STIGQter STIGQter: STIG Summary: Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide

Version: 1

Release: 4 Benchmark Date: 24 Jan 2020

CheckedNameTitle
SV-95195r1_ruleExchange must limit the Receive connector timeout.
SV-95197r1_ruleExchange servers must use approved DoD certificates.
SV-95199r1_ruleExchange must have accepted domains configured.
SV-95201r2_ruleExchange must have auto-forwarding of email to remote domains disabled or restricted.
SV-95203r1_ruleExchange external Receive connectors must be domain secure-enabled.
SV-95205r1_ruleThe Exchange email Diagnostic log level must be set to the lowest level.
SV-95207r1_ruleExchange Connectivity logging must be enabled.
SV-95209r1_ruleExchange Queue monitoring must be configured with threshold and action.
SV-95211r1_ruleExchange must not send Customer Experience reports to Microsoft.
SV-95213r1_ruleExchange Audit data must be protected against unauthorized access (read access).
SV-95215r1_ruleExchange Send Fatal Errors to Microsoft must be disabled.
SV-95217r1_ruleExchange audit data must be protected against unauthorized access for modification.
SV-95219r1_ruleExchange audit data must be protected against unauthorized access for deletion.
SV-95221r1_ruleExchange audit data must be on separate partitions.
SV-95223r1_ruleThe Exchange local machine policy must require signed scripts.
SV-95225r1_ruleExchange Internet-facing Send connectors must specify a Smart Host.
SV-95227r1_ruleExchange internal Send connectors must use domain security (mutual authentication Transport Layer Security).
SV-95229r1_ruleExchange Internet-facing Receive connectors must offer Transport Layer Security (TLS) before using basic authentication.
SV-95231r1_ruleExchange Outbound Connection Timeout must be 10 minutes or less.
SV-95233r1_ruleExchange Outbound Connection Limit per Domain Count must be controlled.
SV-95235r1_ruleExchange Send connector connections count must be limited.
SV-95237r1_ruleExchange message size restrictions must be controlled on Send connectors.
SV-95239r1_ruleExchange Send connectors delivery retries must be controlled.
SV-95241r1_ruleExchange Send connectors must be clearly named.
SV-95243r1_ruleExchange Receive connector Maximum Hop Count must be 60.
SV-95245r1_ruleExchange Receive connectors must be clearly named.
SV-95247r1_ruleExchange Receive connectors must control the number of recipients chunked on a single message.
SV-95249r1_ruleExchange Receive connectors must control the number of recipients per message.
SV-95251r1_ruleThe Exchange Internet Receive connector connections count must be set to default.
SV-95253r1_ruleExchange Message size restrictions must be controlled on Receive connectors.
SV-95255r1_ruleExchange messages with a blank sender field must be rejected.
SV-95257r1_ruleExchange messages with a blank sender field must be filtered.
SV-95259r2_ruleExchange filtered messages must be archived.
SV-95261r2_ruleThe Exchange Sender filter must block unaccepted domains.
SV-95263r2_ruleExchange nonexistent recipients must not be blocked.
SV-95265r2_ruleThe Exchange Sender Reputation filter must be enabled.
SV-95267r2_ruleThe Exchange Sender Reputation filter must identify the spam block level.
SV-95269r2_ruleExchange Attachment filtering must remove undesirable attachments by file type.
SV-95271r2_ruleThe Exchange Spam Evaluation filter must be enabled.
SV-95273r1_ruleThe Exchange Block List service provider must be identified.
SV-95275r2_ruleExchange messages with a malformed From address must be rejected.
SV-95277r1_ruleThe Exchange Recipient filter must be enabled.
SV-95279r1_ruleThe Exchange tarpitting interval must be set.
SV-95281r1_ruleExchange internal Receive connectors must not allow anonymous connections.
SV-95283r1_ruleExchange Simple Mail Transfer Protocol (SMTP) IP Allow List entries must be empty.
SV-95285r1_ruleThe Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List Connection filter must be enabled.
SV-95287r1_ruleThe Exchange Simple Mail Transfer Protocol (SMTP) Sender filter must be enabled.
SV-95289r1_ruleExchange must have antispam filtering installed.
SV-95291r1_ruleExchange must have antispam filtering enabled.
SV-95293r1_ruleExchange must have antispam filtering configured.
SV-95295r2_ruleExchange Sender Identification Framework must be enabled.
SV-95297r3_ruleExchange must strip hyperlink email sources from non-.mil domains.
SV-95299r1_ruleThe Exchange application directory must be protected from unauthorized access.
SV-95301r1_ruleThe Exchange software baseline copy must exist.
SV-95303r1_ruleExchange services must be documented and unnecessary services must be removed or disabled.
SV-95305r1_ruleExchange software must be installed on a separate partition from the OS.
SV-95307r1_ruleThe Exchange SMTP automated banner response must not reveal server details.
SV-95309r1_ruleExchange must provide redundancy.
SV-95311r1_ruleExchange internal Send connectors must use an authentication level.
SV-95313r1_ruleExchange internal Send connectors must require encryption.
SV-95315r1_ruleExchange must have the most current, approved service pack installed.
SV-95317r1_ruleThe application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.
SV-95319r1_ruleThe application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.
SV-95321r1_ruleThe application must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.
SV-95323r1_ruleThe application must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.
SV-95325r1_ruleThe application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
SV-95327r1_ruleThe application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
SV-95329r1_ruleThe applications built-in Malware Agent must be disabled.
SV-95331r1_ruleA DoD-approved third-party Exchange-aware malicious code protection application must be implemented.
SV-95463r1_ruleExchange internal Receive connectors must require encryption.