STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide

Version: V2R2
Benchmark ID: MS_Exchange_2019_Edge_Server_STIG
Total Checks: 68
Tags: application
Severity: CAT I: 3, CAT II: 65, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Checks (68)

  • V-259577 [MEDIUM] SchUseStrongCrypto must be enabled.
  • V-259578 [MEDIUM] Exchange servers must use approved DOD certificates.
  • V-259579 [MEDIUM] Exchange must have accepted domains configured.
  • V-259580 [MEDIUM] Exchange external Receive connectors must be domain secure-enabled.
  • V-259581 [MEDIUM] The Exchange email diagnostic log level must be set to the lowest level.
  • V-259582 [MEDIUM] Exchange connectivity logging must be enabled.
  • V-259583 [MEDIUM] Exchange message tracking logging must be enabled.
  • V-259584 [MEDIUM] Exchange queue monitoring must be configured with threshold and action.
  • V-259585 [MEDIUM] Exchange audit data must be protected against unauthorized access (read access).
  • V-259586 [MEDIUM] Exchange audit data must be protected against unauthorized access for modification.
  • V-259587 [MEDIUM] Exchange audit data must be protected against unauthorized access for deletion.
  • V-259588 [MEDIUM] Exchange audit data must be on separate partitions.
  • V-259589 [MEDIUM] Exchange local machine policy must require signed scripts.
  • V-259590 [MEDIUM] Exchange must not send customer experience reports to Microsoft.
  • V-259591 [MEDIUM] Exchange Send Fatal Errors to Microsoft must be disabled.
  • V-259592 [MEDIUM] Exchange queue database must reside on a dedicated partition.
  • V-259593 [MEDIUM] Exchange internet-facing send connectors must specify a Smart Host.
  • V-259594 [MEDIUM] Exchange internal send connectors must use domain security (mutual authentication Transport Layer Security).
  • V-259595 [MEDIUM] Exchange internet-facing receive connectors must offer Transport Layer Security (TLS) before using basic authentication.
  • V-259596 [MEDIUM] More than one Edge server must be deployed.
  • V-259597 [MEDIUM] Exchange Outbound Connection Timeout must be 10 minutes or less.
  • V-259598 [MEDIUM] Exchange Outbound Connection limit per Domain Count must be controlled.
  • V-259599 [MEDIUM] Exchange receive connector maximum hop count must be 60.
  • V-259600 [MEDIUM] Exchange receive connectors must control the number of recipients per message.
  • V-259601 [MEDIUM] Exchange send connector connections count must be limited.
  • V-259602 [MEDIUM] Exchange message size restrictions must be controlled on Send connectors.
  • V-259603 [MEDIUM] Exchange send connectors delivery retries must be controlled.
  • V-259604 [MEDIUM] Exchange receive connectors must be clearly named.
  • V-259605 [MEDIUM] Exchange receive connectors must control the number of recipients chunked on a single message.
  • V-259606 [MEDIUM] The Exchange internet receive connector connections count must be set to default.
  • V-259607 [MEDIUM] Exchange Message size restrictions must be controlled on receive connectors.
  • V-259608 [MEDIUM] Active hyperlinks in messages from non .mil domains must be rendered unclickable.
  • V-259609 [MEDIUM] Exchange messages with a blank sender field must be rejected.
  • V-259610 [MEDIUM] Exchange messages with a blank sender field must be filtered.
  • V-259611 [MEDIUM] Exchange filtered messages must be archived.
  • V-259612 [MEDIUM] The Exchange sender filter must block unaccepted domains.
  • V-259613 [MEDIUM] Exchange nonexistent recipients must not be blocked.
  • V-259614 [MEDIUM] The Exchange Sender Reputation filter must be enabled.
  • V-259615 [MEDIUM] The Exchange Sender Reputation filter must identify the spam block level.
  • V-259616 [MEDIUM] Exchange Attachment filtering must remove undesirable attachments by file type.
  • V-259617 [MEDIUM] The Exchange Spam Evaluation filter must be enabled.
  • V-259618 [MEDIUM] The Exchange Block List service provider must be identified.
  • V-259619 [MEDIUM] Exchange messages with a malformed From address must be rejected.
  • V-259620 [MEDIUM] The Exchange Recipient filter must be enabled.
  • V-259621 [MEDIUM] The Exchange tarpitting interval must be set.
  • V-259622 [MEDIUM] Exchange internal Receive connectors must not allow anonymous connections.
  • V-259623 [MEDIUM] Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List entries must be empty.
  • V-259624 [MEDIUM] The Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List Connection filter must be enabled.
  • V-259625 [MEDIUM] The Exchange Simple Mail Transfer Protocol (SMTP) Sender filter must be enabled.
  • V-259626 [MEDIUM] Exchange must have anti-spam filtering installed.
  • V-259627 [MEDIUM] Exchange must have anti-spam filtering enabled.
  • V-259628 [MEDIUM] Exchange must have anti-spam filtering configured.
  • V-259629 [MEDIUM] Exchange Sender Identification Framework must be enabled.
  • V-259630 [MEDIUM] Exchange must limit the Receive connector timeout.
  • V-259631 [MEDIUM] Role-Based Access Control must be defined for privileged and nonprivileged users.
  • V-259632 [MEDIUM] The Exchange application directory must be protected from unauthorized access.
  • V-259633 [MEDIUM] The Exchange software baseline copy must exist.
  • V-259634 [MEDIUM] The Exchange local machine policy must require signed scripts.
  • V-259635 [MEDIUM] Exchange services must be documented, and unnecessary services must be removed or disabled.
  • V-259636 [MEDIUM] The Exchange Edge server must point to a trusted list of DNS servers for external and internal resolution.
  • V-259637 [MEDIUM] Exchange software must be installed on a separate partition from the OS.
  • V-259638 [MEDIUM] The Exchange SMTP automated banner response must not reveal server details.
  • V-259639 [MEDIUM] Exchange internal Send connectors must use an authentication level.
  • V-259640 [HIGH] Exchange must provide redundancy.
  • V-259641 [HIGH] Exchange internal Receive connectors must require encryption.
  • V-259642 [HIGH] Exchange internal Send connectors must require encryption.
  • V-259643 [MEDIUM] Exchange must render hyperlinks from email sources from non-.mil domains as unclickable.
  • V-259644 [MEDIUM] Exchange must have the most current, approved Cumulative Update (CU) installed.