
V-259669

CAT II (Medium)

Exchange Mailbox databases must reside on a dedicated partition.

Rule ID

SV-259669r961095_rule

STIG

Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-001082

Discussion

In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to the host system can most likely lead to a compromise of all applications hosted by the same system. Email services should be installed to a discrete set of directories on a partition that does not host other applications. Email services should never be installed on a Domain Controller/Directory Services server.

Check Content

Review the Email Domain Security Plan (EDSP) or document that contains this information.

Determine the location where the Exchange Mailbox databases reside.

Open the Exchange Management Shell and enter the following command:

Get-MailboxDatabase | Select-Object -Property Name, Identity, EdbFilePath

Open Windows Explorer, navigate to the mailbox databases, and verify they are on a dedicated partition.

If the mailbox databases are not on a dedicated partition, this is a finding.

Fix Text

Update the EDSP to specify the location where the Exchange Mailbox databases reside or verify that this information is documented by the organization.

Configure the mailbox databases on a dedicated partition.

Ensure the drive that it is being moved to has enough space for the database and logs (if the logs are not being moved to their own partition). Consult the EDSP and perform the move within a maintenance window, as it will incur downtime for any users connected to this mailbox database. Ensure backups are not running at the time the move is performed. If this server is in a Database Availability Group, the move cannot be performed until all replicated copies of that database have been removed first. Then the move operation can be performed. Once completed, replicated copies can be recreated appropriately.

In an Exchange Management Shell, run the following (assuming the database is a single-copy database, or that its replicated copies have already been removed):

Move-DatabasePath -Identity "<name of database>" -EdbFilePath "<drive>:\PathToDatabase\<MailboxDatabase.edb>" -LogFolderPath "<drive>:\LogFolderPath\"

Example:
Move-DatabasePath -Identity "Database1" -EdbFilePath "D:\MailboxDBs\Database1.edb" -LogFolderPath "D:\MailboxDBLogs\"
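The Check Content and Fix Text above can be scripted so that every database on a server is evaluated the same way. The following is an added example, not text from the STIG and not DISA or Microsoft code; the function name Test-MailboxDatabasePartition is hypothetical, the sample databases at the bottom are constructed, and the script assumes that $env:ExchangeInstallPath is set when it runs on an Exchange server (it is set by Exchange setup) and that EdbFilePath and LogFolderPath values from Get-MailboxDatabase stringify to plain paths. It reports a finding when a database sits on the OS volume or the volume holding the Exchange binaries, which is what the default install path produces, and otherwise lists the volume's other top-level directories so the reviewer can confirm the partition is actually dedicated, since a script cannot decide that on its own.

```powershell
# Added example (not part of the STIG): automate the V-259669 check.
# Input objects need Name, EdbFilePath and LogFolderPath, which is exactly what
# Get-MailboxDatabase returns, so the function can sit at the end of that pipeline.
function Test-MailboxDatabasePartition {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Database,

        # Volume roots that can never count as "dedicated". Default: the OS volume
        # and, on an Exchange server, the volume holding the Exchange binaries.
        [string[]]$SharedRoots
    )

    begin {
        if (-not $SharedRoots) {
            $SharedRoots = @([System.IO.Path]::GetPathRoot($env:SystemRoot))
            if ($env:ExchangeInstallPath) {   # assumption: set by Exchange setup
                $SharedRoots += [System.IO.Path]::GetPathRoot($env:ExchangeInstallPath)
            }
        }
        # Normalise so 'd:' and 'D:\' compare equal.
        $SharedRoots = @($SharedRoots | ForEach-Object { $_.TrimEnd('\').ToUpperInvariant() + '\' })
    }

    process {
        foreach ($db in $Database) {
            $edb = [string]$db.EdbFilePath        # EdbFilePath objects stringify to the path
            $log = [string]$db.LogFolderPath
            $dbRoot  = [System.IO.Path]::GetPathRoot($edb).ToUpperInvariant()
            $logRoot = [System.IO.Path]::GetPathRoot($log).ToUpperInvariant()

            $isFinding = $SharedRoots -contains $dbRoot
            $detail = @()
            if ($isFinding) {
                $detail += "database file shares volume $dbRoot with the OS or Exchange binaries"
            }
            if ($logRoot -eq $dbRoot) {
                # Allowed by the STIG, but worth recording in the EDSP.
                $detail += "transaction logs are on the same volume as the database"
            }

            # What else lives at the top of that volume? Only answerable on the host
            # that owns the volume; hidden system folders are skipped by default.
            $others = @()
            if (Test-Path -LiteralPath $dbRoot) {
                $others = Get-ChildItem -LiteralPath $dbRoot -Directory -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty Name
            }

            [pscustomobject]@{
                Name               = $db.Name
                DatabaseRoot       = $dbRoot
                LogRoot            = $logRoot
                Status             = $(if ($isFinding) { 'Finding' } else { 'Review' })
                Detail             = ($detail -join '; ')
                TopLevelDirsOnVolume = ($others -join ', ')
            }
        }
    }
}

# Constructed sample input for an offline run. On a mailbox server use instead:
#   Get-MailboxDatabase -Server $env:COMPUTERNAME | Test-MailboxDatabasePartition | Format-Table -AutoSize
$sample = @(
    [pscustomobject]@{ Name = 'Database1'; EdbFilePath = 'D:\MailboxDBs\Database1.edb'; LogFolderPath = 'D:\MailboxDBLogs' }
    [pscustomobject]@{ Name = 'Database2'
                       EdbFilePath   = 'C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\Database2\Database2.edb'
                       LogFolderPath = 'C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\Database2' }
)
$sample | Test-MailboxDatabasePartition -SharedRoots 'C:\' | Format-Table -AutoSize
# Database1 -> Review (D:\ is not a shared root; inspect TopLevelDirsOnVolume)
# Database2 -> Finding (default install location on the OS/Exchange volume)

# Remediation follows the Fix Text: confirm the database has no replicated copies
# (Get-MailboxDatabaseCopyStatus -Identity 'Database2'), then rehearse the move in
# a maintenance window before running it for real:
#   Move-DatabasePath -Identity 'Database2' -EdbFilePath 'D:\MailboxDBs\Database2.edb' `
#       -LogFolderPath 'D:\MailboxDBLogs\Database2\' -WhatIf
```

The Status column is deliberately never "Pass": the script can prove that a volume is shared (Finding) but cannot prove that it is dedicated, so a Review result still needs the TopLevelDirsOnVolume list and the EDSP to close the check.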