
Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide


Overview

Date: 2020-12-10
Finding Count (69): CAT I (High): 4, CAT II (Med): 57, CAT III (Low): 8
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.




Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-221259 High Exchange must provide redundancy.
V-221253 High Exchange must render hyperlinks from email sources from non-.mil domains as unclickable.
V-221261 High Exchange internal Receive connectors must require encryption.
V-221262 High Exchange internal Send connectors must require encryption.
V-221221 Medium Exchange Outbound Connection Limit per Domain Count must be controlled.
V-221220 Medium Exchange Outbound Connection Timeout must be 10 minutes or less.
V-221209 Medium Exchange Queue monitoring must be configured with threshold and action.
V-221258 Medium The Exchange SMTP automated banner response must not reveal server details.
V-221229 Medium Exchange Receive connectors must control the number of recipients per message.
V-221255 Medium The Exchange software baseline copy must exist.
V-221254 Medium The Exchange application directory must be protected from unauthorized access.
V-221257 Medium Exchange software must be installed on a separate partition from the OS.
V-221256 Medium Exchange services must be documented and unnecessary services must be removed or disabled.
V-221251 Medium Exchange must have antispam filtering configured.
V-221250 Medium Exchange must have antispam filtering enabled.
V-221252 Medium Exchange Sender Identification Framework must be enabled.
V-221211 Medium Exchange Audit data must be protected against unauthorized access (read access).
V-221210 Medium Exchange must not send Customer Experience reports to Microsoft.
V-221213 Medium Exchange audit data must be protected against unauthorized access for modification.
V-221238 Medium The Exchange Sender Reputation filter must identify the spam block level.
V-221215 Medium Exchange audit data must be on separate partitions.
V-221214 Medium Exchange audit data must be protected against unauthorized access for deletion.
V-221217 Medium Exchange Internet-facing Send connectors must specify a Smart Host.
V-221216 Medium The Exchange local machine policy must require signed scripts.
V-221233 Medium Exchange messages with a blank sender field must be filtered.
V-221212 Medium Exchange Send Fatal Errors to Microsoft must be disabled.
V-221237 Medium The Exchange Sender Reputation filter must be enabled.
V-221236 Medium Exchange nonexistent recipients must not be blocked.
V-221235 Medium The Exchange Sender filter must block unaccepted domains.
V-221234 Medium Exchange filtered messages must be archived.
V-221208 Medium Exchange Connectivity logging must be enabled.
V-221232 Medium Exchange messages with a blank sender field must be rejected.
V-221263 Medium Exchange must have the most current, approved service pack installed.
V-221202 Medium Exchange must limit the Receive connector timeout.
V-221219 Medium Exchange Internet-facing Receive connectors must offer Transport Layer Security (TLS) before using basic authentication.
V-221203 Medium Exchange servers must use approved DoD certificates.
V-221270 Medium The application's built-in Malware Agent must be disabled.
V-221218 Medium Exchange internal Send connectors must use domain security (mutual authentication Transport Layer Security).
V-221248 Medium The Exchange Simple Mail Transfer Protocol (SMTP) Sender filter must be enabled.
V-221249 Medium Exchange must have antispam filtering installed.
V-221242 Medium Exchange messages with a malformed From address must be rejected.
V-221243 Medium The Exchange Recipient filter must be enabled.
V-221240 Medium The Exchange Spam Evaluation filter must be enabled.
V-221241 Medium The Exchange Block List service provider must be identified.
V-221246 Medium Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List entries must be empty.
V-221247 Medium The Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List Connection filter must be enabled.
V-221244 Medium The Exchange tarpitting interval must be set.
V-221245 Medium Exchange internal Receive connectors must not allow anonymous connections.
V-221264 Medium The application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.
V-221265 Medium The application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.
V-221266 Medium The application must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.
V-221267 Medium The application must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.
V-221260 Medium Exchange internal Send connectors must use an authentication level.
V-221239 Medium Exchange Attachment filtering must remove undesirable attachments by file type.
V-221206 Medium Exchange external Receive connectors must be domain secure-enabled.
V-221207 Medium The Exchange email Diagnostic log level must be set to the lowest level.
V-221204 Medium Exchange must have accepted domains configured.
V-221205 Medium Exchange must have auto-forwarding of email to remote domains disabled or restricted.
V-221268 Medium The application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
V-221269 Medium The application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
V-221226 Medium Exchange Receive connector Maximum Hop Count must be 60.
V-221224 Low Exchange Send connectors delivery retries must be controlled.
V-221228 Low Exchange Receive connectors must control the number of recipients chunked on a single message.
V-221231 Low Exchange Message size restrictions must be controlled on Receive connectors.
V-221230 Low The Exchange Internet Receive connector connections count must be set to default.
V-221225 Low Exchange Send connectors must be clearly named.
V-221223 Low Exchange message size restrictions must be controlled on Send connectors.
V-221222 Low Exchange Send connector connections count must be limited.
V-221227 Low Exchange Receive connectors must be clearly named.