Skip to content
Log In

Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000014

    Group
    Show

  • SchUseStrongCrypto must be enabled.

    Exchange Server 2019 is configured by default with TLS 1.2. However, SchUseStrongCrypto is not set by default and must be configured to meet the TLS requirement. The strong cryptography (configured...
    Rule Medium Severity
    Show

  • SRG-APP-000033

    Group
    Show

  • SRG-APP-000038

    Group
    Show

  • Exchange must have accepted domains configured.

    Exchange may be configured to accept email for multiple domain names. This setting identifies the domains for which the server will accept mail. This check verifies the email server is not acceptin...
    Rule Medium Severity
    Show

  • SRG-APP-000065

    Group
    Show

  • SRG-APP-000089

    Group
    Show

  • The Exchange email diagnostic log level must be set to the lowest level.

    Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Diagnostic logging, however, characteristi...
    Rule Medium Severity
    Show

  • SRG-APP-000089

    Group
    Show

  • Exchange connectivity logging must be enabled.

    A connectivity log is a record of the SMTP connection activity of the outbound message delivery queues to the destination mailbox server, smart host, or domain. Connectivity logging is available on...
    Rule Medium Severity
    Show

  • SRG-APP-000098

    Group
    Show

  • SRG-APP-000111

    Group
    Show

  • SRG-APP-000118

    Group
    Show

  • Exchange audit data must be protected against unauthorized access (read access).

    Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considere...
    Rule Medium Severity
    Show

  • SRG-APP-000119

    Group
    Show

  • Exchange audit data must be protected against unauthorized access for modification.

    Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considere...
    Rule Medium Severity
    Show

  • SRG-APP-000120

    Group
    Show

  • Exchange audit data must be protected against unauthorized access for deletion.

    Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considere...
    Rule Medium Severity
    Show

  • SRG-APP-000125

    Group
    Show

  • Exchange audit data must be on separate partitions.

    Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be considere...
    Rule Medium Severity
    Show

  • SRG-APP-000131

    Group
    Show

  • SRG-APP-000141

    Group
    Show

  • SRG-APP-000141

    Group
    Show

  • Exchange Send Fatal Errors to Microsoft must be disabled.

    It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and...
    Rule Medium Severity
    Show

  • SRG-APP-000211

    Group
    Show

  • SRG-APP-000213

    Group
    Show

  • SRG-APP-000219

    Group
    Show

  • Exchange internal send connectors must use domain security (mutual authentication Transport Layer Security).

    The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. Several controls work together to provide security between internal server...
    Rule Medium Severity
    Show

  • SRG-APP-000219

    Group
    Show

  • Exchange internet-facing receive connectors must offer Transport Layer Security (TLS) before using basic authentication.

    Sending unencrypted email over the internet increases the risk that messages can be intercepted or altered. TLS is designed to protect confidentiality and data integrity by encrypting email message...
    Rule Medium Severity
    Show

  • SRG-APP-000246

    Group
    Show

  • More than one Edge server must be deployed.

    To ensure hostile insiders are unable to easily commit DoS attacks and reduce the effectiveness of mail flow throughout the environment, a second Edge server is deployed to allow for multiple paths...
    Rule Medium Severity
    Show

  • SRG-APP-000247

    Group
    Show

  • SRG-APP-000247

    Group
    Show

  • Exchange Outbound Connection limit per Domain Count must be controlled.

    Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the maximum number of simultaneous outbound connections from a d...
    Rule Medium Severity
    Show

  • SRG-APP-000247

    Group
    Show

  • Exchange receive connector maximum hop count must be 60.

    Email system availability depends in part on best practice strategies for setting tuning configurations. This setting controls the maximum number of hops (email servers traversed) a message may tak...
    Rule Medium Severity
    Show

  • SRG-APP-000247

    Group
    Show

  • Exchange receive connectors must control the number of recipients per message.

    Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the maximum number of recipients who will receive a copy of a ...
    Rule Medium Severity
    Show

  • SRG-APP-000247

    Group
    Show

  • Exchange send connector connections count must be limited.

    This setting controls the maximum number of simultaneous outbound connections allowed for a given SMTP Connector and can be used to throttle the SMTP service if resource constraints warrant it. If ...
    Rule Medium Severity
    Show

  • SRG-APP-000247

    Group
    Show

  • SRG-APP-000247

    Group
    Show

  • Exchange send connectors delivery retries must be controlled.

    This setting controls the rate at which delivery attempts from the home domain are retried and user notifications are issued and notes the expiration time when the message will be discarded. If d...
    Rule Medium Severity
    Show

  • SRG-APP-000247

    Group
    Show

  • Exchange receive connectors must be clearly named.

    For receive connectors, unclear naming as to direction and purpose increases risk that messages may not flow as intended, troubleshooting efforts may be impaired, or incorrect assumptions may be ma...
    Rule Medium Severity
    Show

  • SRG-APP-000247

    Group
    Show

  • Exchange receive connectors must control the number of recipients chunked on a single message.

    Email system availability depends in part on best practice strategies for setting tuning configurations. For message size restrictions, multiple places exist to set or override inbound or outbound ...
    Rule Medium Severity
    Show

  • SRG-APP-000247

    Group
    Show

  • The Exchange internet receive connector connections count must be set to default.

    Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the maximum number of simultaneous inbound connections allowed t...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules