Check: IIST-SV-000160
Microsoft IIS 10.0 Server STIG:
IIST-SV-000160
(in versions v2 r10 through v1 r2)
Title
An IIS Server configured to be a SMTP relay must require authentication. (Cat II impact)
Discussion
Anonymous SMTP relays are strictly prohibited. An anonymous SMTP relay can be a vector for many types of malicious activity not limited to server exploitation for the sending of SPAM mail, access to emails, phishing, DoS attacks, etc. Enabling TLS, authentication, and strictly assigning IP addresses that can communicate with the relay greatly reduce the risk of the implementation.
Check Content
Interview the System Administrator about the role of the IIS 10.0 web server. If the IIS 10.0 web server is running SMTP relay services, have the SA provide supporting documentation on how the server is hardened. A DoD-issued certificate, and specific allowed IP address should be configured. If the IIS web server is not running SMTP relay services, this is Not Applicable. If the IIS web server running SMTP relay services without TLS enabled, this is a finding. If the IIS web server running SMTP relay services is not configured to only allow a specific IP address, from the same network as the relay, this is a finding.
Fix Text
Configure the relay server with a specific allowed IP address, from the same network as the relay, and implement TLS.
Additional Identifiers
Rule ID: SV-228572r879587_rule
Vulnerability ID: V-228572
Group Title: SRG-APP-000141-WSR-000075
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |