MS Exchange 2013 Client Access Server Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2016-07-19

Updated At: 2018-09-23 19:14:16

Requirements (descriptions are truncated as captured)

| Vuln | Rule Version | CCI | Severity | Title | Description |
| --- | --- | --- | --- | --- | --- |
| SV-84337r1_rule | EX13-CA-000005 | CCI-000068 | MEDIUM | Exchange must use Encryption for RPC client access. | This setting controls whether client machines are forced to use secure channels to communicate with the server. If this feature is enabled, clients will only be able to communicate with the server over secure communication channels. Failure to require se |
| SV-84339r1_rule | EX13-CA-000010 | CCI-000068 | MEDIUM | Exchange must use Encryption for OWA access. | This setting controls whether client machines should be forced to use secure channels to communicate with this virtual directory. If this feature is enabled, clients will only be able to communicate with the directory if they are capable of supporting sec |
| SV-84341r1_rule | EX13-CA-000015 | CCI-000068 | MEDIUM | Exchange must have Forms-based Authentication enabled. | Identification and Authentication provide the foundation for access control. Access to email services applications in the DoD requires authentication using DoD Public Key Infrastructure (PKI) certificates. Authentication for Outlook Web App (OWA) is used |
| SV-84343r1_rule | EX13-CA-000020 | CCI-000213 | MEDIUM | Exchange must have authenticated access set to Integrated Windows Authentication only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., networks, web servers, and web portals) must be properly configured to incorporate access cont |
| SV-84345r1_rule | EX13-CA-000025 | CCI-001403 | MEDIUM | Exchange must have Administrator audit logging enabled. | Unauthorized or malicious data changes can compromise the integrity and usefulness of the data. Automated attacks or malicious users with elevated privileges have the ability to affect change using the same mechanisms as email administrators. Auditing ch |
| SV-84347r1_rule | EX13-CA-000030 | CCI-000213 | MEDIUM | Exchange Servers must use approved DoD certificates. | Server certificates are required for many security features in Exchange; without them the server cannot engage in many forms of secure communication. Failure to implement valid certificates makes it virtually impossible to secure Exchange's communications |
| SV-84349r1_rule | EX13-CA-000035 | CCI-000213 | MEDIUM | Exchange ActiveSync (EAS) must only use certificate-based authentication to access email. | Identification and Authentication provide the foundation for access control. For EAS to be used effectively on DoD networks, client certificate authentication must be used for communications between the MEM and email server. Additionally, the internal and |
| SV-84351r1_rule | EX13-CA-000040 | CCI-000213 | MEDIUM | Exchange must have IIS map client certificates to an approved certificate server. | For EAS to be used effectively on DoD networks, client certificate authentication must be used for communications between the MEM and email server. Identification and Authentication provide the foundation for access control. IIS must be mapped to an appro |
| SV-84353r1_rule | EX13-CA-000045 | CCI-000169 | MEDIUM | Exchange Email Diagnostic log level must be set to lowest level. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Diagnostic logging, however, characteristically produces large volumes of data and requires care in |
| SV-84355r1_rule | EX13-CA-000050 | CCI-000169 | LOW | Exchange must have Audit record parameters set. | Log files help establish a history of activities, and can be useful in detecting attack attempts. This item declares the fields that must be available in the audit log file in order to adequately research events that are logged. Audit records should incl |
| SV-84357r1_rule | EX13-CA-000055 | CCI-000154 | MEDIUM | Exchange must have Queue monitoring configured with threshold and action. | Monitors are automated "process watchers" that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Exchange has built-in monitors that enable the administrator to generate alerts if |
| SV-84359r1_rule | EX13-CA-000060 | CCI-000381 | MEDIUM | Exchange must have Send Fatal Errors to Microsoft disabled. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. This setting enables an automated log entry to be sent to Microsoft giving general details about th |
| SV-84361r1_rule | EX13-CA-000065 | CCI-000162 | MEDIUM | Exchange must have Audit data protected against unauthorized read access. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considered sensitive, and in need of protection. Audit data availa |
| SV-84363r1_rule | EX13-CA-000070 | CCI-000381 | MEDIUM | Exchange must not send Customer Experience reports to Microsoft. | It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to |
| SV-84365r1_rule | EX13-CA-000075 | CCI-000163 | MEDIUM | Exchange must have Audit data protected against unauthorized modification. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considered sensitive, and in need of protection. Audit data availa |
| SV-84367r1_rule | EX13-CA-000080 | CCI-000164 | MEDIUM | Exchange must have audit data protected against unauthorized deletion. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considered sensitive, and in need of protection. Audit data availa |
| SV-84369r1_rule | EX13-CA-000085 | CCI-001348 | LOW | Exchange must have Audit data on separate partitions. | Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considered sensitive, and in need of protection. Successful expl |
| SV-84373r1_rule | EX13-CA-000090 | CCI-001749 | MEDIUM | Exchange Local machine policy must require signed scripts. | Scripts often provide a way for attackers to infiltrate a system, especially those downloaded from untrusted locations. By setting machine policy to prevent unauthorized script executions, unanticipated system impacts can be avoided. Failure to allow only |
| SV-84375r1_rule | EX13-CA-000095 | CCI-000381 | MEDIUM | Exchange IMAP4 service must be disabled. | The IMAP4 protocol is not approved for use within the DoD. It uses a clear-text user name and password and does not support the DoD standard for PKI for email access. User name and password could easily be captured from the network, allowing malicio |
| SV-84377r1_rule | EX13-CA-000100 | CCI-000381 | MEDIUM | Exchange POP3 service must be disabled. | The POP3 protocol is not approved for use within the DoD. It uses a clear-text user name and password and does not support the DoD standard for PKI for email access. User name and password could easily be captured from the network, allowing malicious |
| SV-84379r1_rule | EX13-CA-000105 | CCI-000381 | LOW | Exchange must have the Public Folder virtual directory removed if not in use by the site. | To reduce the vectors through which a server can be attacked, unneeded application components should be disabled or removed. By default, a virtual directory is installed for Public Folders. If an attacker were to intrude into an Exchange CA server and be |
| SV-84381r1_rule | EX13-CA-000110 | CCI-000381 | LOW | Exchange must have the Microsoft Active Sync directory removed. | To reduce the vectors through which a server can be attacked, unneeded application components should be disabled or removed. By default, a virtual directory is installed for Active Sync, and the Exchange application default has Active Sync disabled. If a |
| SV-84383r1_rule | EX13-CA-000115 | CCI-001812 | MEDIUM | Exchange application directory must be protected from unauthorized access. | Default product installations may provide more generous access permissions than are necessary to run the application. By examining and tailoring access permissions to more closely provide the least amount of privilege possible, attack vectors that align w |
| SV-84385r1_rule | EX13-CA-000120 | CCI-001813 | MEDIUM | Exchange software baseline copy must exist. | Exchange software, as with other application software installed on a host system, must be included in a system baseline record and periodically reviewed; otherwise, unauthorized changes to the software may not be discovered. This effort is a vital step to |
| SV-84387r1_rule | EX13-CA-000125 | CCI-001814 | MEDIUM | Exchange software must be monitored for unauthorized changes. | Monitoring software files for changes against a baseline on a regular basis may help detect the possible introduction of malicious code on a system. |
| SV-84389r1_rule | EX13-CA-000130 | CCI-001762 | MEDIUM | Exchange services must be documented and unnecessary services must be removed or disabled. | Unneeded but running services offer attackers an enhanced attack profile, and attackers are constantly watching to discover open ports with running services. By analyzing and disabling unneeded services, the associated open ports become unresponsive to ou |
| SV-84391r1_rule | EX13-CA-000135 | CCI-001953 | MEDIUM | Exchange Outlook Anywhere (OA) clients must use NTLM authentication to access email. | Identification and authentication provide the foundation for access control. Access to email services applications requires NTLM authentication. Outlook Anywhere, if authorized for use by the site, must use NTLM authentication when accessing email. Note: |
| SV-84393r1_rule | EX13-CA-000140 | CCI-002530 | MEDIUM | Exchange software must be installed on a separate partition from the OS. | In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of ot |
| SV-84395r1_rule | EX13-CA-000145 | CCI-002385 | MEDIUM | Exchange must provide redundancy. | Load balancing is a way to manage which Exchange servers receive traffic. Load balancing helps distribute incoming client connections over a variety of endpoints. This ensures that no one endpoint takes on a disproportional share of the load. Load balanci |
| SV-84397r1_rule | EX13-CA-000150 | CCI-002418 | HIGH | Exchange OWA must use https. | Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. |
| SV-84399r1_rule | EX13-CA-000155 | CCI-002421 | MEDIUM | Exchange OWA must have S/MIME Certificates enabled. | Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. This requirement applies only to those applications that are either distr |
| SV-84401r1_rule | EX13-CA-000160 | CCI-002605 | MEDIUM | Exchange must have the most current, approved service pack installed. | Failure to install the most current Exchange service pack leaves a system vulnerable to exploitation. Current service packs correct known security and system vulnerabilities. |
| SV-84403r1_rule | EX13-CA-000165 | CCI-000366 | MEDIUM | Exchange must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. | Configuring the application to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security p |