STIGQter: STIG Summary: MS Exchange 2010 Edge Transport Server STIG

Version: 1

Release: 15

Benchmark Date: 26 Apr 2019

SV-43976r1_rule Sender Identification Framework must be enabled.
SV-43977r2_rule SMTP Sender Filter must be enabled.
SV-43978r1_rule SMTP IP Allow List Connection Filter must be enabled.
SV-43980r1_rule SMTP IP Allow List entries must be empty.
SV-43981r3_rule Message size restrictions must be controlled on Receive connectors.
SV-43983r2_rule Internet Receive Connector connections count must be set to default.
SV-43985r1_rule Receive Connector timeout must be limited.
SV-43986r1_rule Internal Receive Connectors must not allow anonymous connections.
SV-43987r1_rule Internal Receive Connectors must require encryption.
SV-43988r1_rule External Receive Connectors must be Domain Secure Enabled.
SV-43989r1_rule Internet facing receive connectors must offer TLS before using basic authentication.
SV-43992r2_rule Receive Connectors must control the number of recipients per message.
SV-43994r1_rule Receive Connectors must control the number of recipients chunked on a single message.
SV-43995r1_rule Receive Connectors must be clearly named.
SV-43996r2_rule Auto-forwarding email to remote domains must be disabled or restricted.
SV-43998r1_rule Tarpitting interval must be set.
SV-43999r2_rule Receive Connector Maximum Hop Count must be 60.
SV-44001r1_rule Recipient filter must be enabled.
SV-44004r1_rule Send Connectors must be clearly named.
SV-44006r1_rule Send Connectors delivery retries must be controlled.
SV-44007r3_rule Message size restrictions must be controlled on Send connectors.
SV-44009r1_rule Send Connector connections count must be limited.
SV-44010r1_rule Internal Send Connectors must use Domain Security (Mutual Authentication TLS).
SV-44012r3_rule Internal Send Connectors must require encryption.
SV-44014r2_rule Internet facing send Connectors must specify a Smart Host.
SV-44016r1_rule Connectivity logging must be enabled.
SV-44026r2_rule Email Diagnostic log level must be set to low or lowest level.
SV-44028r2_rule The Send Fatal Errors to Microsoft must be disabled.
SV-44031r1_rule Audit data must be protected against unauthorized access.
SV-44033r1_rule Exchange application directory must be protected from unauthorized access.
SV-44036r1_rule Exchange must not send Customer Experience reports to Microsoft.
SV-44038r1_rule Audit data must be on separate partitions.
SV-44039r3_rule Queue monitoring must be configured with threshold and action.
SV-44040r1_rule Email software must be monitored for change on INFOCON frequency schedule.
SV-44041r1_rule Exchange software baseline copy must exist.
SV-44042r1_rule Accepted domains must be configured.
SV-44043r2_rule Services must be documented and unnecessary services must be removed or disabled.
SV-44045r3_rule Email application must not share a partition with another application.
SV-44046r2_rule Servers must use approved DoD certificates.
SV-44047r2_rule Global outbound message size must be controlled.
SV-44049r3_rule The current, approved service pack must be installed.
SV-44051r1_rule Messages with malformed from address must be rejected.
SV-44052r1_rule Local machine policy must require signed scripts.
SV-44053r2_rule Block list service provider must be identified.
SV-44054r1_rule SMTP automated banner response must not reveal server details.
SV-44055r2_rule Outbound Connection Limit per Domain Count must be controlled.
SV-44056r1_rule SPAM evaluation filter must be enabled.
SV-44057r2_rule Attachment filtering must remove undesirable attachments by file type.
SV-44058r1_rule Sender reputation filter must identify SPAM block level.
SV-44059r1_rule Sender reputation filter must be enabled.
SV-44060r1_rule Non-existent recipients must not be blocked.
SV-44061r1_rule Sender Filter must block accepted domains at the edge.
SV-44062r1_rule Filtered messages must be archived.
SV-44063r2_rule Messages with blank sender field must be filtered.
SV-44064r2_rule Messages with blank senders must be rejected.
SV-44066r1_rule Outbound Connection Timeout must be 10 or less.
SV-75445r1_rule Internal Send Connectors must use an authentication level