1.1 Ensure access to SharePointEmailws.asmx is limited to only the server farm account

Information

Restrict access to the Microsoft SharePoint Directory Management Service by securing the
file associated with this service, which is SharePointEmailws.asmx. Only the SharePoint
server farm account requires access.

Rationale:

SharePoint 2016 includes an internal service, the Microsoft SharePoint Directory
Management Service, for creating e-mail distribution groups. When you configure e-mail
integration, you have the option to enable the Directory Management Service feature,
which lets users create distribution lists. When users create a SharePoint group and they
select the option to create a distribution list, the Microsoft SharePoint Directory
Management Service creates the corresponding Active Directory distribution list in the
Active Directory environment. Creating distribution lists in Active Directory should be
limited to only this account.

Solution

1. Navigate to the directory %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\16\ISAPI and find the SharePointEmailws.asmx file used by the Microsoft SharePoint Directory Management Service.
2. Right-click on the file and view its Properties.
3. On the Security tab, verify that only the WSS_RESTRICTED_WPG group has access to modify the file.
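The same check can be run from an elevated PowerShell session on each SharePoint server instead of through the Properties dialog. The script below is an added audit example, not part of the CIS benchmark or of SharePoint; it assumes the file path given above, that WSS_RESTRICTED_WPG appears on the ACL as a local group (COMPUTERNAME\WSS_RESTRICTED_WPG), and that any identity outside the allow-list with more than read-and-execute rights should be reported. It only reads the ACL and changes nothing.

```powershell
# Added audit example (not benchmark or SharePoint code): report every Allow ACE on
# SharePointEmailws.asmx that grants more than read/execute to an identity other than
# WSS_RESTRICTED_WPG. Read-only; run as an administrator on each server in the farm.
function Test-SharePointEmailwsAcl {
    [CmdletBinding()]
    param(
        # Path from the benchmark; %CommonProgramFiles% is expanded from the environment.
        [string]$Path = (Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\ISAPI\SharePointEmailws.asmx'),
        # Group names (without the COMPUTERNAME\ prefix) allowed to modify the file (assumption).
        [string[]]$AllowedIdentities = @('WSS_RESTRICTED_WPG')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # Rights that are harmless for everyone else: read, execute and the Synchronize bit.
    # Anything outside this mask (Write, Modify, Delete, ChangePermissions, TakeOwnership,
    # FullControl, or an un-mapped generic right) counts as the ability to modify.
    $readOnlyMask = [int]([System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
                          [System.Security.AccessControl.FileSystemRights]::Synchronize)

    $acl = Get-Acl -LiteralPath $Path
    $findings = foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.FileSystemRights -band (-bnot $readOnlyMask)) -eq 0) { continue }
        # Local groups are shown as COMPUTERNAME\Group; compare on the bare name.
        $name = $rule.IdentityReference.Value.Split('\')[-1]
        if ($AllowedIdentities -contains $name) { continue }
        [pscustomobject]@{
            Identity    = $rule.IdentityReference.Value
            Rights      = $rule.FileSystemRights
            IsInherited = $rule.IsInherited   # inherited ACEs must be corrected on the parent folder
        }
    }

    if ($findings) {
        Write-Warning "${Path}: modify access granted outside $($AllowedIdentities -join ', ')"
        $findings
    } else {
        Write-Output "PASS: only $($AllowedIdentities -join ', ') can modify $Path"
    }
}

Test-SharePointEmailwsAcl
```

Any row returned is a finding to reconcile against the benchmark; the IsInherited column tells you whether to fix the file's own ACL or the ISAPI folder it inherits from.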

See Also

https://workbench.cisecurity.org/files/2395