Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide


Overview

Date: 2022-06-09
Finding Count (69): CAT I (High): 4, CAT II (Med): 57, CAT III (Low): 8

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-221259 High Exchange must provide redundancy.
V-221253 High Exchange must render hyperlinks from email sources from non-.mil domains as unclickable.
V-221261 High Exchange internal Receive connectors must require encryption.
V-221262 High Exchange internal Send connectors must require encryption.
V-221221 Medium Exchange Outbound Connection Limit per Domain Count must be controlled.
V-221220 Medium Exchange Outbound Connection Timeout must be 10 minutes or less.
V-221209 Medium Exchange Queue monitoring must be configured with threshold and action.
V-221258 Medium The Exchange SMTP automated banner response must not reveal server details.
V-221229 Medium Exchange Receive connectors must control the number of recipients per message.
V-221255 Medium The Exchange software baseline copy must exist.
V-221254 Medium The Exchange application directory must be protected from unauthorized access.
V-221257 Medium Exchange software must be installed on a separate partition from the OS.
V-221256 Medium Exchange services must be documented and unnecessary services must be removed or disabled.
V-221251 Medium Exchange must have antispam filtering configured.
V-221250 Medium Exchange must have antispam filtering enabled.
V-221252 Medium Exchange Sender Identification Framework must be enabled.
V-221211 Medium Exchange Audit data must be protected against unauthorized access (read access).
V-221210 Medium Exchange must not send Customer Experience reports to Microsoft.
V-221213 Medium Exchange audit data must be protected against unauthorized access for modification.
V-221238 Medium The Exchange Sender Reputation filter must identify the spam block level.
V-221215 Medium Exchange audit data must be on separate partitions.
V-221214 Medium Exchange audit data must be protected against unauthorized access for deletion.
V-221217 Medium Exchange Internet-facing Send connectors must specify a Smart Host.
V-221216 Medium The Exchange local machine policy must require signed scripts.
V-221233 Medium Exchange messages with a blank sender field must be filtered.
V-221212 Medium Exchange Send Fatal Errors to Microsoft must be disabled.
V-221237 Medium The Exchange Sender Reputation filter must be enabled.
V-221236 Medium Exchange nonexistent recipients must not be blocked.
V-221235 Medium The Exchange Sender filter must block unaccepted domains.
V-221234 Medium Exchange filtered messages must be archived.
V-221208 Medium Exchange Connectivity logging must be enabled.
V-221232 Medium Exchange messages with a blank sender field must be rejected.
V-221263 Medium Exchange must have the most current, approved service pack installed.
V-221202 Medium Exchange must limit the Receive connector timeout.
V-221219 Medium Exchange Internet-facing Receive connectors must offer Transport Layer Security (TLS) before using basic authentication.
V-221203 Medium Exchange servers must use approved DoD certificates.
V-221270 Medium The application's built-in Malware Agent must be disabled.
V-221218 Medium Exchange internal Send connectors must use domain security (mutual authentication Transport Layer Security).
V-221248 Medium The Exchange Simple Mail Transfer Protocol (SMTP) Sender filter must be enabled.
V-221249 Medium Exchange must have antispam filtering installed.
V-221242 Medium Exchange messages with a malformed From address must be rejected.
V-221243 Medium The Exchange Recipient filter must be enabled.
V-221240 Medium The Exchange Spam Evaluation filter must be enabled.
V-221241 Medium The Exchange Block List service provider must be identified.
V-221246 Medium Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List entries must be empty.
V-221247 Medium The Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List Connection filter must be enabled.
V-221244 Medium The Exchange tarpitting interval must be set.
V-221245 Medium Exchange internal Receive connectors must not allow anonymous connections.
V-221264 Medium The application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.
V-221265 Medium The application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.
V-221266 Medium The application must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.
V-221267 Medium The application must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.
V-221260 Medium Exchange internal Send connectors must use an authentication level.
V-221239 Medium Exchange Attachment filtering must remove undesirable attachments by file type.
V-221206 Medium Exchange external Receive connectors must be domain secure-enabled.
V-221207 Medium The Exchange email Diagnostic log level must be set to the lowest level.
V-221204 Medium Exchange must have accepted domains configured.
V-221205 Medium Exchange must have auto-forwarding of email to remote domains disabled or restricted.
V-221268 Medium The application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
V-221269 Medium The application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
V-221226 Medium Exchange Receive connector Maximum Hop Count must be 60.
V-221224 Low Exchange Send connectors delivery retries must be controlled.
V-221228 Low Exchange Receive connectors must control the number of recipients chunked on a single message.
V-221231 Low Exchange Message size restrictions must be controlled on Receive connectors.
V-221230 Low The Exchange Internet Receive connector connections count must be set to default.
V-221225 Low Exchange Send connectors must be clearly named.
V-221223 Low Exchange message size restrictions must be controlled on Send connectors.
V-221222 Low Exchange Send connector connections count must be limited.
V-221227 Low Exchange Receive connectors must be clearly named.