| Vuln ID | | Title | Description |
|---|---|---|---|
| V-259640 | | Exchange must provide redundancy. | Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accompl... |
| V-259641 | | Exchange internal Receive connectors must require encryption. | The Simple Mail Transfer Protocol (SMTP) Receive connector is used by Exchange to send and receive messages from server to server using SMTP protocol.... |
| V-259642 | | Exchange internal Send connectors must require encryption. | The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. Several controls work toget... |
| V-259577 | | SchUseStrongCrypto must be enabled. | Exchange Server 2019 is configured by default with TLS 1.2. However, SchUseStrongCrypto is not set by default and must be configured to meet the TLS r... |
| V-259578 | | Exchange servers must use approved DOD certificates. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-259579 | | Exchange must have accepted domains configured. | Exchange may be configured to accept email for multiple domain names. This setting identifies the domains for which the server will accept mail. This ... |
| V-259580 | | Exchange external Receive connectors must be domain secure-enabled. | The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. Several controls work toget... |
| V-259581 | | The Exchange email diagnostic log level must be set to the lowest level. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-259582 | | Exchange connectivity logging must be enabled. | A connectivity log is a record of the SMTP connection activity of the outbound message delivery queues to the destination mailbox server, smart host, ... |
| V-259583 | | Exchange message tracking logging must be enabled. | A message tracking log provides a detailed log of all message activity as messages are transferred to and from a computer running Exchange. If events... |
| V-259584 | | Exchange queue monitoring must be configured with threshold and action. | Monitors are automated "process watchers" that respond to performance changes and can be useful in detecting outages and alerting administrators where... |
| V-259585 | | Exchange audit data must be protected against unauthorized access (read access). | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-259586 | | Exchange audit data must be protected against unauthorized access for modification. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-259587 | | Exchange audit data must be protected against unauthorized access for deletion. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-259588 | | Exchange audit data must be on separate partitions. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-259589 | | Exchange local machine policy must require signed scripts. | Scripts often provide a way for attackers to infiltrate a system, especially scripts downloaded from untrusted locations. By setting machine policy to... |
| V-259590 | | Exchange must not send customer experience reports to Microsoft. | It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary ca... |
| V-259591 | | Exchange Send Fatal Errors to Microsoft must be disabled. | It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary ca... |
| V-259592 | | Exchange queue database must reside on a dedicated partition. | In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulativ... |
| V-259593 | | Exchange internet-facing send connectors must specify a Smart Host. | When identifying a "Smart Host" for the email environment, a logical send connector is the preferred method. A Smart Host acts as an internet-facing ... |
| V-259594 | | Exchange internal send connectors must use domain security (mutual authentication Transport Layer Security). | The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. Several controls work toget... |
| V-259595 | | Exchange internet-facing receive connectors must offer Transport Layer Security (TLS) before using basic authentication. | Sending unencrypted email over the internet increases the risk that messages can be intercepted or altered. TLS is designed to protect confidentiality... |
| V-259596 | | More than one Edge server must be deployed. | To ensure hostile insiders are unable to easily commit DoS attacks and reduce the effectiveness of mail flow throughout the environment, a second Edge... |
| V-259597 | | Exchange Outbound Connection Timeout must be 10 minutes or less. | Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the number of idl... |
| V-259598 | | Exchange Outbound Connection limit per Domain Count must be controlled. | Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the maximum numbe... |
| V-259599 | | Exchange receive connector maximum hop count must be 60. | Email system availability depends in part on best practice strategies for setting tuning configurations. This setting controls the maximum number of h... |
| V-259600 | | Exchange receive connectors must control the number of recipients per message. | Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the maximum num... |
| V-259601 | | Exchange send connector connections count must be limited. | This setting controls the maximum number of simultaneous outbound connections allowed for a given SMTP Connector and can be used to throttle the SMTP ... |
| V-259602 | | Exchange message size restrictions must be controlled on Send connectors. | Email system availability depends in part on best practice strategies for setting tuning configurations. For message size restrictions, multiple place... |
| V-259603 | | Exchange send connectors delivery retries must be controlled. | This setting controls the rate at which delivery attempts from the home domain are retried and user notifications are issued and notes the expiration ... |
| V-259604 | | Exchange receive connectors must be clearly named. | For receive connectors, unclear naming as to direction and purpose increases risk that messages may not flow as intended, troubleshooting efforts may ... |
| V-259605 | | Exchange receive connectors must control the number of recipients chunked on a single message. | Email system availability depends in part on best practice strategies for setting tuning configurations. For message size restrictions, multiple place... |
| V-259606 | | The Exchange internet receive connector connections count must be set to default. | Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the maximum numbe... |
| V-259607 | | Exchange Message size restrictions must be controlled on receive connectors. | Email system availability depends in part on best practice strategies for setting tuning configurations. For message size restrictions, multiple plac... |
| V-259608 | | Active hyperlinks in messages from non .mil domains must be rendered unclickable. | Active hyperlinks within an email are susceptible to attacks of malicious software or malware. The hyperlink could lead to a malware infection or redi... |
| V-259609 | | Exchange messages with a blank sender field must be rejected. | By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rat... |
| V-259610 | | Exchange messages with a blank sender field must be filtered. | By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rat... |
| V-259611 | | Exchange filtered messages must be archived. | By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rat... |
| V-259612 | | The Exchange sender filter must block unaccepted domains. | Spam origination sites and other sources of suspected email-borne malware have the ability to corrupt, compromise, or otherwise limit availability of ... |
| V-259613 | | Exchange nonexistent recipients must not be blocked. | Spam originators, in an effort to refine mailing lists, sometimes use a technique where they first create fictitious names and then monitor rejected e... |
| V-259614 | | The Exchange Sender Reputation filter must be enabled. | By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rat... |
| V-259615 | | The Exchange Sender Reputation filter must identify the spam block level. | By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rat... |
| V-259616 | | Exchange Attachment filtering must remove undesirable attachments by file type. | By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rat... |
| V-259617 | | The Exchange Spam Evaluation filter must be enabled. | By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages may be eliminated from the transport messa... |
| V-259618 | | The Exchange Block List service provider must be identified. | Block List filtering is a sanitization process performed on email messages prior to their arrival at the destination mailbox. By performing this proce... |
| V-259619 | | Exchange messages with a malformed From address must be rejected. | Sender ID is an email anti-spam sanitization process. Sender ID uses DNS lookups of the originating domain's published Sender ID/SPF records to verify the Simple Mail Transfer Protoc... |
| V-259620 | | The Exchange Recipient filter must be enabled. | Email system availability depends in part on best practice strategies for setting tuning configurations. Careful tuning reduces the risk that system o... |
| V-259621 | | The Exchange tarpitting interval must be set. | Tarpitting is the practice of artificially delaying server responses for specific Simple Mail Transfer Protocol (SMTP) communication patterns that ind... |
| V-259622 | | Exchange internal Receive connectors must not allow anonymous connections. | This control is used to limit the servers that may use this server as a relay. If a Simple Mail Transfer Protocol (SMTP) sender does not have a direc... |
| V-259623 | | Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List entries must be empty. | Email system availability depends in part on best practice strategies for setting tuning configurations. Careful tuning reduces the risk that system o... |
| V-259624 | | The Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List Connection filter must be enabled. | Email system availability depends in part on best practice strategies for setting tuning configurations. Careful tuning reduces the risk that system o... |
| V-259625 | | The Exchange Simple Mail Transfer Protocol (SMTP) Sender filter must be enabled. | Email system availability depends in part on best practice strategies for setting tuning configurations. Careful tuning reduces the risk that system ... |
| V-259626 | | Exchange must have anti-spam filtering installed. | Originators of spam messages are constantly changing their techniques to defeat spam countermeasures; therefore, spam software must be constantly upda... |
| V-259627 | | Exchange must have anti-spam filtering enabled. | Originators of spam messages are constantly changing their techniques to defeat spam countermeasures; therefore, spam software must be constantly upda... |
| V-259628 | | Exchange must have anti-spam filtering configured. | Originators of spam messages are constantly changing their techniques to defeat spam countermeasures; therefore, spam software must be constantly upda... |
| V-259629 | | Exchange Sender Identification Framework must be enabled. | Email is only as secure as the recipient. When the recipient is an email server accepting inbound messages, authenticating the sender enables the rece... |
| V-259630 | | Exchange must limit the Receive connector timeout. | Email system availability depends in part on best practice strategies for setting tuning. This configuration controls the number of idle minutes befo... |
| V-259631 | | Role-Based Access Control must be defined for privileged and nonprivileged users. | Role Based Access Control (RBAC) is the permissions model used in Microsoft Exchange Server 2013, 2016, and 2019. With RBAC, there is no need to modif... |
| V-259632 | | The Exchange application directory must be protected from unauthorized access. | Default product installations may provide more generous access permissions than are necessary to run the application. By examining and tailoring acces... |
| V-259633 | | The Exchange software baseline copy must exist. | Exchange software, as with other application software installed on a host system, must be included in a system baseline record and periodically review... |
| V-259634 | | The Exchange local machine policy must require signed scripts. | Scripts, especially those downloaded from untrusted locations, often provide a way for attackers to infiltrate a system. By setting machine policy to ... |
| V-259635 | | Exchange services must be documented, and unnecessary services must be removed or disabled. | Unneeded but running services offer attackers an enhanced attack profile, and attackers are constantly watching to discover open ports with running se... |
| V-259636 | | The Exchange Edge server must point to a trusted list of DNS servers for external and internal resolution. | To mitigate the risk of possible erroneous queries that may have been coopted by bad actors, the Exchange Edge server must use DNS servers that utiliz... |
| V-259637 | | Exchange software must be installed on a separate partition from the OS. | In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulativ... |
| V-259638 | | The Exchange SMTP automated banner response must not reveal server details. | Automated connection responses (banners) are returned by network services such as SMTP, FTP, or Telnet when a client connects. They report a successful connection b... |
| V-259639 | | Exchange internal Send connectors must use an authentication level. | The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. Several controls work toget... |
| V-259643 | | Exchange must render hyperlinks from email sources from non-.mil domains as unclickable. | Active hyperlinks within an email are susceptible to attacks of malicious software or malware. The hyperlink could lead to a malware infection or redi... |
| V-259644 | | Exchange must have the most current, approved Cumulative Update (CU) installed. | The organization (including any contractor to the organization) must promptly install security-relevant software updates (e.g., patches, service packs... |
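
The rows above name the settings but not how to read them. The script below is an added example, not part of the STIG and not Microsoft tooling: a read-only audit, run from the Exchange Management Shell on the Edge Transport server, that pulls the values behind a subset of the rows (the SchUseStrongCrypto registry value, machine execution policy, telemetry switches, transport logging, Receive and Send connector settings, and the Edge anti-spam agents) and reports Pass/FAIL per Vuln ID. Two things in it are assumptions rather than STIG content: connector direction is inferred from the connector name (names containing "Internet" are treated as internet-facing, which leans on the clear naming V-259604 requires; a Send connector whose address space is `SMTP:*` is also treated as internet-facing), and the values marked "assumed" in the comments (the 5-second tarpit floor, the mapping of the 10-minute outbound timeout to `ConnectionInactivityTimeOut`, the banner keyword test, and the non-zero Sender Reputation block level).

```powershell
# Added example (not STIG or Microsoft code): read-only audit of a subset of the STIG rows.
# Run from the Exchange Management Shell on the Edge Transport server.
# Assumptions, not STIG text: connector direction is inferred from the name ('Internet' =>
# internet-facing) or, for Send connectors, an SMTP:* address space; values marked "assumed" below.

function New-Finding([string]$Id, [string]$Object, [string]$Setting, $Value, [bool]$Pass, [string]$Expected) {
    [pscustomobject]@{
        VulnId = $Id; Object = $Object; Setting = $Setting; Value = "$Value"; Expected = $Expected
        Status = $(if ($Pass) { 'Pass' } else { 'FAIL' })
    }
}

function Get-EdgeTransportStigFindings {
    $f  = New-Object System.Collections.Generic.List[object]
    $me = $env:COMPUTERNAME

    # V-259577: SchUseStrongCrypto=1 under both the 64-bit and the 32-bit (Wow6432Node) .NET keys.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $v = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        $f.Add((New-Finding 'V-259577' $key 'SchUseStrongCrypto' $v ($v -eq 1) '1'))
    }
    # V-259589 / V-259634: the machine-scope execution policy must only run signed scripts.
    $ep = Get-ExecutionPolicy -Scope LocalMachine
    $f.Add((New-Finding 'V-259589' 'LocalMachine' 'ExecutionPolicy' $ep ($ep -eq 'AllSigned') 'AllSigned'))
    # V-259590 / V-259591: no customer-experience or fatal-error reports leave the server.
    $srv = Get-ExchangeServer -Identity $me
    $f.Add((New-Finding 'V-259590' $me 'CustomerFeedbackEnabled' $srv.CustomerFeedbackEnabled (-not $srv.CustomerFeedbackEnabled) 'False'))
    $f.Add((New-Finding 'V-259591' $me 'ErrorReportingEnabled' $srv.ErrorReportingEnabled (-not $srv.ErrorReportingEnabled) 'False'))
    # V-259582 / V-259583: connectivity and message tracking logs are the transport audit trail.
    $ts = Get-TransportService -Identity $me
    $f.Add((New-Finding 'V-259582' $me 'ConnectivityLogEnabled' $ts.ConnectivityLogEnabled $ts.ConnectivityLogEnabled 'True'))
    $f.Add((New-Finding 'V-259583' $me 'MessageTrackingLogEnabled' $ts.MessageTrackingLogEnabled $ts.MessageTrackingLogEnabled 'True'))

    foreach ($rc in Get-ReceiveConnector -Server $me) {
        $n = $rc.Name; $auth = "$($rc.AuthMechanism)"; $internet = $n -match 'Internet'
        $f.Add((New-Finding 'V-259599' $n 'MaxHopCount' $rc.MaxHopCount ($rc.MaxHopCount -eq 60) '60'))
        $f.Add((New-Finding 'V-259607' $n 'MaxMessageSize' $rc.MaxMessageSize ("$($rc.MaxMessageSize)" -ne 'Unlimited') 'bounded'))
        # V-259621: a tarpit delay must be set; the 5-second floor is assumed (it is the product default).
        $f.Add((New-Finding 'V-259621' $n 'TarpitInterval' $rc.TarpitInterval ([TimeSpan]"$($rc.TarpitInterval)" -ge [TimeSpan]'00:00:05') '>= 00:00:05 (assumed)'))
        # V-259638: an empty Banner means the default banner, which names the product; the keyword test is a heuristic.
        $b = "$($rc.Banner)"
        $f.Add((New-Finding 'V-259638' $n 'Banner' $b (($b -ne '') -and ($b -notmatch 'Microsoft|Exchange')) 'custom banner, no product name'))
        if ($internet) {
            # V-259595 / V-259580: TLS offered, Basic auth (if offered at all) only after STARTTLS, domain security on.
            $ok = ($auth -match '\bTls\b') -and (($auth -notmatch '\bBasicAuth\b') -or ($auth -match 'BasicAuthRequireTLS'))
            $f.Add((New-Finding 'V-259595' $n 'AuthMechanism' $auth $ok 'Tls (+BasicAuthRequireTLS when BasicAuth is offered)'))
            $f.Add((New-Finding 'V-259580' $n 'DomainSecureEnabled' $rc.DomainSecureEnabled $rc.DomainSecureEnabled 'True'))
        } else {
            # V-259641 / V-259622: internal connectors require TLS and never accept anonymous sessions.
            $f.Add((New-Finding 'V-259641' $n 'RequireTLS' $rc.RequireTLS $rc.RequireTLS 'True'))
            $anon = "$($rc.PermissionGroups)" -match 'Anonymous'
            $f.Add((New-Finding 'V-259622' $n 'PermissionGroups' $rc.PermissionGroups (-not $anon) 'no AnonymousUsers'))
        }
    }

    foreach ($sc in Get-SendConnector) {
        $n = $sc.Name; $internet = ($n -match 'Internet') -or ("$($sc.AddressSpaces)" -match 'SMTP:\*')
        $f.Add((New-Finding 'V-259602' $n 'MaxMessageSize' $sc.MaxMessageSize ("$($sc.MaxMessageSize)" -ne 'Unlimited') 'bounded'))
        # V-259597: mapping "Outbound Connection Timeout" to ConnectionInactivityTimeOut is assumed.
        $f.Add((New-Finding 'V-259597' $n 'ConnectionInactivityTimeOut' $sc.ConnectionInactivityTimeOut ([TimeSpan]"$($sc.ConnectionInactivityTimeOut)" -le [TimeSpan]'00:10:00') '<= 00:10:00'))
        if ($internet) {
            # V-259593: outbound internet mail goes through a smart host, not direct delivery.
            $f.Add((New-Finding 'V-259593' $n 'SmartHosts' ($sc.SmartHosts -join ', ') (@($sc.SmartHosts).Count -gt 0) 'at least one smart host'))
        } else {
            # V-259642 / V-259594 / V-259639: internal send connectors use TLS with mutual authentication.
            $f.Add((New-Finding 'V-259642' $n 'RequireTLS' $sc.RequireTLS $sc.RequireTLS 'True'))
            $f.Add((New-Finding 'V-259594' $n 'DomainSecureEnabled' $sc.DomainSecureEnabled $sc.DomainSecureEnabled 'True'))
            $f.Add((New-Finding 'V-259639' $n 'TlsAuthLevel' $sc.TlsAuthLevel ($null -ne $sc.TlsAuthLevel) 'DomainValidation or CertificateValidation'))
        }
    }

    # Edge anti-spam agents: each filter must be on (V-259625, V-259609, V-259614, V-259617, V-259620, V-259629, V-259624).
    foreach ($chk in @(
        @{ Id = 'V-259625'; Cmd = 'Get-SenderFilterConfig';     Prop = 'Enabled' },
        @{ Id = 'V-259609'; Cmd = 'Get-SenderFilterConfig';     Prop = 'BlankSenderBlockingEnabled' },
        @{ Id = 'V-259614'; Cmd = 'Get-SenderReputationConfig'; Prop = 'Enabled' },
        @{ Id = 'V-259617'; Cmd = 'Get-ContentFilterConfig';    Prop = 'Enabled' },
        @{ Id = 'V-259620'; Cmd = 'Get-RecipientFilterConfig';  Prop = 'Enabled' },
        @{ Id = 'V-259629'; Cmd = 'Get-SenderIdConfig';         Prop = 'Enabled' },
        @{ Id = 'V-259624'; Cmd = 'Get-IPAllowListConfig';      Prop = 'Enabled' })) {
        $v = (& $chk.Cmd).($chk.Prop)
        $f.Add((New-Finding $chk.Id $chk.Cmd $chk.Prop $v ([bool]$v) 'True'))
    }
    # V-259615: the block level is a site value; requiring it to be non-zero is assumed.
    $srl = (Get-SenderReputationConfig).SrlBlockThreshold
    $f.Add((New-Finding 'V-259615' 'Get-SenderReputationConfig' 'SrlBlockThreshold' $srl ($srl -ge 1) '1-9, site value (assumed)'))
    # V-259623: allow-listed sources bypass connection filtering, so the list must be empty.
    $allow = @(Get-IPAllowListEntry)
    $f.Add((New-Finding 'V-259623' 'IPAllowList' 'EntryCount' $allow.Count ($allow.Count -eq 0) '0'))
    return $f
}

$findings = Get-EdgeTransportStigFindings
$findings | Sort-Object Status, VulnId | Format-Table -AutoSize
'{0} of {1} checks failed' -f @($findings | Where-Object Status -eq 'FAIL').Count, $findings.Count
```

Every check is a `Get-*` call, so the script can be run repeatedly as a drift detector; remediation is deliberately left to the corresponding `Set-ReceiveConnector`, `Set-SendConnector`, `Set-TransportService` and `Set-*Config` cmdlets so that a finding is reviewed before a production connector is changed. Rows that depend on site-specific values (recipient limits, retry intervals, the per-domain connection cap) are not scored here because the table states no number for them.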