Microsoft Exchange 2016 Edge Transport Server STIG Version Comparison

There are 2 differences between versions v2 r3 (Dec. 15, 2021) (the "left" version) and v2 r5 (Jan. 24, 2024) (the "right" version).

Check EX16-ED-000040 was removed from the benchmark in the "right" version. The text below reflects the old wording.

This check's original form is available here.

Title

Exchange must have auto-forwarding of email to remote domains disabled or restricted.

Check Content

Non-Enterprise Mail Check Content: Open the Exchange Management Shell and enter the following command: Get-RemoteDomain | Select Name, DomainName, Identity, AutoForwardEnabled If the value of "AutoForwardEnabled" is not set to "False", this is a finding. Enterprise Mail Check Content: Open the Exchange Management Shell and enter the following command: Get-RemoteDomain | Select Name, DomainName, Identity, AutoForwardEnabled If the value of “AutoForwardEnabled” is “True” and “DomainName” is not set to a “.mil” and/or “.gov” domain(s), this is a finding.

Discussion

Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this information to conduct future attacks. Ensure Automatic Forwards to remote domains are disabled, except for enterprise email that must be restricted to forward-only to .mil and .gov. domains. Before enabling this setting, first configure a remote domain.

Fix

For Non-Enterprise Mail Fix Text: Open the Exchange Management Shell and enter the following command: Set-RemoteDomain -Identity <'IdentityName'> -AutoForwardEnabled $false Note: The <IdentityName> value must be in single quotes. For Enterprise Mail Fix Text, enter the following commands: New-RemoteDomain -Name <NewDomainName> -DomainName <SMTP address space> Note: NewDomainName must be either a ".mil" or ".gov" domain. Set-RemoteDomain -Identity <'IdentityName'> -AutoForwardEnabled $true