
MS Exchange 2013 Mailbox Server Security Technical Implementation Guide


Overview

Date: 2019-01-02
Finding Count: 71 (CAT I (High): 1, CAT II (Med): 46, CAT III (Low): 24)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-70045 High Exchange servers must have an approved DoD email-aware virus protection software installed.
V-69979 Medium Exchange Mailbox databases must reside on a dedicated partition.
V-70033 Medium Exchange Internal Receive connectors must not allow anonymous connections.
V-69973 Medium Exchange Local machine policy must require signed scripts.
V-70039 Medium Exchange must have antispam filtering enabled.
V-69971 Medium Exchange Audit data must be on separate partitions.
V-69977 Medium The Exchange POP3 service must be disabled.
V-69975 Medium The Exchange IMAP4 service must be disabled.
V-70035 Medium Exchange external/Internet-bound automated response messages must be disabled.
V-70037 Medium Exchange must have antispam filtering installed.
V-69987 Medium Exchange internal Send connectors must require encryption.
V-69985 Medium Exchange internal Send connectors must use Domain Security (mutual authentication Transport Layer Security).
V-69983 Medium Exchange internal Receive connectors must require encryption.
V-69981 Medium Exchange Internet-facing Send connectors must specify a Smart Host.
V-70075 Medium Exchange Outlook Anywhere (OA) clients must use NTLM authentication to access email.
V-70077 Medium The Exchange Email application must not share a partition with another application.
V-70071 Medium Exchange software must be monitored for unauthorized changes.
V-69989 Medium Exchange Public Folder stores must be retained until backups are complete.
V-69943 Medium Exchange Servers must use approved DoD certificates.
V-69941 Medium Exchange must have Administrator audit logging enabled.
V-69947 Medium Exchange Connectivity logging must be enabled.
V-69945 Medium Exchange auto-forwarding email to remote domains must be disabled or restricted.
V-70059 Medium Exchange must have the most current, approved service pack installed.
V-69969 Medium Exchange must protect audit data against unauthorized deletion.
V-69961 Medium Exchange Send Fatal Errors to Microsoft must be disabled.
V-69963 Medium Exchange must protect audit data against unauthorized read access.
V-69965 Medium Exchange must not send Customer Experience reports to Microsoft.
V-69967 Medium Exchange must protect audit data against unauthorized access.
V-70073 Medium Exchange services must be documented and unnecessary services must be removed or disabled.
V-70079 Medium Exchange must not send delivery reports to remote domains.
V-69949 Medium The Exchange Email Diagnostic log level must be set to the lowest level.
V-70081 Medium Exchange must not send nondelivery reports to remote domains.
V-69955 Medium Exchange Email Subject Line logging must be disabled.
V-70069 Medium An Exchange software baseline copy must exist.
V-70041 Medium Exchange must have antispam filtering configured.
V-69959 Medium Exchange Queue monitoring must be configured with threshold and action.
V-70043 Medium Exchange must not send automated replies to remote domains.
V-70063 Medium Exchange Internal Send connectors must use an authentication level.
V-70061 Medium Exchange must provide Mailbox databases in a highly available and redundant configuration.
V-69999 Medium Exchange email-forwarding SMTP domains must be restricted.
V-70067 Medium The Exchange application directory must be protected from unauthorized access.
V-69957 Medium Exchange Message Tracking Logging must be enabled.
V-70055 Medium The application's built-in Malware Agent must be disabled.
V-69993 Medium Exchange Mailboxes must be retained until backups are complete.
V-70065 Medium The Exchange SMTP automated banner response must not reveal server details.
V-69997 Medium Exchange email forwarding must be restricted.
V-70053 Medium A DoD-approved third party Exchange-aware malicious code protection application must be implemented.
V-70051 Low The Exchange Public Store storage quota must be limited.
V-70031 Low The Exchange Outbound Connection Timeout must be 10 minutes or less.
V-70019 Low Exchange Send connectors delivery retries must be controlled.
V-70013 Low Exchange Receive connectors must be clearly named.
V-70011 Low Exchange Receive connectors must control the number of recipients per message.
V-70017 Low Exchange Send connectors must be clearly named.
V-70015 Low The Exchange Receive Connector Maximum Hop Count must be 60.
V-70007 Low Exchange Mailbox Stores must mount at startup.
V-70023 Low The Exchange Send connector connections count must be limited.
V-70021 Low Exchange Message size restrictions must be controlled on Send connectors.
V-70009 Low Exchange Message size restrictions must be controlled on Receive connectors.
V-70025 Low The Exchange global inbound message size must be controlled.
V-70005 Low The Exchange Mail Store storage quota must issue a warning.
V-70029 Low The Exchange Outbound Connection Limit per Domain Count must be controlled.
V-70001 Low Exchange Mail quota settings must not restrict receiving mail.
V-70047 Low The Exchange Global Recipient Count Limit must be set.
V-70003 Low Exchange Mail Quota settings must not restrict receiving mail.
V-70049 Low The Exchange Receive connector timeout must be limited.
V-70057 Low Exchange Public Folder Stores must mount at startup.
V-69951 Low Exchange Audit record parameters must be set.
V-69953 Low Exchange Circular Logging must be disabled.
V-69991 Low The Exchange Public Folder database must not be overwritten by a restore.
V-70027 Low The Exchange global outbound message size must be controlled.
V-69995 Low The Exchange Mailbox database must not be overwritten by a restore.