| V-259645 | | Exchange must use encryption for RPC client access. | This setting controls whether client machines are forced to use secure channels to communicate with the server. If this feature is enabled, clients wi... |
| V-259646 | | Exchange must use encryption for Outlook Web App (OWA) access. | This setting controls whether client machines should be forced to use secure channels to communicate with this virtual directory. If this feature is e... |
| V-259647 | | Exchange must have forms-based authentication enabled. | Identification and Authentication provide the foundation for access control. Access to email services applications in the DOD requires authentication ... |
| V-259648 | | Exchange must have administrator audit logging enabled. | Unauthorized or malicious data changes can compromise the integrity and usefulness of the data. Automated attacks or malicious users with elevated pri... |
| V-259649 | | Exchange servers must use approved DOD certificates. | Server certificates are required for many security features in Exchange; without them, the server cannot engage in many forms of secure communication.... |
| V-259650 | | Exchange must have authenticated access set to integrated Windows authentication only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-259651 | | Exchange auto-forwarding email to remote domains must be disabled or restricted. | Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this in... |
| V-259652 | | Exchange connectivity logging must be enabled. | A connectivity log is a record of the SMTP connection activity of the outbound message delivery queues to the destination Mailbox server, smart host, ... |
| V-259653 | | The Exchange email diagnostic log level must be set to the lowest level. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-259655 | | The RBAC role for audit log management must be defined and restricted. | The RBAC role for the audit log management "Audit Log Role" should be defined in the Organizational or Enterprise Domain Security Plan (EDSP) to defin... |
| V-259656 | | Exchange email subject line logging must be disabled. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-259657 | | Exchange message tracking logging must be enabled. | A message tracking log provides a detailed log of all message activity as messages are transferred to and from a computer running Exchange.
If events... |
| V-259659 | | Exchange queue monitoring must be configured with threshold and action. | Monitors are automated "process watchers" that respond to performance changes and can be useful in detecting outages and alerting administrators where... |
| V-259660 | | Exchange must protect audit data against unauthorized read access. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-259661 | | Exchange must protect audit data against unauthorized access. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-259662 | | Exchange must protect audit data against unauthorized deletion. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-259663 | | Exchange audit data must be on separate partitions. | Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availabil... |
| V-259664 | | Exchange local machine policy must require signed scripts. | Scripts often provide a way for attackers to infiltrate a system, especially scripts downloaded from untrusted locations. By setting machine policy to... |
| V-259665 | | Exchange Send Fatal Errors to Microsoft must be disabled. | It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary ca... |
| V-259666 | | Exchange must not send customer experience reports to Microsoft. | It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary ca... |
| V-259667 | | The Exchange Internet Message Access Protocol 4 (IMAP4) service must be disabled. | IMAP4 is not approved for use within the DOD. It uses a clear-text-based user name and password and does not support the DOD standard for PKI for emai... |
| V-259668 | | The Exchange Post Office Protocol 3 (POP3) service must be disabled. | POP3 is not approved for use within the DOD. It uses a clear-text-based user name and password and does not support the DOD standard for PKI for email... |
| V-259669 | | Exchange Mailbox databases must reside on a dedicated partition. | In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulativ... |
| V-259670 | | Exchange internet-facing send connectors must specify a smart host. | When identifying a "Smart Host" for the email environment, a logical Send connector is the preferred method.
A Smart Host acts as an internet-facing ... |
| V-259671 | | Exchange mailboxes must be retained until backups are complete. | Backup and recovery procedures are an important part of overall system availability and integrity. Complete backups reduce the chance of accidental de... |
| V-259672 | | Exchange email forwarding must be restricted. | Auto-forwarded email accounts do not meet the requirement for digital signature and encryption of Controlled Unclassified Information (CUI) and Person... |
| V-259673 | | Exchange email-forwarding SMTP domains must be restricted. | Auto-forwarded email accounts do not meet the requirement for digital signature and encryption of Controlled Unclassified Information (CUI) and Person... |
| V-259687 | | Exchange internal receive connectors must not allow anonymous connections. | This control is used to limit the servers that may use this server as a relay. If a Simple Mail Transport Protocol (SMTP) sender does not have a direc... |
| V-259688 | | Exchange external/internet-bound automated response messages must be disabled. | Spam originators, in an effort to refine mailing lists, sometimes monitor transmissions for automated bounce-back messages. Automated messages include... |
| V-259689 | | Exchange must have anti-spam filtering installed. | Originators of spam messages are constantly changing their techniques to defeat spam countermeasures; therefore, spam software must be constantly upda... |
| V-259690 | | Exchange must have anti-spam filtering enabled. | Originators of spam messages are constantly changing their techniques to defeat spam countermeasures; therefore, spam software must be constantly upda... |
| V-259691 | | Exchange must have anti-spam filtering configured. | Originators of spam messages are constantly changing their techniques to defeat spam countermeasures; therefore, spam software must be constantly upda... |
| V-259692 | | Exchange must not send automated replies to remote domains. | Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this in... |
| V-259694 | | Exchange antimalware agent must be enabled and configured. | Microsoft Exchange 2019 offers built-in antimalware protection for messages going through the transport pipeline. When enabled, the default settings a... |
| V-259695 | | The Exchange malware scanning agent must be configured for automatic updates. | Antimalware protection in Exchange Server 2019 helps combat viruses and spyware in an email messaging environment. Viruses infect other programs and d... |
| V-259698 | | Role-Based Access Control must be defined for privileged and nonprivileged users. | Role Based Access Control (RBAC) is the permissions model used in Microsoft Exchange Server 2013, 2016, and 2019. With RBAC, there is no need to modif... |
| V-259699 | | The Exchange application directory must be protected from unauthorized access. | Default product installations may provide more generous access permissions than are necessary to run the application. By examining and tailoring acces... |
| V-259700 | | An Exchange software baseline copy must exist. | Exchange software, as with other application software installed on a host system, must be included in a system baseline record and periodically review... |
| V-259701 | | Exchange software must be monitored for unauthorized changes. | Monitoring software files for changes against a baseline on a regular basis may help detect the possible introduction of malicious code on a system.... |
| V-259702 | | Exchange services must be documented, and unnecessary services must be removed or disabled. | Unneeded but running services offer attackers an enhanced attack profile, and attackers are constantly watching to discover open ports with running se... |
| V-259703 | | Exchange Outlook Anywhere clients must use NTLM authentication to access email. | Identification and authentication provide the foundation for access control. Access to email services applications require NTLM authentication. Outloo... |
| V-259704 | | The Exchange email application must not share a partition with another application. | In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulativ... |
| V-259705 | | Exchange must not send delivery reports to remote domains. | Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this in... |
| V-259706 | | Exchange must not send nondelivery reports to remote domains. | Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this in... |
| V-259707 | | The Exchange SMTP automated banner response must not reveal server details. | Automated connection responses occur as a result of FTP or Telnet connections when connecting to those services. They report a successful connection b... |
| V-259708 | | Exchange internal send connectors must use an authentication level. | The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. Several controls work toget... |
| V-259709 | | Exchange must provide mailbox databases in a highly available and redundant configuration. | Exchange Server mailbox databases and any data contained in those mailboxes should be protected. This can be accomplished by configuring Mailbox serve... |
| V-259711 | | Exchange must have the most current, approved Cumulative Update installed. | Failure to install the most current Exchange Cumulative Update (CU) leaves a system vulnerable to exploitation. Current CUs correct known security and... |
| V-259712 | | Exchange must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. | Configuring Exchange to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards a... |
| V-259654 | | Exchange audit record parameters must be set. | Log files help establish a history of activities and can be useful in detecting attack attempts. This item declares the fields that must be available ... |
| V-259658 | | Exchange circular logging must be disabled. | Logging provides a history of events performed and can also provide evidence of tampering or attack. Failure to create and preserve logs adds to the r... |
| V-259674 | | Exchange mailbox stores must mount at startup. | Administrator responsibilities include the ability to react to unplanned maintenance tasks or emergency situations that may require Mailbox data manip... |
| V-259675 | | Exchange mail quota settings must not restrict receiving mail. | Mail quota settings control the maximum sizes of a user's mailbox and the system's response if these limits are exceeded. Mailbox data that is not mon... |
| V-259676 | | Exchange mail quota settings must not restrict sending mail. | Mail quota settings control the maximum sizes of a user's mailbox and the system's response if these limits are exceeded. Mailbox data that is not mon... |
| V-259677 | | Exchange Message size restrictions must be controlled on Receive connectors. | Email system availability depends in part on best practice strategies for setting tuning configurations. For message size restrictions, multiple place... |
| V-259678 | | The Exchange Receive Connector Maximum Hop Count must be 60. | Email system availability depends in part on best practice strategies for setting tuning configurations. This setting controls the maximum number of h... |
| V-259679 | | The Exchange send connector connections count must be limited. | The Exchange Send connector setting controls the maximum number of simultaneous outbound connections allowed for a given SMTP connector and can be use... |
| V-259681 | | Exchange message size restrictions must be controlled on send connectors. | Email system availability depends in part on best practice strategies for setting tuning configurations. For message size restrictions, multiple place... |
| V-259682 | | The Exchange global inbound message size must be controlled. | Email system availability depends in part on best practice strategies for setting tuning configurations. Message size limits should be set to 10 MB at... |
| V-259683 | | The Exchange global outbound message size must be controlled. | Email system availability depends in part on best practice strategies for setting tuning configurations. Message size limits should be set to 10 MB at... |
| V-259684 | | The Exchange Outbound Connection Limit per Domain Count must be controlled. | Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the maximum numbe... |
| V-259685 | | The Exchange Outbound Connection Timeout must be 10 minutes or less. | Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the number of idl... |
| V-259693 | | The Exchange Global Recipient Count Limit must be set. | Email system availability depends in part on best practice strategies for setting tuning configurations. The Global Recipient Count Limit field is use... |
| V-259697 | | The Exchange receive connector timeout must be limited. | Email system availability depends in part on best practice strategies for setting tuning. This configuration controls the number of idle minutes befor... |
| V-259686 | | Exchange servers must have an approved DOD email-aware virus protection software installed. | With the proliferation of trojans, viruses, and spam attaching themselves to email messages (or attachments), it is necessary to have capable email-aw... |
| V-259710 | | The application must protect the confidentiality and integrity of transmitted information. | Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepte... |
