EX16-MB-000600 - Exchange services must be documented and unnecessary services must be removed or disabled.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Unneeded but running services offer attackers an enhanced attack profile, and attackers are constantly watching to discover open ports with running services. By analyzing and disabling unneeded services, the associated open ports become unresponsive to outside queries, and servers become more secure as a result.

Exchange Server has role-based server deployment to enable protocol path control and logical separation of network traffic types.

For example, a server implemented in the Client Access role (i.e., Outlook Web App [OWA]) is configured and tuned as a web server using web protocols. A client access server exposes only web protocols (HTTP/HTTPS), enabling system administrators to optimize the protocol path and disable all services unnecessary for Exchange web services. Similarly, servers created to host mailboxes are dedicated to that task and must operate only the services needed for mailbox hosting. (Exchange servers must also operate some web services, but only to the degree that Exchange requires the IIS engine in order to function).

Because Post Office Protocol 3 (POP3) and Internet Message Access Protocol 4 (IMAP4) clients are not included in the standard desktop offering, they must be disabled. While IMAP4 is restricted, IMAP Secure is not restricted and does not apply to this requirement.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Update the EDSP to specify the services required for the system to function.

Remove or disable any services that are not required.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Exchange_2016_Y22M07_STIG.zip

Item Details

References: CAT|II, CCI|CCI-001762, Rule-ID|SV-228403r612748_rule, STIG-ID|EX16-MB-000600, STIG-Legacy|SV-95443, STIG-Legacy|V-80733, Vuln-ID|V-228403

Plugin: Windows

Control ID: c84b344f22aa09db80c0a91ee7427f43ea2f484d9c37fd55a19fb84673b37ec4