1.1 Ensure access to SharePointEmailws.asmx is limited to only the server farm account

Information

Restrict access to the Microsoft SharePoint Directory Management Service by securing the file associated with this service, which is SharePointEmailws.asmx. Only the SharePoint server farm account requires access.
Rationale:
SharePoint 2016 includes an internal service, the Microsoft SharePoint Directory Management Service, for creating e-mail distribution groups. When you configure e-mail integration, you have the option to enable the Directory Management Service feature, which lets users create distribution lists. When users create a SharePoint group and they select the option to create a distribution list, the Microsoft SharePoint Directory Management Service creates the corresponding Active Directory distribution list in the Active Directory environment. Creating distribution lists in Active Directory should be limited to only this account.

Solution

Navigate to the directory %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\16\ISAPI
1. Find the SharePointEmailws.asmx file used by the Microsoft SharePoint Directory Management Service in that directory.
2. Right-click the file and view its Properties.
3. On the Security tab, verify that only the WSS_RESTRICTED_WPG has access to modify the file.
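
The same check can be scripted for repeatable audits. The PowerShell below is an added example, not part of the CIS benchmark text; it assumes it is run on the SharePoint server, that "access to modify" covers the write, delete, change-permissions and take-ownership rights, and that accounts are matched by name after any DOMAIN\ prefix. The function name Get-UnexpectedModifyAce and the exit codes are illustrative.

```powershell
# Added audit example (not CIS-provided). Reports every Allow ACE on
# SharePointEmailws.asmx that grants modify-level rights to an identity
# other than those in $Allowed.
param(
    # Directory and file name come from the Solution text above.
    [string]$Path = (Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\ISAPI\SharePointEmailws.asmx'),
    # Assumption: accounts are matched on the name after any DOMAIN\ prefix.
    [string[]]$Allowed = @('WSS_RESTRICTED_WPG')
)

# Assumption: "access to modify" means any right that can change, delete or
# re-permission the file. GENERIC_WRITE / GENERIC_ALL are added as raw bits.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, Delete, ChangePermissions, TakeOwnership'
$modifyMask  = [int]$writeRights -bor 0x40000000 -bor 0x10000000

function Get-UnexpectedModifyAce {
    param([string]$FilePath, [string[]]$AllowedNames, [int]$Mask)
    $acl = Get-Acl -LiteralPath $FilePath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }            # Deny ACEs grant nothing
        if (([int]$ace.FileSystemRights -band $Mask) -eq 0) { continue } # read/execute only
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($AllowedNames -notcontains $name) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    Write-Error "File not found: $Path"
    exit 2
}

$findings = @(Get-UnexpectedModifyAce -FilePath $Path -AllowedNames $Allowed -Mask $modifyMask)
if ($findings.Count -eq 0) {
    Write-Output "PASS: no identity outside $($Allowed -join ', ') holds modify-level rights on $Path"
    exit 0
}
Write-Output "REVIEW: $($findings.Count) other ACE(s) grant modify-level rights on $Path"
$findings | Format-Table -AutoSize
exit 1
```

Every identity outside the allow-list is reported, built-in principals included, and the Inherited column shows whether the entry is set on the file itself or comes from the ISAPI directory.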

See Also

https://workbench.cisecurity.org/files/2031