Exchange 2007 SP3 RU17 Security Finding

Does Exchange 2007 require the Global .NET Trust Level to be configured at "FULL"?
The STIG for Exchange 2007 notes it as a finding if it is at "FULL".

The production web-site must configure the Global .NET Trust Level.

An application's trust level determines the permissions granted by the ASP.NET Code Access Security (CAS) policy. An application with full trust permissions may access all resource types on a server.

You can safely reduce the .NET trust level to Medium.

Radhakrishnan R, Senior Technical Lead, commented:

By default, ASP.NET applications that use .NET Framework version 1.1 and 2.0 run with full trust but this can be set to medium as it won't break anything.
btan, Exec Consultant, commented:

It is all about always granting only the privileges you really need. Likewise for the Global .NET trust level, the default setting is Full, which is too "open". It is recommended that the global .NET Trust Level be set to Medium or lower, as this is also advocated in the CIS compliance benchmark. Note it is for IIS. When the trust level is set to High, you can't access message queuing service queries.
Medium (web_mediumtrust.config) - Specifies a medium level of code access security, which means that, in addition to High Trust Level restrictions, the ASP.NET application cannot do any of the following things by default:
◦ Access files outside the application directory.
◦ Access the registry.
◦ Make network or Web service calls.

If there is application impact, which I previously understood there may be for running OWA, then justify it accordingly based on the business running, and at most ensure that logging and audit are enabled and procedures are in place to monitor for anomalies as mitigation. The exposure for "Full" really should be reduced, especially if your application on the server system has full trust (CAS) and is running under an account with elevated privileges: the application can easily delete other applications on the same server... Detect if you cannot prevent, in this case of balancing the calculated risk.

All 3 comments agree on the same; the longer it takes, the better the explanation.
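
An added example, not part of the original thread: a PowerShell function that reads the text of a root-level web.config and flags any `<trust>` level above Medium, the setting the comments above recommend. The function name, the `app1` location path and the sample XML are constructed for illustration.

```powershell
# Added example (not from the thread): report <trust> levels in a web.config.
function Get-TrustLevelFinding {
    param(
        [Parameter(Mandatory = $true)][string]$ConfigXml,
        # Levels treated as acceptable; the thread recommends Medium or lower.
        [string[]]$Allowed = @('Medium', 'Low', 'Minimal')
    )
    $doc = [xml]$ConfigXml
    # Match on local-name() so a default xmlns on <configuration> does not hide nodes.
    $nodes = @($doc.SelectNodes("//*[local-name()='trust' and local-name(..)='system.web']"))
    if ($nodes.Count -eq 0) {
        # In the root web.config, no <trust> element means the default level, Full.
        New-Object PSObject -Property @{
            Location = '(root)'; Level = 'Full (default, not set)'; AllowOverride = ''; Finding = $true
        } | Select-Object Location, Level, AllowOverride, Finding
        return
    }
    foreach ($n in $nodes) {
        # A <trust> inside <location> applies to that path; allowOverride="true"
        # (also the default when absent) lets child configs raise the level again.
        $loc = $n.SelectSingleNode("ancestor::*[local-name()='location']")
        $path = '(root)'
        $override = ''
        if ($null -ne $loc) {
            if ($loc.GetAttribute('path')) { $path = $loc.GetAttribute('path') }
            $override = $loc.GetAttribute('allowOverride')
        }
        $level = $n.GetAttribute('level')
        New-Object PSObject -Property @{
            Location = $path; Level = $level; AllowOverride = $override
            Finding  = ($Allowed -notcontains $level)   # -notcontains is case-insensitive
        } | Select-Object Location, Level, AllowOverride, Finding
    }
}

# Constructed sample: global level left at Full, one hypothetical app at Medium.
$sample = @'
<configuration>
  <location allowOverride="true">
    <system.web><trust level="Full" originUrl="" /></system.web>
  </location>
  <location path="Default Web Site/app1" allowOverride="false">
    <system.web><trust level="Medium" originUrl="" /></system.web>
  </location>
</configuration>
'@
Get-TrustLevelFinding -ConfigXml $sample | Format-Table -AutoSize
```

To audit a real server, pass the file contents of the root web.config for the .NET Framework version in use instead of `$sample`.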