UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide


Overview

Date Finding Count (64)
2023-12-18 CAT I (High): 1 CAT II (Med): 47 CAT III (Low): 16
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-228397 High Exchange servers must have an approved DoD email-aware virus protection software installed.
V-228371 Medium The Exchange Internet Message Access Protocol 4 (IMAP4) service must be disabled.
V-228409 Medium Exchange Internal Send connectors must use an authentication level.
V-228408 Medium The Exchange SMTP automated banner response must not reveal server details.
V-228368 Medium Exchange must protect audit data against unauthorized deletion.
V-228369 Medium Exchange Audit data must be on separate partitions.
V-228366 Medium Exchange must not send Customer Experience reports to Microsoft.
V-228367 Medium Exchange must protect audit data against unauthorized access.
V-228364 Medium Exchange Send Fatal Errors to Microsoft must be disabled.
V-228365 Medium Exchange must protect audit data against unauthorized read access.
V-228362 Medium Exchange Message Tracking Logging must be enabled.
V-228363 Medium Exchange Queue monitoring must be configured with threshold and action.
V-228361 Medium Exchange Email Subject Line logging must be disabled.
V-228358 Medium The Exchange Email Diagnostic log level must be set to the lowest level.
V-228404 Medium Exchange Outlook Anywhere clients must use NTLM authentication to access email.
V-228396 Medium Exchange must not send automated replies to remote domains.
V-228395 Medium Exchange must have anti-spam filtering configured.
V-228394 Medium Exchange must have anti-spam filtering enabled.
V-228393 Medium Exchange must have anti-spam filtering installed.
V-228392 Medium Exchange external/Internet-bound automated response messages must be disabled.
V-228391 Medium Exchange Internal Receive connectors must not allow anonymous connections.
V-228403 Medium Exchange services must be documented and unnecessary services must be removed or disabled.
V-228402 Medium Exchange software must be monitored for unauthorized changes.
V-228401 Medium An Exchange software baseline copy must exist.
V-228418 Medium Exchange must have authenticated access set to Integrated Windows Authentication only.
V-228370 Medium Exchange Local machine policy must require signed scripts.
V-228373 Medium Exchange Mailbox databases must reside on a dedicated partition.
V-228372 Medium The Exchange Post Office Protocol 3 (POP3) service must be disabled.
V-228375 Medium Exchange internal Receive connectors must require encryption.
V-228374 Medium Exchange Internet-facing Send connectors must specify a Smart Host.
V-228377 Medium Exchange email forwarding must be restricted.
V-228376 Medium Exchange Mailboxes must be retained until backups are complete.
V-228378 Medium Exchange email-forwarding SMTP domains must be restricted.
V-228412 Medium The application must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-228413 Medium The applications built-in Malware Agent must be disabled.
V-228357 Medium Exchange Connectivity logging must be enabled.
V-228356 Medium Exchange auto-forwarding email to remote domains must be disabled or restricted.
V-228416 Medium Exchange must use encryption for Outlook Web App (OWA) access.
V-228417 Medium Exchange must have forms-based authentication disabled.
V-228355 Medium Exchange servers must use approved DoD certificates.
V-228354 Medium Exchange must have Administrator audit logging enabled.
V-228410 Medium Exchange must provide Mailbox databases in a highly available and redundant configuration.
V-228400 Medium The Exchange application directory must be protected from unauthorized access.
V-228407 Medium Exchange must not send nondelivery reports to remote domains.
V-228406 Medium Exchange must not send delivery reports to remote domains.
V-228415 Medium Exchange must use encryption for RPC client access.
V-228405 Medium The Exchange Email application must not share a partition with another application.
V-228411 Medium Exchange must have the most current, approved service pack installed.
V-228360 Low Exchange Circular Logging must be disabled.
V-228399 Low The Exchange Receive connector timeout must be limited.
V-228398 Low The Exchange Global Recipient Count Limit must be set.
V-228390 Low The Exchange Outbound Connection Timeout must be 10 minutes or less.
V-228379 Low Exchange Mail quota settings must not restrict receiving mail.
V-228388 Low The Exchange global outbound message size must be controlled.
V-228389 Low The Exchange Outbound Connection Limit per Domain Count must be controlled.
V-228384 Low The Exchange Receive Connector Maximum Hop Count must be 60.
V-228385 Low Exchange Message size restrictions must be controlled on Send connectors.
V-228387 Low The Exchange global inbound message size must be controlled.
V-228380 Low Exchange Mail Quota settings must not restrict receiving mail.
V-228381 Low Exchange Mailbox Stores must mount at startup.
V-228382 Low Exchange Message size restrictions must be controlled on Receive connectors.
V-228383 Low Exchange Receive connectors must control the number of recipients per message.
V-228359 Low Exchange Audit record parameters must be set.
V-228386 Low The Exchange Send connector connections count must be limited.