Exchange email-forwarding SMTP domains must be restricted.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-228378	EX16-MB-000300	SV-228378r612748_rule		Medium

Description
Auto-forwarded email accounts do not meet the requirement for digital signature and encryption of Controlled Unclassified Information (CUI) and Personally Identifiable Information (PII) in accordance with DoDI 8520.2 (reference ee) and DoD Director for Administration and Management memorandum, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information". Use of forwarding set by an administrator interferes with nonrepudiation requirements that each end user be responsible for creation and destination of email data.

Description

Auto-forwarded email accounts do not meet the requirement for digital signature and encryption of Controlled Unclassified Information (CUI) and Personally Identifiable Information (PII) in accordance with DoDI 8520.2 (reference ee) and DoD Director for Administration and Management memorandum, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information". Use of forwarding set by an administrator interferes with nonrepudiation requirements that each end user be responsible for creation and destination of email data.

STIG	Date
Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide	2021-06-23

Details

Check Text ( C-30611r496930_chk )
Review the Email Domain Security Plan (EDSP) or document that contains this information. Determine any accounts that have been authorized to have email auto-forwarded. Note: If email auto-forwarding is not being used, this check is not applicable (NA). Open the Exchange Management Shell and enter the following commands: Get-RemoteDomain \| Select Name, Identity, DomainName, AutoForwardEnabled If any domain for a user forwarding SMTP address is not documented in the EDSP, this is a finding. Note: If no remote SMTP domain matching the mail-enabled user or contact that allows forwarding is configured for users identified with a forwarding address, this function will not work properly.

Check Text ( C-30611r496930_chk )

Review the Email Domain Security Plan (EDSP) or document that contains this information.

Determine any accounts that have been authorized to have email auto-forwarded.

Note: If email auto-forwarding is not being used, this check is not applicable (NA).

Open the Exchange Management Shell and enter the following commands:

Get-RemoteDomain | Select Name, Identity, DomainName, AutoForwardEnabled

If any domain for a user forwarding SMTP address is not documented in the EDSP, this is a finding.

Note: If no remote SMTP domain matching the mail-enabled user or contact that allows forwarding is configured for users identified with a forwarding address, this function will not work properly.

Fix Text (F-30596r496931_fix)
Update the EDSP to specify any accounts that have been authorized to have email auto-forwarded or verify that this information is documented by the organization. Open the Exchange Management Shell and enter the following command: Set- RemoteDomain -Identity