UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide


Overview

Date Finding Count (65)
2019-10-01 CAT I (High): 1 CAT II (Med): 48 CAT III (Low): 16
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-80709 High Exchange servers must have an approved DoD email-aware virus protection software installed.
V-80623 Medium Exchange must have Administrator audit logging enabled.
V-80641 Medium Exchange Queue monitoring must be configured with threshold and action.
V-80737 Medium The Exchange Email application must not share a partition with another application.
V-80647 Medium Exchange must not send Customer Experience reports to Microsoft.
V-80715 Medium The Exchange application directory must be protected from unauthorized access.
V-80749 Medium The Exchange SMTP automated banner response must not reveal server details.
V-80727 Medium The applications built-in Malware Agent must be disabled.
V-80671 Medium Exchange email-forwarding SMTP domains must be restricted.
V-80649 Medium Exchange must protect audit data against unauthorized access.
V-80697 Medium Exchange Internal Receive connectors must not allow anonymous connections.
V-80699 Medium Exchange external/Internet-bound automated response messages must be disabled.
V-80659 Medium The Exchange Post Office Protocol 3 (POP3) service must be disabled.
V-80703 Medium Exchange must have anti-spam filtering enabled.
V-80669 Medium Exchange email forwarding must be restricted.
V-80631 Medium The Exchange Email Diagnostic log level must be set to the lowest level.
V-80637 Medium Exchange Email Subject Line logging must be disabled.
V-80701 Medium Exchange must have anti-spam filtering installed.
V-80653 Medium Exchange Audit data must be on separate partitions.
V-80651 Medium Exchange must protect audit data against unauthorized deletion.
V-80657 Medium The Exchange Internet Message Access Protocol 4 (IMAP4) service must be disabled.
V-80655 Medium Exchange Local machine policy must require signed scripts.
V-80661 Medium Exchange Mailbox databases must reside on a dedicated partition.
V-80723 Medium Exchange must use encryption for RPC client access.
V-80667 Medium Exchange Mailboxes must be retained until backups are complete.
V-80663 Medium Exchange Internet-facing Send connectors must specify a Smart Host.
V-80629 Medium Exchange Connectivity logging must be enabled.
V-80707 Medium Exchange must not send automated replies to remote domains.
V-80721 Medium Exchange must use encryption for Outlook Web App (OWA) access.
V-80745 Medium Exchange must not send delivery reports to remote domains.
V-80639 Medium Exchange Message Tracking Logging must be enabled.
V-80719 Medium Exchange must have Forms-based Authentication enabled.
V-80741 Medium Exchange must have the most current, approved service pack installed.
V-80743 Medium Exchange must provide Mailbox databases in a highly available and redundant configuration.
V-80735 Medium Exchange Outlook Anywhere clients must use NTLM authentication to access email.
V-80731 Medium Exchange software must be monitored for unauthorized changes.
V-80733 Medium Exchange services must be documented and unnecessary services must be removed or disabled.
V-80643 Medium Exchange Send Fatal Errors to Microsoft must be disabled.
V-80725 Medium A DoD-approved third party Exchange-aware malicious code protection application must be implemented.
V-80751 Medium Exchange Internal Send connectors must use an authentication level.
V-80739 Medium The application must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-80717 Medium Exchange must have authenticated access set to Integrated Windows Authentication only.
V-80665 Medium Exchange internal Receive connectors must require encryption.
V-80705 Medium Exchange must have anti-spam filtering configured.
V-80747 Medium Exchange must not send nondelivery reports to remote domains.
V-80627 Medium Exchange auto-forwarding email to remote domains must be disabled or restricted.
V-80625 Medium Exchange servers must use approved DoD certificates.
V-80729 Medium An Exchange software baseline copy must exist.
V-80645 Medium Exchange must protect audit data against unauthorized read access.
V-80711 Low The Exchange Global Recipient Count Limit must be set.
V-80693 Low The Exchange Outbound Connection Limit per Domain Count must be controlled.
V-80691 Low The Exchange global outbound message size must be controlled.
V-80685 Low Exchange Message size restrictions must be controlled on Send connectors.
V-80689 Low The Exchange global inbound message size must be controlled.
V-80675 Low Exchange Mail Quota settings must not restrict receiving mail.
V-80677 Low Exchange Mailbox Stores must mount at startup.
V-80673 Low Exchange Mail quota settings must not restrict receiving mail.
V-80695 Low The Exchange Outbound Connection Timeout must be 10 minutes or less.
V-80679 Low Exchange Message size restrictions must be controlled on Receive connectors.
V-80633 Low Exchange Audit record parameters must be set.
V-80635 Low Exchange Circular Logging must be disabled.
V-80681 Low Exchange Receive connectors must control the number of recipients per message.
V-80687 Low The Exchange Send connector connections count must be limited.
V-80683 Low The Exchange Receive Connector Maximum Hop Count must be 60.
V-80713 Low The Exchange Receive connector timeout must be limited.