<div>
Please post original.<br />
From your question i understand that you want to take your server off the net. Since exchange uses only TCP7IP you can just disconnect the network cable.
</div>


<div>
The setting to allow TCP/IP clients to access the entire network should be disabled on the Microsoft Server The setting to allow TCP/IP clients to access the entire network should be disabled on the Microsoft Server <br />
<br />
&gt;&gt;&nbsp;which server they are talking about mbx, cas or hub.<br />
<br />
IMO, all these servers needs to be accessed from any machines in your network<br />
similarly exchange-server should also notifiy the mail-updates\alerts to lots of other machines (Outlook clients) and wireless devices<br />
<br />
&gt;&gt;&nbsp;Auditors wants the exchange-server to be accessed only from few clients?<br />
In that case the emails from Internet would get affected
</div>


<div>
Can you post audit advice in original language in plain text?<br />

</div>


<div>
Does anyone have the registry entry required for this ... the Auditors are quoting the Cobit framework as this being a requirement ?
</div>


<div>
No products are directly mentioned in COBIT. You can get it in PDF format from isaca.org<br />
<br />
Which part of Cobit they are quoting?<br />
<br />
It is a netcard setting once you configure Dial-in you have it configurable.
</div>


<div>
I've requested that this question be deleted for the following reason:<br />
<br />
none of the responses anwered the question. It turns out that this functionality is only available in the registry in exchange 2010 and not 2007
</div>


<div>
w2003 enables router, you can disable it. All in all parameter has no effect at all unless you have multiple networks on same machine. It was a problem in Year 2000 when there is one SBS per office and has dial-in on the same machine as exchange and even if dial-in is meant for exchange people can dial into internet over same connection. Once it is known - does change in this setting make any effect in your environment at all? Or tell auditor there is no risk involved since there is only one network on the exchange server and it cannot be involved into routing at all.<br />
<a href="http://www.windowsnetworking.com/articles_tutorials/w2kprout.html" rel="ugc">http://www.windowsnetworking.com/articles_tutorials/w2kprout.html</a><br />
<br />
There is no mention of Dial-In or Exchange in whole COBIT. &nbsp;You have to just say their scan yielded a false positive - got it finally?<br />

</div>


<div>
It turns out that this functionality is only available in the registry in exchange 2010 and not 2007 <br />
<br />
&gt;&gt;&nbsp;Can you share the registry keys for the E2010, so we can try for the E2k7 settings?
</div>


<div>
That looks really strange...<br />
It uses RAS for dial-in - that has registry settings.<br />
Since you mention 2007/2010 i doubt there are any settings for CAS in registry. Would be nice to get value tested from testers themselves....<br />
<br />
Did the test involve remote registry access? (RAS registry is of help)<br />
Exchange admin access? (then I would lean towards PowerShell)<br />
<br />
I really do not see such parameter in Exchange...
</div>


<div>
I am going back to the auditors to try and get the exact registry keys.<br />
Our investigation and the comments above seem to show that there is no setting in registry and the option to perform this in the GUI only exists in Exchange 2010 and not earlier versions 
</div>


<div>
There is similar setting in RAS, which exchange up to 2003 used for dial-in access. But it is not plainly a vulnerability - it is a matter of educated choice - you want it or not....<br />
<br />
It really needs more explanation ;)
</div>


<div>
When we went back to the auditors to get the actual keys (which what we were trying to avoid as we didn't want to look like we didn't know what we were doing :) ). This is what we got back: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<br />
<i>This registry setting has been observed during the time of the audit on a Windows Server 2003 platform. The weak setting observed on the exchange server is located in the following registry path “HKEY_LOCAL_MACHINE\SYSTEM<wbr />\CurrentCo<wbr />ntrolSet\S<wbr />ervices\Re<wbr />moteAccess<wbr />\Parameter<wbr />s\Ip”. The key name in that profile is “AllowNetworkAccess” and its value has been set to “1”, which means that it is enabled.<br />
&nbsp;<br />
The risk behind this observation lies in the fact that if a RAS server were to be configured for remote access by internal or external clients, the current setting on the exchange server will allow access for these clients to the entire network by default, and as discussed, this setting could be a residual setting from an old RAS configuration that no longer exists</i>.<br />

</div>


<div>
The risk behind this observation lies in the fact that <u><b>IF</b></u> a .... blah blah blah<br />
<br />
So there is no risk or vulnerability in either case.... 
</div>


<div>
I've requested that this question be deleted for the following reason:<br />
<br />
Not enough information to confirm an answer.
</div>


<div>
<a href="http://msdn.microsoft.com/en-us/library/ee791095%28v=prot.10%29.aspx" rel="ugc">http://msdn.microsoft.com/en-us/library/ee791095%28v=prot.10%29.aspx</a><br />
<br />
Named parameter exists and has expected meaning from Windows 2008 Windos 7 onwards.<br />
It has no effect on 2003 (hopefully)
</div>


<div>
Basically:<br />
<br />
1) Detection is FALSE POSITIVE ask your auditors to RTFM and fix the scanner (or give plumbing .REG file which has all parameters that have no effect on older windows version)<br />
<br />
2) Parameter to diasable routing altogether disables all sorts of routing, RAS,RRAS, or be it VPN<br />
<br />
3) There is no present risk with routing enabled unless you find a dial-in modem to attach to your server and phone line (3G modems do not count as dial-in)
</div>


<div>
4) named setting might be fed to legacy systems' registry if they have GPO updates installed.<br />
there is a clear and present risk stemming from wrong GPO on all w2008 servers, luckily enough time-proven older systems are not at risk. (Root cause analysis)
</div>


<div>
<a href="http:#35791964" rel="ugc">http:#35791964</a> is first correct guess. Named tickmark uses different place in registry than scanner detects, and by default is off.
</div>


<div>
<div class="content wysiwyg-content">
We have a report from our auditors that &nbsp;states: <br />
<br />
The option to allow any TCP/IP client to the entire network is enabled in the registry settings on the Microsoft Windows Server (ECAE-MSG-SRV) hosting Microsoft Exchange.&quot;• &nbsp; <br />
<br />
<b>The required action is </b><br />
The setting to allow TCP/IP clients to access the entire network should be disabled on the Microsoft Server that is hosting the Microsoft Exchange Server.<br />
<br />
I have searched and searched on the net and for the life of me can not find where in the registry this setting can be changed... any ideas
</div>
</div>


We have a report from our auditors that  states: 

The option to allow any TCP/IP client to the entire network is enabled in the registry settings on the Microsoft Windows Server (ECAE-MSG-SRV) hosting Microsoft Exchange."•   

The required action is 
The setting to allow TCP/IP clients to access the entire network should be disabled on the Microsoft Server that is hosting the Microsoft Exchange Server.

I have searched and searched on the net and for the life of me can not find where in the registry this setting can be changed... any ideas

Exchange server disable TCP/IP Client access to entire network

Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).

Windows Server 2003

Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.