STIGQter: STIG Summary: Microsoft Exchange 2013 Mailbox Server Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 22 Jan 2021

Exchange must provide Mailbox databases in a highly available and redundant configuration.

DISA Rule

SV-207332r615936_rule

Vulnerability Number

V-207332

Group Title

SRG-APP-000435

Rule Version

EX13-MB-000335

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Update the EDSP.

Add two or more Mailbox servers to the database availability group.

Check Contents

Review the Email Domain Security Plan (EDSP).

Determine if the Exchange Mailbox databases are using redundancy.

Open an Exchange Admin Center.

Navigate to and select Microsoft Exchange >> Microsoft Exchange On-Premises <server.domain> >> Organization Configuration >> Mailbox.

In the right pane, if two or more Mailbox servers are not listed, this is a finding.

Note: The EDSP must indicate what availability the system must have, as approved by the ISSO. This can be used for justification when determining finding and possibly a severity downgrade.
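A scripted equivalent of the console check above, for the Exchange Management Shell. This is an added example, not part of the STIG text; it assumes the Exchange 2013 cmdlets are loaded in the session, and the function name `Test-MailboxRedundancy` is hypothetical. It goes one step beyond the console check by also flagging individual mailbox databases that have fewer than two copies.

```powershell
# Added example, not part of the STIG text.
# Assumption: run in the Exchange Management Shell (Exchange 2013 cmdlets available).
# Test-MailboxRedundancy is a hypothetical helper name.
function Test-MailboxRedundancy {
    [CmdletBinding()]
    param(
        # Minimum number of Mailbox servers required by the check ("two or more").
        [int]$MinimumServers = 2
    )

    # 1. Every database availability group must contain at least $MinimumServers members.
    $dags = @(Get-DatabaseAvailabilityGroup)
    if ($dags.Count -eq 0) {
        [pscustomobject]@{ Scope = 'Organization'; Name = '(none)'; Count = 0
                           Detail = 'No database availability group is defined' }
    }
    foreach ($dag in $dags) {
        $members = @($dag.Servers)
        if ($members.Count -lt $MinimumServers) {
            [pscustomobject]@{ Scope = 'DAG'; Name = $dag.Name; Count = $members.Count
                               Detail = 'DAG has fewer Mailbox servers than required' }
        }
    }

    # 2. Beyond the console check: every mailbox database should have a copy
    #    on at least $MinimumServers servers, otherwise DAG membership alone
    #    gives that database no redundancy.
    foreach ($db in @(Get-MailboxDatabase)) {
        $hosts = @($db.Servers)
        if ($hosts.Count -lt $MinimumServers) {
            [pscustomobject]@{ Scope = 'Database'; Name = $db.Name; Count = $hosts.Count
                               Detail = 'Database has fewer copies than required' }
        }
    }
}

# Wrap in @() so a single result or no result is still an array.
$issues = @(Test-MailboxRedundancy)
if ($issues.Count -gt 0) {
    $issues | Format-Table Scope, Name, Count, Detail -AutoSize
    Write-Output 'EX13-MB-000335: redundancy below two Mailbox servers; compare with the EDSP.'
} else {
    Write-Output 'EX13-MB-000335: two or more Mailbox servers present for every DAG and database.'
}
```

Any rows returned still need to be compared against the availability requirement recorded in the EDSP before the result is recorded.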

Documentable

False

Severity Override Guidance

Review the Email Domain Security Plan (EDSP).

Determine if the Exchange Mailbox databases are using redundancy.

Open an Exchange Admin Center.

Navigate to and select Microsoft Exchange >> Microsoft Exchange On-Premises <server.domain> >> Organization Configuration >> Mailbox.

In the right pane, if two or more Mailbox servers are not listed, this is a finding.

Note: The EDSP must indicate what availability the system must have, as approved by the ISSO. This can be used for justification when determining finding and possibly a severity downgrade.

Check Content Reference

M

Target Key

2923
