EX19-ED-000126 - The Exchange sender filter must block unaccepted domains.

Information

Spam origination sites and other sources of suspected email-borne malware have the ability to corrupt, compromise, or otherwise limit availability of email servers. Limiting exposure to unfiltered inbound messages can reduce the risk of spam and malware impacts.

The Global Deny list blocks messages originating from specific sources. Most block list filtering is done using a commercial block list service, because eliminating threats from known spammers prevents the messages being evaluated inside the enclave where there is more risk they can do harm.

Additional sources should also be blocked to supplement the contents of the commercial Block List service. For example, during a zero-day threat action, entries can be added and then removed when the threat is mitigated. An additional best practice is to enter the enterprise's home domains in the block list, because inbound email with a 'from' address of the home domain is very likely to be spoofed spam.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Update the EDSP to reflect the unaccepted domains that are to be blocked.

Open the Exchange Management Shell and enter the following command:

For BlockedDomains:

Set-SenderFilterConfig -BlockedDomains <BlockedDomain>

To add additional domains to the list (array):

Set-SenderFilterConfig -BlockedDomains @{add='<blockeddomain2>','<blockeddomain3>','<blockeddomain4>'}

Each domain added must be quotes and separated by a comma.

Repeat the procedure for each domain that is to be blocked.

or

For BlockedDomainsAndSubdomains:

Set-SenderFilterConfig -BlockedDomainsAndSubdomains <BlockedDomainAndSubdomain>

Same procedure applies for adding multiple domains applies to this filter.

Repeat the procedure for each domain and all of its subdomains that are to be blocked.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Exchange_2019_Y24M10_STIG.zip

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-8(2), CAT|II, CCI|CCI-001308, Rule-ID|SV-259612r961161_rule, STIG-ID|EX19-ED-000126, Vuln-ID|V-259612

Plugin: Windows

Control ID: 3f5add1c6f495e99eef5521931bd9c143329c3d64d95a246c361534d280172c3