STIGQter: STIG Summary

Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide

Version: 2

Release: 3

Benchmark Date: 23 Apr 2021

SV-228354r612748_rule: Exchange must have Administrator audit logging enabled.
SV-228355r612748_rule: Exchange servers must use approved DoD certificates.
SV-228356r612748_rule: Exchange auto-forwarding email to remote domains must be disabled or restricted.
SV-228357r612748_rule: Exchange Connectivity logging must be enabled.
SV-228358r612748_rule: The Exchange Email Diagnostic log level must be set to the lowest level.
SV-228359r612748_rule: Exchange Audit record parameters must be set.
SV-228360r612748_rule: Exchange Circular Logging must be disabled.
SV-228361r612748_rule: Exchange Email Subject Line logging must be disabled.
SV-228362r612748_rule: Exchange Message Tracking Logging must be enabled.
SV-228363r612748_rule: Exchange Queue monitoring must be configured with threshold and action.
SV-228364r612748_rule: Exchange Send Fatal Errors to Microsoft must be disabled.
SV-228365r612748_rule: Exchange must protect audit data against unauthorized read access.
SV-228366r612748_rule: Exchange must not send Customer Experience reports to Microsoft.
SV-228367r612748_rule: Exchange must protect audit data against unauthorized access.
SV-228368r612748_rule: Exchange must protect audit data against unauthorized deletion.
SV-228369r612748_rule: Exchange Audit data must be on separate partitions.
SV-228370r612748_rule: Exchange Local machine policy must require signed scripts.
SV-228371r612748_rule: The Exchange Internet Message Access Protocol 4 (IMAP4) service must be disabled.
SV-228372r612748_rule: The Exchange Post Office Protocol 3 (POP3) service must be disabled.
SV-228373r612748_rule: Exchange Mailbox databases must reside on a dedicated partition.
SV-228374r612748_rule: Exchange Internet-facing Send connectors must specify a Smart Host.
SV-228375r612748_rule: Exchange internal Receive connectors must require encryption.
SV-228376r612748_rule: Exchange Mailboxes must be retained until backups are complete.
SV-228377r612748_rule: Exchange email forwarding must be restricted.
SV-228378r612748_rule: Exchange email-forwarding SMTP domains must be restricted.
SV-228379r612748_rule: Exchange Mail quota settings must not restrict receiving mail.
SV-228380r612748_rule: Exchange Mail Quota settings must not restrict receiving mail.
SV-228381r612748_rule: Exchange Mailbox Stores must mount at startup.
SV-228382r612748_rule: Exchange Message size restrictions must be controlled on Receive connectors.
SV-228383r612748_rule: Exchange Receive connectors must control the number of recipients per message.
SV-228384r612748_rule: The Exchange Receive Connector Maximum Hop Count must be 60.
SV-228385r612748_rule: Exchange Message size restrictions must be controlled on Send connectors.
SV-228386r612748_rule: The Exchange Send connector connections count must be limited.
SV-228387r612748_rule: The Exchange global inbound message size must be controlled.
SV-228388r612748_rule: The Exchange global outbound message size must be controlled.
SV-228389r612748_rule: The Exchange Outbound Connection Limit per Domain Count must be controlled.
SV-228390r612748_rule: The Exchange Outbound Connection Timeout must be 10 minutes or less.
SV-228391r612748_rule: Exchange Internal Receive connectors must not allow anonymous connections.
SV-228392r612748_rule: Exchange external/Internet-bound automated response messages must be disabled.
SV-228393r612748_rule: Exchange must have anti-spam filtering installed.
SV-228394r612748_rule: Exchange must have anti-spam filtering enabled.
SV-228395r612748_rule: Exchange must have anti-spam filtering configured.
SV-228396r612748_rule: Exchange must not send automated replies to remote domains.
SV-228397r612748_rule: Exchange servers must have an approved DoD email-aware virus protection software installed.
SV-228398r612748_rule: The Exchange Global Recipient Count Limit must be set.
SV-228399r612748_rule: The Exchange Receive connector timeout must be limited.
SV-228400r612748_rule: The Exchange application directory must be protected from unauthorized access.
SV-228401r612748_rule: An Exchange software baseline copy must exist.
SV-228402r612748_rule: Exchange software must be monitored for unauthorized changes.
SV-228403r612748_rule: Exchange services must be documented and unnecessary services must be removed or disabled.
SV-228404r612748_rule: Exchange Outlook Anywhere clients must use NTLM authentication to access email.
SV-228405r612748_rule: The Exchange Email application must not share a partition with another application.
SV-228406r612748_rule: Exchange must not send delivery reports to remote domains.
SV-228407r684255_rule: Exchange must not send nondelivery reports to remote domains.
SV-228408r612748_rule: The Exchange SMTP automated banner response must not reveal server details.
SV-228409r612748_rule: Exchange Internal Send connectors must use an authentication level.
SV-228410r612748_rule: Exchange must provide Mailbox databases in a highly available and redundant configuration.
SV-228411r612748_rule: Exchange must have the most current, approved service pack installed.
SV-228412r612748_rule: The application must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
SV-228413r612748_rule: The application's built-in Malware Agent must be disabled.
SV-228415r612748_rule: Exchange must use encryption for RPC client access.
SV-228416r684257_rule: Exchange must use encryption for Outlook Web App (OWA) access.
SV-228417r612748_rule: Exchange must have Forms-based Authentication enabled.
SV-228418r612748_rule: Exchange must have authenticated access set to Integrated Windows Authentication only.
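The list above carries only the rule titles; the STIG's own check and fix text is not on this page. The script below is an added example, not part of the STIGQter page or of the DISA STIG: a read-only Exchange Management Shell sweep that maps the titles that correspond to a single Exchange setting onto the property a practitioner would inspect, and prints every deviation. The rule-to-setting mapping is my inference from the titles. Where a title states a value (60 hops, a 10-minute outbound timeout) that value is used; where it only says "limited" or "controlled", the expected value (for instance "not Unlimited", or AllSigned/RemoteSigned for "signed scripts") is an assumption and is marked as such. Which Receive and Send connectors count as "internal" versus Internet-facing is a site decision, so those results are listed for review rather than judged automatically.

```powershell
# Added example (not STIG or STIGQter code). Maps a subset of the rule titles above onto
# Exchange 2016 settings and reports deviations. Run in the Exchange Management Shell on a
# Mailbox server; every cmdlet is a Get-*, so a view-only role is sufficient.
# Expected values not stated in a title are assumptions and are labelled in the comments.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Rule, [string]$Target, [string]$Setting, $Observed, $Expected) {
    $findings.Add([pscustomobject]@{ Rule = $Rule; Target = $Target; Setting = $Setting;
                                     Observed = "$Observed"; Expected = "$Expected" })
}
function Test-Unlimited($v) { "$v" -eq 'Unlimited' }   # Exchange Unlimited<T> values stringify as 'Unlimited'
$tenMinutes = [TimeSpan]'00:10:00'

# SV-228354 administrator audit logging; SV-228370 signed scripts (AllSigned/RemoteSigned assumed acceptable)
$aal = Get-AdminAuditLogConfig
if (-not $aal.AdminAuditLogEnabled) { Add-Finding 'SV-228354' 'Organization' 'AdminAuditLogEnabled' $aal.AdminAuditLogEnabled $true }
$pol = Get-ExecutionPolicy -Scope LocalMachine
if ($pol -notin 'AllSigned','RemoteSigned') { Add-Finding 'SV-228370' $env:COMPUTERNAME 'ExecutionPolicy' $pol 'AllSigned or RemoteSigned (assumed)' }

# SV-228364 / SV-228366 telemetry to Microsoft; SV-228358 diagnostic logging at the lowest level
foreach ($srv in Get-ExchangeServer) {
    if ($srv.ErrorReportingEnabled)   { Add-Finding 'SV-228364' $srv.Name 'ErrorReportingEnabled'   $srv.ErrorReportingEnabled   $false }
    if ($srv.CustomerFeedbackEnabled) { Add-Finding 'SV-228366' $srv.Name 'CustomerFeedbackEnabled' $srv.CustomerFeedbackEnabled $false }
}
Get-EventLogLevel | Where-Object { $_.EventLevel -ne 'Lowest' } |
    ForEach-Object { Add-Finding 'SV-228358' $_.Identity 'EventLevel' $_.EventLevel 'Lowest' }

# SV-228357 / SV-228361 / SV-228362 transport logging; SV-228386 / SV-228389 outbound connection limits ("limited" read as not Unlimited)
foreach ($ts in Get-TransportService) {
    if (-not $ts.ConnectivityLogEnabled)             { Add-Finding 'SV-228357' $ts.Name 'ConnectivityLogEnabled' $ts.ConnectivityLogEnabled $true }
    if ($ts.MessageTrackingLogSubjectLoggingEnabled) { Add-Finding 'SV-228361' $ts.Name 'MessageTrackingLogSubjectLoggingEnabled' $true $false }
    if (-not $ts.MessageTrackingLogEnabled)          { Add-Finding 'SV-228362' $ts.Name 'MessageTrackingLogEnabled' $ts.MessageTrackingLogEnabled $true }
    if (Test-Unlimited $ts.MaxOutboundConnections)   { Add-Finding 'SV-228386' $ts.Name 'MaxOutboundConnections' 'Unlimited' 'a finite limit' }
    if (Test-Unlimited $ts.MaxPerDomainOutboundConnections) { Add-Finding 'SV-228389' $ts.Name 'MaxPerDomainOutboundConnections' 'Unlimited' 'a finite limit' }
}

# SV-228360 / SV-228376 / SV-228379 / SV-228381 mailbox database settings
foreach ($db in Get-MailboxDatabase) {
    if ($db.CircularLoggingEnabled)                         { Add-Finding 'SV-228360' $db.Name 'CircularLoggingEnabled' $true $false }
    if (-not $db.RetainDeletedItemsUntilBackup)             { Add-Finding 'SV-228376' $db.Name 'RetainDeletedItemsUntilBackup' $db.RetainDeletedItemsUntilBackup $true }
    if (-not (Test-Unlimited $db.ProhibitSendReceiveQuota)) { Add-Finding 'SV-228379' $db.Name 'ProhibitSendReceiveQuota' $db.ProhibitSendReceiveQuota 'Unlimited' }
    if (-not $db.MountAtStartup)                            { Add-Finding 'SV-228381' $db.Name 'MountAtStartup' $db.MountAtStartup $true }
}

# SV-228371 / SV-228372 IMAP4 and POP3 services (front-end and back-end) disabled; Win32_Service works on PowerShell 3.0+
foreach ($svcName in 'MSExchangeIMAP4','MSExchangeIMAP4BE','MSExchangePOP3','MSExchangePOP3BE') {
    $svc  = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
    $rule = if ($svcName -like '*IMAP4*') { 'SV-228371' } else { 'SV-228372' }
    if ($svc -and $svc.StartMode -ne 'Disabled') { Add-Finding $rule $env:COMPUTERNAME "$svcName StartMode" $svc.StartMode 'Disabled' }
}

# SV-228384 hop count (60 from the title); SV-228399 timeout (10 min assumed); SV-228408 banner;
# SV-228391 anonymous and SV-228375 TLS apply to internal connectors only, so they are listed for review
foreach ($rc in Get-ReceiveConnector) {
    if ($rc.MaxHopCount -ne 60)                                 { Add-Finding 'SV-228384' $rc.Identity 'MaxHopCount' $rc.MaxHopCount 60 }
    if ([TimeSpan]"$($rc.ConnectionTimeout)" -gt $tenMinutes)  { Add-Finding 'SV-228399' $rc.Identity 'ConnectionTimeout' $rc.ConnectionTimeout "<= $tenMinutes (assumed)" }
    if ([string]::IsNullOrEmpty($rc.Banner))                    { Add-Finding 'SV-228408' $rc.Identity 'Banner' '(default banner, names the server)' 'custom banner' }
    if ("$($rc.PermissionGroups)" -match 'AnonymousUsers')      { Add-Finding 'SV-228391' $rc.Identity 'PermissionGroups' $rc.PermissionGroups 'no AnonymousUsers if internal' }
    if (-not $rc.RequireTLS)                                    { Add-Finding 'SV-228375' $rc.Identity 'RequireTLS' $rc.RequireTLS 'True if internal' }
}

# SV-228374 smart host on Internet-facing connectors (address space '*'); SV-228390 outbound timeout (10 min from the title);
# SV-228409 authentication level (read as TlsAuthLevel) on the remaining, assumed-internal connectors
foreach ($sc in Get-SendConnector) {
    $internet = @($sc.AddressSpaces | Where-Object { $_.Address -eq '*' }).Count -gt 0
    if ($internet -and $sc.SmartHosts.Count -eq 0)      { Add-Finding 'SV-228374' $sc.Name 'SmartHosts' '(none)' 'a smart host' }
    if (-not $internet -and $null -eq $sc.TlsAuthLevel) { Add-Finding 'SV-228409' $sc.Name 'TlsAuthLevel' '(not set)' 'EncryptionOnly, CertificateValidation or DomainValidation' }
    if ([TimeSpan]"$($sc.ConnectionInactivityTimeOut)" -gt $tenMinutes) { Add-Finding 'SV-228390' $sc.Name 'ConnectionInactivityTimeOut' $sc.ConnectionInactivityTimeOut "<= $tenMinutes" }
}

# SV-228356 / SV-228392 / SV-228396 / SV-228406 / SV-228407 per remote domain
foreach ($rd in Get-RemoteDomain) {
    if ($rd.AutoForwardEnabled)        { Add-Finding 'SV-228356' $rd.DomainName 'AutoForwardEnabled' $true $false }
    if ($rd.AllowedOOFType -ne 'None') { Add-Finding 'SV-228392' $rd.DomainName 'AllowedOOFType' $rd.AllowedOOFType 'None' }
    if ($rd.AutoReplyEnabled)          { Add-Finding 'SV-228396' $rd.DomainName 'AutoReplyEnabled' $true $false }
    if ($rd.DeliveryReportEnabled)     { Add-Finding 'SV-228406' $rd.DomainName 'DeliveryReportEnabled' $true $false }
    if ($rd.NDREnabled)                { Add-Finding 'SV-228407' $rd.DomainName 'NDREnabled' $true $false }
}

# SV-228387 / SV-228388 / SV-228398 organization-wide size and recipient limits ("controlled" read as not Unlimited)
$tc = Get-TransportConfig
if (Test-Unlimited $tc.MaxReceiveSize)            { Add-Finding 'SV-228387' 'Organization' 'MaxReceiveSize' 'Unlimited' 'a finite size' }
if (Test-Unlimited $tc.MaxSendSize)               { Add-Finding 'SV-228388' 'Organization' 'MaxSendSize' 'Unlimited' 'a finite size' }
if (Test-Unlimited $tc.MaxRecipientEnvelopeLimit) { Add-Finding 'SV-228398' 'Organization' 'MaxRecipientEnvelopeLimit' 'Unlimited' 'a finite count' }

# SV-228413 built-in Malware Agent; SV-228415 RPC encryption; SV-228417 OWA forms-based auth; SV-228404 Outlook Anywhere NTLM
$ma = Get-TransportAgent -Identity 'Malware Agent' -ErrorAction SilentlyContinue
if ($ma -and $ma.Enabled) { Add-Finding 'SV-228413' $env:COMPUTERNAME 'Malware Agent Enabled' $true $false }
Get-RpcClientAccess     | Where-Object { -not $_.EncryptionRequired } | ForEach-Object { Add-Finding 'SV-228415' $_.Server 'EncryptionRequired' $false $true }
Get-OwaVirtualDirectory | Where-Object { -not $_.FormsAuthentication } | ForEach-Object { Add-Finding 'SV-228417' $_.Identity 'FormsAuthentication' $false $true }
foreach ($oa in Get-OutlookAnywhere) {
    if ($oa.InternalClientAuthenticationMethod -ne 'Ntlm' -or $oa.ExternalClientAuthenticationMethod -ne 'Ntlm') {
        Add-Finding 'SV-228404' $oa.Identity 'Internal/ExternalClientAuthenticationMethod' "$($oa.InternalClientAuthenticationMethod)/$($oa.ExternalClientAuthenticationMethod)" 'Ntlm/Ntlm'
    }
}

if ($findings.Count -eq 0) { 'No deviations found for the checks implemented here.' }
else { $findings | Sort-Object Rule | Format-Table -AutoSize -Wrap }
```

Rules that are documentation or file-system reviews rather than a single Exchange property are deliberately left out: the DoD certificate issuer (SV-228355), audit-log and application-directory ACLs and partition layout (SV-228365, SV-228367 to SV-228369, SV-228373, SV-228400, SV-228405), queue monitoring (SV-228363), the anti-spam and anti-virus products (SV-228393 to SV-228395, SV-228397), the software baseline and change monitoring (SV-228401, SV-228402), patch level (SV-228411) and DAG redundancy (SV-228410). An empty result from the script therefore means "no finding among the settings it knows about", not a clean STIG; the remaining rules still need the manual review their titles describe.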