MS Exchange 2013 Edge Transport Server STIG Version Comparison

There are 12 differences between versions v1 r3 (Oct. 26, 2018) (the "left" version) and v1 r5 (April 26, 2019) (the "right" version).

Check EX13-EG-000020 was removed from the benchmark in the "right" version. The text below reflects the old wording.

This check's original form is available here.

Title

Exchange must have auto-forwarding of email to remote domains disabled or restricted.

Check Content

Non-Enterprise Mail Check Content: Open the Exchange Management Shell and enter the following command: Get-RemoteDomain | Select Name, DomainName, Identity, AutoForwardEnabled If the value of AutoForwardEnabled is not set to False, this is a finding. Enterprise Mail Check Content: Open the Exchange Management Shell and enter the following command: Get-RemoteDomain | Select Name, DomainName, Identity, AutoForwardEnabled If the value of DomainName is not set to a .mil and/or .gov domain(s) and the value of AutoForwardEnabled is not set to True, this is a finding.

Discussion

Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this information to conduct future attacks. Ensure Automatic Forwards to remote domains are disabled, except for enterprise email that must be restricted to forward-only to .mil and .gov. domains. Before enabling this setting, first configure a remote domain.

Fix

For Non-Enterprise Mail Fix Text: Open the Exchange Management Shell and enter the following command: Set-RemoteDomain -Identity <'IdentityName'> -AutoForwardEnabled $false Note: The <IdentityName> value must be in quotes. For Enterprise Mail Fix Text, enter the following commands: New-RemoteDomain -Name <NewDomainName> -DomainName <SMTP address space> Note: NewDomainName must be either a .mil or .gov domain. Set-RemoteDomain -Identity <'IdentityName'> -AutoForwardEnabled $true