{
"stig": {
"date": "2012-05-31",
"description": "The Microsoft Exchange Server 2010 STIGs cover four of the five roles available with Microsoft Exchange Server 2010, plus core Exchange Server 2010 global requirements. The Email Services Policy STIG must also be reviewed for each site hosting email services. The core Exchange Server guidance must be reviewed on each server role prior to the role-specific guidance. Also, for the Client Access server, the IIS guidance must be reviewed prior to the OWA checks.",
"findings": {
"Exch-ED-200": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-ReceiveConnector | Select Name, Identity, Banner\n\nIf the value of \"Banner\" is not set to <'DomainName'> \"SMTP Server Ready\", this is a finding.",
"description": "Automated connection responses occur as a result of FTP or Telnet connections, when connecting to those services. They report a successful connection by greeting the connecting client, stating the name, release level, and (often) additional information regarding the responding product. While useful to the connecting client, connection responses can also be used by a third party to determine operating system (OS) or product release levels on the target server. The result can include disclosure of configuration information to third parties, paving the way for possible future attacks. \nFor example, when querying the SMTP service on port 25, the default response looks similar to this one: \n\n220 exchange.mydomain.org Microsoft ESMTP MAIL Service, Version: 6.0.3790.211 ready at Wed, 2 Feb 2005 23:40:00 -0500\n\nChanging the response to hide local configuration details reduces the attack profile of the target.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-ReceiveConnector -Identity <'ReceiveConnector'> -Banner \"DomainName SMTP Server Ready\"",
"iacontrols": null,
"id": "Exch-ED-200",
"ruleID": "Exch-ED-200_rule",
"severity": "medium",
"title": "SMTP automated banner response must be set.",
"version": "Exch-ED-200"
},
"Exch-ED-201": {
"checkid": "C-_chk",
"checktext": "Obtain the Email Domain Security Plan (EDSP) and locate the maximum message size for the Receive Connector. \n\nOpen the Exchange Management Shell and enter the following command.\n\nGet-ReceiveConnector | Select Identity, MaxMessageSize\n\nIf the value of \"MaxMessageSize\" is set to 10MB or less, this is not a finding.\n\nIf the value of \"MaxMessageSize\" is set to more than 10MB, and has signoff and risk acceptance in the EDSP, this is not a finding.",
"description": "This setting can be used to limit the total size of messages at the connector level. This includes the message header, the message body, and any attachments. For internal message flow, Exchange Server uses the custom X-MS-Exchange-Organization-OriginalSize: message header to record the original message size of the message as it enters the Exchange Server organization. Whenever the message is checked against the specified message size limits, the lower value of the current message size or the original message size header is used. The size of the message can change because of content conversion, encoding, and agent processing. This setting somewhat limits the impact a malicious user or a computer with malware can have on the Exchange infrastructure by restricting the size of incoming messages.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-ReceiveConnector -Identity <'ReceiveConnector'> -MaxMessageSize 10MB or other value as identified by the Email Domain Security Plan.",
"iacontrols": null,
"id": "Exch-ED-201",
"ruleID": "Exch-ED-201_rule",
"severity": "medium",
"title": "Receive Connector message size must be controlled.",
"version": "Exch-ED-201"
},
"Exch-ED-202": {
"checkid": "C-_chk",
"checktext": "Obtain the Email Domain Security Plan (EDSP) and locate the \"Maximum Inbound connections\" value. \n\nOpen the Exchange Management Shell and enter the following command.\n\nGet-ReceiveConnector | Select Name, Identity, MaxInboundConnection\n\nIf the value of \"MaxInboundConnection\" is set to 5000 or less, this is not a finding.\n\nIf \"MaxInboundConnection\" is set to more than 5000, and has signoff and risk acceptance in the EDSP, this is not a finding.",
"description": "Email system availability depends in part on best-practice tuning strategies. This configuration controls the maximum number of simultaneous inbound connections allowed to the server. By default, the number of simultaneous inbound connections is unlimited. If a limit is set and is too low, the connection pool may get filled. If attackers perceive there is a limit, they could deny service to the Simple Mail Transfer Protocol (SMTP) server using a limited connection count.\n",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-ReceiveConnector -Identity <'ReceiveConnector'> -MaxInboundConnection 5000 or other value as identified by the Email Domain Security Plan.",
"iacontrols": null,
"id": "Exch-ED-202",
"ruleID": "Exch-ED-202_rule",
"severity": "low",
"title": "Receive Connector connections count must be controlled.",
"version": "Exch-ED-202"
},
"Exch-ED-203": {
"checkid": "C-_chk",
"checktext": "Obtain the Email Domain Security Plan (EDSP) and locate the \"Connection Timeout\" value. \n\nOpen the Exchange Management Shell and enter the following command.\n\nGet-ReceiveConnector | Select Name, Identity, ConnectionTimeout\n\nIf the value of \"ConnectionTimeout\" is set to 00:10:00 or less, this is not a finding.\n\nIf \"ConnectionTimeout\" is set to more than 00:10:00, and has signoff and risk acceptance in the EDSP, this is not a finding.",
"description": "Email system availability depends in part on best-practice tuning strategies. This configuration controls the number of idle minutes before the connection is dropped. It works in conjunction with the Maximum Inbound Connections Count setting. \n\nConnections, once established, may incur delays in message transfer. If the timeout period is too long, there is a risk that idle connections may be maintained for unnecessarily long periods, preventing new connections from being established. \n",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-ReceiveConnector -Identity <'ReceiveConnector'> -ConnectionTimeout 00:10:00 or other value as identified by the Email Domain Security Plan.",
"iacontrols": null,
"id": "Exch-ED-203",
"ruleID": "Exch-ED-203_rule",
"severity": "low",
"title": "Receive Connector timeout must be limited.",
"version": "Exch-ED-203"
},
"Exch-ED-204": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-ReceiveConnector | Select Name, Identity, PermissionGroups\n\nIf the value of \"PermissionGroups\" is \"AnonymousUsers\" for any non-internet connector, this is a finding.",
"description": "This control is used to limit the servers that may use this server as a relay. If a Simple Mail Transport Protocol (SMTP) sender does not have a direct connection to the Internet (for example, an application that produces reports to be emailed), then it will need to use an SMTP Receive Connector that does have a path to the Internet (for example, a local email server) as a relay.\n\nSMTP relay functions must be protected so third parties are not able to hijack a relay service for their own purposes. Most commonly, hijacking of relays is done by SPAMMERS to disguise the source of their messages, and may also be used to cover the source of more destructive attacks. \n \nRelays can be restricted in one of three ways: by blocking relays (restrict to a blank list of servers), by restricting use to lists of valid servers, or by restricting use to servers that can authenticate. A fourth configuration, \"allow all except the list below\", should never be used. Because authenticated connections are the most secure for SMTP Receive Connectors, it is recommended that relays allow only servers that can authenticate.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-ReceiveConnector -Identity <'ReceiveConnector'> -PermissionGroups 'ExchangeUsers'",
"iacontrols": null,
"id": "Exch-ED-204",
"ruleID": "Exch-ED-204_rule",
"severity": "medium",
"title": "Receive Connector must restrict relay access.",
"version": "Exch-ED-204"
},
"Exch-ED-205": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-ReceiveConnector | Select Name, Identity, AuthMechanism\n\nIf the value of \"AuthMechanism\" is not set to \"Tls\", this is a finding.",
"description": "The Simple Mail Transfer Protocol (SMTP) Receive Connector is used by Exchange to send and receive messages from server to server using SMTP protocol. This setting controls the encryption strength used for client connections to the SMTP Receive Connector. With this feature enabled, only clients capable of supporting secure communications will be able to send mail using this SMTP server. Where secure channels are required, encryption can also be selected. \n\nThe use of secure communication prevents eavesdroppers from reading or modifying communications between mail clients and servers. While sensitive message bodies should be encrypted by the sender at the client, requiring a secure connection from the client to the server adds protection by encrypting the sender and recipient information that cannot be encrypted by the sender. \n\nIndividually, channel security and encryption have been compromised by attackers. Used together, email becomes a more difficult target, and security is heightened. Failure to enable this feature gives eavesdroppers an opportunity to read or modify messages between the client and server.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-ReceiveConnector -Identity <'ReceiveConnector'> -AuthMechanism 'Tls'",
"iacontrols": null,
"id": "Exch-ED-205",
"ruleID": "Exch-ED-205_rule",
"severity": "medium",
"title": "Internal Receive Connectors must be encrypted.",
"version": "Exch-ED-205"
},
"Exch-ED-206": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-ReceiveConnector | Select Name, Identity, DomainSecureEnabled\n\nIf the value of \"DomainSecureEnabled\" is not set to \"True\", this is a finding.",
"description": "The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. There are several controls that work together to provide security between internal servers. This setting controls the authentication method used for communications between servers. With this feature enabled, only servers capable of supporting domain authentication will be able to send and receive mail within the domain.\n\nThe use of secure communication prevents eavesdroppers from reading or modifying communications between mail clients and servers. While sensitive message bodies should be encrypted by the sender at the client, requiring a secure connection from server to server adds protection by encrypting the sender and recipient information that cannot be encrypted by the sender. \n\nIndividually, channel security and encryption can be compromised by attackers. Used together, email becomes a more difficult target, and security is heightened. Failure to enable this feature gives eavesdroppers an opportunity to read or modify messages between servers.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-ReceiveConnector -Identity <'ReceiveConnector'> -DomainSecureEnabled $true",
"iacontrols": null,
"id": "Exch-ED-206",
"ruleID": "Exch-ED-206_rule",
"severity": "medium",
"title": "Internal Receive Connectors must use Domain Security (Mutual Authentication TLS).",
"version": "Exch-ED-206"
},
"Exch-ED-207": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-ReceiveConnector -Identity <'ServerUnderReview\\ReceiveConnector'> | Select AuthMechanism\n\nIf the value of \"AuthMechanism\" is not set to \"Tls, BasicAuth, BasicAuthRequireTLS\", this is a finding.",
"description": "Sending unencrypted email over the Internet increases the risk that messages can be intercepted or altered. Transport Layer Security (TLS) is designed to protect confidentiality and data integrity by encrypting email messages between servers and thereby reducing the risk of eavesdropping, interception, and alteration. This setting forces Exchange to offer TLS before using basic authentication.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-ReceiveConnector -Identity <'ReceiveConnector'> -AuthMechanism 'Tls, BasicAuth, BasicAuthRequireTLS'",
"iacontrols": null,
"id": "Exch-ED-207",
"ruleID": "Exch-ED-207_rule",
"severity": "medium",
"title": "Internet Receive Connectors must offer TLS before using basic authentication.",
"version": "Exch-ED-207"
},
"Exch-ED-208": {
"checkid": "C-_chk",
"checktext": "Obtain the Email Domain Security Plan (EDSP) and locate the \"Maximum Recipients per Message\" value.\n\nOpen the Exchange Management Shell and enter the following command.\n\nGet-ReceiveConnector | Select Name, Identity, MaxRecipientsPerMessage\n\nFor each Receive Connector, evaluate the \"MaxRecipientsPerMessage\" value. \n\nIf the value of \"MaxRecipientsPerMessage\" is set to 300, this is not a finding. \n\nIf the value of \"Maximum Recipients per Message\" is set to a value other than 300, and has signoff and risk acceptance in the EDSP, this is not a finding.",
"description": "Email system availability depends in part on best-practice tuning configurations. This setting controls the maximum number of messages allowed in a single SMTP session by breaking large numbers of messages into multiple sessions. Failure to control message counts as they arrive adds risk that a sending domain could monopolize email resources by not controlling message counts per session as inbound messages arrive. Microsoft best practice recommends setting this to a value of 300.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-ReceiveConnector -Identity <'ReceiveConnector'> -MaxRecipientsPerMessage 300 or other value as identified by the Email Domain Security Plan.",
"iacontrols": null,
"id": "Exch-ED-208",
"ruleID": "Exch-ED-208_rule",
"severity": "low",
"title": "Receive Connectors must control the message count per inbound session.",
"version": "Exch-ED-208"
},
"Exch-ED-209": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-ReceiveConnector | Select Name, Identity, ChunkingEnabled\n\nIf the value of \"ChunkingEnabled\" is set to \"True\", this is not a finding.",
"description": "Email system availability depends in part on best-practice tuning configurations. This setting is used when two Exchange servers send or receive email. The chunking setting enables large message bodies to be relayed by the remote server to the Receive Connector in multiple, smaller chunks.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-ReceiveConnector -Identity <'ReceiveConnector'> -ChunkingEnabled $true",
"iacontrols": null,
"id": "Exch-ED-209",
"ruleID": "Exch-ED-209_rule",
"severity": "low",
"title": "Receive Connectors must control the number of recipients 'chunked' on a single message.",
"version": "Exch-ED-209"
},
"Exch-ED-210": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-ReceiveConnector | Select Name, Identity\n\nReview the naming convention for the connectors. If the connectors are not clearly named, this is a finding.",
"description": "For Receive Connectors, unclear naming as to direction and purpose increases risk that messages may not flow as intended, troubleshooting efforts may be impaired, or incorrect assumptions made about the completeness of the configuration. \n\nCollectively, connectors should account for all connections required for the overall email topology design. Simple Mail Transfer Protocol (SMTP) connectors, when listed, must name purpose and direction clearly, and their counterparts on servers to which they connect should be recognizable as their partners.\n",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-ReceiveConnector -Name <'NewName'> -Identity <'ReceiveConnector'>",
"iacontrols": null,
"id": "Exch-ED-210",
"ruleID": "Exch-ED-210_rule",
"severity": "low",
"title": "Receive Connectors must be clearly named.",
"version": "Exch-ED-210"
},
"Exch-ED-211": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-SendConnector | Select Name, Identity\n\nReview the naming convention for the connectors. If the connectors are not clearly named, this is a finding.\n",
"description": "For Send Connectors, unclear naming as to direction and purpose increases risk that messages may not flow as intended, troubleshooting efforts may be impaired, or incorrect assumptions made about the completeness of the configuration. \n\nCollectively, connectors should account for all connections required for the overall email topology design. Simple Mail Transfer Protocol (SMTP) connectors, when listed, must name purpose and direction clearly, and their counterparts on servers to which they connect should be recognizable as their partners.\n",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-SendConnector -Name <'NewName'> -Identity <'SendConnector'>",
"iacontrols": null,
"id": "Exch-ED-211",
"ruleID": "Exch-ED-211_rule",
"severity": "low",
"title": "Send Connectors must be clearly named.",
"version": "Exch-ED-211"
},
"Exch-ED-212": {
"checkid": "C-_chk",
"checktext": "Obtain the Email Domain Security Plan (EDSP) and locate the value for \"Transient Failure Retry Count\".\n\nOpen the Exchange Management Shell and enter the following command.\n\nGet-TransportServer -Identity <'ServerUnderReview'> | Select Name, Identity, TransientFailureRetryCount\n\nIf the value of \"TransientFailureRetryCount\" is set to 10 or less, this is not a finding.\n\nIf the value of \"TransientFailureRetryCount\" is set to more than 10, and has signoff and risk acceptance in the EDSP, this is not a finding.",
"description": "This setting controls the rate at which delivery attempts from the home domain are retried, when user notification is issued, and the expiration timeout after which the message will be discarded. \n\nIf delivery retry attempts are too frequent, servers will generate network congestion. If too far apart, then messages may remain queued longer than necessary, potentially raising disk resource requirements. \n\nThe default values of these fields should be adequate for most environments. Administrators may wish to modify the values as a result, but changes should be documented in the System Security Plan.\n\nNote: Transport configuration settings apply at the organization/global level of Exchange; checking and setting them at the Hub server applies the setting to both Hub and Edge roles.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-TransportServer -Identity <'ServerUnderReview'> -TransientFailureRetryCount 10 or other value as identified by the Email Domain Security Plan.",
"iacontrols": null,
"id": "Exch-ED-212",
"ruleID": "Exch-ED-212_rule",
"severity": "low",
"title": "Send Connectors delivery retries must be controlled.",
"version": "Exch-ED-212"
},
"Exch-ED-213": {
"checkid": "C-_chk",
"checktext": "Obtain the Email Domain Security Plan (EDSP) and locate the maximum message size for the Send Connector. \n\nOpen the Exchange Management Shell and enter the following command.\n\nGet-SendConnector | Select Identity, MaxMessageSize\n\nIf the value of \"MaxMessageSize\" is set to 10MB or less, this is not a finding.\n\nIf the value of \"MaxMessageSize\" is set to more than 10MB, and has signoff and risk acceptance in the EDSP, this is not a finding.",
"description": "This setting can be used to limit the total size of messages at the connector level. This includes the message header, the message body, and any attachments. For internal message flow, Exchange Server uses the custom X-MS-Exchange-Organization-OriginalSize: message header to record the original message size of the message as it enters the Exchange Server organization. Whenever the message is checked against the specified message size limits, the lower value of the current message size or the original message size header is used. The size of the message can change because of content conversion, encoding, and agent processing. This setting somewhat limits the impact a malicious user or a computer with malware can have on the Exchange infrastructure by restricting the size of incoming messages.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-SendConnector -Identity <'SendConnector'> -MaxMessageSize 10MB or other value as identified by the Email Domain Security Plan.",
"iacontrols": null,
"id": "Exch-ED-213",
"ruleID": "Exch-ED-213_rule",
"severity": "medium",
"title": "Send Connector message size must be controlled.",
"version": "Exch-ED-213"
},
"Exch-ED-214": {
"checkid": "C-_chk",
"checktext": "Obtain the Email Domain Security Plan (EDSP) and locate the value for \"Maximum Outbound Connections\".\n\nOpen the Exchange Management Shell and enter the following command.\n\nGet-TransportServer -Identity <'ServerUnderReview'> | Select Name, Identity, MaxOutboundConnections\n\nIf the value of \"MaxOutboundConnections\" is set to 1000 or less, this is not a finding.\n\nIf the value of \"MaxOutboundConnections\" is set to more than 1000, and has signoff and risk acceptance in the EDSP, this is not a finding.\n",
"description": "This setting controls the maximum number of simultaneous outbound connections allowed for a given SMTP Connector, and can be used to throttle the SMTP service if resource constraints warrant it. If the limit is too low, connections may be dropped. If too high, some domains may use a disproportionate resource share, denying access to other domains. Appropriate tuning reduces risk of data delay or loss.\n\nNote: Transport configuration settings apply at the organization/global level of Exchange; checking and setting them at the Hub server applies the setting to both Hub and Edge roles. \n",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-TransportServer -Identity <'ServerUnderReview'> -MaxOutboundConnections 1000 or other value as identified by the Email Domain Security Plan.",
"iacontrols": null,
"id": "Exch-ED-214",
"ruleID": "Exch-ED-214_rule",
"severity": "low",
"title": "Send Connector connections count must be limited.",
"version": "Exch-ED-214"
},
"Exch-ED-215": {
"checkid": "C-_chk",
"checktext": "Obtain the Email Domain Security Plan (EDSP) and locate the value for \"Maximum Domain Connections\".\n\nOpen the Exchange Management Shell and enter the following command.\n\nGet-TransportServer -Identity <'ServerUnderReview'> | Select Name, Identity, MaxPerDomainOutboundConnections\n\nIf the value of \"MaxPerDomainOutboundConnections\" is set to 100 or less, this is not a finding.\n\nIf the value of \"MaxPerDomainOutboundConnections\" is set to more than 100, and has signoff and risk acceptance in the EDSP, this is not a finding.\n\n",
"description": "This configuration controls the maximum number of simultaneous outbound connections to a domain, and works in conjunction with the Maximum Outbound Connections Count setting as a delivery tuning mechanism. If the limit is too low, connections may be dropped. If too high, some domains may use a disproportionate resource share, denying access to other domains. Appropriate tuning reduces risk of data delay or loss. \n\nBy default, a limit of 100 simultaneous outbound connections to a domain should be sufficient. The value may be adjusted if justified by local site conditions.\n\nNote: Transport configuration settings apply at the organization/global level of Exchange; checking and setting them at the Hub server applies the setting to both Hub and Edge roles.\n",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-TransportServer -Identity <'ServerUnderReview'> -MaxPerDomainOutboundConnections 100 or other value as identified by the Email Domain Security Plan.",
"iacontrols": null,
"id": "Exch-ED-215",
"ruleID": "Exch-ED-215_rule",
"severity": "low",
"title": "Send connections per domain must be set.",
"version": "Exch-ED-215"
},
"Exch-ED-216": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-SendConnector | Select Name, Identity, DomainSecureEnabled\n\nIf the value of \"DomainSecureEnabled\" is not set to \"True\", this is a finding.\n",
"description": "The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. There are several controls that work together to provide security between internal servers. This setting controls the authentication method used for communications between servers. With this feature enabled, only servers capable of supporting domain authentication will be able to send and receive mail within the domain.\n\nThe use of secure communication prevents eavesdroppers from reading or modifying communications between mail clients and servers. While sensitive message bodies should be encrypted by the sender at the client, requiring a secure connection from server to server adds protection by encrypting the sender and recipient information that cannot be encrypted by the sender. \n\nIndividually, channel security and encryption can be compromised by attackers. Used together, email becomes a more difficult target, and security is heightened. Failure to enable this feature gives eavesdroppers an opportunity to read or modify messages between servers.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-SendConnector -Identity <'InternalSendConnector'> -DomainSecureEnabled $true",
"iacontrols": null,
"id": "Exch-ED-216",
"ruleID": "Exch-ED-216_rule",
"severity": "medium",
"title": "Internal Send Connectors must use Domain Security (Mutual Authentication TLS).",
"version": "Exch-ED-216"
},
"Exch-ED-217": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-SendConnector | Select Name, Identity, TlsDomain\n\nIf the value of \"TlsDomain\" is not set to \"True\", this is a finding.",
"description": "The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. There are several controls that work together to provide security between internal servers. This setting controls the encryption method used for communications between servers. With this feature enabled, only servers capable of supporting Transport Layer Security (TLS) will be able to send and receive mail within the domain.\n\nThe use of secure communication prevents eavesdroppers from reading or modifying communications between mail clients and servers. While sensitive message bodies should be encrypted by the sender at the client, requiring a secure connection from server to server adds protection by encrypting the sender and recipient information that cannot be encrypted by the sender. \n\nIndividually, channel security and encryption can be compromised by attackers. Used together, email becomes a more difficult target, and security is heightened. Failure to enable this feature gives eavesdroppers an opportunity to read or modify messages between servers.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-SendConnector -Identity <'Domain\\SendConnector'> -TlsDomain $true",
"iacontrols": null,
"id": "Exch-ED-217",
"ruleID": "Exch-ED-217_rule",
"severity": "medium",
"title": "Internal Send Connectors must be encrypted.",
"version": "Exch-ED-217"
},
"Exch-ED-219": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-TransportServer -Identity <'ServerUnderReview'> | Select Name, Identity, ConnectivityLogEnabled\n\nIf the value of \"ConnectivityLogEnabled\" is not set to \"True\", this is a finding.\n\n",
"description": "A connectivity log is a record of the SMTP connection activity of the outbound message delivery queues to the destination Mailbox server, smart host, or domain. Connectivity logging is available on Hub Transport servers and Edge Transport servers. By default, connectivity logging is disabled. If events are not recorded, it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.\n\nNote: Transport configuration settings apply at the organization/global level of Exchange; checking and setting them at the Hub server applies the setting to both Hub and Edge roles.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-TransportServer -Identity <'ServerUnderReview'> -ConnectivityLogEnabled $true",
"iacontrols": null,
"id": "Exch-ED-219",
"ruleID": "Exch-ED-219_rule",
"severity": "medium",
"title": "Connectivity logging must be enabled.",
"version": "Exch-ED-219"
},
"Exch-ED-220": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n \nGet-RemoteDomain | select identity, DeliveryReportEnabled\n\nIf the value of \"DeliveryReportEnabled\" is not set to \"False\", this is a finding.\n",
"description": "Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this information to conduct future attacks. Ensure that delivery reports to remote domains are disabled. Before applying this setting, first configure a remote domain using the EMC or the New-RemoteDomain cmdlet.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-RemoteDomain -Identity <'RemoteDomainName'> -DeliveryReportEnabled $false",
"iacontrols": null,
"id": "Exch-ED-220",
"ruleID": "Exch-ED-220_rule",
"severity": "medium",
"title": "Exchange must not send delivery reports to remote domains.",
"version": "Exch-ED-220"
},
"Exch-ED-221": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-RemoteDomain | select identity, NDREnabled\n\nIf the value of \"NDREnabled\" is not set to \"False\", this is a finding.",
"description": "Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this information to conduct future attacks. Ensure that non-delivery reports to remote domains are disabled. Before applying this setting, first configure a remote domain using the EMC or the New-RemoteDomain cmdlet.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-RemoteDomain -Identity <'RemoteDomainName'> -NDREnabled $false",
"iacontrols": null,
"id": "Exch-ED-221",
"ruleID": "Exch-ED-221_rule",
"severity": "medium",
"title": "Exchange must not send non-delivery reports to remote domains.",
"version": "Exch-ED-221"
},
"Exch-ED-222": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-RemoteDomain -Identity 'default' | Select Name, Identity, AllowedOOFType\n\nIf the value of \"AllowedOOFType\" is set to \"External\" or \"ExternalLegacy\", this is a finding.",
"description": "SPAM originators, in an effort to refine mailing lists, sometimes use a technique where they monitor transmissions for automated bounce back messages such as \"Out of Office\" messages. Automated messages include such items as Out of Office responses, non-delivery messages, or automated message forwarding.\n\nAutomated bounce back messages can be used by a third party to determine if users exist on the server. This can result in the disclosure of active user accounts to third parties, paving the way for possible future attacks. \n \nThe \"Default\" format applies to all domains. However, if a new format is created and applied to a specific domain, that domain will use the new format's configuration while all other domains (those without specially designated formats) will use the Default format. Automated messages must be disabled to prevent inadvertent information disclosure about email recipients.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-RemoteDomain -AllowedOOFType 'InternalLegacy' -Identity 'default'",
"iacontrols": null,
"id": "Exch-ED-222",
"ruleID": "Exch-ED-222_rule",
"severity": "medium",
"title": "External/Internet bound automated response messages must be disabled.",
"version": "Exch-ED-222"
},
"Exch-ED-223": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-RemoteDomain | select identity, AutoForwardEnabled\n\nIf the value of \"AutoForwardEnabled\" is set to \"True\", this is a finding.",
"description": "Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this information to conduct future attacks. Ensure that automatic forwards to remote domains are disabled. Before enabling this setting, first configure a remote domain.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-RemoteDomain -Identity <'RemoteDomainName'> -AutoForwardEnabled $false",
"iacontrols": null,
"id": "Exch-ED-223",
"ruleID": "Exch-ED-223_rule",
"severity": "medium",
"title": "Auto-forwarding email must be disabled.",
"version": "Exch-ED-223"
},
"Exch-ED-224": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-RemoteDomain | select identity, AutoReplyEnabled\n\nIf the value of \"AutoReplyEnabled\" is set to \"True\", this is a finding.",
"description": "Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this information to conduct future attacks. Remote users will not receive automated Out-Of-Office delivery reports. This setting can be used to determine if all the servers in the Organization can send Out-of-Office messages.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-RemoteDomain -Identity <'RemoteDomainName'> -AutoReplyEnabled $false",
"iacontrols": null,
"id": "Exch-ED-224",
"ruleID": "Exch-ED-224_rule",
"severity": "medium",
"title": "Exchange must not send auto replies to remote domains.",
"version": "Exch-ED-224"
},
"Exch-ED-225": {
"checkid": "C-_chk",
"checktext": "Obtain the Email Domain Security Plan (EDSP) and locate the list of acceptable attachment types. \n\nOpen the Exchange Management Shell and enter the following command.\n\nGet-AttachmentFilterEntry \n\nIf the value returned is different from the EDSP acceptable attachment types, this is a finding.",
"description": "By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the Mail server environment. Attachments are being used more frequently for different forms of attacks. By filtering undesirable attachments, a large percentage of malicious code can be prevented from entering the system. Attachments must be controlled at the entry point into the email environment to prevent successful attachment-based attacks. The following is a basic list of known attachment types that should be filtered from Internet mail attachments.\n\n*.ade *.crt *.jse *.msi *.scr *.wsh *.dir\n*.adp *.csh *.ksh *.msp *.sct *.htm *.dcr\n*.app *.exe *.lnk *.mst *.shb *.html *.plg\n*.asx *.fxp *.mda *.ops *.shs *.htc *.spl\n*.bas *.hlp *.mdb *.pcd *.url *.mht *.swf\n*.bat *.hta *.mde *.pif *.vb *.mhtml *.zip\n*.chm *.inf *.mdt *.prf *.vbe *.shtm \n*.cmd *.ins *.mdw *.prg *.vbs *.shtml \n*.com *.isp *.mdz *.reg *.wsc *.stm \n*.cpl *.js *.msc *.scf *.wsf *.xml \n",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nAdd-AttachmentFilterEntry -Name <'*.FileExtension'> -Type FileName",
"iacontrols": null,
"id": "Exch-ED-225",
"ruleID": "Exch-ED-225_rule",
"severity": "medium",
"title": "Attachment filtering must remove undesirable attachments by file type.",
"version": "Exch-ED-225"
},
"Exch-ED-227": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-RecipientFilterConfig | Select RecipientValidationEnabled\n\nIf the value of \"RecipientValidationEnabled\" is set to \"False\", this is a finding.\n",
"description": "SPAM originators, in an effort to refine mailing lists, sometimes use a technique where they first create fictitious names, and then monitor rejected emails for non-existent recipients. \nThose not rejected, of course, are deemed to exist, and are therefore used in future SPAM mailings. \n\nTo prevent this disclosure of existing email accounts to Spammers, this feature should not be employed. Instead, it is recommended that all messages be received, then evaluated and disposed of without enabling the sender to determine recipients that are existing vs. non-existing.\n",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-RecipientFilterConfig -RecipientValidationEnabled $False",
"iacontrols": null,
"id": "Exch-ED-227",
"ruleID": "Exch-ED-227_rule",
"severity": "medium",
"title": "Non-existent recipients must not be blocked.",
"version": "Exch-ED-227"
},
"Exch-ED-228": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-ReceiveConnector | Select Name, Identity, TarpitInterval\n\nIf the value of \"TarpitInterval\" is not set to 00:00:05 or greater, this is a finding.\n",
"description": "Tarpitting is the practice of artificially delaying server responses for specific SMTP communication patterns that indicate high volumes of spam or other unwelcome messages. The intent of tarpitting is to slow down the communication process for such email traffic so that the cost of sending spam increases for the person or organization sending the spam. Tarpitting makes directory harvest attacks too costly to automate efficiently.\n\nRecipient Lookup functionality enables the sending server to determine whether an email address is valid or invalid. As mentioned earlier, when the recipient of an inbound message is a known recipient, the Edge Transport server sends back an \"OK\" SMTP response to the sending server. This functionality provides an ideal environment for a directory harvest attack.\n\nA directory harvest attack is an attempt to collect valid email addresses from a particular organization so that the email addresses can be added to a spam database. Because all spam income relies on trying to make people open email messages, addresses known to be active are a commodity that malicious users, or spammers, pay for. Because the SMTP protocol provides feedback for known senders and unknown senders, a spammer can write an automated program that uses common names or dictionary terms to construct email addresses to a specific domain. The program collects all email addresses that return a \"Recipient OK\" SMTP response and discards all email addresses that return a \"User unknown\" SMTP session error. The spammer can then sell the valid email addresses or use them as recipients for unsolicited messages.\n",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-ReceiveConnector -Identity <'ReceiveConnector'> -TarpitInterval 00:00:05",
"iacontrols": null,
"id": "Exch-ED-228",
"ruleID": "Exch-ED-228_rule",
"severity": "medium",
"title": "Tarpitting interval must be set.",
"version": "Exch-ED-228"
},
"Exch-ED-229": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-ContentFilterConfig | Select QuarantineMailbox\n\nIf no SMTP address is assigned to \"QuarantineMailbox\", this is a finding.\n",
"description": "As messages are filtered by the Email sanitization process, an archive must be specified and managed by the Email administrators. The archive may be used to recover messages that might have been inappropriately filtered, preventing data loss, and to provide a base of analysis that can provide future filter refinements. The archive repository may also serve as a base for analysis of filtered content, to report and trend the types of undesirable Email content being captured. Failure to specify and manage a filtered message archive adds to the risk of email environment pollution. By not archiving filtered messages it is less likely administrators would be able to analyze and refine the filtering process. The act of identifying a mailbox causes this feature to be enabled.\n",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-ContentFilterConfig -QuarantineMailbox <'SmtpAddressOfMailbox'>",
"iacontrols": null,
"id": "Exch-ED-229",
"ruleID": "Exch-ED-229_rule",
"severity": "medium",
"title": "Filtered messages must be archived.",
"version": "Exch-ED-229"
},
"Exch-ED-230": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-SenderFilterConfig | Select BlankSenderBlockingEnabled\n\nIf the value of \"BlankSenderBlockingEnabled\" is not set to \"False\", this is a finding.",
"description": "By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server environment. Anonymous email (messages with blank sender fields) cannot be replied to. Messages formatted in this way may be attempting to hide their true origin to avoid responses, or to SPAM any receiver with impunity while hiding their source of origination. \n\nRather than spend resources and risk infection while evaluating them, it is recommended that these messages be filtered immediately upon receipt and not forwarded to end users.\n",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-SenderFilterConfig -BlankSenderBlockingEnabled $false",
"iacontrols": null,
"id": "Exch-ED-230",
"ruleID": "Exch-ED-230_rule",
"severity": "medium",
"title": "Messages with a blank sender field must be filtered.",
"version": "Exch-ED-230"
},
"Exch-ED-231": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-SenderFilterConfig | Select Action\n\nIf the value of \"Action\" is not set to \"StampStatus\", this is a finding.",
"description": "By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server environment. Anonymous email (messages with blank sender fields) cannot be replied to. Messages formatted in this way may be attempting to hide their true origin to avoid responses, or to SPAM any receiver with impunity while hiding their source of origination. \n\nRather than spend resources and risk infection while evaluating them, it is recommended that these messages be filtered immediately upon receipt and not forwarded to end users.\n",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-SenderFilterConfig -Action StampStatus",
"iacontrols": null,
"id": "Exch-ED-231",
"ruleID": "Exch-ED-231_rule",
"severity": "medium",
"title": "Blank sender field action type must be set.",
"version": "Exch-ED-231"
},
"Exch-ED-232": {
"checkid": "C-_chk",
"checktext": "Obtain the Email Domain Security Plan (EDSP) and locate the \"Accepted Domain\" value. \n\nOpen the Exchange Management Shell and enter the following command.\n \nGet-AcceptedDomain\n\nIf the value for \"AcceptedDomains\" is not set to the value in the EDSP, this is a finding.",
"description": "Exchange may be configured to accept email for multiple domain names. This setting controls the domains for which the server will accept mail. This check verifies that the email server is not accepting email for unauthorized domains.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n \nSet-AcceptedDomain -Identity <'ValueInEDSP'> -MakeDefault $true",
"iacontrols": null,
"id": "Exch-ED-232",
"ruleID": "Exch-ED-232_rule",
"severity": "medium",
"title": "Accepted domains must be verified.",
"version": "Exch-ED-232"
},
"Exch-ED-233": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n \nGet-SenderReputationConfig | Select SenderBlockingEnabled\n\nIf the value of \"SenderBlockingEnabled\" is not set to \"True\", this is a finding.\n\n",
"description": "By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the Mail server environment. Sender reputation is anti-spam functionality that blocks messages according to many characteristics of the sender. Sender reputation relies on persisted data about the sender to determine what action, if any, to take on an inbound message. This setting enables the sender reputation function.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n \nSet-SenderReputationConfig -SenderBlockingEnabled $true",
"iacontrols": null,
"id": "Exch-ED-233",
"ruleID": "Exch-ED-233_rule",
"severity": "medium",
"title": "Sender reputation must be enabled.",
"version": "Exch-ED-233"
},
"Exch-ED-234": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-SenderReputationConfig | Select SrlBlockThreshold\n\nIf the value of \"SrlBlockThreshold\" is not set to \"6\" or less, this is a finding.",
"description": "By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the Mail server environment. Sender reputation is anti-spam functionality that blocks messages according to many characteristics of the sender. Sender reputation relies on persisted data about the sender to determine what action, if any, to take on an inbound message. This setting enables the threshold at which an email will be considered spam.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-SenderReputationConfig -SrlBlockThreshold 6 -SenderBlockingPeriod 36",
"iacontrols": null,
"id": "Exch-ED-234",
"ruleID": "Exch-ED-234_rule",
"severity": "medium",
"title": "Sender reputation must be configured.",
"version": "Exch-ED-234"
},
"Exch-ED-236": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-ContentFilterConfig | Select Name, Identity, Enabled\n\nIf the value of \"Enabled\" is not set to \"True\", this is a finding.\n\n",
"description": "By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages may be eliminated from the transport message stream, preventing their entry into the Exchange environment. This significantly reduces the attack vector for inbound email-borne SPAM and malware.\nSPAM evaluation (heuristic) filters scan inbound email messages for evidence of SPAM and other attacks that primarily use 'Social Engineering' techniques. Upon evaluation completion, a rating is assigned to each message estimating the likelihood of its being SPAM. Upon arrival at the destination mailbox, the junk mail filter threshold (also configurable) determines whether the message will be withheld from delivery, delivered to the junk mail folder, or delivered to the user's inbox.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-ContentFilterConfig -Enabled $true",
"iacontrols": null,
"id": "Exch-ED-236",
"ruleID": "Exch-ED-236_rule",
"severity": "medium",
"title": "SPAM evaluation filter must be enabled.",
"version": "Exch-ED-236"
},
"Exch-ED-237": {
"checkid": "C-_chk",
"checktext": "Obtain the Email Domain Security Plan (EDSP) and locate the \"Block List Service Providers\" names.\n\nOpen the Exchange Management Shell and enter the following command.\n\nGet-IPBlockListProvider | Select Name, Identity\n\nIf the command does not return a list of providers, or the providers returned are not listed in the EDSP, this is a finding.\n",
"description": "Block List filtering is a sanitization process performed on email messages prior to their arrival at the destination mailbox. By performing this process at the email perimeter, threats can be eliminated outside the enclave, where there is less risk they can do harm. \n\nBlock List Services (sometimes called Reputation Data Services) are fee-based data providers that collect the IP addresses of known Spammers and other malware purveyors. Block List Service subscribers benefit from more effective SPAM elimination; SPAM has been estimated as comprising up to 90% of inbound mail volume. Failure to specify a Block List provider risks that manual email administration effort would be needed to maintain and update larger block lists than a single email site administrator could conveniently or accurately maintain. \n\nThe Block List Services vendor provides the value for this field, usually the DNS suffix of their domain.\n",
"fixid": "F-_fix",
"fixtext": "Obtain the names of the block list service providers from the EDSP document and update the system as indicated below.\n\nOpen the Exchange Management Shell and enter the following command.\n\nAdd-IPBlockListProvider -Name <'ListProvider'> -LookupDomain <'Domain.com'> -BitMaskMatch <'127.0.0.1'>",
"iacontrols": null,
"id": "Exch-ED-237",
"ruleID": "Exch-ED-237_rule",
"severity": "medium",
"title": "Block list service provider must be identified.",
"version": "Exch-ED-237"
},
"Exch-ED-238": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-SenderIdConfig | Select Name, Identity, SpoofedDomainAction\n\nIf the value of \"SpoofedDomainAction\" is not set to \"Reject\", this is a finding.\n",
"description": "Sender Identification (SID) is an email anti-spam sanitization process. Sender ID uses DNS MX record lookups to verify the SMTP sending server is authorized to send email for the originating domain.\n \nFailure to implement Sender ID risks that SPAM could be admitted into the email domain that originates from rogue servers. Most SPAM content originates from domains where the IP address has been spoofed prior to sending, thereby avoiding detection. \n\nBy rejecting session initiations from senders who cannot be validated via Sender ID, potential SPAM is eliminated because it is evaluated prior to being admitted to the domain. \n",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-SenderIdConfig -SpoofedDomainAction Reject\n",
"iacontrols": null,
"id": "Exch-ED-238",
"ruleID": "Exch-ED-238_rule",
"severity": "medium",
"title": "Session request from unauthorized senders must be rejected.",
"version": "Exch-ED-238"
},
"Exch-ED-239": {
"checkid": "C-_chk",
"checktext": "Open the Exchange Management Shell and enter the following command.\n\nGet-SenderIdConfig | Select Name, Identity, Enabled\n\nIf the value of \"Enabled\" is not set to \"True\", this is a finding.\n",
"description": "Sender Identification (SID) is an email anti-spam sanitization process. Sender ID uses DNS MX record lookups to verify the SMTP sending server is authorized to send email for the originating domain.\n \nFailure to implement Sender ID risks that SPAM could be admitted into the email domain that originates from rogue servers. Most SPAM content originates from domains where the IP address has been spoofed prior to sending, thereby avoiding detection.",
"fixid": "F-_fix",
"fixtext": "Open the Exchange Management Shell and enter the following command.\n\nSet-SenderIdConfig -Enabled $true\n",
"iacontrols": null,
"id": "Exch-ED-239",
"ruleID": "Exch-ED-239_rule",
"severity": "medium",
"title": "Sender Identification process must be enabled.",
"version": "Exch-ED-239"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"Exch-ED-200": "true",
"Exch-ED-201": "true",
"Exch-ED-202": "true",
"Exch-ED-203": "true",
"Exch-ED-204": "true",
"Exch-ED-205": "true",
"Exch-ED-206": "true",
"Exch-ED-207": "true",
"Exch-ED-208": "true",
"Exch-ED-209": "true",
"Exch-ED-210": "true",
"Exch-ED-211": "true",
"Exch-ED-212": "true",
"Exch-ED-213": "true",
"Exch-ED-214": "true",
"Exch-ED-215": "true",
"Exch-ED-216": "true",
"Exch-ED-217": "true",
"Exch-ED-219": "true",
"Exch-ED-220": "true",
"Exch-ED-221": "true",
"Exch-ED-222": "true",
"Exch-ED-223": "true",
"Exch-ED-224": "true",
"Exch-ED-225": "true",
"Exch-ED-227": "true",
"Exch-ED-228": "true",
"Exch-ED-229": "true",
"Exch-ED-230": "true",
"Exch-ED-231": "true",
"Exch-ED-232": "true",
"Exch-ED-233": "true",
"Exch-ED-234": "true",
"Exch-ED-235": "true",
"Exch-ED-236": "true",
"Exch-ED-237": "true",
"Exch-ED-238": "true",
"Exch-ED-239": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"Exch-ED-200": "true",
"Exch-ED-201": "true",
"Exch-ED-202": "true",
"Exch-ED-203": "true",
"Exch-ED-204": "true",
"Exch-ED-205": "true",
"Exch-ED-206": "true",
"Exch-ED-207": "true",
"Exch-ED-208": "true",
"Exch-ED-209": "true",
"Exch-ED-210": "true",
"Exch-ED-211": "true",
"Exch-ED-212": "true",
"Exch-ED-213": "true",
"Exch-ED-214": "true",
"Exch-ED-215": "true",
"Exch-ED-216": "true",
"Exch-ED-217": "true",
"Exch-ED-219": "true",
"Exch-ED-220": "true",
"Exch-ED-221": "true",
"Exch-ED-222": "true",
"Exch-ED-223": "true",
"Exch-ED-224": "true",
"Exch-ED-225": "true",
"Exch-ED-227": "true",
"Exch-ED-228": "true",
"Exch-ED-229": "true",
"Exch-ED-230": "true",
"Exch-ED-231": "true",
"Exch-ED-232": "true",
"Exch-ED-233": "true",
"Exch-ED-234": "true",
"Exch-ED-235": "true",
"Exch-ED-236": "true",
"Exch-ED-237": "true",
"Exch-ED-238": "true",
"Exch-ED-239": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"Exch-ED-200": "true",
"Exch-ED-201": "true",
"Exch-ED-202": "true",
"Exch-ED-203": "true",
"Exch-ED-204": "true",
"Exch-ED-205": "true",
"Exch-ED-206": "true",
"Exch-ED-207": "true",
"Exch-ED-208": "true",
"Exch-ED-209": "true",
"Exch-ED-210": "true",
"Exch-ED-211": "true",
"Exch-ED-212": "true",
"Exch-ED-213": "true",
"Exch-ED-214": "true",
"Exch-ED-215": "true",
"Exch-ED-216": "true",
"Exch-ED-217": "true",
"Exch-ED-219": "true",
"Exch-ED-220": "true",
"Exch-ED-221": "true",
"Exch-ED-222": "true",
"Exch-ED-223": "true",
"Exch-ED-224": "true",
"Exch-ED-225": "true",
"Exch-ED-227": "true",
"Exch-ED-228": "true",
"Exch-ED-229": "true",
"Exch-ED-230": "true",
"Exch-ED-231": "true",
"Exch-ED-232": "true",
"Exch-ED-233": "true",
"Exch-ED-234": "true",
"Exch-ED-235": "true",
"Exch-ED-236": "true",
"Exch-ED-237": "true",
"Exch-ED-238": "true",
"Exch-ED-239": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"Exch-ED-200": "true",
"Exch-ED-201": "true",
"Exch-ED-202": "true",
"Exch-ED-203": "true",
"Exch-ED-204": "true",
"Exch-ED-205": "true",
"Exch-ED-206": "true",
"Exch-ED-207": "true",
"Exch-ED-208": "true",
"Exch-ED-209": "true",
"Exch-ED-210": "true",
"Exch-ED-211": "true",
"Exch-ED-212": "true",
"Exch-ED-213": "true",
"Exch-ED-214": "true",
"Exch-ED-215": "true",
"Exch-ED-216": "true",
"Exch-ED-217": "true",
"Exch-ED-219": "true",
"Exch-ED-220": "true",
"Exch-ED-221": "true",
"Exch-ED-222": "true",
"Exch-ED-223": "true",
"Exch-ED-224": "true",
"Exch-ED-225": "true",
"Exch-ED-227": "true",
"Exch-ED-228": "true",
"Exch-ED-229": "true",
"Exch-ED-230": "true",
"Exch-ED-231": "true",
"Exch-ED-232": "true",
"Exch-ED-233": "true",
"Exch-ED-234": "true",
"Exch-ED-235": "true",
"Exch-ED-236": "true",
"Exch-ED-237": "true",
"Exch-ED-238": "true",
"Exch-ED-239": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"Exch-ED-200": "true",
"Exch-ED-201": "true",
"Exch-ED-202": "true",
"Exch-ED-203": "true",
"Exch-ED-204": "true",
"Exch-ED-205": "true",
"Exch-ED-206": "true",
"Exch-ED-207": "true",
"Exch-ED-208": "true",
"Exch-ED-209": "true",
"Exch-ED-210": "true",
"Exch-ED-211": "true",
"Exch-ED-212": "true",
"Exch-ED-213": "true",
"Exch-ED-214": "true",
"Exch-ED-215": "true",
"Exch-ED-216": "true",
"Exch-ED-217": "true",
"Exch-ED-219": "true",
"Exch-ED-220": "true",
"Exch-ED-221": "true",
"Exch-ED-222": "true",
"Exch-ED-223": "true",
"Exch-ED-224": "true",
"Exch-ED-225": "true",
"Exch-ED-227": "true",
"Exch-ED-228": "true",
"Exch-ED-229": "true",
"Exch-ED-230": "true",
"Exch-ED-231": "true",
"Exch-ED-232": "true",
"Exch-ED-233": "true",
"Exch-ED-234": "true",
"Exch-ED-235": "true",
"Exch-ED-236": "true",
"Exch-ED-237": "true",
"Exch-ED-238": "true",
"Exch-ED-239": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"Exch-ED-200": "true",
"Exch-ED-201": "true",
"Exch-ED-202": "true",
"Exch-ED-203": "true",
"Exch-ED-204": "true",
"Exch-ED-205": "true",
"Exch-ED-206": "true",
"Exch-ED-207": "true",
"Exch-ED-208": "true",
"Exch-ED-209": "true",
"Exch-ED-210": "true",
"Exch-ED-211": "true",
"Exch-ED-212": "true",
"Exch-ED-213": "true",
"Exch-ED-214": "true",
"Exch-ED-215": "true",
"Exch-ED-216": "true",
"Exch-ED-217": "true",
"Exch-ED-219": "true",
"Exch-ED-220": "true",
"Exch-ED-221": "true",
"Exch-ED-222": "true",
"Exch-ED-223": "true",
"Exch-ED-224": "true",
"Exch-ED-225": "true",
"Exch-ED-227": "true",
"Exch-ED-228": "true",
"Exch-ED-229": "true",
"Exch-ED-230": "true",
"Exch-ED-231": "true",
"Exch-ED-232": "true",
"Exch-ED-233": "true",
"Exch-ED-234": "true",
"Exch-ED-235": "true",
"Exch-ED-236": "true",
"Exch-ED-237": "true",
"Exch-ED-238": "true",
"Exch-ED-239": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"Exch-ED-200": "true",
"Exch-ED-201": "true",
"Exch-ED-202": "true",
"Exch-ED-203": "true",
"Exch-ED-204": "true",
"Exch-ED-205": "true",
"Exch-ED-206": "true",
"Exch-ED-207": "true",
"Exch-ED-208": "true",
"Exch-ED-209": "true",
"Exch-ED-210": "true",
"Exch-ED-211": "true",
"Exch-ED-212": "true",
"Exch-ED-213": "true",
"Exch-ED-214": "true",
"Exch-ED-215": "true",
"Exch-ED-216": "true",
"Exch-ED-217": "true",
"Exch-ED-219": "true",
"Exch-ED-220": "true",
"Exch-ED-221": "true",
"Exch-ED-222": "true",
"Exch-ED-223": "true",
"Exch-ED-224": "true",
"Exch-ED-225": "true",
"Exch-ED-227": "true",
"Exch-ED-228": "true",
"Exch-ED-229": "true",
"Exch-ED-230": "true",
"Exch-ED-231": "true",
"Exch-ED-232": "true",
"Exch-ED-233": "true",
"Exch-ED-234": "true",
"Exch-ED-235": "true",
"Exch-ED-236": "true",
"Exch-ED-237": "true",
"Exch-ED-238": "true",
"Exch-ED-239": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"Exch-ED-200": "true",
"Exch-ED-201": "true",
"Exch-ED-202": "true",
"Exch-ED-203": "true",
"Exch-ED-204": "true",
"Exch-ED-205": "true",
"Exch-ED-206": "true",
"Exch-ED-207": "true",
"Exch-ED-208": "true",
"Exch-ED-209": "true",
"Exch-ED-210": "true",
"Exch-ED-211": "true",
"Exch-ED-212": "true",
"Exch-ED-213": "true",
"Exch-ED-214": "true",
"Exch-ED-215": "true",
"Exch-ED-216": "true",
"Exch-ED-217": "true",
"Exch-ED-219": "true",
"Exch-ED-220": "true",
"Exch-ED-221": "true",
"Exch-ED-222": "true",
"Exch-ED-223": "true",
"Exch-ED-224": "true",
"Exch-ED-225": "true",
"Exch-ED-227": "true",
"Exch-ED-228": "true",
"Exch-ED-229": "true",
"Exch-ED-230": "true",
"Exch-ED-231": "true",
"Exch-ED-232": "true",
"Exch-ED-233": "true",
"Exch-ED-234": "true",
"Exch-ED-235": "true",
"Exch-ED-236": "true",
"Exch-ED-237": "true",
"Exch-ED-238": "true",
"Exch-ED-239": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"Exch-ED-200": "true",
"Exch-ED-201": "true",
"Exch-ED-202": "true",
"Exch-ED-203": "true",
"Exch-ED-204": "true",
"Exch-ED-205": "true",
"Exch-ED-206": "true",
"Exch-ED-207": "true",
"Exch-ED-208": "true",
"Exch-ED-209": "true",
"Exch-ED-210": "true",
"Exch-ED-211": "true",
"Exch-ED-212": "true",
"Exch-ED-213": "true",
"Exch-ED-214": "true",
"Exch-ED-215": "true",
"Exch-ED-216": "true",
"Exch-ED-217": "true",
"Exch-ED-219": "true",
"Exch-ED-220": "true",
"Exch-ED-221": "true",
"Exch-ED-222": "true",
"Exch-ED-223": "true",
"Exch-ED-224": "true",
"Exch-ED-225": "true",
"Exch-ED-227": "true",
"Exch-ED-228": "true",
"Exch-ED-229": "true",
"Exch-ED-230": "true",
"Exch-ED-231": "true",
"Exch-ED-232": "true",
"Exch-ED-233": "true",
"Exch-ED-234": "true",
"Exch-ED-235": "true",
"Exch-ED-236": "true",
"Exch-ED-237": "true",
"Exch-ED-238": "true",
"Exch-ED-239": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "microsoft_exchange_2010_edge_transport_server_role",
"title": "Microsoft Exchange 2010 Edge Transport Server Role",
"version": "1"
}
}