Check: EX16-ED-000030
Microsoft Exchange 2016 Edge Transport Server STIG:
EX16-ED-000030
(in versions v2 r5 through v1 r1)
Title
Exchange must have accepted domains configured. (Cat II impact)
Discussion
Exchange may be configured to accept email for multiple domain names. This setting identifies the domains for which the server will accept mail. This check verifies the email server is not accepting email for unauthorized domains.
Check Content
Review the Email Domain Security Plan (EDSP). Determine the Accepted Domain values. Open the Exchange Management Shell and enter the following command: Get-AcceptedDomain | Select Name, DomainName, Identity, Default If the value of "Default" is not set to "True", this is a finding. or If the "Default" value for "AcceptedDomains" is set to another value other than "True" and has signoff and risk acceptance in the EDSP, this is not a finding.
Fix Text
Update the EDSP. Open the Exchange Management Shell and enter the following command: Set-AcceptedDomain -Identity <'IdentityName'> -MakeDefault $true Note: The <IdentityName> value must be in single quotes.
Additional Identifiers
Rule ID: SV-221204r879533_rule
Vulnerability ID: V-221204
Group Title: SRG-APP-000038
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001368 |
The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. |
Controls
Number | Title |
---|---|
AC-4 |
Information Flow Enforcement |