EX19-ED-000130 Exchange Attachment filtering must remove undesirable attachments by file type.

Information

By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server environment.

Attachments are being used more frequently for different forms of attacks. By filtering undesirable attachments, a large percent of malicious code can be prevented from entering the system. Attachments must be controlled at the entry point into the email environment to prevent successful attachment-based attacks. The following is a basic list of known attachments that should be filtered from internet mail attachments:

*.ade *.crt *.jse *.msi *.scr *.wsh *.dir
*.adp *.csh *.ksh *.msp *.sct *.htm *.dcr
*.app *.exe *.lnk *.mst *.shb *.html *.plg
*.asx *.fxp *.mda *.ops *.shs *.htc *.spl
*.bas *.hlp *.mdb *.pcd *.url *.mht *.swf
*.bat *.hta *.mde *.pif *.vb *.mhtml *.zip
*.chm *.inf *.mdt *.prf *.vbe *.shtm
*.cmd *.ins *.mdw *.prg *.vbs *.shtml
*.com *.isp *.mdz *.reg *.wsc *.stm
*.cpl *.js *.msc *.scf *.wsf *.xml

Solution

Update the EDSP to reflect the list of undesirable attachment types that should be stripped.

Open the Exchange Management Shell and enter the following command:

Add-AttachmentFilterEntry -Name <'*.FileExtension'> -Type FileName

Repeat the procedure for each undesirable attachment type.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Exchange_2019_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-8(2), CAT|II, CCI|CCI-001308, Rule-ID|SV-259616r961161_rule, STIG-ID|EX19-ED-000130, Vuln-ID|V-259616

Plugin: Windows

Control ID: e461eba5ea4330c1b32b516b7fba2ed7067d51619487d8c98e0399dd0be0806b