
Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide


Overview

Date: 2024-06-10
Finding Count (68): CAT I (High): 2, CAT II (Med): 50, CAT III (Low): 16
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-259686 High Exchange servers must have an approved DOD email-aware virus protection software installed.
V-259710 High The application must protect the confidentiality and integrity of transmitted information.
V-259668 Medium The Exchange Post Office Protocol 3 (POP3) service must be disabled.
V-259649 Medium Exchange servers must use approved DOD certificates.
V-259648 Medium Exchange must have administrator audit logging enabled.
V-259708 Medium Exchange internal send connectors must use an authentication level.
V-259704 Medium The Exchange email application must not share a partition with another application.
V-259705 Medium Exchange must not send delivery reports to remote domains.
V-259706 Medium Exchange must not send nondelivery reports to remote domains.
V-259707 Medium The Exchange SMTP automated banner response must not reveal server details.
V-259645 Medium Exchange must use encryption for RPC client access.
V-259701 Medium Exchange software must be monitored for unauthorized changes.
V-259647 Medium Exchange must have forms-based authentication enabled.
V-259646 Medium Exchange must use encryption for Outlook Web App (OWA) access.
V-259663 Medium Exchange audit data must be on separate partitions.
V-259662 Medium Exchange must protect audit data against unauthorized deletion.
V-259661 Medium Exchange must protect audit data against unauthorized access.
V-259660 Medium Exchange must protect audit data against unauthorized read access.
V-259689 Medium Exchange must have anti-spam filtering installed.
V-259688 Medium Exchange external/internet-bound automated response messages must be disabled.
V-259665 Medium Exchange Send Fatal Errors to Microsoft must be disabled.
V-259664 Medium Exchange local machine policy must require signed scripts.
V-259669 Medium Exchange Mailbox databases must reside on a dedicated partition.
V-259702 Medium Exchange services must be documented, and unnecessary services must be removed or disabled.
V-259700 Medium An Exchange software baseline copy must exist.
V-259687 Medium Exchange internal receive connectors must not allow anonymous connections.
V-259659 Medium Exchange queue monitoring must be configured with threshold and action.
V-259652 Medium Exchange connectivity logging must be enabled.
V-259703 Medium Exchange Outlook Anywhere clients must use NTLM authentication to access email.
V-259656 Medium Exchange email subject line logging must be disabled.
V-259657 Medium Exchange message tracking logging must be enabled.
V-259672 Medium Exchange email forwarding must be restricted.
V-259673 Medium Exchange email-forwarding SMTP domains must be restricted.
V-259653 Medium The Exchange email diagnostic log level must be set to the lowest level.
V-259667 Medium The Exchange Internet Message Access Protocol 4 (IMAP4) service must be disabled.
V-259712 Medium Exchange must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-259711 Medium Exchange must have the most current, approved Cumulative Update installed.
V-259666 Medium Exchange must not send customer experience reports to Microsoft.
V-259670 Medium Exchange internet-facing send connectors must specify a smart host.
V-259671 Medium Exchange mailboxes must be retained until backups are complete.
V-259698 Medium Role-Based Access Control must be defined for privileged and nonprivileged users.
V-259699 Medium The Exchange application directory must be protected from unauthorized access.
V-259651 Medium Exchange auto-forwarding email to remote domains must be disabled or restricted.
V-259690 Medium Exchange must have anti-spam filtering enabled.
V-259691 Medium Exchange must have anti-spam filtering configured.
V-259696 Medium The Exchange built-in malware agent must be disabled.
V-259694 Medium Exchange antimalware agent must be enabled and configured.
V-259695 Medium The Exchange malware scanning agent must be configured for automatic updates.
V-259692 Medium Exchange must not send automated replies to remote domains.
V-259650 Medium Exchange must have authenticated access set to integrated Windows authentication only.
V-259655 Medium The RBAC role for audit log management must be defined and restricted.
V-259709 Medium Exchange must provide mailbox databases in a highly available and redundant configuration.
V-259658 Low Exchange circular logging must be disabled.
V-259685 Low The Exchange Outbound Connection Timeout must be 10 minutes or less.
V-259684 Low The Exchange Outbound Connection Limit per Domain Count must be controlled.
V-259681 Low Exchange message size restrictions must be controlled on send connectors.
V-259680 Low Exchange receive connectors must control the number of recipients per message.
V-259683 Low The Exchange global outbound message size must be controlled.
V-259682 Low The Exchange global inbound message size must be controlled.
V-259674 Low Exchange mailbox stores must mount at startup.
V-259675 Low Exchange mail quota settings must not restrict receiving mail.
V-259676 Low Exchange mail quota settings must not restrict sending mail.
V-259678 Low The Exchange Receive Connector Maximum Hop Count must be 60.
V-259679 Low The Exchange send connector connections count must be limited.
V-259697 Low The Exchange receive connector timeout must be limited.
V-259693 Low The Exchange Global Recipient Count Limit must be set.
V-259654 Low Exchange audit record parameters must be set.
V-259677 Low Exchange Message size restrictions must be controlled on Receive connectors.