EX19-MB-000117 - Exchange email-forwarding SMTP domains must be restricted.

Information

Auto-forwarded email accounts do not meet the requirement for digital signature and encryption of Controlled Unclassified Information (CUI) and Personally Identifiable Information (PII) in accordance with DODI 8520.2 (reference ee) and DOD Director for Administration and Management memorandum, 'Safeguarding Against and Responding to the Breach of Personally Identifiable Information'.

Use of forwarding set by an administrator interferes with nonrepudiation requirements that each end user be responsible for creation and destination of email data.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Update the EDSP to specify any accounts that have been authorized to have email auto-forwarded or verify that this information is documented by the organization.

For domains that are listed in the EDSP to allow AutoForwarding, open the Exchange Management Shell and enter the following command:

Set-RemoteDomain -Identity <RemoteDomainIdParameter> -AutoForwardEnabled $true

If the Remote Domain is NOT listed in the EDSP to allow for AutoForwarding, open the Exchange Management Shell and enter the following command:

Set-RemoteDomain -Identity [RemoteDomainIdentity] -AutoForwardingEnabled $false

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Exchange_2019_Y24M10_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-28, CAT|II, CCI|CCI-001199, Rule-ID|SV-259673r961128_rule, STIG-ID|EX19-MB-000117, Vuln-ID|V-259673

Plugin: Windows

Control ID: b81b2664dc1e330370d462404d85515abd83ae27b0f312fcff4437b47d7a0289