Exchange must provide Mailbox databases in a highly available and redundant configuration.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-207332	EX13-MB-000335	SV-207332r615936_rule		Medium

Description
To protect Exchange Server mailbox databases and the data they contain by configuring Mailbox servers and databases for high availability and site resilience. A database availability group (DAG) is a component of the Mailbox server high availability and site resilience framework built into Microsoft Exchange Server 2013. A DAG is a group of Mailbox servers that hosts a set of databases and provides automatic database-level recovery from failures that affect individual servers or databases. A DAG is a boundary for mailbox database replication and database and server switchovers and failovers. Any server in a DAG can host a copy of a mailbox database from any other server in the DAG. When a server is added to a DAG, it works with the other servers in the DAG to provide automatic recovery from failures that affect mailbox databases, such as a disk, server, or network failure.

Description

To protect Exchange Server mailbox databases and the data they contain by configuring Mailbox servers and databases for high availability and site resilience. A database availability group (DAG) is a component of the Mailbox server high availability and site resilience framework built into Microsoft Exchange Server 2013. A DAG is a group of Mailbox servers that hosts a set of databases and provides automatic database-level recovery from failures that affect individual servers or databases. A DAG is a boundary for mailbox database replication and database and server switchovers and failovers. Any server in a DAG can host a copy of a mailbox database from any other server in the DAG. When a server is added to a DAG, it works with the other servers in the DAG to provide automatic recovery from failures that affect mailbox databases, such as a disk, server, or network failure.

STIG	Date
Microsoft Exchange 2013 Mailbox Server Security Technical Implementation Guide	2021-12-16

Details

Check Text ( C-7590r393509_chk )
Review the Email Domain Security Plan (EDSP). Determine if the Exchange Mailbox databases are using redundancy. Open an Exchange Admin Center. Navigate to and select Microsoft Exchange >> Microsoft Exchange On - Premises >> Organization Configuration >> Mailbox. In the right pane, if two or more Mailbox servers are not listed, this is a finding. Note: The EDSP must indicate what availability the system must have, as approved by the ISSO. This can be used for justification when determining finding and possibly a severity downgrade.

Check Text ( C-7590r393509_chk )

Review the Email Domain Security Plan (EDSP).

Determine if the Exchange Mailbox databases are using redundancy.

Open an Exchange Admin Center.

Navigate to and select Microsoft Exchange >> Microsoft Exchange On - Premises >> Organization Configuration >> Mailbox.

In the right pane, if two or more Mailbox servers are not listed, this is a finding.

Note: The EDSP must indicate what availability the system must have, as approved by the ISSO. This can be used for justification when determining finding and possibly a severity downgrade.

Fix Text (F-7590r393510_fix)
Update the EDSP. Add two or more Mailbox servers to the database availability group.