EX19-ED-000174 - Role-Based Access Control must be defined for privileged and nonprivileged users.

Information

Role Based Access Control (RBAC) is the permissions model used in Microsoft Exchange Server 2013, 2016, and 2019. With RBAC, there is no need to modify and manage access control lists (ACLs), which was done in Exchange Server 2007. ACLs created several challenges in Exchange 2007, such as modifying ACLs without causing unintended consequences, maintaining ACL modifications through upgrades, and troubleshooting problems that occurred due to using ACLs in a nonstandard way.

RBAC enables users to control, at both broad and granular levels, what administrators and end users can do. RBAC also enables users to more closely align the roles assigned to users and administrators to the actual roles they hold within the organization. In Exchange 2007, the server permissions model applied only to the administrators who managed the Exchange 2007 infrastructure. Starting in Exchange 2013, RBAC now controls both the administrative tasks that can be performed and the extent to which users can now administer their own mailbox and distribution groups.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Update the EDSP and define who should and should not have elevated privileges within the organization.

Follow the rule of least privilege and ensure that administrators are given just enough access to complete their job.

Reference document: https://docs.microsoft.com/en-us/exchange/understanding-management-role-groups-exchange-2013-help?view=exchserver-2019

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Exchange_2019_Y24M10_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(10), CAT|II, CCI|CCI-002235, Rule-ID|SV-259631r961353_rule, STIG-ID|EX19-ED-000174, Vuln-ID|V-259631

Plugin: Windows

Control ID: b2fcde71618774d097f9600d6e5089c6e73b05874e6fc57090ae0cd5df397cd9