Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide


Overview

Date: 2018-08-28
Finding Count (70): CAT I (High): 4, CAT II (Med): 58, CAT III (Low): 8

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-80599 High Exchange must provide redundancy.
V-80587 High Exchange must strip hyperlink email sources from non-.mil domains.
V-80753 High Exchange internal Receive connectors must require encryption.
V-80603 High Exchange internal Send connectors must require encryption.
V-80491 Medium Exchange must have auto-forwarding of email to remote domains disabled or restricted.
V-80595 Medium Exchange software must be installed on a separate partition from the OS.
V-80493 Medium Exchange external Receive connectors must be domain secure-enabled.
V-80597 Medium The Exchange SMTP automated banner response must not reveal server details.
V-80495 Medium The Exchange email Diagnostic log level must be set to the lowest level.
V-80591 Medium The Exchange software baseline copy must exist.
V-80497 Medium Exchange Connectivity logging must be enabled.
V-80593 Medium Exchange services must be documented and unnecessary services must be removed or disabled.
V-80499 Medium Exchange Queue monitoring must be configured with threshold and action.
V-80511 Medium Exchange audit data must be on separate partitions.
V-80539 Medium Exchange Receive connectors must control the number of recipients per message.
V-80557 Medium The Exchange Sender Reputation filter must identify the spam block level.
V-80547 Medium Exchange messages with a blank sender field must be filtered.
V-80545 Medium Exchange messages with a blank sender field must be rejected.
V-80565 Medium Exchange messages with a malformed From address must be rejected.
V-80567 Medium The Exchange Recipient filter must be enabled.
V-80561 Medium The Exchange Spam Evaluation filter must be enabled.
V-80573 Medium Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List entries must be empty.
V-80563 Medium The Exchange Block List service provider must be identified.
V-80617 Medium The application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
V-80615 Medium The application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
V-80613 Medium The application must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.
V-80509 Medium Exchange audit data must be protected against unauthorized access for deletion.
V-80521 Medium Exchange Outbound Connection Timeout must be 10 minutes or less.
V-80523 Medium Exchange Outbound Connection Limit per Domain Count must be controlled.
V-80501 Medium Exchange must not send Customer Experience reports to Microsoft.
V-80601 Medium Exchange internal Send connectors must use an authentication level.
V-80619 Medium The application's built-in Malware Agent must be disabled.
V-80585 Medium Exchange Sender Identification Framework must be enabled.
V-80533 Medium Exchange Receive connector Maximum Hop Count must be 60.
V-80583 Medium Exchange must have antispam filtering configured.
V-80611 Medium The application must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.
V-80581 Medium Exchange must have antispam filtering enabled.
V-80489 Medium Exchange must have accepted domains configured.
V-80487 Medium Exchange servers must use approved DoD certificates.
V-80485 Medium Exchange must limit the Receive connector timeout.
V-80589 Medium The Exchange application directory must be protected from unauthorized access.
V-80507 Medium Exchange audit data must be protected against unauthorized access for modification.
V-80553 Medium Exchange nonexistent recipients must not be blocked.
V-80569 Medium The Exchange tarpitting interval must be set.
V-80505 Medium Exchange Send Fatal Errors to Microsoft must be disabled.
V-80609 Medium The application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.
V-80551 Medium The Exchange Sender filter must block unaccepted domains.
V-80519 Medium Exchange Internet-facing Receive connectors must offer Transport Layer Security (TLS) before using basic authentication.
V-80579 Medium Exchange must have antispam filtering installed.
V-80555 Medium The Exchange Sender Reputation filter must be enabled.
V-80503 Medium Exchange Audit data must be protected against unauthorized access (read access).
V-80513 Medium The Exchange local machine policy must require signed scripts.
V-80571 Medium Exchange internal Receive connectors must not allow anonymous connections.
V-80577 Medium The Exchange Simple Mail Transfer Protocol (SMTP) Sender filter must be enabled.
V-80575 Medium The Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List Connection filter must be enabled.
V-80605 Medium Exchange must have the most current, approved service pack installed.
V-80607 Medium The application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.
V-80559 Medium Exchange Attachment filtering must remove undesirable attachments by file type.
V-80515 Medium Exchange Internet-facing Send connectors must specify a Smart Host.
V-80517 Medium Exchange internal Send connectors must use domain security (mutual authentication Transport Layer Security).
V-80549 Medium Exchange filtered messages must be archived.
V-80621 Medium A DoD-approved third-party Exchange-aware malicious code protection application must be implemented.
V-80543 Low Exchange Message size restrictions must be controlled on Receive connectors.
V-80529 Low Exchange Send connectors delivery retries must be controlled.
V-80541 Low The Exchange Internet Receive connector connections count must be set to default.
V-80535 Low Exchange Receive connectors must be clearly named.
V-80525 Low Exchange Send connector connections count must be limited.
V-80531 Low Exchange Send connectors must be clearly named.
V-80537 Low Exchange Receive connectors must control the number of recipients chunked on a single message.
V-80527 Low Exchange message size restrictions must be controlled on Send connectors.