Skip to content
Log In

Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Exchange messages with a blank sender field must be filtered.

    By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server en...
    Rule Medium Severity
    Show

  • SRG-APP-000261

    Group
    Show

  • SRG-APP-000261

    Group
    Show

  • The Exchange Sender filter must block unaccepted domains.

    Spam origination sites and other sources of suspected email-borne malware have the ability to corrupt, compromise, or otherwise limit availability of email servers. Limiting exposure to unfiltered ...
    Rule Medium Severity
    Show

  • SRG-APP-000261

    Group
    Show

  • Exchange nonexistent recipients must not be blocked.

    Spam originators, in an effort to refine mailing lists, sometimes use a technique where they first create fictitious names and then monitor rejected emails for non-existent recipients. Those not re...
    Rule Medium Severity
    Show

  • SRG-APP-000261

    Group
    Show

  • The Exchange Sender Reputation filter must be enabled.

    By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server en...
    Rule Medium Severity
    Show

  • SRG-APP-000261

    Group
    Show

  • The Exchange Sender Reputation filter must identify the spam block level.

    By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server en...
    Rule Medium Severity
    Show

  • SRG-APP-000261

    Group
    Show

  • SRG-APP-000261

    Group
    Show

  • The Exchange Spam Evaluation filter must be enabled.

    By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages may be eliminated from the transport message stream, preventing their entry into the Exch...
    Rule Medium Severity
    Show

  • SRG-APP-000261

    Group
    Show

  • SRG-APP-000261

    Group
    Show

  • Exchange messages with a malformed From address must be rejected.

    Sender Identification (SID) is an email antispam sanitization process. Sender ID uses DNS MX record lookups to verify the Simple Mail Transfer Protocol (SMTP) sending server is authorized to send e...
    Rule Medium Severity
    Show

  • SRG-APP-000261

    Group
    Show

  • SRG-APP-000261

    Group
    Show

  • The Exchange tarpitting interval must be set.

    Tarpitting is the practice of artificially delaying server responses for specific Simple Mail Transfer Protocol (SMTP) communication patterns that indicate high volumes of spam or other unwelcome m...
    Rule Medium Severity
    Show

  • SRG-APP-000261

    Group
    Show

  • SRG-APP-000261

    Group
    Show

  • Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List entries must be empty.

    Email system availability depends in part on best practice strategies for setting tuning configurations. Careful tuning reduces the risk that system or network congestion will contribute to availab...
    Rule Medium Severity
    Show

  • SRG-APP-000261

    Group
    Show

  • SRG-APP-000261

    Group
    Show

  • The Exchange Simple Mail Transfer Protocol (SMTP) Sender filter must be enabled.

    Email system availability depends in part on best practices strategies for setting tuning configurations. Careful tuning reduces the risk that system or network congestion will contribute to availa...
    Rule Medium Severity
    Show

  • SRG-APP-000261

    Group
    Show

  • SRG-APP-000261

    Group
    Show

  • Exchange must have antispam filtering enabled.

    Originators of spam messages are constantly changing their techniques in order to defeat spam countermeasures; therefore, spam software must be constantly updated to address the changing threat. Sp...
    Rule Medium Severity
    Show

  • SRG-APP-000261

    Group
    Show

  • Exchange must have antispam filtering configured.

    Originators of spam messages are constantly changing their techniques in order to defeat spam countermeasures; therefore, spam software must be constantly updated to address the changing threat. A ...
    Rule Medium Severity
    Show

  • SRG-APP-000261

    Group
    Show

  • SRG-APP-000261

    Group
    Show

  • SRG-APP-000378

    Group
    Show

  • The Exchange application directory must be protected from unauthorized access.

    Default product installations may provide more generous access permissions than are necessary to run the application. By examining and tailoring access permissions to more closely provide the least...
    Rule Medium Severity
    Show

  • SRG-APP-000380

    Group
    Show

  • SRG-APP-000383

    Group
    Show

  • Exchange services must be documented and unnecessary services must be removed or disabled.

    Unneeded but running services offer attackers an enhanced attack profile, and attackers are constantly watching to discover open ports with running services. By analyzing and disabling unneeded ser...
    Rule Medium Severity
    Show

  • SRG-APP-000431

    Group
    Show

  • Exchange software must be installed on a separate partition from the OS.

    In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and subseque...
    Rule Medium Severity
    Show

  • SRG-APP-000435

    Group
    Show

  • The Exchange SMTP automated banner response must not reveal server details.

    Automated connection responses occur as a result of FTP or Telnet connections when connecting to those services. They report a successful connection by greeting the connecting client and stating th...
    Rule Medium Severity
    Show

  • SRG-APP-000435

    Group
    Show

  • SRG-APP-000435

    Group
    Show

  • Exchange internal Send connectors must use an authentication level.

    The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. Several controls work together to provide security between internal server...
    Rule Medium Severity
    Show

  • SRG-APP-000439

    Group
    Show

  • SRG-APP-000439

    Group
    Show

  • Exchange internal Send connectors must require encryption.

    The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. Several controls work together to provide security between internal server...
    Rule High Severity
    Show

  • SRG-APP-000456

    Group
    Show

  • SRG-APP-000277

    Group
    Show

  • The application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.

    Malicious code protection mechanisms include, but are not limited, to anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be cause...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules