STIGQter: STIG Summary: MS Exchange 2013 Mailbox Server Security Technical Implementation Guide

Version: 1

Release: 6

Benchmark Date: 24 Jan 2020

SV-84563r1_rule Exchange must have Administrator audit logging enabled.
SV-84565r1_rule Exchange Servers must use approved DoD certificates.
SV-84567r1_rule Exchange auto-forwarding email to remote domains must be disabled or restricted.
SV-84569r1_rule Exchange Connectivity logging must be enabled.
SV-84571r1_rule The Exchange Email Diagnostic log level must be set to the lowest level.
SV-84573r1_rule Exchange Audit record parameters must be set.
SV-84575r1_rule Exchange Circular Logging must be disabled.
SV-84577r4_rule Exchange Email Subject Line logging must be disabled.
SV-84579r2_rule Exchange Message Tracking Logging must be enabled.
SV-84581r1_rule Exchange Queue monitoring must be configured with threshold and action.
SV-84583r1_rule Exchange Send Fatal Errors to Microsoft must be disabled.
SV-84585r1_rule Exchange must protect audit data against unauthorized read access.
SV-84587r1_rule Exchange must not send Customer Experience reports to Microsoft.
SV-84589r1_rule Exchange must protect audit data against unauthorized access.
SV-84591r1_rule Exchange must protect audit data against unauthorized deletion.
SV-84593r1_rule Exchange Audit data must be on separate partitions.
SV-84595r1_rule Exchange Local machine policy must require signed scripts.
SV-84597r2_rule The Exchange IMAP4 service must be disabled.
SV-84599r2_rule The Exchange POP3 service must be disabled.
SV-84601r1_rule Exchange Mailbox databases must reside on a dedicated partition.
SV-84603r1_rule Exchange Internet-facing Send connectors must specify a Smart Host.
SV-84605r1_rule Exchange internal Receive connectors must require encryption.
SV-84607r1_rule Exchange internal Send connectors must use Domain Security (mutual authentication Transport Layer Security).
SV-84609r1_rule Exchange internal Send connectors must require encryption.
SV-84611r1_rule Exchange Public Folder stores must be retained until backups are complete.
SV-84613r1_rule The Exchange Public Folder database must not be overwritten by a restore.
SV-84615r1_rule Exchange Mailboxes must be retained until backups are complete.
SV-84617r1_rule The Exchange Mailbox database must not be overwritten by a restore.
SV-84619r2_rule Exchange email forwarding must be restricted.
SV-84621r1_rule Exchange email-forwarding SMTP domains must be restricted.
SV-84623r1_rule Exchange Mail quota settings must not restrict receiving mail.
SV-84625r1_rule Exchange Mail Quota settings must not restrict receiving mail.
SV-84627r1_rule The Exchange Mail Store storage quota must issue a warning.
SV-84629r1_rule Exchange Mailbox Stores must mount at startup.
SV-84631r1_rule Exchange Message size restrictions must be controlled on Receive connectors.
SV-84633r1_rule Exchange Receive connectors must control the number of recipients per message.
SV-84635r1_rule Exchange Receive connectors must be clearly named.
SV-84637r1_rule The Exchange Receive Connector Maximum Hop Count must be 60.
SV-84639r1_rule Exchange Send connectors must be clearly named.
SV-84641r1_rule Exchange Send connectors delivery retries must be controlled.
SV-84643r1_rule Exchange Message size restrictions must be controlled on Send connectors.
SV-84645r1_rule The Exchange Send connector connections count must be limited.
SV-84647r1_rule The Exchange global inbound message size must be controlled.
SV-84649r1_rule The Exchange global outbound message size must be controlled.
SV-84651r1_rule The Exchange Outbound Connection Limit per Domain Count must be controlled.
SV-84653r1_rule The Exchange Outbound Connection Timeout must be 10 minutes or less.
SV-84655r1_rule Exchange Internal Receive connectors must not allow anonymous connections.
SV-84657r1_rule Exchange external/Internet-bound automated response messages must be disabled.
SV-84659r1_rule Exchange must have antispam filtering installed.
SV-84661r1_rule Exchange must have antispam filtering enabled.
SV-84663r1_rule Exchange must have antispam filtering configured.
SV-84665r2_rule Exchange must not send automated replies to remote domains.
SV-84667r1_rule Exchange servers must have an approved DoD email-aware virus protection software installed.
SV-84669r1_rule The Exchange Global Recipient Count Limit must be set.
SV-84671r1_rule The Exchange Receive connector timeout must be limited.
SV-84673r1_rule The Exchange Public Store storage quota must be limited.
SV-84675r1_rule A DoD-approved third party Exchange-aware malicious code protection application must be implemented.
SV-84677r1_rule The application's built-in Malware Agent must be disabled.
SV-84679r1_rule Exchange Public Folder Stores must mount at startup.
SV-84681r1_rule Exchange must have the most current, approved service pack installed.
SV-84683r2_rule Exchange must provide Mailbox databases in a highly available and redundant configuration.
SV-84687r1_rule The Exchange SMTP automated banner response must not reveal server details.
SV-84689r1_rule The Exchange application directory must be protected from unauthorized access.
SV-84691r1_rule An Exchange software baseline copy must exist.
SV-84693r1_rule Exchange software must be monitored for unauthorized changes.
SV-84695r1_rule Exchange services must be documented and unnecessary services must be removed or disabled.
SV-84697r1_rule Exchange Outlook Anywhere (OA) clients must use NTLM authentication to access email.
SV-84699r1_rule The Exchange Email application must not share a partition with another application.
SV-84701r1_rule Exchange must not send delivery reports to remote domains.
SV-84703r1_rule Exchange must not send nondelivery reports to remote domains.