
Exchange 2010 Mailbox Server STIG


Date: 2017-07-05
Finding Count (33): CAT I (High): 1, CAT II (Med): 22, CAT III (Low): 10
STIG Description
The Microsoft Exchange Server 2010 STIGs cover four of the five roles available with Microsoft Exchange Server 2010. The Email Services Policy STIG must also be reviewed for each site hosting email services. Also, for the Client Access server, the IIS guidance must be reviewed prior to the OWA checks. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-33628 High Email servers must have Email aware virus protection.
V-33600 Medium Mailboxes must be retained until backups are complete.
V-33606 Medium Email Diagnostic log level must be set to low or lowest level.
V-33604 Medium Mailbox databases must reside on a dedicated partition.
V-33605 Medium Email forwarding must be restricted.
V-33608 Medium The Send Fatal Errors to Microsoft must be disabled.
V-33609 Medium Administrator audit logging must be enabled.
V-33580 Medium Public Folder stores must be retained until backups are complete.
V-33620 Medium Email software must be monitored for change on INFOCON frequency schedule.
V-33621 Medium Exchange software baseline copy must exist.
V-33623 Medium Services must be documented and unnecessary services must be removed or disabled.
V-33625 Medium Email application must not share a partition with another application.
V-33626 Medium Servers must use approved DoD certificates.
V-33629 Medium The current, approved service pack must be installed.
V-33615 Medium Message Tracking Logging must be enabled.
V-33614 Medium Email Subject Line logging must be disabled.
V-33616 Medium Exchange must not send Customer Experience reports to Microsoft.
V-33611 Medium Audit data must be protected against unauthorized access.
V-33613 Medium Exchange application directory must be protected from unauthorized access.
V-33619 Medium Queue monitoring must be configured with threshold and action.
V-33618 Medium Audit data must be on separate partitions.
V-39160 Medium Email forwarding SMTP domains must be restricted.
V-33632 Medium Local machine policy must require signed scripts.
V-33593 Low Mail Store storage quota must limit send.
V-33602 Low Mailbox database must not be overwritten by a restore.
V-33582 Low Public Folder database must not be overwritten by a restore.
V-33573 Low Public Store storage quota must be limited.
V-33577 Low The Public Folder Stores must mount at startup.
V-33617 Low Audit record parameters must be set.
V-33612 Low Circular Logging must be disabled.
V-33597 Low The Mailbox Stores must mount at startup.
V-33595 Low Mail Store storage quota must issue a warning.
V-33591 Low Mail quota settings must not restrict receiving mail.