STIGQter: STIG Summary: Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

Exchange Internet-facing Send connectors must specify a Smart Host.

DISA Rule

SV-221217r612603_rule

Vulnerability Number

V-221217

Group Title

SRG-APP-000213

Rule Version

EX16-ED-000160

Severity

CAT II

CCI(s)

• CCI-001178 - The information system provides additional data origin authentication artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.

Weight

10

Fix Recommendation

Open the Exchange Management Shell and enter the following command:

Set-SendConnector <'IdentityName'> -SmartHosts <'IP Address of Smart Host'> -DNSRoutingEnabled $false

Note: The <IdentityName> value must be in single quotes.

Repeat the procedures for each send connector.

Check Contents

Review the Email Domain Security Plan (EDSP).

Determine the Internet-facing connectors.

Open the Exchange Management Shell and enter the following command:

Get-SendConnector | Select Name, Identity, SmartHosts, DNSRoutingEnabled

For each send connector, if the value of "SmartHosts" does not return the Smart Host IP Address and the value for "DNSRoutingEnabled" is not set to "False", this is a finding.

Vulnerability Number

V-221217

Documentable

False

Rule Version

EX16-ED-000160

Severity Override Guidance

Review the Email Domain Security Plan (EDSP).

Determine the Internet-facing connectors.

Open the Exchange Management Shell and enter the following command:

Get-SendConnector | Select Name, Identity, SmartHosts, DNSRoutingEnabled

For each send connector, if the value of "SmartHosts" does not return the Smart Host IP Address and the value for "DNSRoutingEnabled" is not set to "False", this is a finding.

Check Content Reference

M

Target Key

4079

Comments