
Exchange 2010 Client Access Server STIG


Date: 2017-01-03
Finding Count (28): CAT I (High): 0, CAT II (Med): 25, CAT III (Low): 3
STIG Description
The Microsoft Exchange Server 2010 STIGs cover four of the five roles available with Microsoft Exchange Server 2010. The Email Services Policy STIG must also be reviewed for each site hosting email services. Also, for the Client Access server, the IIS guidance must be reviewed prior to the OWA checks. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID | Severity | Title
V-33562 | Medium | The Microsoft Exchange IMAP4 service must be disabled.
V-33645 | Medium | HTTP authenticated access must be set to Integrated Windows Authentication only.
V-33606 | Medium | Email Diagnostic log level must be set to low or lowest level.
V-33607 | Medium | Outlook Anywhere (OA) clients must use NTLM authentication to access email.
V-33608 | Medium | The Send Fatal Errors to Microsoft must be disabled.
V-33609 | Medium | Administrator audit logging must be enabled.
V-33629 | Medium | The current, approved service pack must be installed.
V-33585 | Medium | Encryption must be used for OWA access.
V-33584 | Medium | Web email must use standard ports protocols.
V-33620 | Medium | Email software must be monitored for change on INFOCON frequency schedule.
V-33588 | Medium | Forms-based Authentication must not be enabled.
V-33623 | Medium | Services must be documented and unnecessary services must be removed or disabled.
V-33625 | Medium | Email application must not share a partition with another application.
V-33626 | Medium | Servers must use approved DoD certificates.
V-33570 | Medium | The Microsoft Exchange POP3 service must be disabled.
V-33559 | Medium | Encryption must be used for RPC client access.
V-33616 | Medium | Exchange must not send Customer Experience reports to Microsoft.
V-33611 | Medium | Audit data must be protected against unauthorized access.
V-33613 | Medium | Exchange application directory must be protected from unauthorized access.
V-33619 | Medium | Queue monitoring must be configured with threshold and action.
V-33618 | Medium | Audit data must be on separate partitions.
V-33632 | Medium | Local machine policy must require signed scripts.
V-39167 | Medium | Exchange ActiveSync (EAS) must only use certificate-based authentication to access email.
V-39172 | Medium | IIS must map client certificates to an approved certificate server.
V-33621 | Medium | Exchange software baseline copy must exist.
V-33571 | Low | The Public Folder virtual directory must be removed if not in use by the site.
V-33617 | Low | Audit record parameters must be set.
V-33610 | Low | The Microsoft Active Sync directory must be removed.