Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide

Version: V2R6

Benchmark ID: MS_Exchange_2016_Edge_Transport_Server_STIG

Total Checks: 68

Tags: application

CAT I: 4, CAT II: 56, CAT III: 8

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (68)

  • V-221202 (MEDIUM): Exchange must limit the Receive connector timeout.
  • V-221203 (MEDIUM): Exchange servers must use approved DoD certificates.
  • V-221204 (MEDIUM): Exchange must have accepted domains configured.
  • V-221206 (MEDIUM): Exchange external Receive connectors must be domain secure-enabled.
  • V-221207 (MEDIUM): The Exchange email Diagnostic log level must be set to the lowest level.
  • V-221208 (MEDIUM): Exchange Connectivity logging must be enabled.
  • V-221209 (MEDIUM): Exchange Queue monitoring must be configured with threshold and action.
  • V-221210 (MEDIUM): Exchange must not send Customer Experience reports to Microsoft.
  • V-221211 (MEDIUM): Exchange Audit data must be protected against unauthorized access (read access).
  • V-221212 (MEDIUM): Exchange Send Fatal Errors to Microsoft must be disabled.
  • V-221213 (MEDIUM): Exchange audit data must be protected against unauthorized access for modification.
  • V-221214 (MEDIUM): Exchange audit data must be protected against unauthorized access for deletion.
  • V-221215 (MEDIUM): Exchange audit data must be on separate partitions.
  • V-221216 (MEDIUM): The Exchange local machine policy must require signed scripts.
  • V-221217 (MEDIUM): Exchange Internet-facing Send connectors must specify a Smart Host.
  • V-221218 (MEDIUM): Exchange internal Send connectors must use domain security (mutual authentication Transport Layer Security).
  • V-221219 (MEDIUM): Exchange Internet-facing Receive connectors must offer Transport Layer Security (TLS) before using basic authentication.
  • V-221220 (MEDIUM): Exchange Outbound Connection Timeout must be 10 minutes or less.
  • V-221221 (MEDIUM): Exchange Outbound Connection Limit per Domain Count must be controlled.
  • V-221222 (LOW): Exchange Send connector connections count must be limited.
  • V-221223 (LOW): Exchange message size restrictions must be controlled on Send connectors.
  • V-221224 (LOW): Exchange Send connectors delivery retries must be controlled.
  • V-221225 (LOW): Exchange Send connectors must be clearly named.
  • V-221226 (MEDIUM): Exchange Receive connector Maximum Hop Count must be 60.
  • V-221227 (LOW): Exchange Receive connectors must be clearly named.
  • V-221228 (LOW): Exchange Receive connectors must control the number of recipients chunked on a single message.
  • V-221229 (MEDIUM): Exchange Receive connectors must control the number of recipients per message.
  • V-221230 (LOW): The Exchange Internet Receive connector connections count must be set to default.
  • V-221231 (LOW): Exchange Message size restrictions must be controlled on Receive connectors.
  • V-221232 (MEDIUM): Exchange messages with a blank sender field must be rejected.
  • V-221233 (MEDIUM): Exchange messages with a blank sender field must be filtered.
  • V-221234 (MEDIUM): Exchange filtered messages must be archived.
  • V-221235 (MEDIUM): The Exchange Sender filter must block unaccepted domains.
  • V-221236 (MEDIUM): Exchange nonexistent recipients must not be blocked.
  • V-221237 (MEDIUM): The Exchange Sender Reputation filter must be enabled.
  • V-221238 (MEDIUM): The Exchange Sender Reputation filter must identify the spam block level.
  • V-221239 (MEDIUM): Exchange Attachment filtering must remove undesirable attachments by file type.
  • V-221240 (MEDIUM): The Exchange Spam Evaluation filter must be enabled.
  • V-221241 (MEDIUM): The Exchange Block List service provider must be identified.
  • V-221242 (MEDIUM): Exchange messages with a malformed From address must be rejected.
  • V-221243 (MEDIUM): The Exchange Recipient filter must be enabled.
  • V-221244 (MEDIUM): The Exchange tarpitting interval must be set.
  • V-221245 (MEDIUM): Exchange internal Receive connectors must not allow anonymous connections.
  • V-221246 (MEDIUM): Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List entries must be empty.
  • V-221247 (MEDIUM): The Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List Connection filter must be enabled.
  • V-221248 (MEDIUM): The Exchange Simple Mail Transfer Protocol (SMTP) Sender filter must be enabled.
  • V-221249 (MEDIUM): Exchange must have antispam filtering installed.
  • V-221250 (MEDIUM): Exchange must have antispam filtering enabled.
  • V-221251 (MEDIUM): Exchange must have antispam filtering configured.
  • V-221252 (MEDIUM): Exchange Sender Identification Framework must be enabled.
  • V-221253 (HIGH): Exchange must render hyperlinks from email sources from non-.mil domains as unclickable.
  • V-221254 (MEDIUM): The Exchange application directory must be protected from unauthorized access.
  • V-221255 (MEDIUM): The Exchange software baseline copy must exist.
  • V-221256 (MEDIUM): Exchange services must be documented and unnecessary services must be removed or disabled.
  • V-221257 (MEDIUM): Exchange software must be installed on a separate partition from the OS.
  • V-221258 (MEDIUM): The Exchange SMTP automated banner response must not reveal server details.
  • V-221259 (HIGH): Exchange must provide redundancy.
  • V-221260 (MEDIUM): Exchange internal Send connectors must use an authentication level.
  • V-221261 (HIGH): Exchange internal Receive connectors must require encryption.
  • V-221262 (HIGH): Exchange internal Send connectors must require encryption.
  • V-221263 (MEDIUM): Exchange must have the most current, approved service pack installed.
  • V-221264 (MEDIUM): The application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.
  • V-221265 (MEDIUM): The application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.
  • V-221266 (MEDIUM): The application must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.
  • V-221267 (MEDIUM): The application must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.
  • V-221268 (MEDIUM): The application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
  • V-221269 (MEDIUM): The application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.
  • V-221270 (MEDIUM): The applications built-in Malware Agent must be disabled.