Microsoft Exchange 2013 Mailbox Server Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Exchange Local machine policy must require signed scripts.
Scripts often provide a way for attackers to infiltrate a system, especially those downloaded from untrusted locations. By setting machine policy to prevent unauthorized script executions, unantici...Rule Medium Severity -
SRG-APP-000141
Group -
The Exchange IMAP4 service must be disabled.
The IMAP4 protocol is not approved for use within the DoD. It uses a clear-text-based user name and password and does not support the DoD standard for PKI for email access. User name and password c...Rule Medium Severity -
SRG-APP-000141
Group -
The Exchange POP3 service must be disabled.
The POP3 protocol is not approved for use within the DoD. It uses a clear-text-based user name and password and does not support the DoD standard for PKI for email access. User name and password co...Rule Medium Severity -
SRG-APP-000213
Group -
Exchange Internet-facing Send connectors must specify a Smart Host.
When identifying a "Smart Host" for the email environment, a logical Send connector is the preferred method. A Smart Host acts as an Internet-facing concentrator for other email servers. Appropria...Rule Medium Severity -
SRG-APP-000219
Group -
SRG-APP-000219
Group -
Exchange internal Receive connectors must use Domain Security (mutual authentication Transport Layer Security).
The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. There are several controls that work together to provide security between ...Rule Medium Severity -
SRG-APP-000219
Group -
Exchange email forwarding must be restricted.
Auto-forwarded email accounts do not meet the requirement for digital signature and encryption of CUI and PII IAW DoDI 8520.2 (reference ee) and DoD Director for Administration and Management memor...Rule Medium Severity -
SRG-APP-000231
Group -
SRG-APP-000231
Group -
Exchange Public Folder stores must be retained until backups are complete.
Backup and recovery procedures are an important part of overall system availability and integrity. Complete backups reduce the chance of accidental deletion of important information and make it pos...Rule Medium Severity -
SRG-APP-000231
Group -
The Exchange Public Folder database must not be overwritten by a restore.
Email system availability depends in part on best practice strategies for setting tuning configurations. Unauthorized or accidental restoration of public folder data risks data loss or corruption. ...Rule Low Severity -
SRG-APP-000231
Group -
Exchange Mailboxes must be retained until backups are complete.
Backup and recovery procedures are an important part of overall system availability and integrity. Complete backups reduce the chance of accidental deletion of important information and make it pos...Rule Medium Severity -
SRG-APP-000231
Group -
The Exchange Mailbox database must not be overwritten by a restore.
Email system availability depends in part on best practice strategies for setting tuning configurations. Unauthorized or accidental restoration of mailbox data risks data loss or corruption. Th...Rule Low Severity -
SRG-APP-000231
Group -
SRG-APP-000246
Group -
Exchange Mail quota settings must not restrict receiving mail.
Mail quota settings control the maximum sizes of a user’s mailbox and the system’s response if these limits are exceeded. Mailbox data that is not monitored against a quota increases the risk of ma...Rule Low Severity -
SRG-APP-000246
Group -
SRG-APP-000246
Group -
The Exchange Mail Store storage quota must issue a warning.
Mail quota settings control the maximum sizes of a user’s mailbox and the system’s response if these limits are exceeded. Mailbox data that is not monitored against a quota increases the risk of ma...Rule Low Severity -
SRG-APP-000246
Group -
Exchange Mailbox Stores must mount at startup.
Administrator responsibilities include the ability to react to unplanned maintenance tasks or emergency situations that may require Mailbox data manipulation. Occasionally, there may be a need to s...Rule Low Severity -
SRG-APP-000247
Group -
SRG-APP-000247
Group -
Exchange Receive connectors must control the number of recipients per message.
Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the maximum number of recipients who will receive a copy of a ...Rule Low Severity -
SRG-APP-000247
Group -
Exchange Receive connectors must be clearly named.
For Receive connectors, unclear naming as to direction and purpose increases risk that messages may not flow as intended, troubleshooting efforts may be impaired, or incorrect assumptions may be ma...Rule Low Severity -
SRG-APP-000247
Group -
The Exchange Receive Connector Maximum Hop Count must be 60.
Email system availability depends in part on best practice strategies for setting tuning configurations. This setting controls the maximum number of hops (email servers traversed) a message may tak...Rule Low Severity -
SRG-APP-000247
Group -
Exchange Send connectors must be clearly named.
For Send connectors, unclear naming as to direction and purpose increases risk that messages may not flow as intended, troubleshooting efforts may be impaired, or incorrect assumptions may be made ...Rule Low Severity -
SRG-APP-000247
Group -
SRG-APP-000247
Group -
Exchange Message size restrictions must be controlled on Send connectors.
Email system availability depends in part on best practice strategies for setting tuning configurations. For message size restrictions, multiple places exist to set or override inbound or outbound ...Rule Low Severity -
SRG-APP-000247
Group -
The Exchange Send connector connections count must be limited.
The Exchange Send connector setting controls the maximum number of simultaneous outbound connections allowed for a given SMTP connector and can be used to throttle the SMTP service if resource cons...Rule Low Severity -
SRG-APP-000247
Group -
The Exchange global inbound message size must be controlled.
Email system availability depends in part on best practice strategies for setting tuning configurations. Message size limits should be set to 10 megabytes at most, but often are smaller, depending ...Rule Low Severity -
SRG-APP-000247
Group -
The Exchange global outbound message size must be controlled.
Email system availability depends in part on best practice strategies for setting tuning configurations. Message size limits should be set to 10 megabytes at most, but often are smaller, depending ...Rule Low Severity -
SRG-APP-000247
Group -
SRG-APP-000247
Group -
The Exchange Outbound Connection Timeout must be 10 minutes or less.
Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the number of idle minutes before the connection is dropped. It ...Rule Low Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.