Check: Exch-2-715
Exchange 2010 Hub Transport Server STIG:
Exch-2-715
(in version v1 r12)
Title
Internal Receive Connectors must not allow anonymous connections. (Cat II impact)
Discussion
This control is used to limit the servers that may use this server as a relay. If a Simple Mail Transport Protocol (SMTP) sender does not have a direct connection to the Internet (for example, an application that produces reports to be emailed) then it will need to use an SMTP Receive Connector that does have a path to the Internet (for example, a local email server) as a relay. SMTP relay functions must be protected so third parties are not able to hijack a relay service for their own purposes. Most commonly, hijacking of relays is done by SPAMMERS to disguise the source of their messages, and may also be used to cover the source of more destructive attacks. Relays can be restricted in one of three ways; by blocking relays (restrict to a blank list of servers), by restricting use to lists of valid servers, or by restricting use to servers that can authenticate. Because authenticated connections are the most secure for SMTP Receive Connectors, it is recommended that relays allow only servers that can authenticate.
Check Content
Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector | Select Name, Identity, PermissionGroups If the value of 'PermissionGroups' is 'AnonymousUsers' for any non-internet connector, this is a finding.
Fix Text
Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Identity <'ReceiveConnector'> -PermissionGroups and enter a valid value other than 'AnonymousUsers'.
Additional Identifiers
Rule ID: SV-43986r1_rule
Vulnerability ID: V-33566
Group Title: Exch-2-715
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |