| V-228397 | | Exchange servers must have an approved DoD email-aware virus protection software installed. | With the proliferation of trojans, viruses, and spam attaching themselves to email messages (or attachments), it is necessary to have capable email-aw... |
| V-228354 | | Exchange must have Administrator audit logging enabled. | Unauthorized or malicious data changes can compromise the integrity and usefulness of the data. Automated attacks or malicious users with elevated pri... |
| V-228355 | | Exchange servers must use approved DoD certificates. | Server certificates are required for many security features in Exchange; without them, the server cannot engage in many forms of secure communication.... |
| V-228356 | | Exchange auto-forwarding email to remote domains must be disabled or restricted. | Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this in... |
| V-228357 | | Exchange Connectivity logging must be enabled. | A connectivity log is a record of the SMTP connection activity of the outbound message delivery queues to the destination Mailbox server, smart host, ... |
| V-228358 | | The Exchange Email Diagnostic log level must be set to the lowest level. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-228361 | | Exchange Email Subject Line logging must be disabled. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-228362 | | Exchange Message Tracking Logging must be enabled. | A message tracking log provides a detailed log of all message activity as messages are transferred to and from a computer running Exchange. If events... |
| V-228363 | | Exchange Queue monitoring must be configured with threshold and action. | Monitors are automated "process watchers" that respond to performance changes and can be useful in detecting outages and alerting administrators where... |
| V-228364 | | Exchange Send Fatal Errors to Microsoft must be disabled. | It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary ca... |
| V-228365 | | Exchange must protect audit data against unauthorized read access. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-228366 | | Exchange must not send Customer Experience reports to Microsoft. | It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary ca... |
| V-228367 | | Exchange must protect audit data against unauthorized access. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-228368 | | Exchange must protect audit data against unauthorized deletion. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-228369 | | Exchange Audit data must be on separate partitions. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-228370 | | Exchange Local machine policy must require signed scripts. | Scripts often provide a way for attackers to infiltrate a system, especially scripts downloaded from untrusted locations. By setting machine policy to... |
| V-228371 | | The Exchange Internet Message Access Protocol 4 (IMAP4) service must be disabled. | IMAP4 is not approved for use within the DoD. It uses a clear-text-based user name and password and does not support the DoD standard for PKI for emai... |
| V-228372 | | The Exchange Post Office Protocol 3 (POP3) service must be disabled. | POP3 is not approved for use within the DoD. It uses a clear-text-based user name and password and does not support the DoD standard for PKI for email... |
| V-228373 | | Exchange Mailbox databases must reside on a dedicated partition. | In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulativ... |
| V-228374 | | Exchange Internet-facing Send connectors must specify a Smart Host. | When identifying a "Smart Host" for the email environment, a logical Send connector is the preferred method. A Smart Host acts as an Internet-facing ... |
| V-228375 | | Exchange internal Receive connectors must require encryption. | The Simple Mail Transfer Protocol (SMTP) Receive connector is used by Exchange to send and receive messages from server to server using SMTP protocol.... |
| V-228376 | | Exchange Mailboxes must be retained until backups are complete. | Backup and recovery procedures are an important part of overall system availability and integrity. Complete backups reduce the chance of accidental de... |
| V-228377 | | Exchange email forwarding must be restricted. | Auto-forwarded email accounts do not meet the requirement for digital signature and encryption of Controlled Unclassified Information (CUI) and Person... |
| V-228378 | | Exchange email-forwarding SMTP domains must be restricted. | Auto-forwarded email accounts do not meet the requirement for digital signature and encryption of Controlled Unclassified Information (CUI) and Person... |
| V-228391 | | Exchange Internal Receive connectors must not allow anonymous connections. | This control is used to limit the servers that may use this server as a relay. If a Simple Mail Transport Protocol (SMTP) sender does not have a direc... |
| V-228392 | | Exchange external/Internet-bound automated response messages must be disabled. | Spam originators, in an effort to refine mailing lists, sometimes monitor transmissions for automated bounce-back messages. Automated messages include... |
| V-228393 | | Exchange must have anti-spam filtering installed. | Originators of spam messages are constantly changing their techniques in order to defeat spam countermeasures; therefore, spam software must be consta... |
| V-228394 | | Exchange must have anti-spam filtering enabled. | Originators of spam messages are constantly changing their techniques in order to defeat spam countermeasures; therefore, spam software must be consta... |
| V-228395 | | Exchange must have anti-spam filtering configured. | Originators of spam messages are constantly changing their techniques in order to defeat spam countermeasures; therefore, spam software must be consta... |
| V-228396 | | Exchange must not send automated replies to remote domains. | Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this in... |
| V-228400 | | The Exchange application directory must be protected from unauthorized access. | Default product installations may provide more generous access permissions than are necessary to run the application. By examining and tailoring acces... |
| V-228401 | | An Exchange software baseline copy must exist. | Exchange software, as with other application software installed on a host system, must be included in a system baseline record and periodically review... |
| V-228402 | | Exchange software must be monitored for unauthorized changes. | Monitoring software files for changes against a baseline on a regular basis may help detect the possible introduction of malicious code on a system.... |
| V-228403 | | Exchange services must be documented and unnecessary services must be removed or disabled. | Unneeded but running services offer attackers an enhanced attack profile, and attackers are constantly watching to discover open ports with running se... |
| V-228404 | | Exchange Outlook Anywhere clients must use NTLM authentication to access email. | Identification and authentication provide the foundation for access control. Access to email services applications requires NTLM authentication. Outloo... |
| V-228405 | | The Exchange Email application must not share a partition with another application. | In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulativ... |
| V-228406 | | Exchange must not send delivery reports to remote domains. | Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this in... |
| V-228407 | | Exchange must not send nondelivery reports to remote domains. | Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this in... |
| V-228408 | | The Exchange SMTP automated banner response must not reveal server details. | Automated connection responses occur as a result of FTP or Telnet connections when connecting to those services. They report a successful connection b... |
| V-228409 | | Exchange Internal Send connectors must use an authentication level. | The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. Several controls work toget... |
| V-228410 | | Exchange must provide Mailbox databases in a highly available and redundant configuration. | Exchange Server mailbox databases and any data contained in those mailboxes should be protected. This can be accomplished by configuring Mailbox serve... |
| V-228411 | | Exchange must have the most current, approved service pack installed. | Failure to install the most current Exchange service pack leaves a system vulnerable to exploitation. Current service packs correct known security and... |
| V-228412 | | The application must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. | Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with Federal stan... |
| V-228413 | | The application's built-in Malware Agent must be disabled. | Malicious code protection mechanisms include but are not limited to anti-virus and malware detection software. To minimize potential negative impact t... |
| V-228415 | | Exchange must use encryption for RPC client access. | This setting controls whether client machines are forced to use secure channels to communicate with the server. If this feature is enabled, clients wi... |
| V-228416 | | Exchange must use encryption for Outlook Web App (OWA) access. | This setting controls whether client machines should be forced to use secure channels to communicate with this virtual directory. If this feature is e... |
| V-228417 | | Exchange must have forms-based authentication disabled. | Identification and Authentication provide the foundation for access control. Access to email services applications in the DoD requires authentication ... |
| V-228418 | | Exchange must have authenticated access set to Integrated Windows Authentication only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-228359 | | Exchange Audit record parameters must be set. | Log files help establish a history of activities and can be useful in detecting attack attempts. This item declares the fields that must be available ... |
| V-228360 | | Exchange Circular Logging must be disabled. | Logging provides a history of events performed and can also provide evidence of tampering or attack. Failure to create and preserve logs adds to the r... |
| V-228379 | | Exchange Mail quota settings must not restrict receiving mail. | Mail quota settings control the maximum sizes of a user’s mailbox and the system’s response if these limits are exceeded. Mailbox data that is not mon... |
| V-228380 | | Exchange Mail Quota settings must not restrict receiving mail. | Mail quota settings control the maximum sizes of a user’s mailbox and the system’s response if these limits are exceeded. Mailbox data that is not mon... |
| V-228381 | | Exchange Mailbox Stores must mount at startup. | Administrator responsibilities include the ability to react to unplanned maintenance tasks or emergency situations that may require Mailbox data manip... |
| V-228382 | | Exchange Message size restrictions must be controlled on Receive connectors. | Email system availability depends in part on best practice strategies for setting tuning configurations. For message size restrictions, multiple place... |
| V-228383 | | Exchange Receive connectors must control the number of recipients per message. | Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the maximum num... |
| V-228384 | | The Exchange Receive Connector Maximum Hop Count must be 60. | Email system availability depends in part on best practice strategies for setting tuning configurations. This setting controls the maximum number of h... |
| V-228385 | | Exchange Message size restrictions must be controlled on Send connectors. | Email system availability depends in part on best practice strategies for setting tuning configurations. For message size restrictions, multiple place... |
| V-228386 | | The Exchange Send connector connections count must be limited. | The Exchange Send connector setting controls the maximum number of simultaneous outbound connections allowed for a given SMTP connector and can be use... |
| V-228387 | | The Exchange global inbound message size must be controlled. | Email system availability depends in part on best practice strategies for setting tuning configurations. Message size limits should be set to 10 megab... |
| V-228388 | | The Exchange global outbound message size must be controlled. | Email system availability depends in part on best practice strategies for setting tuning configurations. Message size limits should be set to 10 megab... |
| V-228389 | | The Exchange Outbound Connection Limit per Domain Count must be controlled. | Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the maximum numbe... |
| V-228390 | | The Exchange Outbound Connection Timeout must be 10 minutes or less. | Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the number of idl... |
| V-228398 | | The Exchange Global Recipient Count Limit must be set. | Email system availability depends in part on best practice strategies for setting tuning configurations. The Global Recipient Count Limit field is use... |
| V-228399 | | The Exchange Receive connector timeout must be limited. | Email system availability depends in part on best practice strategies for setting tuning. This configuration controls the number of idle minutes befor... |