UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide


Overview

Date Finding Count (70)
2019-12-20 CAT I (High): 4 CAT II (Med): 58 CAT III (Low): 8
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-80599 High Exchange must provide redundancy.
V-80587 High Exchange must strip hyperlink email sources from non-.mil domains.
V-80753 High Exchange internal Receive connectors must require encryption.
V-80603 High Exchange internal Send connectors must require encryption.
V-80491 Medium Exchange must have auto-forwarding of email to remote domains disabled or restricted.
V-80595 Medium Exchange software must be installed on a separate partition from the OS.
V-80493 Medium Exchange external Receive connectors must be domain secure-enabled.
V-80597 Medium The Exchange SMTP automated banner response must not reveal server details.
V-80495 Medium The Exchange email Diagnostic log level must be set to the lowest level.
V-80591 Medium The Exchange software baseline copy must exist.
V-80497 Medium Exchange Connectivity logging must be enabled.
V-80593 Medium Exchange services must be documented and unnecessary services must be removed or disabled.
V-80499 Medium Exchange Queue monitoring must be configured with threshold and action.
V-80511 Medium Exchange audit data must be on separate partitions.
V-80539 Medium Exchange Receive connectors must control the number of recipients per message.
V-80557 Medium The Exchange Sender Reputation filter must identify the spam block level.
V-80547 Medium Exchange messages with a blank sender field must be filtered.
V-80545 Medium Exchange messages with a blank sender field must be rejected.
V-80565 Medium Exchange messages with a malformed From address must be rejected.
V-80567 Medium The Exchange Recipient filter must be enabled.
V-80561 Medium The Exchange Spam Evaluation filter must be enabled.
V-80573 Medium Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List entries must be empty.
V-80563 Medium The Exchange Block List service provider must be identified.
V-80617 Medium The application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
V-80615 Medium The application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
V-80613 Medium The application must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.
V-80509 Medium Exchange audit data must be protected against unauthorized access for deletion.
V-80521 Medium Exchange Outbound Connection Timeout must be 10 minutes or less.
V-80523 Medium Exchange Outbound Connection Limit per Domain Count must be controlled.
V-80501 Medium Exchange must not send Customer Experience reports to Microsoft.
V-80601 Medium Exchange internal Send connectors must use an authentication level.
V-80619 Medium The applications built-in Malware Agent must be disabled.
V-80585 Medium Exchange Sender Identification Framework must be enabled.
V-80533 Medium Exchange Receive connector Maximum Hop Count must be 60.
V-80583 Medium Exchange must have antispam filtering configured.
V-80611 Medium The application must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.
V-80581 Medium Exchange must have antispam filtering enabled.
V-80489 Medium Exchange must have accepted domains configured.
V-80487 Medium Exchange servers must use approved DoD certificates.
V-80485 Medium Exchange must limit the Receive connector timeout.
V-80589 Medium The Exchange application directory must be protected from unauthorized access.
V-80507 Medium Exchange audit data must be protected against unauthorized access for modification.
V-80553 Medium Exchange nonexistent recipients must not be blocked.
V-80569 Medium The Exchange tarpitting interval must be set.
V-80505 Medium Exchange Send Fatal Errors to Microsoft must be disabled.
V-80609 Medium The application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.
V-80551 Medium The Exchange Sender filter must block unaccepted domains.
V-80519 Medium Exchange Internet-facing Receive connectors must offer Transport Layer Security (TLS) before using basic authentication.
V-80579 Medium Exchange must have antispam filtering installed.
V-80555 Medium The Exchange Sender Reputation filter must be enabled.
V-80503 Medium Exchange Audit data must be protected against unauthorized access (read access).
V-80513 Medium The Exchange local machine policy must require signed scripts.
V-80571 Medium Exchange internal Receive connectors must not allow anonymous connections.
V-80577 Medium The Exchange Simple Mail Transfer Protocol (SMTP) Sender filter must be enabled.
V-80575 Medium The Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List Connection filter must be enabled.
V-80605 Medium Exchange must have the most current, approved service pack installed.
V-80607 Medium The application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.
V-80559 Medium Exchange Attachment filtering must remove undesirable attachments by file type.
V-80515 Medium Exchange Internet-facing Send connectors must specify a Smart Host.
V-80517 Medium Exchange internal Send connectors must use domain security (mutual authentication Transport Layer Security).
V-80549 Medium Exchange filtered messages must be archived.
V-80621 Medium A DoD-approved third-party Exchange-aware malicious code protection application must be implemented.
V-80543 Low Exchange Message size restrictions must be controlled on Receive connectors.
V-80529 Low Exchange Send connectors delivery retries must be controlled.
V-80541 Low The Exchange Internet Receive connector connections count must be set to default.
V-80535 Low Exchange Receive connectors must be clearly named.
V-80525 Low Exchange Send connector connections count must be limited.
V-80531 Low Exchange Send connectors must be clearly named.
V-80537 Low Exchange Receive connectors must control the number of recipients chunked on a single message.
V-80527 Low Exchange message size restrictions must be controlled on Send connectors.