thresholds for each service: Set “When service is not running change state to” Critical.

3) Create the notifications for each service: Exchange System Manager >> Tools >> Monitoring and Status >> Notifications

Declare notifications and communication methods as required by the local organization policy. At minimum, E-mail an on-call Exchange Administrator or an Incident Response administrator.
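The Discussion mentions invoking a script that adds an event to the Application Event Log so external monitors can detect the outage. The batch file below is an added example of such a script and is not part of the STIG text. It assumes the built-in `sc` and `eventcreate` commands of Windows Server 2003; the service list, the event source `ExchCoreSvcMonitor` and the event ID 817 are assumptions to adjust to the components installed locally.

```bat
@echo off
rem Added example (not from the STIG): log an Application Event Log error
rem that names every Exchange core service that is not running.
rem Assumed service short names; edit the list to match the services shown
rem in the monitor's Details dialog on this server.
setlocal
set DOWN=

for %%S in (MSExchangeSA MSExchangeIS MSExchangeMTA RESvc SMTPSVC W3SVC) do (
    rem "sc query" prints STATE ... RUNNING for a started service.
    rem A stopped, paused or missing service is treated as not running.
    sc query %%S | find "RUNNING" >nul
    if errorlevel 1 call :append %%S
)

rem Nothing is down: write no event and report success.
if not defined DOWN exit /b 0

rem Source name and event ID are hypothetical; external monitoring should
rem be set to alert on this source/ID pair in the Application log.
eventcreate /L APPLICATION /T ERROR /SO ExchCoreSvcMonitor /ID 817 /D "Exchange core service(s) not running:%DOWN%"
exit /b 1

:append
rem Build the space-separated list of services that are down.
set DOWN=%DOWN% %1
goto :eof
```

The script must run under an account allowed to write to the Application log, and it supplements the required E-mail notification rather than replacing it.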
Additional Identifiers
Rule ID: SV-20377r1_rule
Vulnerability ID: V-18717
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |