Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-259636 | EX19-ED-000224 | SV-259636r942222_rule | | Medium |
Description |
---|
To mitigate the risk of possible erroneous queries that may have been coopted by bad actors, the Exchange Edge server must use DNS servers that utilize DNSSEC to resolve external hosts and internal hosts before routing messages to the appropriate destination. |
STIG | Date |
---|---|
Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide | 2024-01-10 |
Check Text ( C-63375r942220_chk ) |
---|
Verify in the EDSP or consult with the appropriate personnel who manage DNS which servers to use for Internal and External DNS resolution. If the server is not multi-homed, this does not apply. In Exchange Management Shell, run the following command: Get-TransportService | Format-List *dns* If "ExternalDNSAdapterEnabled : True" and no GUID exists, this is a finding. If "ExternalDNSAdapterEnabled : False" and the property "ExternalDNSServers" is not populated with the documented trusted DNS servers for External DNS queries, this is a finding. If "InternalDNSAdapterEnabled : True" and no GUID exists, this is a finding. If "InternalDNSAdapterEnabled : False" and the property "InternalDNSServers" is not populated with the documented trusted DNS servers for Internal DNS queries, this is a finding. |
Fix Text (F-63283r942221_fix) |
---|
Verify in the EDSP or consult with the appropriate personnel who manage which DNS servers to use for Internal and External DNS resolution. If GUIDs for the External and Internal network adapters are applicable, gather the values to populate the appropriate properties with the following command: netsh lan show interfaces This will provide the adapters and the GUIDs for each. Identify the external and internal adapters for the Edge server. Once gathered, run the following: Set-TransportService -Identity If "ExternalDNSAdapterEnabled" or "InternalDNSAdapterEnabled" is set to false, use the following to set the DNS configuration: Set-TransportService -Identity Set-TransportService -Identity |
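
One way to apply the four Check Text conditions to the output of Get-TransportService, as an added example that is not part of the STIG. The function name Test-EdgeDnsFinding, its parameters and the sample addresses are constructed for illustration; the multi-homed exemption and the EDSP lookup still have to be decided by the reviewer.

```powershell
# Added example, not part of the STIG: applies the four Check Text conditions.
function Test-EdgeDnsFinding {
    param(
        [Parameter(Mandatory)] $TransportService,           # one object from Get-TransportService
        [Parameter(Mandatory)] [string[]] $TrustedExternal, # documented external DNS servers (EDSP)
        [Parameter(Mandatory)] [string[]] $TrustedInternal  # documented internal DNS servers (EDSP)
    )
    $findings = @()
    foreach ($scope in 'External', 'Internal') {
        $enabled = [bool]$TransportService."${scope}DNSAdapterEnabled"
        $guid    = [string]$TransportService."${scope}DNSAdapterGuid"
        # Normalise the server list to strings and drop nulls from an unset property.
        $servers = @(@($TransportService."${scope}DNSServers") | Where-Object { $_ } | ForEach-Object { "$_" })
        $trusted = @(if ($scope -eq 'External') { $TrustedExternal } else { $TrustedInternal })

        if ($enabled) {
            # Assumption: a null, empty or all-zero GUID is what the check calls "no GUID exists".
            if ([string]::IsNullOrWhiteSpace($guid) -or $guid -eq [guid]::Empty.ToString()) {
                $findings += "${scope}DNSAdapterEnabled is True and no adapter GUID is set"
            }
        }
        else {
            # Assumption: "populated with the documented servers" means an exact set match.
            $missing    = @($trusted | Where-Object { $_ -notin $servers })
            $unexpected = @($servers | Where-Object { $_ -notin $trusted })
            if ($servers.Count -eq 0 -or $missing.Count -gt 0 -or $unexpected.Count -gt 0) {
                $findings += "${scope}DNSServers does not match the documented trusted servers"
            }
        }
    }
    [pscustomobject]@{ IsFinding = ($findings.Count -gt 0); Findings = $findings }
}

# Constructed sample standing in for Get-TransportService output (documentation-range addresses).
$sample = [pscustomobject]@{
    ExternalDNSAdapterEnabled = $true
    ExternalDNSAdapterGuid    = [guid]::Empty
    ExternalDNSServers        = @()
    InternalDNSAdapterEnabled = $false
    InternalDNSAdapterGuid    = [guid]::Empty
    InternalDNSServers        = @('192.0.2.53')
}
Test-EdgeDnsFinding -TransportService $sample -TrustedExternal '198.51.100.53' -TrustedInternal '192.0.2.53'

# On the Edge server itself, pass the live object instead of the sample ($ext and $int hold the EDSP lists):
# Get-TransportService | ForEach-Object { Test-EdgeDnsFinding -TransportService $_ -TrustedExternal $ext -TrustedInternal $int }
```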