
Microsoft Exchange 2013 Client Access Server Security Technical Implementation Guide


Date: 2021-12-16
Finding Count (33): CAT I (High): 1, CAT II (Med): 28, CAT III (Low): 4
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Public)

Finding ID Severity Title
V-234794 High Exchange OWA must use https.
V-234792 Medium Exchange software must be installed on a separate partition from the OS.
V-234793 Medium Exchange must provide redundancy.
V-234790 Medium Exchange services must be documented and unnecessary services must be removed or disabled.
V-234791 Medium Exchange Outlook Anywhere (OA) clients must use NTLM authentication to access email.
V-234796 Medium Exchange must have the most current, approved service pack installed.
V-234797 Medium Exchange must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-234795 Medium Exchange OWA must have S/MIME Certificates enabled.
V-234778 Medium Exchange must not send Customer Experience reports to Microsoft.
V-234779 Medium Exchange must have Audit data protected against unauthorized modification.
V-234770 Medium Exchange Servers must use approved DoD certificates.
V-234771 Medium Exchange ActiveSync (EAS) must only use certificate-based authentication to access email.
V-234772 Medium Exchange must have IIS map client certificates to an approved certificate server.
V-234773 Medium Exchange Email Diagnostic log level must be set to lowest level.
V-234775 Medium Exchange must have Queue monitoring configured with threshold and action.
V-234776 Medium Exchange must have Send Fatal Errors to Microsoft disabled.
V-234777 Medium Exchange must have Audit data protected against unauthorized read access.
V-234784 Medium Exchange POP3 service must be disabled.
V-234787 Medium Exchange application directory must be protected from unauthorized access.
V-234780 Medium Exchange must have audit data protected against unauthorized deletion.
V-234783 Medium Exchange IMAP4 service must be disabled.
V-234782 Medium Exchange Local machine policy must require signed scripts.
V-234789 Medium Exchange software must be monitored for unauthorized changes.
V-234788 Medium Exchange software baseline copy must exist.
V-234769 Medium Exchange must have Administrator audit logging enabled.
V-234768 Medium Exchange must have authenticated access set to Integrated Windows Authentication only.
V-234767 Medium Exchange must have Forms-based Authentication disabled.
V-234766 Medium Exchange must use Encryption for OWA access.
V-234765 Medium Exchange must use Encryption for RPC client access.
V-234774 Low Exchange must have Audit record parameters set.
V-234785 Low Exchange must have the Public Folder virtual directory removed if not in use by the site.
V-234786 Low Exchange must have the Microsoft Active Sync directory removed.
V-234781 Low Exchange must have Audit data on separate partitions.