
STIGhub


Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide

Version: V2R3
Release Date: May 14, 2025
SCAP Benchmark ID: MS_Exchange_2019_Mailbox_Server_STIG
Total Checks: 66
Tags: other
CAT I: 2, CAT II: 49, CAT III: 15

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (66)

V-259645 [MEDIUM] Exchange must use encryption for RPC client access.
V-259646 [MEDIUM] Exchange must use encryption for Outlook Web App (OWA) access.
V-259647 [MEDIUM] Exchange must have forms-based authentication enabled.
V-259648 [MEDIUM] Exchange must have administrator audit logging enabled.
V-259649 [MEDIUM] Exchange servers must use approved DOD certificates.
V-259650 [MEDIUM] Exchange must have authenticated access set to integrated Windows authentication only.
V-259651 [MEDIUM] Exchange auto-forwarding email to remote domains must be disabled or restricted.
V-259652 [MEDIUM] Exchange connectivity logging must be enabled.
V-259653 [MEDIUM] The Exchange email diagnostic log level must be set to the lowest level.
V-259654 [LOW] Exchange audit record parameters must be set.
V-259655 [MEDIUM] The RBAC role for audit log management must be defined and restricted.
V-259656 [MEDIUM] Exchange email subject line logging must be disabled.
V-259657 [MEDIUM] Exchange message tracking logging must be enabled.
V-259658 [LOW] Exchange circular logging must be disabled.
V-259659 [MEDIUM] Exchange queue monitoring must be configured with threshold and action.
V-259660 [MEDIUM] Exchange must protect audit data against unauthorized read access.
V-259661 [MEDIUM] Exchange must protect audit data against unauthorized access.
V-259662 [MEDIUM] Exchange must protect audit data against unauthorized deletion.
V-259663 [MEDIUM] Exchange audit data must be on separate partitions.
V-259664 [MEDIUM] Exchange local machine policy must require signed scripts.
V-259665 [MEDIUM] Exchange Send Fatal Errors to Microsoft must be disabled.
V-259666 [MEDIUM] Exchange must not send customer experience reports to Microsoft.
V-259667 [MEDIUM] The Exchange Internet Message Access Protocol 4 (IMAP4) service must be disabled.
V-259668 [MEDIUM] The Exchange Post Office Protocol 3 (POP3) service must be disabled.
V-259669 [MEDIUM] Exchange Mailbox databases must reside on a dedicated partition.
V-259670 [MEDIUM] Exchange internet-facing send connectors must specify a smart host.
V-259671 [MEDIUM] Exchange mailboxes must be retained until backups are complete.
V-259672 [MEDIUM] Exchange email forwarding must be restricted.
V-259673 [MEDIUM] Exchange email-forwarding SMTP domains must be restricted.
V-259674 [LOW] Exchange mailbox stores must mount at startup.
V-259675 [LOW] Exchange mail quota settings must not restrict receiving mail.
V-259676 [LOW] Exchange mail quota settings must not restrict sending mail.
V-259677 [LOW] Exchange Message size restrictions must be controlled on Receive connectors.
V-259678 [LOW] The Exchange Receive Connector Maximum Hop Count must be 60.
V-259679 [LOW] The Exchange send connector connections count must be limited.
V-259681 [LOW] Exchange message size restrictions must be controlled on send connectors.
V-259682 [LOW] The Exchange global inbound message size must be controlled.
V-259683 [LOW] The Exchange global outbound message size must be controlled.
V-259684 [LOW] The Exchange Outbound Connection Limit per Domain Count must be controlled.
V-259685 [LOW] The Exchange Outbound Connection Timeout must be 10 minutes or less.
V-259686 [HIGH] Exchange servers must have an approved DOD email-aware virus protection software installed.
V-259687 [MEDIUM] Exchange internal receive connectors must not allow anonymous connections.
V-259688 [MEDIUM] Exchange external/internet-bound automated response messages must be disabled.
V-259689 [MEDIUM] Exchange must have anti-spam filtering installed.
V-259690 [MEDIUM] Exchange must have anti-spam filtering enabled.
V-259691 [MEDIUM] Exchange must have anti-spam filtering configured.
V-259692 [MEDIUM] Exchange must not send automated replies to remote domains.
V-259693 [LOW] The Exchange Global Recipient Count Limit must be set.
V-259694 [MEDIUM] Exchange antimalware agent must be enabled and configured.
V-259695 [MEDIUM] The Exchange malware scanning agent must be configured for automatic updates.
V-259697 [LOW] The Exchange receive connector timeout must be limited.
V-259698 [MEDIUM] Role-Based Access Control must be defined for privileged and nonprivileged users.
V-259699 [MEDIUM] The Exchange application directory must be protected from unauthorized access.
V-259700 [MEDIUM] An Exchange software baseline copy must exist.
V-259701 [MEDIUM] Exchange software must be monitored for unauthorized changes.
V-259702 [MEDIUM] Exchange services must be documented, and unnecessary services must be removed or disabled.
V-259703 [MEDIUM] Exchange Outlook Anywhere clients must use NTLM authentication to access email.
V-259704 [MEDIUM] The Exchange email application must not share a partition with another application.
V-259705 [MEDIUM] Exchange must not send delivery reports to remote domains.
V-259706 [MEDIUM] Exchange must not send nondelivery reports to remote domains.
V-259707 [MEDIUM] The Exchange SMTP automated banner response must not reveal server details.
V-259708 [MEDIUM] Exchange internal send connectors must use an authentication level.
V-259709 [MEDIUM] Exchange must provide mailbox databases in a highly available and redundant configuration.
V-259710 [HIGH] The application must protect the confidentiality and integrity of transmitted information.
V-259711 [MEDIUM] Exchange must have the most current, approved Cumulative Update installed.
V-259712 [MEDIUM] Exchange must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.