Check: EX19-ED-000094
Microsoft Exchange 2019 Edge Server STIG:
EX19-ED-000094
(in versions v2 r2 through v1 r1)
Title
Exchange queue database must reside on a dedicated partition. (Cat II impact)
Discussion
In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to the host system can most likely lead to a compromise of all applications hosted by the same system. Email services should be installed to a discrete set of directories on a partition that does not host other applications. Email services should never be installed on a Domain Controller/Directory Services server.
Check Content
Open the Exchange Management Shell and run the following command:

```powershell
Get-Content $exbin\EdgeTransport.exe.config | Select-String "QueueDatabasePath" -SimpleMatch
```

Example Output:

```xml
<add key="QueueDatabasePath" value="F:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue" />
```

If the path of the Queue Database is on the same volume as the installation of Exchange, this is a finding.

If the path of the Queue Database is on the same volume as existing applications, this is a finding.
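The check above, automated as an added example that is not part of the STIG text: it parses EdgeTransport.exe.config as XML and compares the volume root of the queue database with the Exchange installation volume and with the install roots of any other applications the operator lists. It assumes the Exchange Management Shell variables $exbin and $exinstall are populated; the function name and the -OtherApplicationPaths parameter are this example's own.

```powershell
function Test-QueueDatabasePartition {
    [CmdletBinding()]
    param(
        # Path to EdgeTransport.exe.config; default is the live file under $exbin (EMS variable).
        [string]$ConfigPath = (Join-Path $exbin 'EdgeTransport.exe.config'),
        # Exchange installation directory ($exinstall in EMS); the queue DB must not share its volume.
        [string]$ExchangeInstallPath = $exinstall,
        # Install roots of other applications on this host, supplied by the operator (assumed input).
        [string[]]$OtherApplicationPaths = @()
    )

    # Parse the config as XML rather than grepping text, so quoting and whitespace differences do not matter.
    [xml]$config = Get-Content -Path $ConfigPath -Raw
    $node = $config.configuration.appSettings.add | Where-Object { $_.key -eq 'QueueDatabasePath' }
    if (-not $node) { throw "QueueDatabasePath key not found in $ConfigPath" }
    $queuePath = $node.value

    # Compare volume roots (e.g. 'F:'), normalised for case and trailing separator.
    $rootOf = { param($p) [System.IO.Path]::GetPathRoot($p).TrimEnd('\').ToUpperInvariant() }
    $queueRoot = & $rootOf $queuePath
    $findings = @()

    if ($queueRoot -eq (& $rootOf $ExchangeInstallPath)) {
        $findings += "Queue database '$queuePath' shares volume $queueRoot with the Exchange installation '$ExchangeInstallPath'."
    }
    foreach ($app in $OtherApplicationPaths) {
        if ($queueRoot -eq (& $rootOf $app)) {
            $findings += "Queue database '$queuePath' shares volume $queueRoot with application path '$app'."
        }
    }

    # Finding = $true means EX19-ED-000094 is open on this server.
    [pscustomobject]@{
        QueueDatabasePath = $queuePath
        QueueVolume       = $queueRoot
        Finding           = ($findings.Count -gt 0)
        Details           = $findings
    }
}

# Typical use from an Exchange Management Shell on the Edge server; list the install roots of any non-Exchange software.
Test-QueueDatabasePartition -OtherApplicationPaths @('C:\Program Files\SomeOtherApp') | Format-List
```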
Fix Text
It is recommended to follow the instructions found in the following documentation: https://learn.microsoft.com/en-us/exchange/mail-flow/queues/relocate-queue-database?view=exchserver-2019

Set aside time for maintenance before correcting the issue, as this will affect mail flow through the Edge role on that server.

Open an Exchange Management Shell and use the automated script (shipped with Exchange) to move the queue database and its existing files to the new destination. The following parameters must be supplied to successfully complete the move:

- -queueDatabasePath: New destination for the Queue Database. If the destination does not exist, the script will create it with the appropriate permissions.
- -queueDatabaseLoggingPath: New destination for the Queue Database Logs. If the destination does not exist, the script will create it with the appropriate permissions.
- -ipFilterDatabasePath: New destination for the IP filtering Database. If the destination does not exist, the script will create it with the appropriate permissions.
- -ipFilterDatabaseLoggingPath: New destination for the IP filtering Database Logs. If the destination does not exist, the script will create it with the appropriate permissions.
- -temporaryStorage: The path to which the script moves the old version of EdgeTransport.exe.config. The new version will have the updated path.

Note: Always back up the configuration file, as Cumulative Updates (CUs) will overwrite any added custom configuration.
Additional Identifiers
Rule ID: SV-259592r961095_rule
Vulnerability ID: V-259592
Group Title: SRG-APP-000211
CCIs
| Number | Definition |
|---|---|
| CCI-001082 | Separate user functionality, including user interface services, from system management functionality. |
Controls
| Number | Title |
|---|---|
| SC-2 | Separation of System and User Functionality |