Exch-ED-217 | Medium | Internal Send Connectors must be encrypted. | The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. There are several controls that work together to provide security between... |
Exch-ED-216 | Medium | Internal Send Connectors must use Domain Security (Mutual Authentication TLS). | The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. There are several controls that work together to provide security between... |
Exch-ED-213 | Medium | Send Connector message size must be controlled. | This setting can be used to limit the total size of messages at the connector level. This includes the message header, the message body, and any attachments. For internal message flow, Exchange... |
Exch-ED-239 | Medium | Sender Identification process must be enabled. | Sender Identification (SID) is an email anti-spam sanitization process. Sender ID uses DNS MX record lookups to verify the SMTP sending server is authorized to send email for the originating... |
Exch-ED-238 | Medium | Session request from unauthorized senders must be rejected. | Sender Identification (SID) is an email anti-spam sanitization process. Sender ID uses DNS MX record lookups to verify the SMTP sending server is authorized to send email for the originating... |
Exch-ED-219 | Medium | Connectivity logging must be enabled. | A connectivity log is a record of the SMTP connection activity of the outbound message delivery queues to the destination Mailbox server, smart host, or domain. Connectivity logging is available... |
Exch-ED-236 | Medium | SPAM evaluation filter must be enabled. | By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages may be eliminated from the transport message stream, preventing their entry into the Exchange... |
Exch-ED-234 | Medium | Sender reputation must be configured. | By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the Mail server... |
Exch-ED-233 | Medium | Sender reputation must be enabled. | By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the Mail server... |
Exch-ED-232 | Medium | Accepted domains must be verified. | Exchange may be configured to accept email for multiple domain names. This setting controls which domains the server will accept mail. This check verifies the email server is not accepting email... |
Exch-ED-231 | Medium | Blank sender field action type must be set. | By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server... |
Exch-ED-230 | Medium | Messages with a blank sender field must be filtered. | By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server... |
Exch-ED-222 | Medium | External/Internet bound automated response messages must be disabled. | SPAM originators, in an effort to refine mailing lists, sometimes use a technique where they monitor transmissions for automated bounce back messages such as "Out of Office" messages. Automated... |
Exch-ED-223 | Medium | Auto-forwarding email must be disabled. | Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this information to conduct future attacks. Ensure... |
Exch-ED-206 | Medium | Internal Receive Connectors must use Domain Security (Mutual Authentication TLS). | The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. There are several controls that work together to provide security between... |
Exch-ED-207 | Medium | Internet Receive Connectors must offer TLS before using basic authentication. | Sending unencrypted email over the Internet increases the risk that messages can be intercepted or altered. Transport Layer Security (TLS) is designed to protect confidentiality and data integrity... |
Exch-ED-204 | Medium | Receive Connector must restrict relay access. | This control is used to limit the servers that may use this server as a relay. If a Simple Mail Transport Protocol (SMTP) sender does not have a direct connection to the Internet (for example, an... |
Exch-ED-205 | Medium | Internal Receive Connectors must be encrypted. | The Simple Mail Transfer Protocol (SMTP) Receive Connector is used by Exchange to send and receive messages from server to server using SMTP protocol. This setting controls the encryption... |
Exch-ED-229 | Medium | Filtered messages must be archived. | As messages are filtered by the Email sanitization process, an archive must be specified and managed by the Email administrators. The archive may be used to recover messages that might have been... |
Exch-ED-200 | Medium | SMTP automated banner response must be set. | Automated connection responses occur as a result of FTP or Telnet connections, when connecting to those services. They report a successful connection by greeting the connecting client, stating... |
Exch-ED-201 | Medium | Receive Connector message size must be controlled. | This setting can be used to limit the total size of messages at the connector level. This includes the message header, the message body, and any attachments. For internal message flow, Exchange... |
Exch-ED-224 | Medium | Exchange must not send auto replies to remote domains. | Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this information to conduct future attacks. Remote... |
Exch-ED-225 | Medium | Attachment filtering must remove undesirable attachments by file type. | By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the Mail server... |
Exch-ED-227 | Medium | Non-existent recipients must not be blocked. | SPAM originators, in an effort to refine mailing lists, sometimes use a technique where they first create fictitious names, and then monitor rejected emails for non-existent recipients. Those... |
Exch-ED-220 | Medium | Exchange must not send delivery reports to remote domains. | Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this information to conduct future attacks. Ensure... |
Exch-ED-221 | Medium | Exchange must not send non-delivery reports to remote domains. | Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this information to conduct future attacks. Ensure... |
Exch-ED-237 | Medium | Block list service provider must be identified. | Block List filtering is a sanitization process performed on email messages prior to their arrival at the destination mailbox. By performing this process at the email perimeter, threats can be... |
Exch-ED-228 | Medium | Tarpitting interval must be set. | Tarpitting is the practice of artificially delaying server responses for specific SMTP communication patterns that indicate high volumes of spam or other unwelcome messages. The intent of... |
Exch-ED-211 | Low | Send Connectors must be clearly named. | For Send Connectors, unclear naming as to direction and purpose increases risk that messages may not flow as intended, troubleshooting efforts may be impaired, or incorrect assumptions made about... |
Exch-ED-210 | Low | Receive Connectors must be clearly named. | For Receive Connectors, unclear naming as to direction and purpose increases risk that messages may not flow as intended, troubleshooting efforts may be impaired, or incorrect assumptions made... |
Exch-ED-212 | Low | Send Connectors delivery retries must be controlled. | This setting controls the rate at which delivery attempts from the home domain are retried, user notification is issued, and expiration timeout when the message will be discarded. If delivery... |
Exch-ED-215 | Low | Send connections per domain must be set. | This configuration controls the maximum number of simultaneous outbound connections to a domain, and works in conjunction with the Maximum Outbound Connections Count setting as a delivery tuning... |
Exch-ED-214 | Low | Send Connector connections count must be limited. | This setting controls the maximum number of simultaneous outbound connections allowed for a given SMTP Connector, and can be used to throttle the SMTP service if resource constraints warrant it. ... |
Exch-ED-202 | Low | Receive Connector connections count must be controlled. | Email system availability depends in part on best practices strategies for setting tuning. This configuration controls the maximum number of simultaneous inbound connections allowed to the server.... |
Exch-ED-208 | Low | Receive Connectors must control the message count per inbound session. | Email system availability depends in part on best practices strategies for setting tuning configurations. This setting controls the maximum number of messages allowed in a single SMTP session by... |
Exch-ED-209 | Low | Receive Connectors must control the number of recipients 'chunked' on a single message. | Email system availability depends in part on best practices strategies for setting tuning configurations. This setting is used when two Exchange servers send or receive email. The chunking setting... |
Exch-ED-203 | Low | Receive Connector timeout must be limited. | Email system availability depends in part on best practices strategies for setting tuning. This configuration controls the number of idle minutes before the connection is dropped. It works in... |