MS Exchange 2010 Edge Transport Server STIG


Overview

Date Finding Count (57)
2019-03-21 CAT I (High): 0 CAT II (Med): 43 CAT III (Low): 14
STIG Description
The Microsoft Exchange Server 2010 STIGs cover four of the five roles available with Microsoft Exchange Server 2010. The Email Services Policy STIG must also be reviewed for each site hosting email services. Also, for the Client Access server, the IIS guidance must be reviewed prior to the OWA checks. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-33560 Medium SMTP IP Allow List entries must be empty.
V-33567 Medium Internal Receive Connectors must require encryption.
V-33566 Medium Internal Receive Connectors must not allow anonymous connections.
V-33620 Medium Email software must be monitored for change on INFOCON frequency schedule.
V-33592 Medium Internal Send Connectors must require encryption.
V-33569 Medium Internet facing receive connectors must offer TLS before using basic authentication.
V-33568 Medium External Receive Connectors must be Domain Secure Enabled.
V-33558 Medium SMTP IP Allow List Connection Filter must be enabled.
V-33625 Medium Email application must not share a partition with another application.
V-33606 Medium Email Diagnostic log level must be set to low or lowest level.
V-33626 Medium Servers must use approved DoD certificates.
V-33608 Medium The Send Fatal Errors to Microsoft must be disabled.
V-33581 Medium Recipient filter must be enabled.
V-33629 Medium The current, approved service pack must be installed.
V-33621 Medium Exchange software baseline copy must exist.
V-33644 Medium Messages with blank senders must be rejected.
V-33623 Medium Services must be documented and unnecessary services must be removed or disabled.
V-33642 Medium Filtered messages must be archived.
V-33643 Medium Messages with blank sender field must be filtered.
V-33640 Medium Non-existent recipients must not be blocked.
V-33641 Medium Sender Filter must block accepted domains at the edge.
V-33631 Medium Messages with malformed from address must be rejected.
V-60981 Medium Internal Send Connectors must use an authentication level
V-33576 Medium Auto-forwarding email to remote domains must be disabled or restricted.
V-33578 Medium Tarpitting interval must be set.
V-33556 Medium Sender Identification Framework must be enabled.
V-33557 Medium SMTP Sender Filter must be enabled.
V-33616 Medium Exchange must not send Customer Experience reports to Microsoft.
V-33611 Medium Audit data must be protected against unauthorized access.
V-33613 Medium Exchange application directory must be protected from unauthorized access.
V-33619 Medium Queue monitoring must be configured with threshold and action.
V-33618 Medium Audit data must be on separate partitions.
V-33639 Medium Sender reputation filter must be enabled.
V-33638 Medium Sender reputation filter must identify SPAM block level.
V-33596 Medium Connectivity logging must be enabled.
V-33632 Medium Local machine policy must require signed scripts.
V-33594 Medium Internet facing send Connectors must specify a Smart Host.
V-33637 Medium Attachment filtering must remove undesirable attachments by file type.
V-33636 Medium SPAM evaluation filter must be enabled.
V-33634 Medium SMTP automated banner response must not reveal server details.
V-33633 Medium Block list service provider must be identified.
V-33622 Medium Accepted domains must be configured.
V-33590 Medium Internal Send Connectors must use Domain Security (Mutual Authentication TLS).
V-33563 Low Internet Receive Connector connections count must be set to default.
V-33561 Low Message size restrictions must be controlled on Receive connectors.
V-33565 Low Receive Connector timeout must be limited.
V-33627 Low Global outbound message size must be controlled.
V-33583 Low Send Connectors must be clearly named.
V-33587 Low Message size restrictions must be controlled on Send connectors.
V-33586 Low Send Connectors delivery retries must be controlled.
V-33589 Low Send Connector connections count must be limited.
V-33572 Low Receive Connectors must control the number of recipients per message.
V-33574 Low Receive Connectors must control the number of recipients chunked on a single message.
V-33575 Low Receive Connectors must be clearly named.
V-33579 Low Receive Connector Maximum Hop Count must be 60.
V-33635 Low Outbound Connection Limit per Domain Count must be controlled.
V-33646 Low Outbound Connection Timeout must be 10 or less.