DISA Microsoft Exchange 2016 Edge Transport Server STIG v2r3

Audit Details

Name: DISA Microsoft Exchange 2016 Edge Transport Server STIG v2r3

Updated: 5/17/2022

Authority: DISA STIG

Plugin: Windows

Revision: 1.0

Estimated Item Count: 80

File Details

Filename: DISA_STIG_Microsoft_Exchange_2016_Edge_Transport_Server_v2r3.audit

Size: 177 kB

MD5: 1130b4abd9defc4ab3d3181bd2be46d2
SHA256: f5686cca7d977a89b873bae2e6c29291d0c374a8cf774a90253b7c695996d0c2

Audit Items

Description

Categories
Authentication Failure

ACCESS CONTROL

DISA_STIG_Microsoft_Exchange_2016_Edge_Transport_Server_v2r3.audit from DISA Microsoft Exchange 2016 Edge Transport Server v2r3 STIG

SYSTEM AND INFORMATION INTEGRITY

EX16-ED-000010 - Exchange must limit the Receive connector timeout.

ACCESS CONTROL

EX16-ED-000020 - Exchange servers must use approved DoD certificates.

ACCESS CONTROL

EX16-ED-000030 - Exchange must have accepted domains configured.

ACCESS CONTROL

EX16-ED-000040 - Exchange must have auto-forwarding of email to remote domains disabled or restricted.

ACCESS CONTROL

EX16-ED-000050 - Exchange external Receive connectors must be domain secure-enabled.

ACCESS CONTROL

EX16-ED-000060 - The Exchange email Diagnostic log level must be set to the lowest level.

AUDIT AND ACCOUNTABILITY

EX16-ED-000070 - Exchange Connectivity logging must be enabled.

AUDIT AND ACCOUNTABILITY

EX16-ED-000080 - Exchange Queue monitoring must be configured with threshold and action.

AUDIT AND ACCOUNTABILITY

EX16-ED-000090 - Exchange must not send Customer Experience reports to Microsoft.

CONFIGURATION MANAGEMENT

EX16-ED-000100 - Exchange Audit data must be protected against unauthorized access (read access).

AUDIT AND ACCOUNTABILITY

EX16-ED-000110 - Exchange Send Fatal Errors to Microsoft must be disabled.

CONFIGURATION MANAGEMENT

EX16-ED-000120 - Exchange audit data must be protected against unauthorized access for modification.

AUDIT AND ACCOUNTABILITY

EX16-ED-000130 - Exchange audit data must be protected against unauthorized access for deletion.

AUDIT AND ACCOUNTABILITY

EX16-ED-000140 - Exchange audit data must be on separate partitions.

AUDIT AND ACCOUNTABILITY

EX16-ED-000150 - The Exchange local machine policy must require signed scripts.

CONFIGURATION MANAGEMENT

EX16-ED-000160 - Exchange Internet-facing Send connectors must specify a Smart Host.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-ED-000170 - Exchange internal Send connectors must use domain security (mutual authentication Transport Layer Security). - DNSRoutingEnabled

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-ED-000170 - Exchange internal Send connectors must use domain security (mutual authentication Transport Layer Security). - DomainSecureEnabled

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-ED-000170 - Exchange internal Send connectors must use domain security (mutual authentication Transport Layer Security). - RequireTLS

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-ED-000170 - Exchange internal Send connectors must use domain security (mutual authentication Transport Layer Security). - TlsAuthLevel

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-ED-000180 - Exchange Internet-facing Receive connectors must offer Transport Layer Security (TLS) before using basic authentication.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-ED-000190 - Exchange Outbound Connection Timeout must be 10 minutes or less.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-ED-000200 - Exchange Outbound Connection Limit per Domain Count must be controlled.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-ED-000230 - Exchange Send connector connections count must be limited.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-ED-000240 - Exchange message size restrictions must be controlled on Send connectors.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-ED-000250 - Exchange Send connectors delivery retries must be controlled.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-ED-000260 - Exchange Send connectors must be clearly named.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-ED-000270 - Exchange Receive connector Maximum Hop Count must be 60.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-ED-000280 - Exchange Receive connectors must be clearly named.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-ED-000290 - Exchange Receive connectors must control the number of recipients chunked on a single message.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-ED-000300 - Exchange Receive connectors must control the number of recipients per message.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-ED-000310 - The Exchange Internet Receive connector connections count must be set to default.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-ED-000320 - Exchange Message size restrictions must be controlled on Receive connectors.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-ED-000330 - Exchange messages with a blank sender field must be rejected.

SYSTEM AND INFORMATION INTEGRITY

EX16-ED-000340 - Exchange messages with a blank sender field must be filtered.

SYSTEM AND INFORMATION INTEGRITY

EX16-ED-000350 - Exchange filtered messages must be archived.

SYSTEM AND INFORMATION INTEGRITY

EX16-ED-000360 - The Exchange Sender filter must block unaccepted domains.

SYSTEM AND INFORMATION INTEGRITY

EX16-ED-000370 - Exchange nonexistent recipients must not be blocked.

SYSTEM AND INFORMATION INTEGRITY

EX16-ED-000380 - The Exchange Sender Reputation filter must be enabled.

SYSTEM AND INFORMATION INTEGRITY

EX16-ED-000390 - The Exchange Sender Reputation filter must identify the spam block level.

SYSTEM AND INFORMATION INTEGRITY

EX16-ED-000400 - Exchange Attachment filtering must remove undesirable attachments by file type.

SYSTEM AND INFORMATION INTEGRITY

EX16-ED-000410 - The Exchange Spam Evaluation filter must be enabled.

SYSTEM AND INFORMATION INTEGRITY

EX16-ED-000420 - The Exchange Block List service provider must be identified.

SYSTEM AND INFORMATION INTEGRITY

EX16-ED-000430 - Exchange messages with a malformed From address must be rejected.

SYSTEM AND INFORMATION INTEGRITY

EX16-ED-000470 - The Exchange Recipient filter must be enabled.

SYSTEM AND INFORMATION INTEGRITY

EX16-ED-000480 - The Exchange tarpitting interval must be set.

SYSTEM AND INFORMATION INTEGRITY

EX16-ED-000490 - Exchange internal Receive connectors must not allow anonymous connections.

SYSTEM AND INFORMATION INTEGRITY

EX16-ED-000500 - Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List entries must be empty.

SYSTEM AND INFORMATION INTEGRITY