MS Exchange 2013 Client Access Server Security Technical Implementation Guide


Date: 2019-12-18
Finding Count: 33 (CAT I (High): 1, CAT II (Med): 28, CAT III (Low): 4)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID | Severity | Title
V-69775 | High | Exchange OWA must use https.
V-69767 | Medium | Exchange services must be documented and unnecessary services must be removed or disabled.
V-69729 | Medium | Exchange must have IIS map client certificates to an approved certificate server.
V-69763 | Medium | Exchange software baseline copy must exist.
V-69761 | Medium | Exchange application directory must be protected from unauthorized access.
V-69723 | Medium | Exchange must have Administrator audit logging enabled.
V-69721 | Medium | Exchange must have authenticated access set to Integrated Windows Authentication only.
V-69727 | Medium | Exchange ActiveSync (EAS) must only use certificate-based authentication to access email.
V-69725 | Medium | Exchange Servers must use approved DoD certificates.
V-69765 | Medium | Exchange software must be monitored for unauthorized changes.
V-69745 | Medium | Exchange must have audit data protected against unauthorized deletion.
V-69717 | Medium | Exchange must use Encryption for OWA access.
V-69741 | Medium | Exchange must not send Customer Experience reports to Microsoft.
V-69743 | Medium | Exchange must have Audit data protected against unauthorized modification.
V-69753 | Medium | Exchange IMAP4 service must be disabled.
V-69755 | Medium | Exchange POP3 service must be disabled.
V-69751 | Medium | Exchange Local machine policy must require signed scripts.
V-69719 | Medium | Exchange must have Forms-based Authentication disabled.
V-69739 | Medium | Exchange must have Audit data protected against unauthorized read access.
V-69715 | Medium | Exchange must use Encryption for RPC client access.
V-69735 | Medium | Exchange must have Queue monitoring configured with threshold and action.
V-69737 | Medium | Exchange must have Send Fatal Errors to Microsoft disabled.
V-69731 | Medium | Exchange Email Diagnostic log level must be set to lowest level.
V-69779 | Medium | Exchange must have the most current, approved service pack installed.
V-69771 | Medium | Exchange software must be installed on a separate partition from the OS.
V-69773 | Medium | Exchange must provide redundancy.
V-69769 | Medium | Exchange Outlook Anywhere (OA) clients must use NTLM authentication to access email.
V-69777 | Medium | Exchange OWA must have S/MIME Certificates enabled.
V-69781 | Medium | Exchange must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-69757 | Low | Exchange must have the Public Folder virtual directory removed if not in use by the site.
V-69747 | Low | Exchange must have Audit data on separate partitions.
V-69733 | Low | Exchange must have Audit record parameters set.
V-69759 | Low | Exchange must have the Microsoft Active Sync directory removed.