Exchange must have accepted domains configured.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-221204 | EX16-ED-000030 | SV-221204r960801_rule | CCI-001368 | medium |
| Description | ||||
| Exchange may be configured to accept email for multiple domain names. This setting identifies the domains for which the server will accept mail. This check verifies the email server is not accepting email for unauthorized domains. | ||||
| STIG | Date | |||
| Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide | 2024-12-06 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AC-4
1.00
- DISA · V2R6 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.1.3
1.00
- DISA · V2R6 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-001368
1.00
- DISA · V2R6 · disa_xccdf · related
Details
Check Text (C-221204r960801_chk)
Review the Email Domain Security Plan (EDSP).
Determine the Accepted Domain values.
Open the Exchange Management Shell and enter the following command:
Get-AcceptedDomain | Select Name, DomainName, Identity, Default
If the value of "Default" is not set to "True", this is a finding.
or
If the "Default" value for "AcceptedDomains" is set to another value other than "True" and has signoff and risk acceptance in the EDSP, this is not a finding.
Fix Text (F-22908r411739_fix)
Update the EDSP.
Open the Exchange Management Shell and enter the following command:
Set-AcceptedDomain -Identity <'IdentityName'> -MakeDefault $true
Note: The <IdentityName> value must be in single quotes.