UCF STIG Viewer Logo

MS Exchange 2013 Edge Transport Server Security Technical Implementation Guide


Overview

Date Finding Count (63)
2019-03-11 CAT I (High): 3 CAT II (Med): 51 CAT III (Low): 9
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-69933 High Exchange internal Send connectors must require encryption.
V-69931 High Exchange internal Receive connectors must require encryption.
V-69927 High Exchange must provide redundancy.
V-69937 Medium The applications built-in Malware Agent must be disabled.
V-69913 Medium The Exchange software baseline copy must exist.
V-69817 Medium Exchange Internet-facing Receive connectors must offer Transport Layer Security (TLS) before using basic authentication.
V-69915 Medium Exchange software must be monitored for unauthorized changes.
V-69811 Medium The Exchange local machine policy must require signed scripts.
V-69917 Medium Exchange services must be documented and unnecessary services must be removed or disabled.
V-69813 Medium Exchange Internet-facing Send connectors must specify a Smart Host.
V-69919 Medium Exchange software must be installed on a separate partition from the OS.
V-69835 Medium Exchange Receive connector Maximum Hop Count must be 60.
V-69855 Medium Exchange Receive connectors must control the number of recipients per message.
V-69939 Medium A DoD-approved third party Exchange-aware malicious code protection application must be implemented.
V-69935 Medium Exchange must have the most current, approved service pack installed.
V-69795 Medium Exchange Connectivity logging must be enabled.
V-69807 Medium Exchange audit data must be protected against unauthorized access for deletion.
V-69785 Medium Exchange servers must use approved DoD certificates.
V-69787 Medium Exchange must have accepted domains configured.
V-69865 Medium Exchange filtered messages must be archived.
V-69867 Medium The Exchange Sender filter must block unaccepted domains.
V-69861 Medium Exchange messages with a blank sender field must be rejected.
V-69863 Medium Exchange messages with a blank sender field must be filtered.
V-69869 Medium Exchange nonexistent recipients must not be blocked.
V-69881 Medium Exchange messages with malformed From address must be rejected.
V-69877 Medium The Exchange Spam Evaluation filter must be enabled.
V-69821 Medium Exchange Outbound Connection Limit per Domain Count must be controlled.
V-69889 Medium The Exchange Recipient filter must be enabled.
V-69803 Medium Exchange Send Fatal Errors to Microsoft must be disabled.
V-69921 Medium The Exchange SMTP automated banner response must not reveal server details.
V-69907 Medium Exchange Sender Identification Framework must be enabled.
V-69905 Medium Exchange must have antispam filtering configured.
V-69903 Medium Exchange must have antispam filtering enabled.
V-69809 Medium Exchange audit data must be on separate partitions.
V-69819 Medium Exchange Outbound Connection Timeout must be 10 minutes or less.
V-69801 Medium Exchange Audit data must be protected against unauthorized access (read access).
V-69895 Medium Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List entries must be empty.
V-69901 Medium Exchange must have antispam filtering installed.
V-69799 Medium Exchange must not send Customer Experience reports to Microsoft.
V-69879 Medium The Exchange Block List service provider must be identified.
V-69805 Medium Exchange audit data must be protected against unauthorized access for modification.
V-69793 Medium The Exchange email Diagnostic log level must be set to the lowest level.
V-69791 Medium Exchange external Receive connectors must be domain secure-enabled.
V-69797 Medium Exchange Queue monitoring must be configured with threshold and action.
V-69929 Medium Exchange internal Send connectors must use an authentication level.
V-69873 Medium The Exchange Sender Reputation filter must identify the spam block level.
V-69871 Medium The Exchange Sender Reputation filter must be enabled.
V-69899 Medium The Exchange Simple Mail Transfer Protocol (SMTP) Sender filter must be enabled.
V-69875 Medium Exchange Attachment filtering must remove undesirable attachments by file type.
V-69783 Medium Exchange must limit the Receive connector timeout.
V-69911 Medium The Exchange application directory must be protected from unauthorized access.
V-69897 Medium The Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List Connection filter must be enabled.
V-69891 Medium The Exchange tarpitting interval must be set.
V-69893 Medium Exchange internal Receive connectors must not allow anonymous connections.
V-69859 Low Exchange Message size restrictions must be controlled on Receive connectors.
V-69837 Low Exchange Receive connectors must be clearly named.
V-69831 Low Exchange Send connectors delivery retries must be controlled.
V-69839 Low Exchange Receive connectors must control the number of recipients chunked on a single message.
V-69823 Low Exchange Global Outbound Message size must be controlled.
V-69827 Low Exchange Send connector connections count must be limited.
V-69829 Low Exchange message size restrictions must be controlled on Send connectors.
V-69857 Low The Exchange Internet Receive connector connections count must be set to default.
V-69833 Low Exchange Send connectors must be clearly named.