Microsoft Exchange 2010 Mailbox Server Role

Overview

Version	Date	Finding Count (16)			Downloads
1	2012-05-31	CAT I (High): 0	CAT II (Med): 8	CAT III (Low): 8	Excel	JSON	XML

STIG Description
The Microsoft Exchange Server 2010 STIGs cover four of the five roles available with Microsoft Exchange Server 2010, plus core Exchange Server 2010 global requirements. The Email Services Policy STIG must also be reviewed for each site hosting email services. The core Exchange Server guidance must be reviewed on each server role prior to the role-specific guidance. Also, for the Client Access server, the IIS guidance must be reviewed prior to the OWA checks.

STIG Description

The Microsoft Exchange Server 2010 STIGs cover four of the five roles available with Microsoft Exchange Server 2010, plus core Exchange Server 2010 global requirements. The Email Services Policy STIG must also be reviewed for each site hosting email services. The core Exchange Server guidance must be reviewed on each server role prior to the role-specific guidance. Also, for the Client Access server, the IIS guidance must be reviewed prior to the OWA checks.

Available Profiles

Classified	Public	Sensitive
I - Mission Critical Classified	I - Mission Critical Public	I - Mission Critical Sensitive	II - Mission Support Classified	II - Mission Support Public	II - Mission Support Sensitive	III - Administrative Classified	III - Administrative Public	III - Administrative Sensitive

Findings (MAC II - Mission Support Sensitive)

Finding ID	Severity	Title	Description
EXCH-MB-407	Medium	Email "Subject Line" logging must be enabled.	Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. When "message tracking" is enabled,...
EXCH-MB-405	Medium	The Public Folder Stores must mount at startup.	Administrator responsibilities include the ability to react to unplanned maintenance tasks or emergency situations that may require Public Folder Store data manipulation. Occasionally, there may...
EXCH-MB-415	Medium	Email SMTP forwarding must be restricted.	Auto-forwarding email to external email accounts is prohibited. Auto-forwarded e-mail to non-CAC enabled e-mail accounts does not meet requirement for digital signature and encryption of CUI and...
EXCH-MB-414	Medium	Mailbox databases must reside on a dedicated partition.	In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and...
EXCH-MB-408	Medium	Message Tracking Logging must be disabled.	A message tracking log provides a detailed log of all message activity as messages are transferred to and from a computer running Exchange. Message tracking is available on Hub Transport servers,...
EXCH-MB-409	Medium	Queue monitoring must be configured with threshold and action.	Monitors are automated "process watchers" that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Exchange has built-in...
EXCH-MB-411	Medium	Public Folder stores must be retained until backups are complete.	Backup and recovery procedures are an important part of overall system availability and integrity. Complete backups reduce the chance of accidental deletion of important information, and ensure...
EXCH-MB-410	Medium	Mail must be retained until backups are complete.	Backup and recovery procedures are an important part of overall system availability and integrity. Complete backups reduce the chance of accidental deletion of important information, and ensure...
EXCH-MB-402	Low	Mail Store storage quota must issue a warning.	Mail quota settings control the maximum sizes of a user's mailbox and the system's response if these limits are exceeded. Mailbox data that is not monitored against a quota increases the risk of...
EXCH-MB-403	Low	Public Store storage quota must be limited.	This setting controls the maximum sizes of a Public Folder and the system's response if these limits are exceeded. There are two available controls and the system response when the quota has been...
EXCH-MB-400	Low	Mail quota settings must not restrict receiving mail.	Mail quota settings control the maximum sizes of a user's mailbox and the system's response if these limits are exceeded. Mailbox data that is not monitored against a quota increases the risk of...
EXCH-MB-401	Low	Mail Store storage quota must be limited.	Mail quota settings control the maximum sizes of a user's mailbox and the system's response if these limits are exceeded. Mailbox data that is not monitored against a quota increases the risk of...
EXCH-MB-406	Low	The email server Circular Logging must be disabled.	Logging provides a history of events performed, and can also provide evidence of tampering or attack. Failure to create and preserve logs adds to the risk that suspicious events may go unnoticed,...
EXCH-MB-404	Low	The Mailbox Stores must mount at startup.	Administrator responsibilities include the ability to react to unplanned maintenance tasks or emergency situations that may require Mailbox data manipulation. Occasionally, there may be a need to...
EXCH-MB-413	Low	Public Folder database must not be overwritten by a restore.	Email system availability depends in part on best practices strategies for setting tuning configurations. Unauthorized or accidental restoration of public folder data risks data loss or...
EXCH-MB-412	Low	Mailbox database must not be overwritten by a restore.	Email system availability depends in part on best practices strategies for setting tuning configurations. Unauthorized or accidental restoration of mailbox data risks data loss or corruption. ...