| V-221202 | | Exchange must limit the Receive connector timeout. | Email system availability depends in part on best practices strategies for setting tuning. This configuration controls the number of idle minutes befo... |
| V-221203 | | Exchange servers must use approved DoD certificates. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-221204 | | Exchange must have accepted domains configured. | Exchange may be configured to accept email for multiple domain names. This setting identifies the domains for which the server will accept mail. This ... |
| V-221206 | | Exchange external Receive connectors must be domain secure-enabled. | The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. Several controls work toget... |
| V-221207 | | The Exchange email Diagnostic log level must be set to the lowest level. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-221208 | | Exchange Connectivity logging must be enabled. | A connectivity log is a record of the SMTP connection activity of the outbound message delivery queues to the destination mailbox server, smart host, ... |
| V-221209 | | Exchange Queue monitoring must be configured with threshold and action. | Monitors are automated "process watchers" that respond to performance changes and can be useful in detecting outages and alerting administrators where... |
| V-221210 | | Exchange must not send Customer Experience reports to Microsoft. | It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary ca... |
| V-221211 | | Exchange Audit data must be protected against unauthorized access (read access). | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-221212 | | Exchange Send Fatal Errors to Microsoft must be disabled. | It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary ca... |
| V-221213 | | Exchange audit data must be protected against unauthorized access for modification. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-221214 | | Exchange audit data must be protected against unauthorized access for deletion. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-221215 | | Exchange audit data must be on separate partitions. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-221216 | | The Exchange local machine policy must require signed scripts. | Scripts, especially those downloaded from untrusted locations, often provide a way for attackers to infiltrate a system. By setting machine policy to ... |
| V-221217 | | Exchange Internet-facing Send connectors must specify a Smart Host. | When identifying a "Smart Host" for the email environment, a logical Send connector is the preferred method.
A Smart Host acts as an Internet-facing ... |
| V-221218 | | Exchange internal Send connectors must use domain security (mutual authentication Transport Layer Security). | The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. Several controls work toget... |
| V-221219 | | Exchange Internet-facing Receive connectors must offer Transport Layer Security (TLS) before using basic authentication. | Sending unencrypted email over the Internet increases the risk that messages can be intercepted or altered. TLS is designed to protect confidentiality... |
| V-221220 | | Exchange Outbound Connection Timeout must be 10 minutes or less. | Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the number of idl... |
| V-221221 | | Exchange Outbound Connection Limit per Domain Count must be controlled. | Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the maximum numbe... |
| V-221226 | | Exchange Receive connector Maximum Hop Count must be 60. | Email system availability depends in part on best practice strategies for setting tuning configurations. This setting controls the maximum number of h... |
| V-221229 | | Exchange Receive connectors must control the number of recipients per message. | Email system availability depends in part on best practice strategies for setting tuning configurations.
This configuration controls the maximum num... |
| V-221232 | | Exchange messages with a blank sender field must be rejected. | By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rat... |
| V-221233 | | Exchange messages with a blank sender field must be filtered. | By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rat... |
| V-221234 | | Exchange filtered messages must be archived. | By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rat... |
| V-221235 | | The Exchange Sender filter must block unaccepted domains. | Spam origination sites and other sources of suspected email-borne malware have the ability to corrupt, compromise, or otherwise limit availability of ... |
| V-221236 | | Exchange nonexistent recipients must not be blocked. | Spam originators, in an effort to refine mailing lists, sometimes use a technique where they first create fictitious names and then monitor rejected e... |
| V-221237 | | The Exchange Sender Reputation filter must be enabled. | By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rat... |
| V-221238 | | The Exchange Sender Reputation filter must identify the spam block level. | By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rat... |
| V-221239 | | Exchange Attachment filtering must remove undesirable attachments by file type. | By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rat... |
| V-221240 | | The Exchange Spam Evaluation filter must be enabled. | By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages may be eliminated from the transport messa... |
| V-221241 | | The Exchange Block List service provider must be identified. | Block List filtering is a sanitization process performed on email messages prior to their arrival at the destination mailbox. By performing this proce... |
| V-221242 | | Exchange messages with a malformed From address must be rejected. | Sender Identification (SID) is an email antispam sanitization process. Sender ID uses DNS MX record lookups to verify the Simple Mail Transfer Protoco... |
| V-221243 | | The Exchange Recipient filter must be enabled. | Email system availability depends in part on best practice strategies for setting tuning configurations. Careful tuning reduces the risk that system o... |
| V-221244 | | The Exchange tarpitting interval must be set. | Tarpitting is the practice of artificially delaying server responses for specific Simple Mail Transfer Protocol (SMTP) communication patterns that ind... |
| V-221245 | | Exchange internal Receive connectors must not allow anonymous connections. | This control is used to limit the servers that may use this server as a relay. If a Simple Mail Transport Protocol (SMTP) sender does not have a direc... |
| V-221246 | | Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List entries must be empty. | Email system availability depends in part on best practice strategies for setting tuning configurations. Careful tuning reduces the risk that system o... |
| V-221247 | | The Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List Connection filter must be enabled. | Email system availability depends in part on best practice strategies for setting tuning configurations. Careful tuning reduces the risk that system o... |
| V-221248 | | The Exchange Simple Mail Transfer Protocol (SMTP) Sender filter must be enabled. | Email system availability depends in part on best practices strategies for setting tuning configurations. Careful tuning reduces the risk that system ... |
| V-221249 | | Exchange must have antispam filtering installed. | Originators of spam messages are constantly changing their techniques in order to defeat spam countermeasures; therefore, spam software must be consta... |
| V-221250 | | Exchange must have antispam filtering enabled. | Originators of spam messages are constantly changing their techniques in order to defeat spam countermeasures; therefore, spam software must be consta... |
| V-221251 | | Exchange must have antispam filtering configured. | Originators of spam messages are constantly changing their techniques in order to defeat spam countermeasures; therefore, spam software must be consta... |
| V-221252 | | Exchange Sender Identification Framework must be enabled. | Email is only as secure as the recipient. When the recipient is an email server accepting inbound messages, authenticating the sender enables the rece... |
| V-221254 | | The Exchange application directory must be protected from unauthorized access. | Default product installations may provide more generous access permissions than are necessary to run the application. By examining and tailoring acces... |
| V-221255 | | The Exchange software baseline copy must exist. | Exchange software, as with other application software installed on a host system, must be included in a system baseline record and periodically review... |
| V-221256 | | Exchange services must be documented and unnecessary services must be removed or disabled. | Unneeded but running services offer attackers an enhanced attack profile, and attackers are constantly watching to discover open ports with running se... |
| V-221257 | | Exchange software must be installed on a separate partition from the OS. | In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulativ... |
| V-221258 | | The Exchange SMTP automated banner response must not reveal server details. | Automated connection responses occur as a result of FTP or Telnet connections when connecting to those services. They report a successful connection b... |
| V-221260 | | Exchange internal Send connectors must use an authentication level. | The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. Several controls work toget... |
| V-221263 | | Exchange must have the most current, approved service pack installed. | The organization (including any contractor to the organization) must promptly install security-relevant software updates (e.g., patches, service packs... |
| V-221264 | | The application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days. | Malicious code protection mechanisms include, but are not limited, to anti-virus and malware detection software. In order to minimize potential negati... |
| V-221265 | | The application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days. | Malicious code protection mechanisms include, but are not limited, to anti-virus and malware detection software. In order to minimize potential negati... |
| V-221266 | | The application must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals. | Malicious code protection mechanisms include, but are not limited, to anti-virus and malware detection software. In order to minimize potential negati... |
| V-221267 | | The application must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals. | Malicious code protection mechanisms include, but are not limited, to anti-virus and malware detection software. In order to minimize potential negati... |
| V-221268 | | The application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. | Malicious code includes viruses, worms, trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files... |
| V-221269 | | The application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures. | Malicious code includes viruses, worms, trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files... |
| V-221270 | | The applications built-in Malware Agent must be disabled. | Malicious code protection mechanisms include, but are not limited, to, anti-virus and malware detection software. In order to minimize potential negat... |
| V-221222 | | Exchange Send connector connections count must be limited. | This setting controls the maximum number of simultaneous outbound connections allowed for a given SMTP Connector and can be used to throttle the SMTP ... |
| V-221223 | | Exchange message size restrictions must be controlled on Send connectors. | Email system availability depends in part on best practice strategies for setting tuning configurations. For message size restrictions, multiple place... |
| V-221224 | | Exchange Send connectors delivery retries must be controlled. | This setting controls the rate at which delivery attempts from the home domain are retried and user notifications are issued and notes the expiration ... |
| V-221225 | | Exchange Send connectors must be clearly named. | For Send connectors, unclear naming as to direction and purpose increases risk that messages may not flow as intended, troubleshooting efforts may be ... |
| V-221227 | | Exchange Receive connectors must be clearly named. | For receive connectors, unclear naming as to direction and purpose increases risk that messages may not flow as intended, troubleshooting efforts may ... |
| V-221228 | | Exchange Receive connectors must control the number of recipients chunked on a single message. | Email system availability depends in part on best practice strategies for setting tuning configurations. For message size restrictions, multiple place... |
| V-221230 | | The Exchange Internet Receive connector connections count must be set to default. | Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the maximum numbe... |
| V-221231 | | Exchange Message size restrictions must be controlled on Receive connectors. | Email system availability depends in part on best practices strategies for setting tuning configurations. For message size restrictions, multiple plac... |
| V-221253 | | Exchange must render hyperlinks from email sources from non-.mil domains as unclickable. | Active hyperlinks within an email are susceptible to attacks of malicious software or malware. The hyperlink could lead to a malware infection or redi... |
| V-221259 | | Exchange must provide redundancy. | Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accompl... |
| V-221261 | | Exchange internal Receive connectors must require encryption. | The Simple Mail Transfer Protocol (SMTP) Receive connector is used by Exchange to send and receive messages from server to server using SMTP protocol.... |
| V-221262 | | Exchange internal Send connectors must require encryption. | The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. Several controls work toget... |
