Vuln ID | Severity | Rule Title | Discussion |
--- | --- | --- | --- |
V-18762 | High | One or more SMTP Virtual Servers do not have a Valid Certificate. | Server certificates are required for many security features in Exchange, and without them the server cannot engage in many forms of secure communication. Certificates must be manually installed... |
V-18760 | High | OWA does not require only Integrated Windows Authentication. | Identification and Authentication provide the foundation for access control. Access to E-mail services applications in the DoD requires authentication using DoD Public Key Infrastructure (PKI)... |
V-18642 | High | E-mail Server does not require S/MIME capable clients. | Identification and Authentication provide the foundation for access control. The ability for receiving users to authenticate the source of E-Mail messages helps to ensure that they are not FORGED... |
V-18784 | High | SMTP Connectors perform outbound anonymous connections. | Identification and Authentication provide the foundation for access control. The key to preventing SPAM insertion into the SMTP message transfer path is to require authentication at each ‘hop’ of... |
V-18786 | High | Public Folder access does not require secure channels and encryption. | Failure to require secure connections on a web site increases the potential for unintended decryption and data loss. This setting controls whether client machines should be forced to use secure... |
V-18787 | High | Outlook Web Access (OWA) does not require secure channels and encryption. | Failure to require secure connections on a web site increases the potential for unintended decryption and data loss. This setting controls whether client machines should be forced to use secure... |
V-18699 | High | SMTP connectors allow unauthenticated relay. | Identification and Authentication provide the foundation for access control. The key to preventing SPAM insertion into the SMTP message transfer path is to require authentication at each ‘hop’ of... |
V-53399 | High | Exchange Server Software that is no longer supported by the vendor for security updates must not be installed on a system. | Exchange Server Software that is no longer supported by Microsoft for security updates is not evaluated or updated for vulnerabilities, leaving it open to potential attack. Organizations must... |
V-18820 | High | E-mail servers do not have E-mail aware virus protection. | With the proliferation of trojans, viruses, and SPAM attaching themselves to E-Mail messages (or attachments), it is necessary to have capable E-Mail Aware Anti-Virus (AV) products to scan... |
V-18744 | High | E-mail Public Folders do not require S/MIME capable clients. | Identification and Authentication provide the foundation for access control. The ability for receiving users to authenticate the source of Public Folder messages helps to ensure that they are not... |
V-18745 | High | OWA Virtual Server has Forms-Based Authentication enabled. | Identification and Authentication provide the foundation for access control. Access to E-Mail services applications in the DoD requires authentication using DoD Public Key Infrastructure (PKI)... |
V-18807 | Medium | ExAdmin does not have correct permissions in the ExAdmin Virtual Server. | The principle of Least Privilege ordinarily requires analysis to ensure that users and processes are granted only as much privilege as is required to function effectively, but no additional... |
V-18674 | Medium | The Mailbox server is not protected by having blank sender messages filtered by the Edge Transport Role server (E-mail Secure Gateway) at the perimeter. | By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server... |
V-18675 | Medium | The E-Mail server is not protected by having connections from “Sender Filter” sources dropped by the Edge Transport Server role (E-Mail Secure Gateway) at the perimeter. | SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to... |
V-18676 | Medium | E-Mail server has unneeded processes or services active. | Unneeded, but running, services offer attackers an enhanced attack profile, and attackers are constantly watching to discover open ports with running services. By analyzing and disabling... |
V-18670 | Medium | Message Recipient Count Limit is not limited on the SMTP virtual server. | E-Mail system availability depends in part on best practices strategies for setting tuning configurations. Global Message Recipient Limits determine the total number of recipients that can be... |
V-18672 | Medium | The Exchange E-mail Services environment is not protected by an Edge Transport Server (E-Mail Secure Gateway) performing Non-existent recipient filtering at the perimeter. | SPAM originators, in an effort to refine mailing lists, sometimes use a technique where they first create fictitious names, then monitor rejected E-mails for non-existent recipients. Those not... |
V-18673 | Medium | The Mailbox server is not protected by having filtered messages archived by the Edge Transport Role server (E-mail Secure Gateway) at the perimeter. | By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server... |
V-18804 | Medium | Scripts are permitted to execute in the Public Folder web server. | Scripts on virtual servers are a frequent cause of server compromises. Since this virtual (web) server is the primary interface between Exchange and the web, it is particularly at risk of... |
V-18767 | Medium | The “Disable Server Monitoring” feature is enabled. | Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. This setting... |
V-18641 | Medium | User mailboxes are hosted on non-Mailbox Server role. | Separation of roles supports operational security for application as well as human resources. By isolating a server role such as ‘Mailbox Role’, boundaries that pertain to Mailbox data... |
V-18770 | Medium | SMTP Virtual Server Auditing is not active. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This setting controls the creation and... |
V-18805 | Medium | Scripts are Permitted to Execute in the ExAdmin Virtual Server. | The ExAdmin Virtual Server is used by the Exchange System Manager to access mailboxes and Public Folders. As such, it is a required part of the Exchange application. The Exchange System Manager... |
V-18719 | Medium | Users do not have correct permissions in the Public Virtual Server. | The principle of Least Privilege ordinarily requires analysis to ensure that users and processes are granted only as much privilege as is required to function effectively, but no additional... |
V-18717 | Medium | Exchange Core Services Monitors are not configured with threshold and actions. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Exchange 2003 built-in monitors... |
V-18716 | Medium | Windows 2003 Services Monitoring Notifications are not configured with thresholds and actions. | Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Exchange 2003... |
V-18715 | Medium | SMTP Queue Monitor is not configured with a threshold and alert. | Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Exchange 2003... |
V-18714 | Medium | Virtual memory monitoring notifications are not configured with threshold and action. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Exchange 2003 built-in monitors... |
V-18713 | Medium | CPU Monitoring Notifications are not configured with threshold and action. | Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Exchange 2003... |
V-18712 | Medium | Disk Space Monitoring is not Configured with Threshold and Action. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Exchange 2003 built-in monitors... |
V-18711 | Medium | Exchange sends fatal errors to Microsoft. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This setting enables an automated log... |
V-18710 | Medium | SMTP Virtual Server Audit Records are not directed to a separate partition. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This setting controls the location of... |
V-18796 | Medium | E-Mail service accounts are not operating at least privilege. | Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. A... |
V-18795 | Medium | E-mail Services accounts are not restricted to named services. | Applications introduce some of the most common database attack avenues, and can provide a pathway for an unlimited number of malicious users to access sensitive data. An account responsible for... |
V-18792 | Medium | SMTP service banner response reveals configuration details. | Automated connection responses occur as a result of FTP or Telnet connections, when connecting to those services. They report a successful connection by greeting the connecting client, stating... |
V-18655 | Medium | Public Folder Stores "Do not Mount at Startup" is enabled. | Administrator responsibilities include the ability to react to unplanned maintenance tasks or emergency situations that may require Public Folder Store data manipulation. Occasionally, there may... |
V-18799 | Medium | E-mail restore permissions are not restricted to E-mail administrators. | Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two... |
V-19186 | Medium | Mailbox access control mechanisms are not audited for changes. | Unauthorized or malicious data changes can compromise the integrity and usefulness of the data. Automated attacks or malicious users with elevated privileges have the ability to affect change... |
V-18723 | Medium | Mailboxes and messages are not retained until backups are complete. | Backup and recovery procedures are an important part of overall system availability and integrity. Complete backups reduce the chance of accidental deletion of important information, and ensure... |
V-18706 | Medium | E-mail Diagnostic Logging is enabled during production operations. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Diagnostic logging, however,... |
V-18707 | Medium | E-mail “Subject Line” logging is enabled during production operations. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. When “message tracking” is enabled,... |
V-18700 | Medium | SMTP virtual Server does not Restrict Relay Access. | E-mail is only as secure as the recipient. This control is used to limit the servers that may use this server as a relay. If a Simple Mail Transport Protocol (SMTP) sender does not have a... |
V-18701 | Medium | “Smart-Host” is specified at the Virtual Server level. | E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This control determines whether the entire Virtual Server routes its outbound Simple... |
V-18703 | Medium | Virtual Server default outbound security is not anonymous and TLS. | Identification and Authentication provide the foundation for access control. The key to preventing SPAM insertion into the SMTP message transfer path is to require authentication at each ‘hop’ of... |
V-18780 | Medium | Exchange Server is not protected by an Edge Transport Server (E-mail Secure Gateway) that performs Anonymous Connections interaction with Internet-based E-mail servers. | E-mail is only as secure as the recipient. By ensuring secured connections for all Simple Mail Transfer Protocol (SMTP) servers along the message transfer path, risk of “Anonymous” message... |
V-18782 | Medium | SMTP Virtual Servers do not Require Secure Channels and Encryption. | The Simple Mail Transfer Protocol (SMTP) Virtual Server is used by the Exchange System Manager to send and receive messages from server to server using SMTP protocol. This setting controls the... |
V-19198 | Medium | Message size restriction is specified at the SMTP connector level. | E-mail system availability depends in part on best practices strategies for setting tuning configurations. For message size restrictions, multiple places exist to set or override inbound or... |
V-18731 | Medium | E-mail application installation is sharing a partition with another application. | In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and... |
V-18733 | Medium | E-mail web applications are operating on non-standard ports. | PPSM Standard defined ports and protocols must be used for all Exchange services. The standard port for HTTP connections is 80 and the standard port for HTTPS connections is 443. Changing the... |
V-18732 | Medium | Audit data is sharing directories or partitions with the E-mail application. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be... |
V-18735 | Medium | SMTP Virtual Server is not bound to the PPSM Standard Port. | PPSM Standard defined ports and protocols must be used for all Exchange services. The default port for SMTP connections is 25. Changing the ports to non-standard values provides only... |
V-18734 | Medium | E-mail SMTP services are using Non-PPSM compliant ports. | Standard defined ports and protocols should be used for all Exchange services. The standard port for regular SMTP connections is 25. Changing the ports to non-standard values provides only... |
V-18724 | Medium | Public Folder stores and documents are not retained until backups are complete. | Backup and recovery procedures are an important part of overall system availability and integrity. Complete backups reduce the chance of accidental deletion of important information, and ensure... |
V-18721 | Medium | E-mail servers are not protected by an Edge Transport Server role (E-mail Secure Gateway) removing disallowed message attachments at the network perimeter. | By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the Mail server... |
V-18803 | Medium | Scripts are permitted to execute in the OWA Virtual Server. | Scripts on virtual servers are a frequent cause of server compromises. Since this virtual (web) server is the primary interface between Exchange and the web, it is particularly at risk of... |
V-18802 | Medium | Exchange application permissions are not at vendor recommended settings. | Default product installations may provide more generous permissions than are necessary to run the application. By examining and tailoring permissions to more closely provide the least amount of... |
V-18801 | Medium | Services permissions do not reflect least privilege. | Good security practice demands both the separation of duties and the assignment of least privilege. Role Based Access Control (RBAC) is the most accepted method for meeting these two criteria. A... |
V-18686 | Medium | Message size restrictions are specified on routing group connectors. | E-Mail system availability depends in part on best practices strategies for setting tuning configurations. For message size restrictions, multiple places exist to set or override inbound or... |
V-18806 | Medium | Users do not have correct permissions in the OWA Virtual Server. | The principle of Least Privilege ordinarily requires analysis to ensure that users and processes are granted only as much privilege as is required to function effectively, but no additional... |
V-18818 | Medium | E-mail Services are not protected by having an Edge Transport Server (E-mail Secure Gateway) performing outbound message signing at the perimeter. | Individual messages can be protected by requiring message signing at the creation point (Outlook), at the originator’s discretion, enabling integrity protection for their messages. However,... |
V-18819 | Medium | E-Mail audit trails are not protected against unauthorized access. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be... |
V-18698 | Medium | The SMTP connectors do not specify use of a “Smart Host”. | E-mail system availability depends in part on best practices strategies for setting tuning configurations. In the case of identifying a ‘Smart Host’ for the E-Mail environment, the connector... |
V-18759 | Medium | Default web site allows anonymous access. | The Default Web site is the virtual server on which all Exchange virtual directories reside. This feature controls the authentication method used to connect to this virtual server and its virtual... |
V-18696 | Medium | ExAdmin Virtual Directory is not Configured for Integrated Windows Authentication. | Identification and Authentication provide the foundation for access control. The ExAdmin Virtual Directory is used by the Exchange System Manager to access mailboxes and Public Folders. This... |
V-18694 | Medium | SMTP Connection Restrictions do not use the "Deny All" strategy. | E-mail is only as secure as the recipient. Recipient SMTP servers that accept messages from all sources provide a way for rogue senders (such as SPAMMERS) or malicious users to insert message... |
V-18697 | Medium | Routing Group is not selected as the SMTP connector scope. | E-mail system availability depends in part on best practices strategies for setting tuning configurations. This setting determines which SMTP Servers are permitted to use this SMTP Connector,... |
V-18741 | Medium | E-mail software is not monitored for change on INFOCON frequency schedule. | The INFOCON system provides a framework within which the Commander USSTRATCOM regional commanders, service chiefs, base/post/camp/station/vessel commanders, or agency directors can increase the... |
V-18742 | Medium | Security support data or process is sharing a directory or partition with Exchange. | The Security Support Structure is a security control function or service provided by an external system or application. For example, a Windows Domain Controller that provides Identification and... |
V-18743 | Medium | Exchange software baseline copy does not exist. | Exchange 2003 software, as with other application software installed on a host system, must be included in a system baseline record and periodically reviewed, otherwise unauthorized changes to the... |
V-18666 | Medium | E-mail Server Global Sending or Receiving message size is set to Unlimited. | E-Mail system availability depends in part on best practices strategies for setting tuning configurations. Message size limits should be set to 30 megabytes at most, but often are smaller,... |
V-18665 | Medium | Mailbox Server is not protected by an Edge Transport Server (E-mail Secure Gateway) performing Sender Authentication at the perimeter. | Email is only as secure as the recipient. When the recipient is an E-Mail server accepting inbound messages, authenticating the sender enables the receiver to better assess message quality and to... |
V-18664 | Medium | Mailbox server is not protected by an Edge Transport Server role (E-mail Secure Gateway) performing Block List exception filtering at the perimeter. | SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to inbound... |
V-18663 | Medium | The Mailbox server is not protected by an Edge Transport Server Role (E-mail Secure Gateway) performing 'Block List' filtering. | SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to... |
V-18662 | Medium | Mailbox Server is not protected by an Edge Transport Server (E-mail Secure Gateway) performing SPAM evaluation. | By performing filtering at the perimeter, up to 90% of SPAM, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server... |
V-18661 | Medium | Mailbox server is not protected by E-mail Edge Transport role (E-mail Secure Gateway) performing Global Accept/Deny list filtering. | SPAM origination sites and other sources of suspected E-Mail borne malware have the ability to corrupt, compromise, or otherwise limit availability of E-Mail servers. Limiting exposure to... |
V-18660 | Medium | Automated Response Messages are Enabled. | SPAM originators, in an effort to refine mailing lists, sometimes use a technique where they monitor transmissions for automated bounce back messages such as “Out of Office” messages. Automated... |
V-18685 | Low | Connectors are not clearly named as to direction or purpose. | E-mail system availability depends in part on best practices strategies for setting tuning configurations. For connectors, unclear naming as to direction and purpose increases risk that messages... |
V-18687 | Low | The Outbound Delivery Retry Values are not at the Defaults, or do not have alternate values documented in the System Security Plan. | E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This setting controls the rate at which delivery attempts from the home domain are... |
V-18671 | Low | The Global Recipient Count limit is set to “Unlimited”. | E-Mail system availability depends in part on best practices strategies for setting tuning configurations. The Global Recipient Count limit field is used to control the maximum number of... |
V-18763 | Low | Audit Records do not contain all required fields. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This item declares the fields that... |
V-18643 | Low | E-mail user mailboxes do not have Storage Quota Limitations. | E-mail system availability depends in part on best practices strategies for setting tuning configurations. These settings control the maximum sizes of a user’s mailbox and the system’s response... |
V-18645 | Low | Public Folders Store storage quota limits are overridden. | E-mail system availability depends in part on best practices strategies for setting tuning configurations. Some settings enable more granular control when it is needed for a specific... |
V-18644 | Low | E-mail Public Folders do not have Storage Quota Limitations. | E-Mail system availability depends in part on best practices strategies for setting tuning configurations. These settings control the maximum sizes of a Public Folder and the system’s response if... |
V-18646 | Low | Mailbox Stores "Do Not Mount at Startup" is enabled. | Administrator responsibilities include the ability to react to unplanned maintenance tasks or emergency situations that may require Mailbox data manipulation. Occasionally, there may be a need to... |
V-18658 | Low | Public Folder “Send on Behalf of” feature is in use. | The principle of non-repudiation gives a message recipient the assurance that the message can be attributed to the named sender. If users are allowed to send on behalf of other parties, it... |
V-18704 | Low | The SMTP Virtual Server is configured to perform DNS lookups for anonymous E-mails. | E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This feature causes the server to use a Directory Naming Service (DNS) lookup to try to... |
V-18705 | Low | E-mail Server "Circular Logging" is not set appropriately. | Logging provides a history of events performed, and can also provide evidence of tampering or attack. Failure to create and preserve logs adds to the risk that suspicious events may go unnoticed,... |
V-18702 | Low | The SMTP Virtual Server performs reverse DNS lookups for anonymous message delivery. | E-mail system availability depends in part on best practices strategies for setting tuning configurations. This feature causes the server to use a Directory Naming Service (DNS) lookup to try to... |
V-18788 | Low | ExAdmin is configured for Secure Channels and Encryption. | ExAdmin Virtual Directory is used by the Exchange System Manager to access mailboxes and Public Folders. Users do not directly access the ExAdmin Virtual Directory. This feature controls the... |
V-18726 | Low | Public Folder Stores Restore Overwrite is enabled. | E-mail system availability depends in part on best practices strategies for setting tuning configurations. Unauthorized or accidental restoration of public folder data risks data loss or... |
V-18727 | Low | E-mail message copies are not archived. | For E-mail environments with sufficiently sensitive requirements (either legal or data classification), local e-mail policy may require that all messages sent or received from a given server be... |
V-18725 | Low | Mailbox Stores Restore Overwrite is enabled. | E-mail system availability depends in part on best practices strategies for setting tuning configurations. Unauthorized or accidental restoration of mailbox data risks data loss or corruption. ... |
V-18689 | Low | SMTP Maximum outbound connections are not at 1000, or an alternate value is not documented in System Security Plan. | E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This setting controls the maximum number of simultaneous outbound connections allowed... |
V-18688 | Low | SMTP Maximum Hop Count is not 30. | E-mail system availability depends in part on best practices strategies for setting tuning configurations. This setting controls the maximum number of hops (E-mail servers traversed) a message... |
V-18681 | Low | Unneeded OMA E-mail Web Virtual Directory is not removed. | To reduce the vectors through which a server can be attacked, unneeded application components should be disabled or removed. By default, a virtual directory is installed for OMA, and the... |
V-18683 | Low | Unneeded "Public" E-mail Virtual Directory is not removed. | To reduce the vectors through which a server can be attacked, unneeded application components should be disabled or removed. By default, a virtual directory is installed for Public Folders. If... |
V-18682 | Low | Unneeded Active Sync E-mail Web Virtual Directory is not removed. | To reduce the vectors through which a server can be attacked, unneeded application components should be disabled or removed. By default, a virtual directory is installed for Active Sync, and the... |
V-18692 | Low | Inbound Connection Count Limit is not set to "Unlimited". | E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This configuration controls the maximum number of simultaneous inbound connections... |
V-18693 | Low | Maximum Inbound Connection Timeout Limit is not 10 or less. | E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This configuration controls the number of idle minutes before the connection is... |
V-18691 | Low | Outbound Connection Limit per Domain Count is not 100 or less. | E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This configuration controls the maximum number of simultaneous outbound connections from... |
V-18690 | Low | Maximum outbound connection timeout limit is not at 10 minutes or less. | E-mail system availability depends in part on best practices strategies for setting tuning configurations. This configuration controls the number of idle minutes before the connection is... |
V-18695 | Low | SMTP Sender, Recipient, or Connection Filters are not engaged. | E-mail system availability depends in part on best practices strategies for setting tuning configurations. Careful tuning reduces the risk that system or network congestion will contribute to... |
V-18812 | Low | Exchange application memory is not zeroed out after message deletion. | Residual data left in memory after a transaction is completed adds risk that it can be used for malicious purposes in the event that access to the data is achieved. Applications may perform... |
V-18667 | Low | Sending or Receiving message size is not set to Unlimited on the SMTP virtual server. | E-mail system availability depends in part on best practices strategies for setting tuning configurations. E-mail system availability has become a necessary feature in information sharing, and... |
V-18669 | Low | The SMTP Virtual Server Message Count Limit is not 20. | E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This setting controls the maximum number of messages allowed in a single SMTP session by... |
V-18668 | Low | The SMTP Virtual Server Session Size is not set to "Unlimited". | E-Mail system availability depends in part on best practices strategies for setting tuning configurations. This setting controls the maximum SMTP Virtual Server session sizes (inbound and... |