DISA Microsoft Exchange 2016 Mailbox Server STIG v2r2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA Microsoft Exchange 2016 Mailbox Server STIG v2r2

Updated: 1/11/2022

Authority: DISA STIG

Plugin: Windows

Revision: 1.3

Estimated Item Count: 69

Audit Items

DescriptionCategories
Authentication Failure
DISA_STIG_Microsoft_Exchange_2016_Mailbox_Server_v2r2.audit from DISA Microsoft Exchange 2016 Mailbox Server v2r2 STIG

SYSTEM AND INFORMATION INTEGRITY

EX16-MB-000010 - Exchange must have Administrator audit logging enabled.

AUDIT AND ACCOUNTABILITY

EX16-MB-000020 - Exchange servers must use approved DoD certificates.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-MB-000030 - Exchange auto-forwarding email to remote domains must be disabled or restricted.

CONFIGURATION MANAGEMENT

EX16-MB-000040 - Exchange Connectivity logging must be enabled.

AUDIT AND ACCOUNTABILITY

EX16-MB-000050 - The Exchange Email Diagnostic log level must be set to the lowest level.

CONFIGURATION MANAGEMENT

EX16-MB-000060 - Exchange Audit record parameters must be set.

AUDIT AND ACCOUNTABILITY

EX16-MB-000070 - Exchange Circular Logging must be disabled.

AUDIT AND ACCOUNTABILITY

EX16-MB-000080 - Exchange Email Subject Line logging must be disabled.

AUDIT AND ACCOUNTABILITY

EX16-MB-000090 - Exchange Message Tracking Logging must be enabled.

AUDIT AND ACCOUNTABILITY

EX16-MB-000100 - Exchange Queue monitoring must be configured with threshold and action.
EX16-MB-000110 - Exchange Send Fatal Errors to Microsoft must be disabled.

CONFIGURATION MANAGEMENT

EX16-MB-000120 - Exchange must protect audit data against unauthorized read access.
EX16-MB-000130 - Exchange must not send Customer Experience reports to Microsoft.

CONFIGURATION MANAGEMENT

EX16-MB-000140 - Exchange must protect audit data against unauthorized access.
EX16-MB-000150 - Exchange must protect audit data against unauthorized deletion.
EX16-MB-000160 - Exchange Audit data must be on separate partitions.
EX16-MB-000170 - Exchange Local machine policy must require signed scripts.

CONFIGURATION MANAGEMENT

EX16-MB-000180 - The Exchange Internet Message Access Protocol 4 (IMAP4) service must be disabled.

CONFIGURATION MANAGEMENT

EX16-MB-000190 - The Exchange Post Office Protocol 3 (POP3) service must be disabled.

CONFIGURATION MANAGEMENT

EX16-MB-000200 - Exchange Mailbox databases must reside on a dedicated partition.

CONFIGURATION MANAGEMENT

EX16-MB-000210 - Exchange Internet-facing Send connectors must specify a Smart Host.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-MB-000220 - Exchange internal Receive connectors must require encryption.

IDENTIFICATION AND AUTHENTICATION

EX16-MB-000270 - Exchange Mailboxes must be retained until backups are complete.

CONTINGENCY PLANNING

EX16-MB-000290 - Exchange email forwarding must be restricted.

CONFIGURATION MANAGEMENT

EX16-MB-000300 - Exchange email-forwarding SMTP domains must be restricted.

CONFIGURATION MANAGEMENT

EX16-MB-000310 - Exchange Mail quota settings must not restrict receiving mail.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-MB-000320 - Exchange Mail Quota settings must not restrict receiving mail.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-MB-000340 - Exchange Mailbox Stores must mount at startup.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-MB-000350 - Exchange Message size restrictions must be controlled on Receive connectors.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-MB-000360 - Exchange Receive connectors must control the number of recipients per message.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-MB-000380 - The Exchange Receive Connector Maximum Hop Count must be 60.

CONFIGURATION MANAGEMENT

EX16-MB-000410 - Exchange Message size restrictions must be controlled on Send connectors.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-MB-000420 - The Exchange Send connector connections count must be limited.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-MB-000430 - The Exchange global inbound message size must be controlled.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-MB-000440 - The Exchange global outbound message size must be controlled.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-MB-000450 - The Exchange Outbound Connection Limit per Domain Count must be controlled.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-MB-000460 - The Exchange Outbound Connection Timeout must be 10 minutes or less.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-MB-000470 - Exchange Internal Receive connectors must not allow anonymous connections.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-MB-000480 - Exchange external/Internet-bound automated response messages must be disabled.

CONFIGURATION MANAGEMENT

EX16-MB-000490 - Exchange must have anti-spam filtering installed.

SYSTEM AND INFORMATION INTEGRITY

EX16-MB-000500 - Exchange must have anti-spam filtering enabled - ContentFilterConfig

SYSTEM AND INFORMATION INTEGRITY

EX16-MB-000500 - Exchange must have anti-spam filtering enabled - SenderFilterConfig

SYSTEM AND INFORMATION INTEGRITY

EX16-MB-000500 - Exchange must have anti-spam filtering enabled - SenderIDConfig

SYSTEM AND INFORMATION INTEGRITY

EX16-MB-000500 - Exchange must have anti-spam filtering enabled - SenderReputationConfig

SYSTEM AND INFORMATION INTEGRITY

EX16-MB-000510 - Exchange must have anti-spam filtering configured.

SYSTEM AND COMMUNICATIONS PROTECTION

EX16-MB-000520 - Exchange must not send automated replies to remote domains.

CONFIGURATION MANAGEMENT

EX16-MB-000530 - Exchange servers must have an approved DoD email-aware virus protection software installed.
EX16-MB-000540 - The Exchange Global Recipient Count Limit must be set.

SYSTEM AND COMMUNICATIONS PROTECTION