{ "name": "stig_microsoft_exchange_2010_hub_transport_server_role", "date": "2012-05-31", "description": "The Microsoft Exchange Server 2010 STIGs cover four of the five roles available with Microsoft Exchange Server 2010, plus core Exchange Server 2010 global requirements. The Email Services Policy STIG must also be reviewed for each site hosting email services. The core Exchange Server guidance must be reviewed on each server role prior to the role-specific guidance. Also, for the Client Access server, the IIS guidance must be reviewed prior to the OWA checks.", "title": "Microsoft Exchange 2010 Hub Transport Server Role", "version": "1", "item_syntax": "^\\w-\\d+$", "section_separator": null, "items": [ { "id": "EXCH-HB-322", "title": "Send Connectors must use a Smart Hosts.", "description": "In the case of identifying a 'Smart Host' for the email environment, the connector level is the preferred location for this configuration because flow control in this routing group will be retained even if future changes occur at the Receive Connector level. \n\nA 'Smart Host' (Edge Transport Server) Role acts as an Internet Facing Concentrator for other email servers. Appropriate hardening can be applied to the Edge Transport Server (Email Secure Gateway) role rather than at multiple locations throughout the enterprise. The 'Smart Host' performs all Domain Name Service (DNS) lookups to determine mail routing and offers some proxy-type benefits. \n\nFailure to identify a 'Smart Host' could default to each email server performing its own lookups (potentially through protective firewalls). Exchange servers should not be Internet facing, and should therefore not perform any 'Smart Host' functions. They must, however, be configured to identify the server that is performing the \"Smart Host\" function.", "severity": "medium" }, { "id": "Exch-HB-201", "title": "Receive Connector message size must be controlled.", "description": "This setting can be used to limit the total size of messages at the connector level. This includes the message header, the message body, and any attachments. For internal message flow, Exchange Server uses the custom X-MS-Exchange-Organization-OriginalSize: message header to record the original message size of the message as it enters the Exchange Server organization. Whenever the message is checked against the specified message size limits, the lower value of the current message size or the original message size header is used. The size of the message can change because of content conversion, encoding, and agent processing. This setting somewhat limits the impact a malicious user or a computer with malware can have on the Exchange infrastructure by restricting the size of incoming messages.", "severity": "low" }, { "id": "Exch-HB-202", "title": "Receive Connector connections count must be controlled.", "description": "Email system availability depends in part on best practices strategies for setting tuning. This configuration controls the maximum number of simultaneous inbound connections allowed to the server. By default, the number of simultaneous inbound connections is unlimited. If a limit is set and is too low, the connections pool may get filled. If attackers perceive there is a limit, they could deny service to the Simple Mail Transfer Protocol (SMTP) server using a limited connection count.\n", "severity": "low" }, { "id": "Exch-HB-203", "title": "Receive Connector timeout must be limited.", "description": "Email system availability depends in part on best practices strategies for setting tuning. This configuration controls the number of idle minutes before the connection is dropped. It works in conjunction with the Maximum Inbound Connections Count setting. \n\nConnections, once established, may incur delays in message transfer. If the timeout period is too long, there is risk that idle connections may be maintained for unnecessarily long time periods, preventing new connections from being established. \n", "severity": "low" }, { "id": "Exch-HB-204", "title": "Receive Connector must restrict relay access.", "description": "This control is used to limit the servers that may use this server as a relay. If an Simple Mail Transport Protocol (SMTP) sender does not have a direct connection to the Internet (for example, an application that produces reports to be emailed) then it will need to use an SMTP Receive Connector that does have a path to the Internet (for example, a local email server) as a relay.\n\nSMTP relay functions must be protected so that third parties are not able to hijack a relay service for their own purposes. Most commonly, hijacking of relays is done by SPAMMERS to disguise the source of their messages, and may also be used to cover the source of more destructive attacks. Because authenticated connections are the most secure for SMTP Receive Connectors, it is recommended that relays allow only servers that can authenticate.", "severity": "medium" }, { "id": "Exch-HB-205", "title": "Receive Connector connection must be encrypted.", "description": "The Simple Mail Transfer Protocol (SMTP) Receive Connector is used by Exchange to send and receive messages from server to server using SMTP protocol. This setting controls the encryption strength used for client connections to the SMTP Receive Connector. With this feature enabled, only clients capable of supporting secure communications will be able to send mail using this SMTP server. Where secure channels are required, encryption can also be selected. \n\nThe use of secure communication prevents eavesdroppers from reading or modifying communications between mail clients and servers. While sensitive message bodies should be encrypted by the sender at the client, requiring a secure connection from the client to the server adds protection by encrypting the sender and recipient information that cannot be encrypted by the sender. \n\nIndividually, channel security and encryption can be compromised by attackers. Used together, email becomes a more difficult target, and security is heightened. Failure to enable this feature gives eavesdroppers an opportunity to read or modify messages between the client and server.", "severity": "medium" }, { "id": "Exch-HB-206", "title": "Receive Connectors must use Domain Security (Mutual Authentication TLS).", "description": "The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. There are several controls that work together to provide security between internal servers. This setting controls the authentication method used for communications between servers. With this feature enabled, only servers capable of supporting domain authentication will be able to send and receive mail within the domain.\n\nThe use of secure communication prevents eavesdroppers from reading or modifying communications between mail clients and servers. While sensitive message bodies should be encrypted by the sender at the client, requiring a secure connection from the server to server adds protection by encrypting the sender and recipient information that cannot be encrypted by the sender. \n\nIndividually, channel security and encryption can be compromised by attackers. Used together, email becomes a more difficult target, and security is heightened. Failure to enable this feature gives eavesdroppers an opportunity to read or modify messages between servers.", "severity": "medium" }, { "id": "Exch-HB-208", "title": "Receive Connectors must control the message count per inbound session.", "description": "Email system availability depends in part on best practices strategies for setting tuning configurations. This setting controls the maximum number of messages allowed in a single SMTP session by breaking large numbers of messages into multiple sessions. Failure to control message counts as they arrive adds risk that a sending domain could monopolize email resources by not controlling message counts per session as inbound messages arrive. Microsoft best practice recommends setting this to a value of 300.", "severity": "low" }, { "id": "Exch-HB-209", "title": "Receive Connectors must control the number of recipients 'chunked' on a single message.", "description": "Email system availability depends in part on best practices strategies for setting tuning configurations. This setting is used when two Exchange servers send or receive email. The chunking setting enables large message bodies to be relayed by the remote server to the Receive Connector in multiple, smaller chunks.", "severity": "low" }, { "id": "Exch-HB-210", "title": "Receive Connectors must be clearly named.", "description": "For Receive Connectors, unclear naming as to direction and purpose increases risk that messages may not flow as intended, troubleshooting efforts may be impaired, or incorrect assumptions made about the completeness of the configuration. \n\nCollectively, connectors should account for all connections required for the overall email topology design. Simple Mail Transfer Protocol (SMTP) connectors, when listed, must name purpose and direction clearly, and their counterparts on servers to which they connect should be recognizable as their partners.\n", "severity": "low" }, { "id": "Exch-HB-211", "title": "Send Connectors must be clearly named.", "description": "For Send Connectors, unclear naming as to direction and purpose increases risk that messages may not flow as intended, troubleshooting efforts may be impaired, or incorrect assumptions made about the completeness of the configuration. \n\nCollectively, connectors should account for all connections required for the overall email topology design. Simple Mail Transfer Protocol (SMTP) connectors, when listed, must name purpose and direction clearly, and their counterparts on servers to which they connect should be recognizable as their partners.\n", "severity": "low" }, { "id": "Exch-HB-212", "title": "Send Connector delivery retries must be controlled.", "description": "This setting controls the rate at which delivery attempts from the home domain are retried, user notification is issued, and expiration timeout when the message will be discarded. \n\nIf delivery retry attempts are too frequent, servers will generate network congestion. If too far apart, then messages may remain queued longer than necessary, potentially raising disk resource requirements. \n\nThe default values of these fields should be adequate for most environments. Administrators may wish to modify the values as a result, but changes should be documented in the System Security Plan.\n\nNote: Transport configuration settings apply to the organization/global level of Exchange by checking and setting them at the Hub server the setting will apply to both Hub and Edge roles.", "severity": "low" }, { "id": "Exch-HB-213", "title": "Send Connector message size must be controlled.", "description": "This setting can be used to limit the total size of messages at the connector level. This includes the message header, the message body, and any attachments. For internal message flow, Exchange Server uses the custom X-MS-Exchange-Organization-OriginalSize: message header to record the original message size of the message as it enters the Exchange Server organization. Whenever the message is checked against the specified message size limits, the lower value of the current message size or the original message size header is used. The size of the message can change because of content conversion, encoding, and agent processing. This setting somewhat limits the impact a malicious user or a computer with malware can have on the Exchange infrastructure by restricting the size of incoming messages.", "severity": "medium" }, { "id": "Exch-HB-214", "title": "Send Connector connections count must be limited.", "description": "This setting controls the maximum number of simultaneous outbound connections allowed for a given SMTP Connector, and can be used to throttle the SMTP service if resource constraints warrant it. If the limit is too low, connections may be dropped. If too high, some domains may use a disproportionate resource share, denying access to other domains. Appropriate tuning reduces risk of data delay or loss. \n\nNote: Transport configuration settings apply to the organization/global level of Exchange by checking and setting them at the Hub server the setting will apply to both Hub and Edge roles.", "severity": "low" }, { "id": "Exch-HB-215", "title": "Send connections per domain must be set.", "description": "This configuration controls the maximum number of simultaneous outbound connections to a domain, and works in conjunction with the Maximum Outbound Connections Count setting as a delivery tuning mechanism. If the limit is too low, connections may be dropped. If too high, some domains may use a disproportionate resource share, denying access to other domains. Appropriate tuning reduces risk of data delay or loss. \n\nBy default, a limit of 100 simultaneous outbound connections from a domain should be sufficient. The value may be adjusted downward if justified by local site conditions.\n\nNote: Transport configuration settings apply to the organization/global level of Exchange by checking and setting them at the Hub server the setting will apply to both Hub and Edge roles.", "severity": "low" }, { "id": "Exch-HB-216", "title": "Send Connectors must use Domain Security (Mutual Authentication TLS).", "description": "The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. There are several controls that work together to provide security between internal servers. This setting controls the authentication method used for communications between servers. With this feature enabled, only servers capable of supporting domain authentication will be able to send and receive mail within the domain.\n\nThe use of secure communication prevents eavesdroppers from reading or modifying communications between mail clients and servers. While sensitive message bodies should be encrypted by the sender at the client, requiring a secure connection from the server to server adds protection by encrypting the sender and recipient information that cannot be encrypted by the sender. \n\nIndividually, channel security and encryption can be compromised by attackers. Used together, email becomes a more difficult target, and security is heightened. Failure to enable this feature gives eavesdroppers an opportunity to read or modify messages between servers.", "severity": "medium" }, { "id": "Exch-HB-217", "title": "Send Connectors must be encrypted.", "description": "The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. There are several controls that work together to provide security between internal servers. This setting controls the encryption method used for communications between servers. With this feature enabled, only servers capable of supporting Transport Layer Security (TLS) will be able to send and receive mail within the domain.\n\nThe use of secure communication prevents eavesdroppers from reading or modifying communications between mail clients and servers. While sensitive message bodies should be encrypted by the sender at the client, requiring a secure connection from the server to server adds protection by encrypting the sender and recipient information that cannot be encrypted by the sender. \n\nIndividually, channel security and encryption can be compromised by attackers. Used together, email becomes a more difficult target, and security is heightened. Failure to enable this feature gives eavesdroppers an opportunity to read or modify messages between servers.", "severity": "medium" }, { "id": "Exch-HB-218", "title": "Email application directory permissions must be restricted.", "description": "Default product installations may provide more generous permissions than are necessary to run the application. By examining and tailoring permissions to more closely provide the least amount of privilege possible, attack vectors that align with user permissions are less likely to access more highly secured areas.", "severity": "medium" }, { "id": "Exch-HB-219", "title": "Connectivity logging must be enabled.", "description": "A connectivity log is a record of the SMTP connection activity of the outbound message delivery queues to the destination Mailbox server, smart host, or domain. Connectivity logging is available on Hub Transport servers and Edge Transport servers. By default, connectivity logging is disabled. If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.\n\nNote: Transport configuration settings apply to the organization/global level of Exchange by checking and setting them at the Hub server the setting will apply to both Hub and Edge roles.", "severity": "medium" } ] }