EX19-MB-000040 - Exchange email subject line logging must be disabled.

Information

Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. When 'message tracking' is enabled, only the sender, recipients, time, and other delivery information is included by default. Information such as the subject and message body is not included.

However, the absence of the message subject line can make it difficult to locate a specific message in the log unless one knows roughly what time the message was sent. To simplify searches through these logs, Exchange offers the ability to include the message 'subject line' in the log files and in the Message Tracking Center display. This can make it significantly easier to locate a specific message.

However, this feature creates larger log files and will contain information that may raise privacy and legal concerns. Enterprise policy should be consulted before this feature is enabled. Also, because the log files may contain sensitive information in the form of the subject line, the log files will need to be protected, commensurate with the sensitivity level, as the content may be of interest to an attacker.

For these reasons, it is recommended that subject logging not be enabled during regular production operations. Instead, treat this feature as a diagnostic that can be used if needed. The tradeoff is that finding the correct message in the message tracking logs will become more difficult because the administrator will need to search using only the time the message was sent and the message's sender. This control will have no effect unless Message Tracking is enabled. However, the setting should be disabled in case message tracking is enabled in the future.

Solution

Open the Exchange Management Shell and enter the following command:

Set-Transportservice -MessageTrackingLogSubjectLoggingEnabled $False

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Exchange_2019_Y24M10_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, CAT|II, CCI|CCI-000133, Rule-ID|SV-259656r960900_rule, STIG-ID|EX19-MB-000040, Vuln-ID|V-259656

Plugin: Windows

Control ID: a071d7b4b81e15e1e4778df89c6a5d75cb963f229ec1df00439fe36cd4a78552