UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

MS Exchange 2013 Client Access Server Security Technical Implementation Guide


Overview

Date Finding Count (33)
2019-12-18 CAT I (High): 1 CAT II (Med): 28 CAT III (Low): 4
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Public)

Finding ID Severity Title
V-69775 High Exchange OWA must use https.
V-69767 Medium Exchange services must be documented and unnecessary services must be removed or disabled.
V-69729 Medium Exchange must have IIS map client certificates to an approved certificate server.
V-69763 Medium Exchange software baseline copy must exist.
V-69761 Medium Exchange application directory must be protected from unauthorized access.
V-69723 Medium Exchange must have Administrator audit logging enabled.
V-69721 Medium Exchange must have authenticated access set to Integrated Windows Authentication only.
V-69727 Medium Exchange ActiveSync (EAS) must only use certificate-based authentication to access email.
V-69725 Medium Exchange Servers must use approved DoD certificates.
V-69765 Medium Exchange software must be monitored for unauthorized changes.
V-69745 Medium Exchange must have audit data protected against unauthorized deletion.
V-69717 Medium Exchange must use Encryption for OWA access.
V-69741 Medium Exchange must not send Customer Experience reports to Microsoft.
V-69743 Medium Exchange must have Audit data protected against unauthorized modification.
V-69753 Medium Exchange IMAP4 service must be disabled.
V-69755 Medium Exchange POP3 service must be disabled.
V-69751 Medium Exchange Local machine policy must require signed scripts.
V-69719 Medium Exchange must have Forms-based Authentication disabled.
V-69739 Medium Exchange must have Audit data protected against unauthorized read access.
V-69715 Medium Exchange must use Encryption for RPC client access.
V-69735 Medium Exchange must have Queue monitoring configured with threshold and action.
V-69737 Medium Exchange must have Send Fatal Errors to Microsoft disabled.
V-69731 Medium Exchange Email Diagnostic log level must be set to lowest level.
V-69779 Medium Exchange must have the most current, approved service pack installed.
V-69771 Medium Exchange software must be installed on a separate partition from the OS.
V-69773 Medium Exchange must provide redundancy.
V-69769 Medium Exchange Outlook Anywhere (OA) clients must use NTLM authentication to access email.
V-69777 Medium Exchange OWA must have S/MIME Certificates enabled.
V-69781 Medium Exchange must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-69757 Low Exchange must have the Public Folder virtual directory removed if not in use by the site.
V-69747 Low Exchange must have Audit data on separate partitions.
V-69733 Low Exchange must have Audit record parameters set.
V-69759 Low Exchange must have the Microsoft Active Sync directory removed.