UCF STIG Viewer Logo

MS Exchange 2013 Mailbox Server Security Technical Implementation Guide


Overview

Date Finding Count (70)
2019-12-23 CAT I (High): 1 CAT II (Med): 45 CAT III (Low): 24
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Public)

Finding ID Severity Title
V-70045 High Exchange servers must have an approved DoD email-aware virus protection software installed.
V-69979 Medium Exchange Mailbox databases must reside on a dedicated partition.
V-70033 Medium Exchange Internal Receive connectors must not allow anonymous connections.
V-69973 Medium Exchange Local machine policy must require signed scripts.
V-70039 Medium Exchange must have antispam filtering enabled.
V-69971 Medium Exchange Audit data must be on separate partitions.
V-69977 Medium The Exchange POP3 service must be disabled.
V-69975 Medium The Exchange IMAP4 service must be disabled.
V-70035 Medium Exchange external/Internet-bound automated response messages must be disabled.
V-70037 Medium Exchange must have antispam filtering installed.
V-69987 Medium Exchange internal Send connectors must require encryption.
V-69985 Medium Exchange internal Send connectors must use Domain Security (mutual authentication Transport Layer Security).
V-69983 Medium Exchange internal Receive connectors must require encryption.
V-69981 Medium Exchange Internet-facing Send connectors must specify a Smart Host.
V-70075 Medium Exchange Outlook Anywhere (OA) clients must use NTLM authentication to access email.
V-70077 Medium The Exchange Email application must not share a partition with another application.
V-70071 Medium Exchange software must be monitored for unauthorized changes.
V-69989 Medium Exchange Public Folder stores must be retained until backups are complete.
V-69943 Medium Exchange Servers must use approved DoD certificates.
V-69941 Medium Exchange must have Administrator audit logging enabled.
V-69947 Medium Exchange Connectivity logging must be enabled.
V-69945 Medium Exchange auto-forwarding email to remote domains must be disabled or restricted.
V-70059 Medium Exchange must have the most current, approved service pack installed.
V-69969 Medium Exchange must protect audit data against unauthorized deletion.
V-69961 Medium Exchange Send Fatal Errors to Microsoft must be disabled.
V-69963 Medium Exchange must protect audit data against unauthorized read access.
V-69965 Medium Exchange must not send Customer Experience reports to Microsoft.
V-69967 Medium Exchange must protect audit data against unauthorized access.
V-70073 Medium Exchange services must be documented and unnecessary services must be removed or disabled.
V-70079 Medium Exchange must not send delivery reports to remote domains.
V-69949 Medium The Exchange Email Diagnostic log level must be set to the lowest level.
V-70081 Medium Exchange must not send nondelivery reports to remote domains.
V-69955 Medium Exchange Email Subject Line logging must be disabled.
V-70069 Medium An Exchange software baseline copy must exist.
V-70041 Medium Exchange must have antispam filtering configured.
V-69959 Medium Exchange Queue monitoring must be configured with threshold and action.
V-70043 Medium Exchange must not send automated replies to remote domains.
V-70061 Medium Exchange must provide Mailbox databases in a highly available and redundant configuration.
V-69999 Medium Exchange email-forwarding SMTP domains must be restricted.
V-70067 Medium The Exchange application directory must be protected from unauthorized access.
V-69957 Medium Exchange Message Tracking Logging must be enabled.
V-70055 Medium The applications built-in Malware Agent must be disabled.
V-69993 Medium Exchange Mailboxes must be retained until backups are complete.
V-70065 Medium The Exchange SMTP automated banner response must not reveal server details.
V-69997 Medium Exchange email forwarding must be restricted.
V-70053 Medium A DoD-approved third party Exchange-aware malicious code protection application must be implemented.
V-70051 Low The Exchange Public Store storage quota must be limited.
V-70031 Low The Exchange Outbound Connection Timeout must be 10 minutes or less.
V-70019 Low Exchange Send connectors delivery retries must be controlled.
V-70013 Low Exchange Receive connectors must be clearly named.
V-70011 Low Exchange Receive connectors must control the number of recipients per message.
V-70017 Low Exchange Send connectors must be clearly named.
V-70015 Low The Exchange Receive Connector Maximum Hop Count must be 60.
V-70007 Low Exchange Mailbox Stores must mount at startup.
V-70023 Low The Exchange Send connector connections count must be limited.
V-70021 Low Exchange Message size restrictions must be controlled on Send connectors.
V-70009 Low Exchange Message size restrictions must be controlled on Receive connectors.
V-70025 Low The Exchange global inbound message size must be controlled.
V-70005 Low The Exchange Mail Store storage quota must issue a warning.
V-70029 Low The Exchange Outbound Connection Limit per Domain Count must be controlled.
V-70001 Low Exchange Mail quota settings must not restrict receiving mail.
V-70047 Low The Exchange Global Recipient Count Limit must be set.
V-70003 Low Exchange Mail Quota settings must not restrict receiving mail.
V-70049 Low The Exchange Receive connector timeout must be limited.
V-70057 Low Exchange Public Folder Stores must mount at startup.
V-69951 Low Exchange Audit record parameters must be set.
V-69953 Low Exchange Circular Logging must be disabled.
V-69991 Low The Exchange Public Folder database must not be overwritten by a restore.
V-70027 Low The Exchange global outbound message size must be controlled.
V-69995 Low The Exchange Mailbox database must not be overwritten by a restore.