UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Exchange email forwarding must be restricted.


Overview

Finding ID Version Rule ID IA Controls Severity
V-259672 EX19-MB-000116 SV-259672r942330_rule Medium
Description
Auto-forwarded email accounts do not meet the requirement for digital signature and encryption of Controlled Unclassified Information (CUI) and Personally Identifiable Information (PII) in accordance with DODI 8520.2 (reference ee) and DOD Director for Administration and Management memorandum, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information". Use of forwarding set by an administrator interferes with nonrepudiation requirements that each end user be responsible for creation and destination of email data.
STIG Date
Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide 2024-01-10

Details

Check Text ( C-63411r942328_chk )
Review the Email Domain Security Plan (EDSP).

Determine any accounts that have been authorized to have email auto-forwarded.

Note: If email auto-forwarding is not being used, this check is not applicable.

Open the Exchange Management Shell and enter the following commands:

Get-Mailbox | Select-Object -Property Name, Identity, Forward*

Note: The asterisk (*) will grab both ForwardingAddress and ForwardingSMTPAddress.

If any user has a forwarding SMTP address and is not documented in the EDSP, this is a finding.

Note: If no remote SMTP domain matching the mail-enabled user or contact that allows forwarding is configured for users identified with a forwarding address, this function will not work properly.
Fix Text (F-63319r942329_fix)
Update the EDSP.

Open the Exchange Management Shell and enter the following command:

Set-Mailbox -Identity <'IdentityName'> -ForwardingSMTPAdddress $null

Note: The value must be in quotes.