UCF STIG Viewer Logo

Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide


Date Finding Count (64)
2021-06-23 CAT I (High): 1 CAT II (Med): 47 CAT III (Low): 16
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-228397 High Exchange servers must have an approved DoD email-aware virus protection software installed.
V-228371 Medium The Exchange Internet Message Access Protocol 4 (IMAP4) service must be disabled.
V-228409 Medium Exchange Internal Send connectors must use an authentication level.
V-228408 Medium The Exchange SMTP automated banner response must not reveal server details.
V-228368 Medium Exchange must protect audit data against unauthorized deletion.
V-228369 Medium Exchange Audit data must be on separate partitions.
V-228366 Medium Exchange must not send Customer Experience reports to Microsoft.
V-228367 Medium Exchange must protect audit data against unauthorized access.
V-228364 Medium Exchange Send Fatal Errors to Microsoft must be disabled.
V-228365 Medium Exchange must protect audit data against unauthorized read access.
V-228362 Medium Exchange Message Tracking Logging must be enabled.
V-228363 Medium Exchange Queue monitoring must be configured with threshold and action.
V-228361 Medium Exchange Email Subject Line logging must be disabled.
V-228358 Medium The Exchange Email Diagnostic log level must be set to the lowest level.
V-228404 Medium Exchange Outlook Anywhere clients must use NTLM authentication to access email.
V-228396 Medium Exchange must not send automated replies to remote domains.
V-228395 Medium Exchange must have anti-spam filtering configured.
V-228394 Medium Exchange must have anti-spam filtering enabled.
V-228393 Medium Exchange must have anti-spam filtering installed.
V-228392 Medium Exchange external/Internet-bound automated response messages must be disabled.
V-228391 Medium Exchange Internal Receive connectors must not allow anonymous connections.
V-228403 Medium Exchange services must be documented and unnecessary services must be removed or disabled.
V-228402 Medium Exchange software must be monitored for unauthorized changes.
V-228401 Medium An Exchange software baseline copy must exist.
V-228418 Medium Exchange must have authenticated access set to Integrated Windows Authentication only.
V-228370 Medium Exchange Local machine policy must require signed scripts.
V-228373 Medium Exchange Mailbox databases must reside on a dedicated partition.
V-228372 Medium The Exchange Post Office Protocol 3 (POP3) service must be disabled.
V-228375 Medium Exchange internal Receive connectors must require encryption.
V-228374 Medium Exchange Internet-facing Send connectors must specify a Smart Host.
V-228377 Medium Exchange email forwarding must be restricted.
V-228376 Medium Exchange Mailboxes must be retained until backups are complete.
V-228378 Medium Exchange email-forwarding SMTP domains must be restricted.
V-228412 Medium The application must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-228413 Medium The applications built-in Malware Agent must be disabled.
V-228357 Medium Exchange Connectivity logging must be enabled.
V-228356 Medium Exchange auto-forwarding email to remote domains must be disabled or restricted.
V-228416 Medium Exchange must use encryption for Outlook Web App (OWA) access.
V-228417 Medium Exchange must have forms-based authentication disabled.
V-228355 Medium Exchange servers must use approved DoD certificates.
V-228354 Medium Exchange must have Administrator audit logging enabled.
V-228410 Medium Exchange must provide Mailbox databases in a highly available and redundant configuration.
V-228400 Medium The Exchange application directory must be protected from unauthorized access.
V-228407 Medium Exchange must not send nondelivery reports to remote domains.
V-228406 Medium Exchange must not send delivery reports to remote domains.
V-228415 Medium Exchange must use encryption for RPC client access.
V-228405 Medium The Exchange Email application must not share a partition with another application.
V-228411 Medium Exchange must have the most current, approved service pack installed.
V-228360 Low Exchange Circular Logging must be disabled.
V-228399 Low The Exchange Receive connector timeout must be limited.
V-228398 Low The Exchange Global Recipient Count Limit must be set.
V-228390 Low The Exchange Outbound Connection Timeout must be 10 minutes or less.
V-228379 Low Exchange Mail quota settings must not restrict receiving mail.
V-228388 Low The Exchange global outbound message size must be controlled.
V-228389 Low The Exchange Outbound Connection Limit per Domain Count must be controlled.
V-228384 Low The Exchange Receive Connector Maximum Hop Count must be 60.
V-228385 Low Exchange Message size restrictions must be controlled on Send connectors.
V-228387 Low The Exchange global inbound message size must be controlled.
V-228380 Low Exchange Mail Quota settings must not restrict receiving mail.
V-228381 Low Exchange Mailbox Stores must mount at startup.
V-228382 Low Exchange Message size restrictions must be controlled on Receive connectors.
V-228383 Low Exchange Receive connectors must control the number of recipients per message.
V-228359 Low Exchange Audit record parameters must be set.
V-228386 Low The Exchange Send connector connections count must be limited.