Title

Exchange software must be monitored for unauthorized changes. (Cat II impact)

Discussion

Monitoring software files for changes against a baseline on a regular basis may help detect the possible introduction of malicious code on a system.

Check Content

Review the Email Domain Security Plan (EDSP). Determine whether the site monitors system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on servers for unauthorized changes against a baseline on a weekly basis. If software files are not monitored for unauthorized changes on a weekly basis, this is a finding. Note: A properly configured HBSS Policy Auditor File Integrity Monitor (FIM) module will meet the requirement for file integrity checking. The Asset module within HBSS does not meet this requirement.

Fix Text

Update the EDSP. Monitor the software files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on Exchange servers for unauthorized changes against a baseline on a weekly basis. Use an approved DoD monitoring tool.

Additional Identifiers

Rule ID: SV-234789r961464_rule

Vulnerability ID: V-234789

Group Title: SRG-APP-000381

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.