Check: EX16-ED-000400
Microsoft Exchange 2016 Edge Transport Server STIG:
EX16-ED-000400
(in versions v2 r5 through v1 r4)
Title
Exchange Attachment filtering must remove undesirable attachments by file type. (Cat II impact)
Discussion
By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server environment. Attachments are being used more frequently for different forms of attacks. By filtering undesirable attachments, a large percent of malicious code can be prevented from entering the system. Attachments must be controlled at the entry point into the email environment to prevent successful attachment-based attacks. The following is a basic list of known attachments that should be filtered from Internet mail attachments: *.ade *.crt *.jse *.msi *.scr *.wsh *.dir *.adp *.csh *.ksh *.msp *.sct *.htm *.dcr *.app *.exe *.lnk *.mst *.shb *.html *.plg *.asx *.fxp *.mda *.ops *.shs *.htc *.spl *.bas *.hlp *.mdb *.pcd *.url *.mht *.swf *.bat *.hta *.mde *.pif *.vb *.mhtml *.zip *.chm *.inf *.mdt *.prf *.vbe *.shtm *.cmd *.ins *.mdw *.prg *.vbs *.shtml *.com *.isp *.mdz *.reg *.wsc *.stm *.cpl *.js *.msc *.scf *.wsf *.xml
Check Content
Note: If third-party anti-spam product is being used, the anti-spam product must be configured to meet the requirement. Review the Email Domain Security Plan (EDSP). Determine the list of undesirable attachment types that should be stripped. Open the Exchange Management Shell and enter the following command: Get-AttachmentFilterEntry For each attachment type, if the values returned are different from the EDSP documented attachment types, this is a finding.
Fix Text
Update the EDSP to reflect the list of undesirable attachment types that should be stripped. Open the Exchange Management Shell and enter the following command: Add-AttachmentFilterEntry -Name <'*.FileExtension'> -Type FileName Repeat the procedure for each undesirable attachment type.
Additional Identifiers
Rule ID: SV-221239r879653_rule
Vulnerability ID: V-221239
Group Title: SRG-APP-000261
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001308 |
The information system automatically updates spam protection mechanisms. |
Controls
Number | Title |
---|---|
SI-8 (2) |
Automatic Updates |