Exchange server disable TCP/IP Client access to entire network

Asked by ianmac50:
We have a report from our auditors that states:

"The option to allow any TCP/IP client to the entire network is enabled in the registry settings on the Microsoft Windows Server (ECAE-MSG-SRV) hosting Microsoft Exchange."

The required action is:
The setting to allow TCP/IP clients to access the entire network should be disabled on the Microsoft Server that is hosting the Microsoft Exchange Server.

I have searched and searched on the net and for the life of me cannot find where in the registry this setting can be changed... any ideas?
Top Expert 2015

Commented:
Please post the original.
From your question I understand that you want to take your server off the net. Since Exchange uses only TCP/IP, you can just disconnect the network cable.
The setting to allow TCP/IP clients to access the entire network should be disabled on the Microsoft Server

>> Which server are they talking about: MBX, CAS or Hub?

IMO, all these servers need to be accessed from any machine in your network.
Similarly, the Exchange server should also notify mail updates/alerts to lots of other machines (Outlook clients) and wireless devices.

>> Do the auditors want the Exchange server to be accessed only from a few clients?
In that case the email from the Internet would get affected.
Top Expert 2015

Commented:
Can you post the audit advice in the original language in plain text?

Author

Commented:
Here is the original post:
We have a report from our auditors that states:

"The option to allow any TCP/IP client to the entire network is enabled in the registry settings on the Microsoft Windows Server (ECAE-MSG-SRV) hosting Microsoft Exchange."

The required action is:
The setting to allow TCP/IP clients to access the entire network should be disabled on the Microsoft Server that is hosting the Microsoft Exchange Server.

I have searched and searched on the net and for the life of me cannot find where in the registry this setting can be changed... any ideas?

Further comments from the auditors:

The current setup could result in information leakage outside ECAE or in copying virus-infected files to the local drives, and consequently result in damage to other network resources in the organization.

Moreover, unrestricted access to the network can lead to unintentional or deliberate tampering with system stability and security.

Top Expert 2015
Commented:
There is such a tick mark in the RAS configuration which bridges the RAS client to the network of the RAS server.
If you do not use RAS (or VPN) dial-in on the Exchange server (which is normally the case), the setting does not change anything.

Author

Commented:
Does anyone have the registry entry required for this... the auditors are quoting the COBIT framework as this being a requirement?
Top Expert 2015

Commented:
No products are directly mentioned in COBIT. You can get it in PDF format from isaca.org.

Which part of COBIT are they quoting?

It is a network card setting; once you configure dial-in, it becomes configurable.

Author

Commented:
I've requested that this question be deleted for the following reason:

None of the responses answered the question. It turns out that this functionality is only available in the registry in Exchange 2010 and not 2007.
Top Expert 2015

Commented:
W2003 enables the router; you can disable it. All in all, the parameter has no effect at all unless you have multiple networks on the same machine. It was a problem in the year 2000 when there was one SBS per office with dial-in on the same machine as Exchange, and even if dial-in was meant for Exchange, people could dial into the Internet over the same connection. Once that is known: does a change in this setting have any effect in your environment at all? Or tell the auditor there is no risk involved, since there is only one network on the Exchange server and it cannot be involved in routing at all.
http://www.windowsnetworking.com/articles_tutorials/w2kprout.html

There is no mention of dial-in or Exchange in the whole of COBIT. You have to just say their scan yielded a false positive. Got it finally?
It turns out that this functionality is only available in the registry in exchange 2010 and not 2007

>> Can you share the registry keys for the E2010, so we can try for the E2k7 settings?
Top Expert 2015

Commented:
That looks really strange...
It uses RAS for dial-in; that has registry settings.
Since you mention 2007/2010, I doubt there are any settings for CAS in the registry. It would be nice to get the value tested by the testers themselves....

Did the test involve remote registry access? (Then the RAS registry is of help.)
Exchange admin access? (Then I would lean towards PowerShell.)

I really do not see such a parameter in Exchange...

Author

Commented:
I am going back to the auditors to try and get the exact registry keys.
Our investigation and the comments above seem to show that there is no such setting in the registry, and the option to perform this in the GUI only exists in Exchange 2010 and not in earlier versions.
Top Expert 2015

Commented:
There is a similar setting in RAS, which Exchange up to 2003 used for dial-in access. But it is not plainly a vulnerability; it is a matter of educated choice: you want it or not....

It really needs more explanation ;)

Author

Commented:
When we went back to the auditors to get the actual keys (which is what we were trying to avoid, as we didn't want to look like we didn't know what we were doing :) ), this is what we got back:

This registry setting has been observed during the time of the audit on a Windows Server 2003 platform. The weak setting observed on the Exchange server is located in the following registry path: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ip". The key name in that profile is "AllowNetworkAccess" and its value has been set to "1", which means that it is enabled.

The risk behind this observation lies in the fact that if a RAS server were to be configured for remote access by internal or external clients, the current setting on the Exchange server will allow access for these clients to the entire network by default, and as discussed, this setting could be a residual setting from an old RAS configuration that no longer exists.
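An added check, not from this thread or from any of its posters: it reads the AllowNetworkAccess value at the path the auditors cited and puts it in context by testing whether the Routing and Remote Access service (service name RemoteAccess, a standard Windows service not named in the thread) is present and running, which is the question the experts above keep coming back to. The -Remediate switch, the assessment wording and the output object layout are my assumptions.

```powershell
# Added example (not from the thread): audit the RAS "AllowNetworkAccess" value
# the auditors flagged and report whether it can currently have any effect.
# Run in an elevated Windows PowerShell session on the Exchange host.
# Read-only unless -Remediate is given; -WhatIf is honoured for the write.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remediate)

$rasIpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ip'
$valueName = 'AllowNetworkAccess'

# 1. Read the flagged value. $null means the key or value is absent, i.e. the
#    RAS IP parameters were never written and the scanner's "enabled" claim
#    has nothing in the registry to stand on.
$allowNetworkAccess = $null
if (Test-Path $rasIpKey) {
    $props = Get-ItemProperty -Path $rasIpKey -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$valueName]) {
        $allowNetworkAccess = [int]$props.$valueName
    }
}

# 2. Is Routing and Remote Access installed and running? The value only
#    matters when RAS actually accepts dial-in or VPN clients.
$ras = Get-Service -Name 'RemoteAccess' -ErrorAction SilentlyContinue
$rasStatus = if ($ras) { $ras.Status.ToString() } else { 'NotInstalled' }
$rasStart  = if ($ras) {
    (Get-WmiObject Win32_Service -Filter "Name='RemoteAccess'").StartMode
} else { 'n/a' }

# 3. Classify the finding the way the thread argues it should be read.
$assessment = if ($null -eq $allowNetworkAccess) {
    'Value absent: RAS IP parameters never configured; finding is a false positive.'
} elseif ($allowNetworkAccess -eq 1 -and $rasStatus -ne 'Running') {
    'Value is 1 but RAS is not running: residual setting, no current exposure; clear it to close the audit item.'
} elseif ($allowNetworkAccess -eq 1) {
    'Value is 1 and RAS is running: dial-in/VPN clients are bridged to the whole network; review RAS policy.'
} else {
    'Value is 0: remote clients are restricted to the RAS server itself.'
}

[PSCustomObject]@{
    Computer           = $env:COMPUTERNAME
    AllowNetworkAccess = $allowNetworkAccess
    RasServiceStatus   = $rasStatus
    RasStartMode       = $rasStart
    Assessment         = $assessment
}

# 4. Optional remediation: set the value to 0 (respects -WhatIf / -Confirm).
if ($Remediate -and $allowNetworkAccess -eq 1 -and
    $PSCmdlet.ShouldProcess("$rasIpKey\$valueName", 'Set to 0')) {
    Set-ItemProperty -Path $rasIpKey -Name $valueName -Value 0 -Type DWord
}
```

Running it with -Remediate -WhatIf shows the intended registry write without performing it, which is a convenient artefact to hand back to the auditors alongside the assessment line.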
Top Expert 2015

Commented:
The risk behind this observation lies in the fact that IF a .... blah blah blah

So there is no risk or vulnerability in either case....
Awarded 2009
Top Expert 2010

Commented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
Top Expert 2015

Commented:
http://msdn.microsoft.com/en-us/library/ee791095%28v=prot.10%29.aspx

The named parameter exists and has the expected meaning from Windows 2008 / Windows 7 onwards.
It has no effect on 2003 (hopefully).
Top Expert 2015

Commented:
Basically:

1) The detection is a FALSE POSITIVE; ask your auditors to RTFM and fix the scanner (or give them a plumbing .REG file which has all the parameters that have no effect on older Windows versions).

2) The parameter to disable routing altogether disables all sorts of routing, be it RAS, RRAS or VPN.

3) There is no present risk with routing enabled unless you find a dial-in modem to attach to your server and a phone line (3G modems do not count as dial-in).
Top Expert 2015

Commented:
4) The named setting might be fed to legacy systems' registry if they have GPO updates installed.
There is a clear and present risk stemming from a wrong GPO on all W2008 servers; luckily enough, time-proven older systems are not at risk. (Root cause analysis.)
Top Expert 2015

Commented:
http:#35791964 is the first correct guess. The named tick mark uses a different place in the registry than the scanner detects, and by default it is off.
