STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide

Version

V2R6

Release Date

Dec 18, 2023

SCAP Benchmark ID

MS_Exchange_2016_Mailbox_Server_STIG

Total Checks

64

Tags

other
CAT I: 1, CAT II: 47, CAT III: 16

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (64)

  • V-228354 (MEDIUM): Exchange must have Administrator audit logging enabled.
  • V-228355 (MEDIUM): Exchange servers must use approved DoD certificates.
  • V-228356 (MEDIUM): Exchange auto-forwarding email to remote domains must be disabled or restricted.
  • V-228357 (MEDIUM): Exchange Connectivity logging must be enabled.
  • V-228358 (MEDIUM): The Exchange Email Diagnostic log level must be set to the lowest level.
  • V-228359 (LOW): Exchange Audit record parameters must be set.
  • V-228360 (LOW): Exchange Circular Logging must be disabled.
  • V-228361 (MEDIUM): Exchange Email Subject Line logging must be disabled.
  • V-228362 (MEDIUM): Exchange Message Tracking Logging must be enabled.
  • V-228363 (MEDIUM): Exchange Queue monitoring must be configured with threshold and action.
  • V-228364 (MEDIUM): Exchange Send Fatal Errors to Microsoft must be disabled.
  • V-228365 (MEDIUM): Exchange must protect audit data against unauthorized read access.
  • V-228366 (MEDIUM): Exchange must not send Customer Experience reports to Microsoft.
  • V-228367 (MEDIUM): Exchange must protect audit data against unauthorized access.
  • V-228368 (MEDIUM): Exchange must protect audit data against unauthorized deletion.
  • V-228369 (MEDIUM): Exchange Audit data must be on separate partitions.
  • V-228370 (MEDIUM): Exchange Local machine policy must require signed scripts.
  • V-228371 (MEDIUM): The Exchange Internet Message Access Protocol 4 (IMAP4) service must be disabled.
  • V-228372 (MEDIUM): The Exchange Post Office Protocol 3 (POP3) service must be disabled.
  • V-228373 (MEDIUM): Exchange Mailbox databases must reside on a dedicated partition.
  • V-228374 (MEDIUM): Exchange Internet-facing Send connectors must specify a Smart Host.
  • V-228375 (MEDIUM): Exchange internal Receive connectors must require encryption.
  • V-228376 (MEDIUM): Exchange Mailboxes must be retained until backups are complete.
  • V-228377 (MEDIUM): Exchange email forwarding must be restricted.
  • V-228378 (MEDIUM): Exchange email-forwarding SMTP domains must be restricted.
  • V-228379 (LOW): Exchange Mail quota settings must not restrict receiving mail.
  • V-228380 (LOW): Exchange Mail Quota settings must not restrict receiving mail.
  • V-228381 (LOW): Exchange Mailbox Stores must mount at startup.
  • V-228382 (LOW): Exchange Message size restrictions must be controlled on Receive connectors.
  • V-228383 (LOW): Exchange Receive connectors must control the number of recipients per message.
  • V-228384 (LOW): The Exchange Receive Connector Maximum Hop Count must be 60.
  • V-228385 (LOW): Exchange Message size restrictions must be controlled on Send connectors.
  • V-228386 (LOW): The Exchange Send connector connections count must be limited.
  • V-228387 (LOW): The Exchange global inbound message size must be controlled.
  • V-228388 (LOW): The Exchange global outbound message size must be controlled.
  • V-228389 (LOW): The Exchange Outbound Connection Limit per Domain Count must be controlled.
  • V-228390 (LOW): The Exchange Outbound Connection Timeout must be 10 minutes or less.
  • V-228391 (MEDIUM): Exchange Internal Receive connectors must not allow anonymous connections.
  • V-228392 (MEDIUM): Exchange external/Internet-bound automated response messages must be disabled.
  • V-228393 (MEDIUM): Exchange must have anti-spam filtering installed.
  • V-228394 (MEDIUM): Exchange must have anti-spam filtering enabled.
  • V-228395 (MEDIUM): Exchange must have anti-spam filtering configured.
  • V-228396 (MEDIUM): Exchange must not send automated replies to remote domains.
  • V-228397 (HIGH): Exchange servers must have an approved DoD email-aware virus protection software installed.
  • V-228398 (LOW): The Exchange Global Recipient Count Limit must be set.
  • V-228399 (LOW): The Exchange Receive connector timeout must be limited.
  • V-228400 (MEDIUM): The Exchange application directory must be protected from unauthorized access.
  • V-228401 (MEDIUM): An Exchange software baseline copy must exist.
  • V-228402 (MEDIUM): Exchange software must be monitored for unauthorized changes.
  • V-228403 (MEDIUM): Exchange services must be documented and unnecessary services must be removed or disabled.
  • V-228404 (MEDIUM): Exchange Outlook Anywhere clients must use NTLM authentication to access email.
  • V-228405 (MEDIUM): The Exchange Email application must not share a partition with another application.
  • V-228406 (MEDIUM): Exchange must not send delivery reports to remote domains.
  • V-228407 (MEDIUM): Exchange must not send nondelivery reports to remote domains.
  • V-228408 (MEDIUM): The Exchange SMTP automated banner response must not reveal server details.
  • V-228409 (MEDIUM): Exchange Internal Send connectors must use an authentication level.
  • V-228410 (MEDIUM): Exchange must provide Mailbox databases in a highly available and redundant configuration.
  • V-228411 (MEDIUM): Exchange must have the most current, approved service pack installed.
  • V-228412 (MEDIUM): The application must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
  • V-228413 (MEDIUM): The applications built-in Malware Agent must be disabled.
  • V-228415 (MEDIUM): Exchange must use encryption for RPC client access.
  • V-228416 (MEDIUM): Exchange must use encryption for Outlook Web App (OWA) access.
  • V-228417 (MEDIUM): Exchange must have forms-based authentication disabled.
  • V-228418 (MEDIUM): Exchange must have authenticated access set to Integrated Windows Authentication only.