EX19-ED-000224 - The Exchange Edge server must point to a trusted list of DNS servers for external and internal resolution.

Information

To mitigate the risk of possible erroneous queries that may have been coopted by bad actors, the Exchange Edge server must use DNS servers that utilize DNSSEC to resolve external hosts and internal hosts before routing messages to the appropriate destination.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Verify in the EDSP or consult with the appropriate personnel who manage which DNS servers to use for Internal and External DNS resolution.

If a GUID for the External and Internal network adapters are applicable, then gather the values to populate the appropriate properties with the following commands:

netsh lan show interfaces

This will provide the adapters and the GUIDs for each. Identify the external and internal adapters for the Edge server.

Once gathered, run the following:

Set-TransportService -Identity <name of server> -ExternalDNSAdapterEnabled $true -ExternalDNSAdapterGuid <externalAdapterGUID> -InternalDNSAdapterEnabled $true -InternalDNSAdapterGuid <InternalAdapterGuid>

If the 'ExternalDNSAdapterEnabled' or InternalDNSAdapterEnabled are set to false, use the following to set the DNS configuration:

Set-TransportService -Identity <name of server> -InternalDNSServers @{add='Trusted DNS IP1','Trusted DNS IP2'}
Set-TransportService -Identity <name of server> -ExternalDNSServers @{add='Trusted DNS IP1','Trusted DNS IP2'}

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Exchange_2019_Y24M10_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-21, CAT|II, CCI|CCI-002466, Rule-ID|SV-259636r961587_rule, STIG-ID|EX19-ED-000224, Vuln-ID|V-259636

Plugin: Windows

Control ID: c7adef7abb0dd6b4151602e7f170229faf3251baa590e84df2dc68a961b62aef