STIGQter: STIG Summary: MS Exchange 2013 Edge Transport Server Security Technical Implementation Guide

Version: 1

Release: 5

Benchmark Date: 26 Apr 2019

SV-84405r1_rule Exchange must limit the Receive connector timeout.
SV-84407r1_rule Exchange servers must use approved DoD certificates.
SV-84409r1_rule Exchange must have accepted domains configured.
SV-84413r1_rule Exchange external Receive connectors must be domain secure-enabled.
SV-84415r1_rule The Exchange email Diagnostic log level must be set to the lowest level.
SV-84417r1_rule Exchange Connectivity logging must be enabled.
SV-84419r1_rule Exchange Queue monitoring must be configured with threshold and action.
SV-84421r1_rule Exchange must not send Customer Experience reports to Microsoft.
SV-84423r1_rule Exchange Audit data must be protected against unauthorized access (read access).
SV-84425r1_rule Exchange Send Fatal Errors to Microsoft must be disabled.
SV-84427r1_rule Exchange audit data must be protected against unauthorized access for modification.
SV-84429r1_rule Exchange audit data must be protected against unauthorized access for deletion.
SV-84431r1_rule Exchange audit data must be on separate partitions.
SV-84433r1_rule The Exchange local machine policy must require signed scripts.
SV-84435r2_rule Exchange Internet-facing Send connectors must specify a Smart Host.
SV-84439r1_rule Exchange Internet-facing Receive connectors must offer Transport Layer Security (TLS) before using basic authentication.
SV-84441r1_rule Exchange Outbound Connection Timeout must be 10 minutes or less.
SV-84443r1_rule Exchange Outbound Connection Limit per Domain Count must be controlled.
SV-84445r1_rule Exchange Global Outbound Message size must be controlled.
SV-84449r1_rule Exchange Send connector connections count must be limited.
SV-84451r1_rule Exchange message size restrictions must be controlled on Send connectors.
SV-84453r1_rule Exchange Send connectors delivery retries must be controlled.
SV-84455r1_rule Exchange Send connectors must be clearly named.
SV-84457r1_rule Exchange Receive connector Maximum Hop Count must be 60.
SV-84459r1_rule Exchange Receive connectors must be clearly named.
SV-84461r1_rule Exchange Receive connectors must control the number of recipients chunked on a single message.
SV-84477r1_rule Exchange Receive connectors must control the number of recipients per message.
SV-84479r1_rule The Exchange Internet Receive connector connections count must be set to default.
SV-84481r1_rule Exchange Message size restrictions must be controlled on Receive connectors.
SV-84483r2_rule Exchange messages with a blank sender field must be rejected.
SV-84485r2_rule Exchange messages with a blank sender field must be filtered.
SV-84487r1_rule Exchange filtered messages must be archived.
SV-84489r1_rule The Exchange Sender filter must block unaccepted domains.
SV-84491r1_rule Exchange nonexistent recipients must not be blocked.
SV-84493r1_rule The Exchange Sender Reputation filter must be enabled.
SV-84495r1_rule The Exchange Sender Reputation filter must identify the spam block level.
SV-84497r2_rule Exchange Attachment filtering must remove undesirable attachments by file type.
SV-84499r1_rule The Exchange Spam Evaluation filter must be enabled.
SV-84501r2_rule The Exchange Block List service provider must be identified.
SV-84503r1_rule Exchange messages with malformed From address must be rejected.
SV-84511r1_rule The Exchange Recipient filter must be enabled.
SV-84513r1_rule The Exchange tarpitting interval must be set.
SV-84515r1_rule Exchange internal Receive connectors must not allow anonymous connections.
SV-84517r1_rule Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List entries must be empty.
SV-84519r1_rule The Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List Connection filter must be enabled.
SV-84521r2_rule The Exchange Simple Mail Transfer Protocol (SMTP) Sender filter must be enabled.
SV-84523r1_rule Exchange must have antispam filtering installed.
SV-84525r1_rule Exchange must have antispam filtering enabled.
SV-84527r1_rule Exchange must have antispam filtering configured.
SV-84529r1_rule Exchange Sender Identification Framework must be enabled.
SV-84533r1_rule The Exchange application directory must be protected from unauthorized access.
SV-84535r1_rule The Exchange software baseline copy must exist.
SV-84537r1_rule Exchange software must be monitored for unauthorized changes.
SV-84539r1_rule Exchange services must be documented and unnecessary services must be removed or disabled.
SV-84541r1_rule Exchange software must be installed on a separate partition from the OS.
SV-84543r1_rule The Exchange SMTP automated banner response must not reveal server details.
SV-84549r2_rule Exchange must provide redundancy.
SV-84551r1_rule Exchange internal Send connectors must use an authentication level.
SV-84553r1_rule Exchange internal Receive connectors must require encryption.
SV-84555r1_rule Exchange internal Send connectors must require encryption.
SV-84557r1_rule Exchange must have the most current, approved service pack installed.
SV-84559r1_rule The application's built-in Malware Agent must be disabled.
SV-84561r1_rule A DoD-approved third party Exchange-aware malicious code protection application must be implemented.