UCF STIG Viewer Logo

Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide


Date Finding Count (68)
2024-01-10 CAT I (High): 2 CAT II (Med): 50 CAT III (Low): 16
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles

Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-259686 High Exchange servers must have an approved DOD email-aware virus protection software installed.
V-259710 High The application must protect the confidentiality and integrity of transmitted information.
V-259668 Medium The Exchange Post Office Protocol 3 (POP3) service must be disabled.
V-259649 Medium Exchange servers must use approved DOD certificates.
V-259648 Medium Exchange must have administrator audit logging enabled.
V-259708 Medium Exchange internal send connectors must use an authentication level.
V-259704 Medium The Exchange email application must not share a partition with another application.
V-259705 Medium Exchange must not send delivery reports to remote domains.
V-259706 Medium Exchange must not send nondelivery reports to remote domains.
V-259707 Medium The Exchange SMTP automated banner response must not reveal server details.
V-259645 Medium Exchange must use encryption for RPC client access.
V-259701 Medium Exchange software must be monitored for unauthorized changes.
V-259647 Medium Exchange must have forms-based authentication enabled.
V-259646 Medium Exchange must use encryption for Outlook Web App (OWA) access.
V-259663 Medium Exchange audit data must be on separate partitions.
V-259662 Medium Exchange must protect audit data against unauthorized deletion.
V-259661 Medium Exchange must protect audit data against unauthorized access.
V-259660 Medium Exchange must protect audit data against unauthorized read access.
V-259689 Medium Exchange must have anti-spam filtering installed.
V-259688 Medium Exchange external/internet-bound automated response messages must be disabled.
V-259665 Medium Exchange Send Fatal Errors to Microsoft must be disabled.
V-259664 Medium Exchange local machine policy must require signed scripts.
V-259669 Medium Exchange Mailbox databases must reside on a dedicated partition.
V-259702 Medium Exchange services must be documented, and unnecessary services must be removed or disabled.
V-259700 Medium An Exchange software baseline copy must exist.
V-259687 Medium Exchange internal receive connectors must not allow anonymous connections.
V-259659 Medium Exchange queue monitoring must be configured with threshold and action.
V-259652 Medium Exchange connectivity logging must be enabled.
V-259703 Medium Exchange Outlook Anywhere clients must use NTLM authentication to access email.
V-259656 Medium Exchange email subject line logging must be disabled.
V-259657 Medium Exchange message tracking logging must be enabled.
V-259672 Medium Exchange email forwarding must be restricted.
V-259673 Medium Exchange email-forwarding SMTP domains must be restricted.
V-259653 Medium The Exchange email diagnostic log level must be set to the lowest level.
V-259667 Medium The Exchange Internet Message Access Protocol 4 (IMAP4) service must be disabled.
V-259712 Medium Exchange must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-259711 Medium Exchange must have the most current, approved Cumulative Update installed.
V-259666 Medium Exchange must not send customer experience reports to Microsoft.
V-259670 Medium Exchange internet-facing send connectors must specify a smart host.
V-259671 Medium Exchange mailboxes must be retained until backups are complete.
V-259698 Medium Role-Based Access Control must be defined for privileged and nonprivileged users.
V-259699 Medium The Exchange application directory must be protected from unauthorized access.
V-259651 Medium Exchange auto-forwarding email to remote domains must be disabled or restricted.
V-259690 Medium Exchange must have anti-spam filtering enabled.
V-259691 Medium Exchange must have anti-spam filtering configured.
V-259696 Medium The Exchange built-in malware agent must be disabled.
V-259694 Medium Exchange anti-malware agent must be enabled and configured.
V-259695 Medium The Exchange malware scanning agent must be configured for automatic updates.
V-259692 Medium Exchange must not send automated replies to remote domains.
V-259650 Medium Exchange must have authenticated access set to integrated Windows authentication only.
V-259655 Medium The RBAC role for audit log management must be defined and restricted.
V-259709 Medium Exchange must provide mailbox databases in a highly available and redundant configuration.
V-259658 Low Exchange circular logging must be disabled.
V-259685 Low The Exchange Outbound Connection Timeout must be 10 minutes or less.
V-259684 Low The Exchange Outbound Connection Limit per Domain Count must be controlled.
V-259681 Low Exchange message size restrictions must be controlled on send connectors.
V-259680 Low Exchange receive connectors must control the number of recipients per message.
V-259683 Low The Exchange global outbound message size must be controlled.
V-259682 Low The Exchange global inbound message size must be controlled.
V-259674 Low Exchange mailbox stores must mount at startup.
V-259675 Low Exchange mail quota settings must not restrict receiving mail.
V-259676 Low Exchange mail quota settings must not restrict sending mail.
V-259678 Low The Exchange Receive Connector Maximum Hop Count must be 60.
V-259679 Low The Exchange send connector connections count must be limited.
V-259697 Low The Exchange receive connector timeout must be limited.
V-259693 Low The Exchange Global Recipient Count Limit must be set.
V-259654 Low Exchange audit record parameters must be set.
V-259677 Low Exchange Message size restrictions must be controlled on Receive connectors.