Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Review the Email Domain Security Plan (EDSP). Determine the connection Timeout value. Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector | Select Name, Identity, ConnectionTimeout For each Receive connector, if the value of ConnectionTimeout is not set to 00:05:00, this is a finding. or If ConnectionTimeout is set to another value other than 00:05:00 and has signoff and risk acceptance in the EDSP, this is not a finding.
Update the EDSP. Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Identity <'IdentityName'> -ConnectionTimeout 00:05:00 Note: The <IdentityName> value must be in single quotes. or The value as identified by the EDSP that has obtained a signoff with risk acceptance. Repeat the procedures for each Receive connector.
Open the Exchange Management Shell and enter the following command: Get-ExchangeCertificate | Select CertificateDomains, issuer If the value of CertificateDomains does not indicate it is issued by the DoD, this is a finding.
Remove the non-DoD certificate and import the correct DoD certificates.
Review the Email Domain Security Plan (EDSP). Determine the Accepted Domain values. Open the Exchange Management Shell and enter the following command: Get-AcceptedDomain | Select Name, DomainName, Identity, Default If the Default value is not set to True, this is a finding. or If the Default value for AcceptedDomains is set to another value other than True and has signoff and risk acceptance in the EDSP, this is not a finding.
Update the EDSP. Open the Exchange Management Shell and enter the following command: Set-AcceptedDomain -Identity <'IdentityName'> -MakeDefault $true Note: The <IdentityName> value must be in quotes.
Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector | Select Name, Identity, DomainSecureEnabled For each Receive connector, if the value of DomainSecureEnabled is not set to True, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Identity <'IdentityName'> -DomainSecureEnabled $true Note: The <IdentityName> value must be in single quotes. Repeat the procedures for each Receive connector.
Open the Exchange Management Shell and enter the following command: Get-EventLogLevel If any EventLevel values returned are not set to Lowest, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-EventLogLevel -Identity <'IdentityName\EventlogName'> -Level Lowest Note: The <IdentityName\EventlogName> value must be in quotes.
Open the Exchange Management Shell and enter the following command: Get-TransportService | Select Name, Identity, ConnectivityLogEnabled If the value of ConnectivityLogEnabled is not set to True, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-TransportService -Identity <'IdentityName'> -ConnectivityLogEnabled $true Note: The <IdentityName> value must be in single quotes.
Note: If a third-party application is performing monitoring functions, the reviewer should verify the application is monitoring correctly and mark the vulnerability NA. Open the Exchange Management Shell and enter the following command: perfmon In the left pane, expand and navigate Performance >> Data Collector Sets >> User Defined. If no sets are defined or queues are not being monitored, this is a finding.
Open the Exchange Management Shell and enter the following command: perfmon In the left pane, navigate to and select Performance >> Data Collector Sets >> User Defined. Right-click on, navigate to, and configure User Defined >> New >> Data Collector Sets and configure the system to use the data collection set for monitoring the queues.
Open the Exchange Management Shell and enter the following command: Get-OrganizationConfig | Select Name, Identity, CustomerFeedbackEnabled If the value for CustomerFeedbackEnabled is not set to False, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-OrganizationConfig -CustomerFeedbackEnabled $false
Review the Email Domain Security Plan (EDSP). Determine the authorized groups or users that should have read access to the audit data. If any group or user has read access to the audit data that is not documented in the EDSP, this is a finding.
Update the EDSP. Restrict any unauthorized groups' or users' read access to the audit logs.
Open the Exchange Management Shell and enter the following command: Get-ExchangeServer –status | Select Name, Identity, ErrorReportingEnabled For each Exchange server, if the value of ErrorReportingEnabled is not set to False, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-ExchangeServer -Identity <'IdentityName'> -ErrorReportingEnabled $false Note: The <IdentityName> value must be in quotes. Repeat the procedure for each Identity.
Review the Email Domain Security Plan (EDSP). Determine the authorized groups or users that should have access to the audit data. If any group or user has modify privileges for the audit data that is not documented in the EDSP, this is a finding.
Update the EDSP. Restrict any unauthorized groups' or users' modify permissions for the audit logs.
Review the Email Domain Security Plan (EDSP). Determine the authorized groups or users that should have delete permissions for the audit data. If any group or user has delete permissions for the audit data that is not documented in the EDSP, this is a finding.
Update the EDSP. Restrict any unauthorized groups' or users' delete permissions for the audit logs.
Review the Email Domain Security Plan (EDSP). Determine the audit logs' assigned partition. Note: By default, the logs are located on the application partition in \Program Files\Microsoft\Exchange Server\V15\Logging\. If the log files are not on a separate partition from the application, this is a finding.
Update the EDSP. Configure the audit log location to be on a partition drive separate from the application.
Open the Exchange Management Shell and enter the following command: Get-ExecutionPolicy If the value returned is not RemoteSigned, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-ExecutionPolicy RemoteSigned
Review the Email Domain Security Plan (EDSP). If using an Edge Server a Smart Host does not need to be configured, therefore, this is not a finding. Determine the Internet-facing connectors. Open the Exchange Management Shell and enter the following command: Get-SendConnector | Select Name, Identity, SmartHosts, DNSRoutingEnabled For each Send connector, if the value of SmartHosts does not return the Smart Host IP Address and the value for DNSRoutingEnabled is not set to False, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-SendConnector <'IdentityName'> -SmartHosts <'IP Address of Smart Host'> -DNSRoutingEnabled $false Note: The <IdentityName> value must be in quotes. Repeat the procedures for each Send connector.
Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector | Select Name, Identity, AuthMechanism For each Receive connector, if the value of AuthMechanism is not set to Tls, BasicAuth, BasicAuthRequireTLS, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Identity <'IdentityName'> -AuthMechanism 'Tls, BasicAuth, BasicAuthRequireTLS' Note: The <IdentityName> value must be in quotes. Example only for the Identity: <ServerName>\Frontend <ServerName> Repeat the procedure for each Receive connector.
Review the Email Domain Security Plan (EDSP). Determine the Connection Timeout value. Open the Exchange Management Shell and enter the following command: Get-SendConnector | Select Name, Identity, ConnectionInactivityTimeOut For each Send connector, if the value of ConnectionInactivityTimeOut is not set to 00:10:00, this is a finding. or If ConnectionInactivityTimeOut is set to other than 00:10:00 and has signoff and risk acceptance in the EDSP, this is not a finding.
Update the EDSP. Open the Exchange Management Shell and enter the following command: Set-SendConnector -Identity <'IdentityName'> -ConnectionInactivityTimeOut 00:10:00 Note: The <IdentityName> value must be in quotes. or The value as identified by the EDSP that has obtained a signoff with risk acceptance. Repeat the procedure for each Send connector.
Review the Email Domain Security Plan (EDSP). Determine the value for Maximum Domain Connections. Open the Exchange Management Shell and enter the following command: Get-TransportService | Select Name, Identity, MaxPerDomainOutboundConnections If the value of MaxPerDomainOutboundConnections is not set to 20, this is a finding. or If the value of MaxPerDomainOutboundConnections is set to a value other than 20 and has signoff and risk acceptance in the EDSP, this is not a finding.
Update the EDSP. Open the Exchange Management Shell and enter the following command: Set-TransportService -Identity <'IdentityName'> -MaxPerDomainOutboundConnections 20 Note: The <IdentityName> value must be in quotes. or The value as identified by the EDSP that has obtained a signoff with risk acceptance.
Review the Email Domain Security Plan (EDSP). Determine the global maximum message send size. Open the Exchange Management Shell and enter the following command: Get-TransportConfig | Select Name, Identity, MaxSendSize If the value of MaxSendSize is not set to 10MB, this is a finding. or If the value of MaxSendSize is set to an alternate value and has signoff and risk acceptance in the EDSP, this is not a finding.
Update the EDSP. Open the Exchange Management Shell and enter the following command: Set-TransportConfig -MaxSendSize 10MB or The value as identified by the EDSP that has obtained a signoff with risk acceptance.
Review the Email Domain Security Plan (EDSP). Determine the value for SMTP Server Maximum Outbound Connections. Open the Exchange Management Shell and enter the following command: Get-TransportService | Select Name, Identity, MaxOutboundConnections If the value of MaxOutboundConnections is not set to 1000, this is a finding. or If the value of MaxOutboundConnections is set to a value other than 1000 and has signoff and risk acceptance in the EDSP, this is not a finding.
Update the EDSP. Open the Exchange Management Shell and enter the following command: Set-TransportService -Identity <'IdentityName'> -MaxOutboundConnections 1000 Note: The <IdentityName> value must be in quotes. or The value as identified by the EDSP that has obtained a signoff with risk acceptance.
Review the Email Domain Security Plan (EDSP). Determine the maximum message send size. Open the Exchange Management Shell and enter the following command: Get-SendConnector | Select Name, Identity, MaxMessageSize For each Send connector, if the value of MaxMessageSize is not the same as the global value, this is a finding. or If MaxMessageSize is set to a numeric value different from the maximum message send size value documented in the EDSP, this is a finding.
Update the EDSP. Open the Exchange Management Shell and enter the following command: Set-SendConnector -Identity <'IdentityName'> -MaxMessageSize <MaxSendSize> Note: The <IdentityName> value must be in quotes. or The value as identified by the EDSP that has obtained a signoff with risk acceptance. Repeat the procedure for each Send connector.
Review the Email Domain Security Plan (EDSP). Determine the value for Transient Failure Retry Count. Open the Exchange Management Shell and enter the following command: Get-TransportService | Select Name, Identity, TransientFailureRetryCount If the value of TransientFailureRetryCount is not set to 10 or less, this is a finding. or If the value of TransientFailureRetryCount is set to more than 10 or has signoff and risk acceptance in the EDSP, this is not a finding.
Update the EDSP. Open the Exchange Management Shell and enter the following command: Set-TransportService -Identity <'IdentityName'> -TransientFailureRetryCount 10 Note: The <IdentityName> value must be in quotes. or The value as identified by the EDSP that has obtained a signoff with risk acceptance.
Open the Exchange Management Shell and enter the following command: Get-SendConnector | Select Name, Identity Review the naming for connectors. For each Send connector, if the connectors are not clearly named for purpose and direction, this is a finding.
Update the EDSP. Open the Exchange Management Shell and enter the following command: Set-SendConnector -Name <'NewName'> -Identity <'IdentityName'> Note: Both the <NewName> and <IdentityName>values must be in quotes. Repeat the procedure for each Send connector.
Review the Email Domain Security Plan (EDSP). Determine the value for Receive connectors. Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector | Select Name, Identity, MaxHopCount For each Receive connector, if the value of MaxHopCount is not set to 60, this is a finding. or If the value of MaxHopCount is set to a value other than 60 and has signoff and risk acceptance, this is not a finding.
Update the EDSP. Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Identity <'IdentityName'> -MaxHopCount 60 Note: The <IdentityName> value must be in quotes. or The value as identified by the EDSP that has obtained a signoff with risk acceptance. Repeat the procedure for each Receive connector.
Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector | Select Name, Identity For each Receive connector, review the naming for connectors. If the connectors are not clearly named for purpose and direction, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Name <'NewName'> -Identity <'IdentityName'> Note: Both the <NewName> and <IdentityName> value must be in quotes. Repeat the procedure for each Receive connector.
Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector | Select Name, Identity, ChunkingEnabled For each Receive connector, if the value of ChunkingEnabled is not set to True, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Identity <'IdentityName'> -ChunkingEnabled $true Note: The <IdentityName> value must be in quotes. Repeat the procedure for each Receive connector.
Review the Email Domain Security Plan (EDSP). Determine the Maximum Recipients per Message value. Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector | Select Name, Identity, MaxRecipientsPerMessage For each Receive connector, if the value of MaxRecipientsPerMessage is not set to 5000, this is a finding. or If the value of Maximum Recipients per Message is set to a value other than 5000 and has signoff and risk acceptance in the EDSP, this is not a finding.
Update the EDSP. Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Identity <'IdentityName'> -MaxRecipientsPerMessage 5000 Note: The <IdentityName> value must be in quotes. or The value as identified by the EDSP that has obtained a signoff with risk acceptance. Repeat the procedure for each Receive connector.
Review the Email Domain Security Plan (EDSP). Determine the Maximum Inbound connections value. Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector | Select Name, Identity, MaxInboundConnection Identify Internet-facing connectors. For each Receive connector, if the value of MaxInboundConnection is not set to 5000, this is a finding. or If MaxInboundConnection is set to a value other than 5000 or is set to unlimited and has signoff and risk acceptance in the EDSP, this is not a finding.
Update the EDSP. Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Identity <'IdentityName'> -MaxInboundConnection 5000 Note: The <IdentityName> value must be in quotes. or The value as identified by the EDSP that has obtained a signoff with risk acceptance. Repeat the procedure for each Receive connector.
Review the Email Domain Security Plan (EDSP). Determine the global maximum message receive size. Open the Exchange Management Shell and enter the following command: Identify Internet-facing connectors. Get-ReceiveConnector | Select Name, Identity, MaxMessageSize If the value of MaxMessageSize is not the same as the global value, this is a finding. or If MaxMessageSize is set to a numeric value different from the global value and has signoff and risk acceptance in the EDSP, this is not a finding.
Update the EDSP. Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Identity <'IdentityName'> -MaxMessageSize <'MaxReceiveSize'> Note: The <IdentityName> and <MaxReceiveSize> values must be in quotes. or The value as identified by the EDSP that has obtained a signoff with risk acceptance.
This requirement is N/A for SIPR enclaves. This requirement is N/A if the organization subscribes to EEMSG or other similar DoD enterprise protections for email services. Open the Exchange Management Shell and enter the following command: Get-SenderFilterConfig | Select Name, Action If the value of Action is not set to Reject, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-SenderFilterConfig -Action Reject
This requirement is N/A for SIPR enclaves. This requirement is N/A if the organization subscribes to EEMSG or other similar DoD enterprise protections for email services. Open the Exchange Management Shell and enter the following command: Get-SenderFilterConfig | Select Name, BlankSenderBlockingEnabled If the value of BlankSenderBlockingEnabled is not set to True, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-SenderFilterConfig -BlankSenderBlockingEnabled $true
Open the Exchange Management Shell and enter the following command: Get-ContentFilterConfig | Select Name, QuarantineMailbox If no SMTP address is assigned to QuarantineMailbox, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-ContentFilterConfig -QuarantineMailbox <'QuarantineMailbox SmtpAddress'> Note: The <QuarantineMailbox SmtpAddress> value must be in quotes.
Review the Email Domain Security Plan (EDSP). Determine the unaccepted domains that are to be blocked. Open the Exchange Management Shell and enter the following command: Get-SenderFilterConfig | Select Name, BlockedDomains, BlockedDomainsAndSubdomains If the value for BlockedDomains or BlockedDomainsAndSubdomains does not reflect the list of accepted domains, this is a finding.
Update the EDSP. Open the Exchange Management Shell and enter the following command: For BlockedDomains: Set-SenderFilterConfig -BlockedDomains <BlockedDomain> Repeat the procedure for each domain that is to be blocked. or For BlockedDomainsAndSubdomains: Set-SenderFilterConfig -BlockedDomainsAndSubdomains <BlockedDomainAndSubdomain> Repeat the procedure for each domain and all of its subdomains that are to be blocked.
Open the Exchange Management Shell and enter the following command: Get-RecipientFilterConfig | Select Name, RecipientValidationEnabled If the value of RecipientValidationEnabled is not set to False, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-RecipientFilterConfig -RecipientValidationEnabled $false
Open the Exchange Management Shell and enter the following command: Get-SenderReputationConfig | Select Name, Enabled If the value of Enabled is not set to True, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-SenderReputationConfig -Enabled $true
Open the Exchange Management Shell and enter the following command: Get-SenderReputationConfig | Select Name, SrlBlockThreshold If the value of SrlBlockThreshold is not set to 6, this is a finding. or If the value of SrlBlockThreshold is set to a value other than 6 and has signoff and risk acceptance in the EDSP, this is not a finding.
Open the Exchange Management Shell and enter the following command: Set-SenderReputationConfig -SrlBlockThreshold 6 or The value as identified by the EDSP that has obtained a signoff with risk acceptance.
Review the Email Domain Security Plan (EDSP). Determine the list of undesirable attachment types that should be stripped. Open the Exchange Management Shell and enter the following command: Get-AttachmentFilterEntry For each attachment type, if the values returned are different from the EDSP documented attachment types, this is a finding.
Update the EDSP. Open the Exchange Management Shell and enter the following command: Add-AttachmentFilterEntry -Name <'*.FileExtension'> -Type FileName Repeat the procedure for each undesirable attachment type.
Open the Exchange Management Shell and enter the following command: Get-ContentFilterConfig | Select Name, Identity, Enabled If the value of Enabled is not set to True, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-ContentFilterConfig -Enabled $true
If not using a service provider, this requirement is not applicable. This requirement is NA for SIPR enclaves. Review the Email Domain Security Plan (EDSP). Determine the name and information for the Block List provider. Open the Exchange Management Shell and enter the following command: Get-IPBlockListProvider | Select Name, Identity, LookupDomain If the values for Name, GUID, and LookupDomain are not configured, this is a finding.
Update the EDSP. Open the Exchange Management Shell and enter the following command: Set-IPBlockListProvider -Name <Provider Name> [Additional optional parameters as required by the service provider]
Open the Exchange Management Shell and enter the following command: Get-SenderIdConfig | Select Name, Identity, SpoofedDomainAction If the value of SpoofedDomainAction is not set to Reject, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-SenderIdConfig -SpoofedDomainAction Reject
Open the Exchange Management Shell and enter the following command: Get-RecipientFilterConfig | Select Name, Enabled If the value of Enabled is not set to True, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-RecipientFilterConfig -Enabled $true
Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector | Select Name, Identity, TarpitInterval For each Receive connector, if the value of TarpitInterval is not set to 00:00:05 or greater, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Identity <'IdentityName'> -TarpitInterval '00:00:05' Note: The <IdentityName> value and 00:00:05 must be in quotes. Repeat the procedures for each Receive connector.
Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector | Select Name, Identity, PermissionGroups For each Receive connector, if the value of PermissionGroups is AnonymousUsers for any non-Internet connector, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Identity <'IdentityName'> -PermissionGroups and enter a 'valid user groups'. Note: The <IdentityName> value and user group(s) must be in quotes. Example for user groups only: 'ExchangeServers, ExchangeUsers' Repeat the procedures for each Receive connector. This is an Example only: Set-ReceiveConnector -Identity <'IdentityName'> -PermissionGroups ExchangeUsers
Review the Email Domain Security Plan (EDSP). Identify the SMTP allow list settings. Open the Exchange Management Shell and enter the following command: Get-IPAllowListEntry | fl If the result returns any values, this is a finding. or If the result returns any values but has signoff and risk acceptance in the EDSP, this is not a finding.
Update the EDSP. Open the Exchange Management Shell and enter the following command: Note: Remove any value(s) that are not identified by the EDSP or have not obtained a signoff with risk acceptance. Remove-IPAllowListEntry -Identity <IP Allow List entry ID>
Open the Exchange Management Shell and enter the following command: Get-IPAllowListConfig | Select Name, Enabled If the value for Enabled is not set to True, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-IPAllowListConfig -Enabled $true
This requirement is N/A for SIPR enclaves. This requirement is N/A if the organization subscribes to EEMSG or other similar DoD enterprise protections for email services. Open the Exchange Management Shell and enter the following command: Get-SenderFilterConfig | Select Name, Enabled If the value of Enabled is not set to True, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-SenderfilterConfig -Enabled $true
Review the Email Domain Security Plan (EDSP). Note: If using another DoD-approved antispam product for email or a DoD-approved Email Gateway spamming device, such as Enterprise Email Security Gateway (EEMSG), this is not applicable. Open the Exchange Management Shell and enter the following command: Get-ContentFilterConfig | Format-Table Name, Enabled If no value is returned, this is a finding.
Update the EDSP. Install the AntiSpam module. Open the Exchange Management Shell and enter the following command: & $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
Review the Email Domain Security Plan (EDSP). Note: If using another DoD-approved antispam product for email or a DoD-approved Email Gateway spamming device, such as Enterprise Email Security Gateway (EEMSG), this is not applicable. Open the Exchange Management Shell and enter the following command: Get-ContentFilterConfig | Format-Table Name, Enabled; Get-SenderFilterConfig | Format-Table Name,Enabled; Get-SenderIDConfig | Format-Table Name,Enabled; Get-SenderReputationConfig | Format-Table Name,Enabled If any of the following values returned are not set to True, this is a finding: Set-ContentFilterConfig Set-SenderFilterConfig Set-SenderIDConfig Set-SenderReputationConfig
Update the EDSP. Open the Exchange Management Shell and enter the following command for any values that were not set to True: Set-ContentFilterConfig -Enabled $true Set-SenderFilterConfig -Enabled $true Set-SenderIDConfig -Enabled $true Set-SenderReputationConfig -Enabled $true
Review the Email Domain Security Plan (EDSP). Note: If using another DoD-approved antispam product for email or a DoD-approved Email Gateway spamming device, such as Enterprise Email Security Gateway (EEMSG), this is not applicable. Determine the internal SMTP servers. Open the Exchange Management Shell and enter the following command: Get-TransportConfig | Format-List InternalSMTPServers If any internal SMTP server IP address returned does not reflect the list of accepted SMTP server IPs, this is a finding.
Note: Configure the IP addresses of every internal SMTP server. If the Mailbox server is the only SMTP server running the antispam agents, configure the IP address of the Mailbox server. Update the EDSP. Open the Exchange Management Shell and enter the following command: For a single SMTP server address: Set-TransportConfig -InternalSMTPServers @{Add='<ip address1>'} For multiple SMTP server addresses: Set-TransportConfig -InternalSMTPServers @{Add='<ip address1>','<ip address2>'}
Open the Exchange Management Shell and enter the following command: Get-SenderIdConfig | Select Name, Identity, Enabled If the value of Enabled is not set to True, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-SenderIdConfig -Enable $true
Review the Email Domain Security Plan (EDSP). Determine the authorized groups and users that have access to the Exchange application directories. Determine if the access permissions on the directory match the access permissions listed in the EDSP. If any group or user has different access permissions than listed in the EDSP, this is a finding. Note: The default installation directory is \Program Files\Microsoft\Exchange Server\V15.
Update the EDSP. Navigate to the Exchange application directory and remove or modify the group or user access permissions. Note: The default installation directory is \Program Files\Microsoft\Exchange Server\V15.
Review the Email Domain Security Plan (EDSP). Determine the baseline documentation. Review the application software baseline procedures and implementation artifacts. Note the list of files and directories included in the baseline procedure for completeness. If an email software copy exists to serve as a baseline and is available for comparison during scanning efforts, this is not a finding.
Implement an email software baseline process and update the EDSP.
Review the Email Domain Security Plan (EDSP). Determine whether the site monitors system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on servers for unauthorized changes against a baseline on a weekly basis. If software files are not monitored for unauthorized changes on a weekly basis, this is a finding. Note: A properly configured HBSS Policy Auditor File Integrity Monitor (FIM) module will meet the requirement for file integrity checking. The Asset module within HBSS does not meet this requirement.
Update the EDSP. Monitor the software files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on Exchange servers for unauthorized changes against a baseline on a weekly basis. Note: This can be done with the use of various monitoring tools.
Review the Email Domain Security Plan (EDSP). Note: Required services will vary between organizations and will vary depending on the role of the individual system. Organizations will develop their own list of services, which will be documented and justified with the ISSO. The site’s list will be provided for any security review. Services that are common to multiple systems can be addressed in one document. Exceptions for individual systems should be identified separately by system. Open a Windows PowerShell and enter the following command: Get-Service | Where-Object {$_.status -eq 'running'} Note: The command returns a list of installed services and the status of that service. If the services required are not documented in the EDSP or undocumented or unnecessary services are running, this is a finding.
Update the EDSP with the services required for the system to function. Navigate to Administrator Tools >> Services and disable or remove any services that are not required.
Review the Email Domain Security Plan (EDSP). Determine the directory where Exchange is installed. Open Windows Explorer. Navigate to the location where Exchange is installed. If Exchange resides on a directory or partition other than that of the OS and does not have other applications installed (without associated approval from the ISSO), this is not a finding.
Update the EDSP. Install Exchange on a dedicated application directory or partition separate than that of the OS.
Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector | Select Name, Identity, Banner If the value of Banner is not set to 220 SMTP Server Ready, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Identity <'IdentityName'> -Banner '220 SMTP Server Ready' Note: The <IdentityName> and 220 SMTP Server Ready values must be in quotes.
Review the Email Domain Security Plan (EDSP). Determine if the Exchange servers are using redundancy by entering the following command: Get-TransportService | select FL If the value returned is not at least two Edge servers, this is a finding. Note: The EDSP must indicate what availability the system must have, as approved by the ISSO. This will be used for finding and severity downgrade purposes in other requirements.
Update the EDSP. Configure two or more Edge servers for load balancing.
Open the Exchange Management Shell and enter the following command: Get-SendConnector | Select Name, Identity, TlsAuthLevel If the value of TlsAuthLevel is not set to DomainValidation, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-SendConnector -Identity <'IdentityName'> -TlsAuthLevel DomainValidation
Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector | Select Name, Identity, AuthMechanism For each Receive connector, if the value of AuthMechanism is not set to Tls, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Identity <'IdentityName'> -AuthMechanism 'Tls' Note: The <IdentityName> value must be in quotes. Repeat the process for each Receive connector.
Open the Exchange Management Shell and enter the following command: Get-SendConnector | Select Name, Identity, TlsDomain If the value of TlsDomain is not set to the value of the internal <'SMTP Domain'>, this is a finding.
Open the Exchange Management Shell and enter the following command: Set-SendConnector -Identity <'IdentityName'> -TlsDomain <'SMTP Domain'> Note: The SMTP Domain is the internal SMTP domain within the organization.
Exchange 2013 is no longer supported by the vendor. If the system is running Exchange 2013, this is a finding.
Upgrade to a supported version.
Open the Exchange Management Shell and enter the following command: Get-TransportAgent "Malware Agent" If the value of Enabled is set to True, this is a finding.
Open the Exchange Management Shell and enter the following command: & env:ExchangeInstallPath\Scripts\Disable-Antimalwarescanning.ps1
Site must utilize an approved DoD third party malicious code scanner. Consult with System Administrator to demonstrate the application being used to provide malicious code protection in the Exchange implementation. If System Administrator is unable to demonstrate a third party malicious code protection application, this is a finding. If System Administrator is unaware of a third party malicious code protection application, this is a finding.
Following vendor best practice guidance, install and configure the third party malicious code protection application.