STIGQter: STIG Summary: Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide

Version: 1

Release: 4

Benchmark Date: 25 Oct 2019

SV-95333r1_rule Exchange must have Administrator audit logging enabled.
SV-95335r1_rule Exchange servers must use approved DoD certificates.
SV-95337r1_rule Exchange auto-forwarding email to remote domains must be disabled or restricted.
SV-95339r1_rule Exchange Connectivity logging must be enabled.
SV-95341r1_rule The Exchange Email Diagnostic log level must be set to the lowest level.
SV-95343r1_rule Exchange Audit record parameters must be set.
SV-95345r1_rule Exchange Circular Logging must be disabled.
SV-95347r4_rule Exchange Email Subject Line logging must be disabled.
SV-95349r1_rule Exchange Message Tracking Logging must be enabled.
SV-95351r1_rule Exchange Queue monitoring must be configured with threshold and action.
SV-95353r1_rule Exchange Send Fatal Errors to Microsoft must be disabled.
SV-95355r1_rule Exchange must protect audit data against unauthorized read access.
SV-95357r1_rule Exchange must not send Customer Experience reports to Microsoft.
SV-95359r1_rule Exchange must protect audit data against unauthorized access.
SV-95361r1_rule Exchange must protect audit data against unauthorized deletion.
SV-95363r1_rule Exchange Audit data must be on separate partitions.
SV-95365r1_rule Exchange Local machine policy must require signed scripts.
SV-95367r1_rule The Exchange Internet Message Access Protocol 4 (IMAP4) service must be disabled.
SV-95369r1_rule The Exchange Post Office Protocol 3 (POP3) service must be disabled.
SV-95371r1_rule Exchange Mailbox databases must reside on a dedicated partition.
SV-95373r1_rule Exchange Internet-facing Send connectors must specify a Smart Host.
SV-95375r1_rule Exchange internal Receive connectors must require encryption.
SV-95377r1_rule Exchange Mailboxes must be retained until backups are complete.
SV-95379r1_rule Exchange email forwarding must be restricted.
SV-95381r1_rule Exchange email-forwarding SMTP domains must be restricted.
SV-95383r1_rule Exchange Mail quota settings must not restrict receiving mail.
SV-95385r1_rule Exchange Mail Quota settings must not restrict receiving mail.
SV-95387r1_rule Exchange Mailbox Stores must mount at startup.
SV-95389r1_rule Exchange Message size restrictions must be controlled on Receive connectors.
SV-95391r1_rule Exchange Receive connectors must control the number of recipients per message.
SV-95393r1_rule The Exchange Receive Connector Maximum Hop Count must be 60.
SV-95395r1_rule Exchange Message size restrictions must be controlled on Send connectors.
SV-95397r1_rule The Exchange Send connector connections count must be limited.
SV-95399r1_rule The Exchange global inbound message size must be controlled.
SV-95401r1_rule The Exchange global outbound message size must be controlled.
SV-95403r1_rule The Exchange Outbound Connection Limit per Domain Count must be controlled.
SV-95405r1_rule The Exchange Outbound Connection Timeout must be 10 minutes or less.
SV-95407r1_rule Exchange Internal Receive connectors must not allow anonymous connections.
SV-95409r1_rule Exchange external/Internet-bound automated response messages must be disabled.
SV-95411r1_rule Exchange must have anti-spam filtering installed.
SV-95413r1_rule Exchange must have anti-spam filtering enabled.
SV-95415r1_rule Exchange must have anti-spam filtering configured.
SV-95417r1_rule Exchange must not send automated replies to remote domains.
SV-95417r2_rule Exchange must not send automated replies to remote domains.
SV-95419r1_rule Exchange servers must have an approved DoD email-aware virus protection software installed.
SV-95421r1_rule The Exchange Global Recipient Count Limit must be set.
SV-95423r1_rule The Exchange Receive connector timeout must be limited.
SV-95425r1_rule The Exchange application directory must be protected from unauthorized access.
SV-95427r1_rule Exchange must have authenticated access set to Integrated Windows Authentication only.
SV-95429r1_rule Exchange must have Forms-based Authentication enabled.
SV-95431r1_rule Exchange must use encryption for Outlook Web App (OWA) access.
SV-95433r1_rule Exchange must use encryption for RPC client access.
SV-95435r1_rule A DoD-approved third party Exchange-aware malicious code protection application must be implemented.
SV-95437r1_rule The applications built-in Malware Agent must be disabled.
SV-95439r1_rule An Exchange software baseline copy must exist.
SV-95441r1_rule Exchange software must be monitored for unauthorized changes.
SV-95443r1_rule Exchange services must be documented and unnecessary services must be removed or disabled.
SV-95445r1_rule Exchange Outlook Anywhere clients must use NTLM authentication to access email.
SV-95447r1_rule The Exchange Email application must not share a partition with another application.
SV-95449r1_rule The application must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
SV-95451r1_rule Exchange must have the most current, approved service pack installed.
SV-95453r1_rule Exchange must provide Mailbox databases in a highly available and redundant configuration.
SV-95455r1_rule Exchange must not send delivery reports to remote domains.
SV-95457r1_rule Exchange must not send nondelivery reports to remote domains.
SV-95459r1_rule The Exchange SMTP automated banner response must not reveal server details.
SV-95461r1_rule Exchange Internal Send connectors must use an authentication level.