
The Global Recipient Count limit is set to “Unlimited”.


Overview

Finding ID: V-18671
Version: EMG2-006 Exch2K3
Rule ID: SV-20286r1_rule
IA Controls: ECSC-1
Severity: Low
Description
E-mail system availability depends in part on best-practice strategies for setting tuning configurations. The Global Recipient Count limit field controls the maximum number of recipients that can be specified in a single message sent from this server. Its primary purpose is to minimize the chance of an internal sender spamming other recipients, since spam messages often have a large number of recipients. Spam can originate both outside and inside an organization. While inbound spam is evaluated as it arrives, controls such as this one help prevent spam that originates inside the organization. The Recipient Count limit is global to the Exchange implementation. Lower-level refinements are possible; however, in this configuration strategy, setting the value once at the global level ensures a more available system by eliminating potential conflicts among multiple settings. A value of 5000 or less is probably larger than most organizations need, but is small enough to minimize usefulness to spammers and is easily handled by Exchange. Selecting the "no limit" radio button for this item is likely to result in abuse.
STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text ( C-22390r1_chk )
Ensure that Global Recipient Count is not set to "Unlimited".

Procedure: Exchange System Manager >> Global Settings >> Message Delivery >> Properties >> Defaults tab >> Recipient Limits

The "Recipient Count" should be set to a value, not "Unlimited".

Criteria: If "Recipient Count" is set to a value, not "Unlimited", this is not a finding.
Fix Text (F-19318r1_fix)
Set the Recipient Count limit.

Procedure: Exchange System Manager >> Global Settings >> Message Delivery >> Properties >> Defaults tab

Set "Recipients" to a value (do not select Unlimited). The default value is 5000, but can be set lower if local site conditions warrant it and the reason is documented in the System Security Plan.
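The check and fix above are written for the Exchange System Manager GUI. The following PowerShell script is an added example, not part of the STIG or of any Microsoft tooling, that performs the same check (and optionally the fix) against Active Directory, where Exchange 2003 stores its global settings. It assumes, because the page does not say so, that the Defaults-tab value is stored in the msExchRecipLimit attribute of the Message Delivery object under Global Settings in the configuration partition, and that choosing "Unlimited" clears that attribute. Verify both assumptions against your own organization object (for example with ADSI Edit) before relying on the result; the -MaxAllowed ceiling of 5000 is taken from the description, and -Remediate is a switch invented for this example.

```powershell
# Audit of STIG V-18671 (EMG2-006): Exchange 2003 global Recipient Count limit.
# Added example; not the STIG's own procedure and not Microsoft code.
# Assumptions (not stated on the page): the Defaults-tab value lives in the
# msExchRecipLimit attribute of CN=Message Delivery,CN=Global Settings,<org>,
# and the "Unlimited" radio button removes that attribute. Run on a domain-joined
# host with read (and, for -Remediate, write) access to the configuration NC.

param(
    [int]$MaxAllowed = 5000,   # ceiling the STIG description considers adequate
    [switch]$Remediate         # hypothetical switch: write $MaxAllowed when the limit is unset
)

function Get-MessageDeliveryObject {
    # Find the configuration naming context, then the single Exchange organization
    # container beneath CN=Microsoft Exchange,CN=Services.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = $rootDse.Properties['configurationNamingContext'].Value
    $services = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
    $org = $services.psbase.Children |
        Where-Object { $_.SchemaClassName -eq 'msExchOrganizationContainer' } |
        Select-Object -First 1
    if (-not $org) { throw "No Exchange organization container found under $configNC" }
    $orgDN = $org.Properties['distinguishedName'].Value
    return [ADSI]"LDAP://CN=Message Delivery,CN=Global Settings,$orgDN"
}

function Test-RecipientCountLimit {
    param(
        [System.DirectoryServices.DirectoryEntry]$MessageDelivery,
        [int]$MaxAllowed
    )
    $raw = $MessageDelivery.Properties['msExchRecipLimit'].Value
    if ($null -eq $raw) {
        # Assumption: no attribute means the GUI shows "Unlimited" -> finding.
        return New-Object PSObject -Property @{
            Limit  = $null
            Status = 'Finding'
            Reason = 'Recipient Count is Unlimited (msExchRecipLimit not set)'
        }
    }
    $limit = [int]$raw
    $note = ''
    if ($limit -gt $MaxAllowed) {
        # Still not a finding per the check text, but larger than the description recommends.
        $note = " (exceeds the $MaxAllowed ceiling the STIG description recommends; review)"
    }
    return New-Object PSObject -Property @{
        Limit  = $limit
        Status = 'NotAFinding'
        Reason = "Recipient Count set to $limit$note"
    }
}

function Set-RecipientCountLimit {
    # Equivalent of the Fix Text: set a finite value on the Defaults tab.
    param([System.DirectoryServices.DirectoryEntry]$MessageDelivery, [int]$Limit)
    $MessageDelivery.Properties['msExchRecipLimit'].Value = $Limit
    $MessageDelivery.CommitChanges()
}

$md     = Get-MessageDeliveryObject
$result = Test-RecipientCountLimit -MessageDelivery $md -MaxAllowed $MaxAllowed
$result | Format-List Status, Limit, Reason

if ($Remediate -and $result.Status -eq 'Finding') {
    Set-RecipientCountLimit -MessageDelivery $md -Limit $MaxAllowed
    Write-Host "Recipient Count set to $MaxAllowed. Record the chosen value in the System Security Plan."
}
```

Run it without -Remediate first and compare its output with what the Defaults tab shows; if the two disagree, the attribute assumption above is wrong for your environment and the GUI procedure in the Check Text remains authoritative.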