STIGQter STIGQter: STIG Summary:

Microsoft Exchange 2013 Mailbox Server Security Technical Implementation Guide

Version: 2

Release: 1 Benchmark Date: 22 Jan 2021

SV-207267r615936_ruleExchange must have Administrator audit logging enabled.
SV-207268r615936_ruleExchange Servers must use approved DoD certificates.
SV-207269r615936_ruleExchange auto-forwarding email to remote domains must be disabled or restricted.
SV-207270r615936_ruleExchange Connectivity logging must be enabled.
SV-207271r615936_ruleThe Exchange Email Diagnostic log level must be set to the lowest level.
SV-207272r615936_ruleExchange Audit record parameters must be set.
SV-207273r615936_ruleExchange Circular Logging must be disabled.
SV-207274r615936_ruleExchange Email Subject Line logging must be disabled.
SV-207275r615936_ruleExchange Message Tracking Logging must be enabled.
SV-207276r615936_ruleExchange Queue monitoring must be configured with threshold and action.
SV-207277r615936_ruleExchange Send Fatal Errors to Microsoft must be disabled.
SV-207278r615936_ruleExchange must protect audit data against unauthorized read access.
SV-207279r615936_ruleExchange must not send Customer Experience reports to Microsoft.
SV-207280r615936_ruleExchange must protect audit data against unauthorized access.
SV-207281r615936_ruleExchange must protect audit data against unauthorized deletion.
SV-207282r615936_ruleExchange Audit data must be on separate partitions.
SV-207283r615936_ruleExchange Local machine policy must require signed scripts.
SV-207284r615936_ruleThe Exchange IMAP4 service must be disabled.
SV-207285r615936_ruleThe Exchange POP3 service must be disabled.
SV-207286r615936_ruleExchange Mailbox databases must reside on a dedicated partition.
SV-207287r615936_ruleExchange Internet-facing Send connectors must specify a Smart Host.
SV-207288r615936_ruleExchange internal Receive connectors must require encryption.
SV-207289r615936_ruleExchange internal Receive connectors must use Domain Security (mutual authentication Transport Layer Security).
SV-207290r615936_ruleExchange internal Send connectors must require encryption.
SV-207291r615936_ruleExchange Public Folder stores must be retained until backups are complete.
SV-207292r615936_ruleThe Exchange Public Folder database must not be overwritten by a restore.
SV-207293r615936_ruleExchange Mailboxes must be retained until backups are complete.
SV-207294r615936_ruleThe Exchange Mailbox database must not be overwritten by a restore.
SV-207295r615936_ruleExchange email forwarding must be restricted.
SV-207296r615936_ruleExchange email-forwarding SMTP domains must be restricted.
SV-207297r615936_ruleExchange Mail quota settings must not restrict receiving mail.
SV-207298r615936_ruleExchange Mail Quota settings must not restrict receiving mail.
SV-207299r615936_ruleThe Exchange Mail Store storage quota must issue a warning.
SV-207300r615936_ruleExchange Mailbox Stores must mount at startup.
SV-207301r615936_ruleExchange Message size restrictions must be controlled on Receive connectors.
SV-207302r615936_ruleExchange Receive connectors must control the number of recipients per message.
SV-207303r615936_ruleExchange Receive connectors must be clearly named.
SV-207304r615936_ruleThe Exchange Receive Connector Maximum Hop Count must be 60.
SV-207305r615936_ruleExchange Send connectors must be clearly named.
SV-207306r615936_ruleExchange Send connectors delivery retries must be controlled.
SV-207307r615936_ruleExchange Message size restrictions must be controlled on Send connectors.
SV-207308r615936_ruleThe Exchange Send connector connections count must be limited.
SV-207309r615936_ruleThe Exchange global inbound message size must be controlled.
SV-207310r615936_ruleThe Exchange global outbound message size must be controlled.
SV-207311r615936_ruleThe Exchange Outbound Connection Limit per Domain Count must be controlled.
SV-207312r615936_ruleThe Exchange Outbound Connection Timeout must be 10 minutes or less.
SV-207313r615936_ruleExchange Internal Receive connectors must not allow anonymous connections.
SV-207314r615936_ruleExchange external/Internet-bound automated response messages must be disabled.
SV-207315r615936_ruleExchange must have antispam filtering installed.
SV-207316r615936_ruleExchange must have antispam filtering enabled.
SV-207317r615936_ruleExchange must have antispam filtering configured.
SV-207318r615936_ruleExchange must not send automated replies to remote domains.
SV-207319r615936_ruleExchange servers must have an approved DoD email-aware virus protection software installed.
SV-207320r615936_ruleThe Exchange Global Recipient Count Limit must be set.
SV-207321r615936_ruleThe Exchange Receive connector timeout must be limited.
SV-207322r615936_ruleThe Exchange Public Store storage quota must be limited.
SV-207323r615936_ruleThe Exchange application directory must be protected from unauthorized access.
SV-207324r615936_ruleAn Exchange software baseline copy must exist.
SV-207325r615936_ruleExchange software must be monitored for unauthorized changes.
SV-207326r615936_ruleExchange services must be documented and unnecessary services must be removed or disabled.
SV-207327r615936_ruleExchange Outlook Anywhere (OA) clients must use NTLM authentication to access email.
SV-207328r615936_ruleThe Exchange Email application must not share a partition with another application.
SV-207329r615936_ruleExchange must not send delivery reports to remote domains.
SV-207330r615936_ruleExchange must not send nondelivery reports to remote domains.
SV-207331r615936_ruleThe Exchange SMTP automated banner response must not reveal server details.
SV-207332r615936_ruleExchange must provide Mailbox databases in a highly available and redundant configuration.
SV-207333r615936_ruleExchange must have the most current, approved service pack installed.
SV-207334r615936_ruleExchange Public Folder Stores must mount at startup.
SV-207335r615936_ruleThe applications built-in Malware Agent must be disabled.
SV-207336r615936_ruleA DoD-approved third party Exchange-aware malicious code protection application must be implemented.