STIGQter STIGQter: STIG Summary:

Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide

Version: 2

Release: 2 Benchmark Date: 22 Jan 2021

CheckedNameTitle
SV-221202r612603_ruleExchange must limit the Receive connector timeout.
SV-221203r612603_ruleExchange servers must use approved DoD certificates.
SV-221204r612603_ruleExchange must have accepted domains configured.
SV-221205r612603_ruleExchange must have auto-forwarding of email to remote domains disabled or restricted.
SV-221206r612603_ruleExchange external Receive connectors must be domain secure-enabled.
SV-221207r612603_ruleThe Exchange email Diagnostic log level must be set to the lowest level.
SV-221208r612603_ruleExchange Connectivity logging must be enabled.
SV-221209r612603_ruleExchange Queue monitoring must be configured with threshold and action.
SV-221210r612603_ruleExchange must not send Customer Experience reports to Microsoft.
SV-221211r612603_ruleExchange Audit data must be protected against unauthorized access (read access).
SV-221212r612603_ruleExchange Send Fatal Errors to Microsoft must be disabled.
SV-221213r612603_ruleExchange audit data must be protected against unauthorized access for modification.
SV-221214r612603_ruleExchange audit data must be protected against unauthorized access for deletion.
SV-221215r612603_ruleExchange audit data must be on separate partitions.
SV-221216r612603_ruleThe Exchange local machine policy must require signed scripts.
SV-221217r612603_ruleExchange Internet-facing Send connectors must specify a Smart Host.
SV-221218r612603_ruleExchange internal Send connectors must use domain security (mutual authentication Transport Layer Security).
SV-221219r612603_ruleExchange Internet-facing Receive connectors must offer Transport Layer Security (TLS) before using basic authentication.
SV-221220r612603_ruleExchange Outbound Connection Timeout must be 10 minutes or less.
SV-221221r612603_ruleExchange Outbound Connection Limit per Domain Count must be controlled.
SV-221222r612603_ruleExchange Send connector connections count must be limited.
SV-221223r612603_ruleExchange message size restrictions must be controlled on Send connectors.
SV-221224r612603_ruleExchange Send connectors delivery retries must be controlled.
SV-221225r612603_ruleExchange Send connectors must be clearly named.
SV-221226r612603_ruleExchange Receive connector Maximum Hop Count must be 60.
SV-221227r612603_ruleExchange Receive connectors must be clearly named.
SV-221228r612603_ruleExchange Receive connectors must control the number of recipients chunked on a single message.
SV-221229r612603_ruleExchange Receive connectors must control the number of recipients per message.
SV-221230r612603_ruleThe Exchange Internet Receive connector connections count must be set to default.
SV-221231r612603_ruleExchange Message size restrictions must be controlled on Receive connectors.
SV-221232r612603_ruleExchange messages with a blank sender field must be rejected.
SV-221233r612603_ruleExchange messages with a blank sender field must be filtered.
SV-221234r612603_ruleExchange filtered messages must be archived.
SV-221235r612603_ruleThe Exchange Sender filter must block unaccepted domains.
SV-221236r612603_ruleExchange nonexistent recipients must not be blocked.
SV-221237r612603_ruleThe Exchange Sender Reputation filter must be enabled.
SV-221238r612603_ruleThe Exchange Sender Reputation filter must identify the spam block level.
SV-221239r612603_ruleExchange Attachment filtering must remove undesirable attachments by file type.
SV-221240r612603_ruleThe Exchange Spam Evaluation filter must be enabled.
SV-221241r612603_ruleThe Exchange Block List service provider must be identified.
SV-221242r612603_ruleExchange messages with a malformed From address must be rejected.
SV-221243r612603_ruleThe Exchange Recipient filter must be enabled.
SV-221244r612603_ruleThe Exchange tarpitting interval must be set.
SV-221245r612603_ruleExchange internal Receive connectors must not allow anonymous connections.
SV-221246r612603_ruleExchange Simple Mail Transfer Protocol (SMTP) IP Allow List entries must be empty.
SV-221247r612603_ruleThe Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List Connection filter must be enabled.
SV-221248r612603_ruleThe Exchange Simple Mail Transfer Protocol (SMTP) Sender filter must be enabled.
SV-221249r612603_ruleExchange must have antispam filtering installed.
SV-221250r612603_ruleExchange must have antispam filtering enabled.
SV-221251r612603_ruleExchange must have antispam filtering configured.
SV-221252r612603_ruleExchange Sender Identification Framework must be enabled.
SV-221253r612603_ruleExchange must render hyperlinks from email sources from non-.mil domains as unclickable.
SV-221254r612603_ruleThe Exchange application directory must be protected from unauthorized access.
SV-221255r612603_ruleThe Exchange software baseline copy must exist.
SV-221256r612603_ruleExchange services must be documented and unnecessary services must be removed or disabled.
SV-221257r612603_ruleExchange software must be installed on a separate partition from the OS.
SV-221258r612603_ruleThe Exchange SMTP automated banner response must not reveal server details.
SV-221259r612603_ruleExchange must provide redundancy.
SV-221260r612603_ruleExchange internal Send connectors must use an authentication level.
SV-221261r612603_ruleExchange internal Receive connectors must require encryption.
SV-221262r612603_ruleExchange internal Send connectors must require encryption.
SV-221263r612603_ruleExchange must have the most current, approved service pack installed.
SV-221264r612603_ruleThe application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.
SV-221265r612603_ruleThe application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.
SV-221266r612603_ruleThe application must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.
SV-221267r612603_ruleThe application must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.
SV-221268r612603_ruleThe application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
SV-221269r612603_ruleThe application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
SV-221270r612603_ruleThe applications built-in Malware Agent must be disabled.