Edge Subscriptions in Exchange Server 2016

Edge Subscriptions are used to populate the Active Directory Lightweight Directory Services (AD LDS) instance on the Edge Transport server with Active Directory data. Although creating an Edge Subscription is optional, subscribing an Edge Transport server to the Exchange organization provides a simpler management experience and enhances antispam features. You need to create an Edge Subscription if you plan to use recipient lookup or safelist aggregation, or if you plan to help secure SMTP communications with partner domains by using Mutual Transport Layer Security (MTLS).

Edge Subscription process


An Edge Transport server doesn't have direct access to Active Directory. The configuration and recipient information the Edge Transport server uses to process messages is stored locally in AD LDS. Creating an Edge Subscription establishes secure, automatic replication of information from Active Directory to AD LDS. The Edge Subscription process provisions the credentials used to establish a secure LDAP connection between the internal Exchange Mailbox servers and a subscribed Edge Transport server. The Microsoft Exchange EdgeSync service (EdgeSync) that runs on Mailbox servers performs periodic one-way synchronization to transfer up-to-date data to AD LDS. This reduces the administration tasks you perform in the perimeter network by letting you configure the Mailbox server and then synchronize that information to the Edge Transport server.

You subscribe an Edge Transport server to the Active Directory site that contains the Mailbox servers responsible for transferring messages to and from your Edge Transport servers. The Edge Subscription process creates an Active Directory site membership affiliation for the Edge Transport server. The site affiliation enables Mailbox servers in the Exchange organization to relay messages to the Edge Transport server for delivery to the Internet without having to configure explicit Send connectors.

One or more Edge Transport servers can be subscribed to a single Active Directory site. However, an Edge Transport server can't be subscribed to more than one Active Directory site. If you have more than one Edge Transport server deployed, each server can be subscribed to a different Active Directory site. Each Edge Transport server requires an individual Edge Subscription.

To deploy an Edge Transport server and subscribe it to an Active Directory site, follow these steps:

  1. Install the Edge Transport server role.

  2. Prepare for the Edge Subscription:

    • License the Edge Transport server.

    • Open ports in the firewall for mail flow and EdgeSync synchronization.

    • Verify that the Mailbox servers and the Edge Transport server can locate one another using DNS name resolution.

    • On the Mailbox Server, configure the transport settings to be replicated to the Edge Transport server.

  3. On the Edge Transport server, create and export an Edge Subscription file by running the New-EdgeSubscription cmdlet.

  4. Copy the Edge Subscription file to a Mailbox server or a file share that's accessible from the Active Directory site containing your Mailbox servers.

  5. Import the Edge Subscription file to the Active Directory site by running the New-EdgeSubscription cmdlet on the Mailbox server.

Prepare for the Edge Subscription

Before you can subscribe your Edge Transport server to your Exchange organization, you need to make sure your infrastructure and your Mailbox servers are prepared for the EdgeSync synchronization. To prepare for EdgeSync, you need to:

  • License the Edge Transport server: The licensing information for the Edge Transport server is captured when the Edge Subscription is created, so apply the product key on the Edge Transport server before you subscribe it. If you apply the product key after you perform the Edge Subscription process, the licensing information isn't updated in the Exchange organization, and you need to resubscribe the Edge Transport server.

  • Verify that the required ports are open in the firewall: The following ports are used by subscribed Edge Transport servers:

    • SMTP: Port 25/TCP must be open for inbound and outbound mail flow between the Internet and the Edge Transport server, and between the Edge Transport server and the internal Exchange organization.

    • Secure LDAP: Non-standard port 50636/TCP must be open from the Mailbox servers to the Edge Transport server. EdgeSync on the Mailbox servers initiates the connection to AD LDS on the Edge Transport server over this port, so it's required for successful EdgeSync synchronization. Allow it only from the internal network; it must never be reachable from the Internet-facing side of the perimeter firewall.

    Note

    Port 50389/TCP is used locally by LDAP to bind to the AD LDS instance. This port doesn't have to be open on the firewall; it's used locally on the Edge Transport server.

    If your environment requires specific ports, you can modify the ports used by AD LDS using the ConfigureAdam.ps1 script provided with Exchange. Modify the ports before you create the Edge Subscription. If you modify the ports after you create the Edge Subscription, you need to remove the Edge Subscription and create another one.

  • Verify that DNS host name resolution is successful in both directions: from the Edge Transport server to the Mailbox servers, and from the Mailbox servers to the Edge Transport server.

  • Configure the following transport settings for propagation to the Edge Transport server:

    • Internal SMTP servers: Use the InternalSMTPServers parameter on the Set-TransportConfig cmdlet to specify a list of internal SMTP server IP addresses or IP address ranges to be ignored by the Sender ID and Connection Filtering agents on the Edge Transport server.

    • Accepted domains: Configure all authoritative domains, internal relay domains, and external relay domains.

    • Remote domains: Configure the settings for the default remote domain object (used for recipients in all remote domains), and configure remote domain objects as required for recipients in specific remote domains.
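The preparation steps above, carried out in the Exchange Management Shell on a Mailbox server in the site that will be subscribed. This is an added example, not a listing from the original page; the server names, IP range, domain names and partner domain are assumptions chosen for illustration.

```powershell
# Added example (not from the original page). Run on a Mailbox server in the
# Active Directory site to be subscribed. All names and addresses are assumed.

$edgeFqdn     = 'edge01.contoso.com'                        # assumed Edge Transport server
$mailboxFqdns = 'mbx01.contoso.com', 'mbx02.contoso.com'    # assumed Mailbox servers in the site

# 1. Name resolution must work in both directions. EdgeSync is initiated by the
#    Mailbox server, while the Edge Transport server must resolve the Mailbox
#    servers to reach the smart hosts of the inbound Send connector.
Resolve-DnsName -Name $edgeFqdn -Type A -ErrorAction Stop | Out-Null
foreach ($mbx in $mailboxFqdns) {
    Resolve-DnsName -Name $mbx -Type A -ErrorAction Stop | Out-Null
}

# 2. Firewall: from this Mailbox server, SMTP (25) and secure LDAP (50636) must
#    reach the Edge Transport server. 50636 should be permitted from the Mailbox
#    servers only; it has no business being reachable from the Internet side.
foreach ($port in 25, 50636) {
    $r = Test-NetConnection -ComputerName $edgeFqdn -Port $port -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { throw "TCP $port to $edgeFqdn is blocked" }
}

# 3. Internal SMTP servers: these addresses are skipped by the Sender ID and
#    Connection Filtering agents on the Edge Transport server, so list only the
#    hosts that legitimately relay mail inside the organization.
Set-TransportConfig -InternalSMTPServers @{Add = '10.1.10.0/24'}   # assumed internal mail subnet

# 4. Accepted domains that EdgeSync will replicate to AD LDS.
New-AcceptedDomain -Name 'Contoso'        -DomainName 'contoso.com'  -DomainType Authoritative
New-AcceptedDomain -Name 'Fabrikam relay' -DomainName 'fabrikam.com' -DomainType InternalRelay

# 5. Default remote domain settings (apply to recipients in all remote domains).
Set-RemoteDomain -Identity 'Default' -AutoReplyEnabled $false -AutoForwardEnabled $false

# Optional: partner domains for Domain Security (mutual TLS) are replicated too.
Set-TransportConfig -TLSSendDomainSecureList @{Add = 'partner.example'} `
                    -TLSReceiveDomainSecureList @{Add = 'partner.example'}

# Review what will be replicated before creating the subscription.
Get-TransportConfig | Format-List InternalSMTPServers, TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-AcceptedDomain  | Format-Table Name, DomainName, DomainType
```

The port test only proves reachability in the direction EdgeSync actually uses (Mailbox server to Edge Transport server); check the reverse SMTP path from the Edge Transport server separately, since that is where inbound Internet mail is relayed from.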

Create and export an Edge Subscription file on the Edge Transport server

When you create an Edge Subscription file by running the New-EdgeSubscription cmdlet on the Edge Transport server, the following actions occur:

  • An AD LDS account called the EdgeSync bootstrap replication account (ESBRA) is created. These ESBRA credentials are used to authenticate the first EdgeSync connection to the Edge Transport server. This account is configured to expire 24 hours after being created. Therefore, you need to complete the five-step subscription process described in the previous section within 24 hours. If the ESBRA expires before the Edge Subscription process is complete, you will need to run the New-EdgeSubscription cmdlet again to create a new Edge Subscription file.

  • The ESBRA credentials are retrieved from AD LDS and written to the Edge Subscription file. The public key for the Edge Transport server's self-signed certificate is also exported to the Edge Subscription file. The credentials written to the Edge Subscription file are specific to the server that exported the file.

  • Any previously created configuration objects on the Edge Transport server that will now be replicated to AD LDS from Active Directory are deleted from AD LDS, and the Exchange Management Shell cmdlets used to configure those objects are disabled. However, you can still use the Get-* cmdlets to view those objects. Running the New-EdgeSubscription cmdlet disables the following cmdlets on the Edge Transport server:

    • Set-SendConnector

    • New-SendConnector

    • Remove-SendConnector

    • New-AcceptedDomain

    • Set-AcceptedDomain

    • Remove-AcceptedDomain

    • New-RemoteDomain

    • Set-RemoteDomain

    • Remove-RemoteDomain

This example creates and exports the Edge Subscription file on the Edge Transport server.

Note

When you run the New-EdgeSubscription cmdlet on the Edge Transport server, you receive a prompt to acknowledge the commands that will be disabled and the configuration that will be overwritten on the Edge Transport server. To bypass this confirmation, you need to use the Force parameter. This parameter is useful when you script the New-EdgeSubscription cmdlet. You can also use the Force parameter to overwrite an existing file when you resubscribe an Edge Transport server.
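The export step on the Edge Transport server, as an added example rather than the page's own listing (which is missing here). The file path is an assumption. The Edge Subscription file carries the ESBRA credentials in clear form, so the example also tightens its ACL; that protection step is this editor's recommendation, not part of the cmdlet.

```powershell
# Added example (not from the original page). Run in the Exchange Management
# Shell on the Edge Transport server. The file path is assumed.
$subscriptionFile = 'C:\Data\EdgeSubscriptionInfo.xml'

# Apply the product key first: licensing is captured into the subscription at
# creation time, and a key applied later means resubscribing. Placeholder key:
# Set-ExchangeServer -Identity $env:COMPUTERNAME -ProductKey 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'

# Create the ESBRA in AD LDS and export it, together with the public key of the
# server's self-signed certificate, to the file. -Force skips the prompt about
# the cmdlets that will be disabled and overwrites the file on resubscription.
New-EdgeSubscription -FileName $subscriptionFile -Force

# The file holds bootstrap credentials that are valid for 24 hours. Treat it as
# a secret: strip inherited permissions, leave only Administrators, move it to
# the Mailbox server over an authenticated channel, and delete both copies once
# the import has succeeded.
$acl = Get-Acl -Path $subscriptionFile
$acl.SetAccessRuleProtection($true, $false)        # stop inheriting, drop inherited ACEs
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $subscriptionFile -AclObject $acl

# The New-/Set-/Remove- cmdlets for Send connectors, accepted domains and remote
# domains now fail on this server; the Get-* cmdlets still show the local objects.
Get-SendConnector
Get-AcceptedDomain
```

If the import on the Mailbox server does not happen within 24 hours, run the export again; the expired ESBRA in the old file cannot be reused.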

Import the Edge Subscription file on a Mailbox server

When you import the Edge Subscription file to the Active Directory site by running the New-EdgeSubscription cmdlet on a Mailbox server, the following actions occur:

  • The Edge Subscription is created, joining the Edge Transport server to the Exchange organization. EdgeSync will propagate configuration data to this Edge Transport Server, creating an Edge configuration object in Active Directory.

  • Each Mailbox server in the Active Directory site receives notification from Active Directory that a new Edge Transport server has been subscribed. The Mailbox server retrieves the ESBRA from the Edge Subscription file. The Mailbox server then encrypts the ESBRA by using the public key of the Edge Transport server's self-signed certificate. The encrypted credentials are then written to the Edge configuration object.

  • Each Mailbox server also encrypts the ESBRA using its own public key and then stores the credentials in its own configuration object.

  • EdgeSync replication accounts (ESRAs) are created in Active Directory for each Edge Transport-Mailbox server pair. Each Mailbox server stores its ESRA credentials as an attribute of the Mailbox server configuration object.

  • Send connectors are automatically created to relay messages outbound from the Edge Transport server to the Internet, and inbound from the Edge Transport server to the Exchange organization. For more information, see the Send connectors created automatically by the Edge Subscription section in this topic.

  • The Microsoft Exchange EdgeSync service that runs on Mailbox servers uses the ESBRA credentials to establish a secure LDAP connection between a Mailbox server and the Edge Transport server, and performs the initial replication of data. The following data is replicated to AD LDS:

    • Topology data

    • Configuration data

    • Recipient data

    • ESRA credentials

  • The Microsoft Exchange Credential Service that runs on the Edge Transport server installs the ESRA credentials. These credentials are used to authenticate and secure later synchronization connections.

  • The EdgeSync synchronization schedule is established.

  • The Microsoft Exchange EdgeSync service running on the Mailbox servers in the subscribed Active Directory site then performs one-way replication of data from Active Directory to AD LDS on a regular schedule. You can also use the Start-EdgeSynchronization cmdlet to override the EdgeSync synchronization schedule and immediately start synchronization.

This example subscribes an Edge Transport server to the specified site and automatically creates the Internet Send connector and the Send connector from the Edge Transport server to the Mailbox servers.

Note

The default values of the CreateInternetSendConnector and CreateInboundSendConnector parameters are both $true, so you don't need to use them in this command.
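The import step on a Mailbox server, followed by the checks a practitioner would run before trusting the new subscription. This is an added example, not the page's own listing; the file path and site name are assumptions.

```powershell
# Added example (not from the original page). Run in the Exchange Management
# Shell on a Mailbox server in the site being subscribed. Path and site assumed.
$subscriptionFile = 'C:\Data\EdgeSubscriptionInfo.xml'   # copied from the Edge Transport server
$siteName         = 'Default-First-Site-Name'

# FileData takes the raw bytes of the Edge Subscription file. Both Send
# connectors are created because CreateInternetSendConnector and
# CreateInboundSendConnector default to $true.
$fileData = [byte[]](Get-Content -Path $subscriptionFile -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $fileData -Site $siteName

# Start the initial replication now rather than waiting for the schedule, then
# verify it. -FullCompareMode compares the AD LDS contents against Active
# Directory instead of only reporting the last synchronization time.
Start-EdgeSynchronization -Server $env:COMPUTERNAME -ForceFullSync
Test-EdgeSynchronization -FullCompareMode |
    Format-List Name, SyncStatus, LeaseHolder, LastSynchronizedUtc, FailureDetail

# Confirm the subscription and the two automatically created Send connectors,
# including that the Internet connector has DomainSecureEnabled set.
Get-EdgeSubscription | Format-List Name, Site
Get-SendConnector | Where-Object { $_.Name -like 'EdgeSync - *' } |
    Format-List Name, AddressSpaces, SourceTransportServers, SmartHosts, DNSRoutingEnabled, DomainSecureEnabled

# The bootstrap credentials in the file have done their job; remove this copy
# (and the one left on the Edge Transport server).
Remove-Item -Path $subscriptionFile -Force
```

A SyncStatus other than Normal, or a FailureDetail value, usually points back to the preparation step: port 50636 blocked in the Mailbox-to-Edge direction, or a name that resolves on one side only.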

Send connectors created automatically by the Edge Subscription

By default, when you import the Edge Subscription file to a Mailbox server, the Send connectors required to enable end-to-end mail flow between the Internet and the Exchange organization are created automatically, and any existing Send connectors on the Edge Transport server are deleted.

The Edge Subscription creates the following Send connectors:

  • A Send connector named EdgeSync - Inbound to <Site Name> that's configured to relay messages from the Edge Transport server to the Exchange organization.

  • A Send connector named EdgeSync - <Site Name> to Internet that's configured to relay messages from the Exchange organization to the Internet.

Also, subscribing an Edge Transport server to the Exchange organization allows the Mailbox servers in the subscribed Active Directory site to use the invisible and implicit intra-organization Send connector to relay messages to the Edge Transport server.

Inbound Send connector to receive messages from the Internet

When you run the New-EdgeSubscription cmdlet on the Mailbox server, the CreateInboundSendConnector parameter defaults to $true. This creates the Send connector needed to send messages from the Edge Transport server to the Exchange organization. The following properties describe the configuration of this Send connector.

Automatic inbound Send connector configuration

  • Name: EdgeSync - Inbound to <Site Name>

  • AddressSpaces: SMTP:--;1

    The -- value in the address space represents all authoritative and internal relay accepted domains for the Exchange organization. Any messages the Edge Transport server receives for these accepted domains are routed to this Send connector and relayed to the smart hosts.

  • SourceTransportServers: <Edge Subscription name>

  • Enabled: True

  • DNSRoutingEnabled: False

  • SmartHosts: --

    The -- value in the list of smart hosts represents all Mailbox servers in the subscribed Active Directory site. Any Mailbox servers you add to the subscribed Active Directory site after you establish the Edge Subscription don't participate in the EdgeSync synchronization process. However, they are automatically added to the list of smart hosts for the automatically created inbound Send connector. If more than one Mailbox server is located in the subscribed Active Directory site, inbound connections will be load balanced across the smart hosts.

You can't modify the address space or list of smart hosts at creation time for the automatically created inbound Send connector. However, you can set the CreateInboundSendConnector parameter to the value $false when you create an Edge Subscription. This allows you to manually configure a Send connector from the Edge Transport server to the Exchange organization.

Outbound Send connector to send messages to the Internet

When you run the New-EdgeSubscription cmdlet on the Mailbox server, the CreateInternetSendConnector parameter defaults to $true. This creates the Send connector needed to send messages from the Exchange organization to the Internet. The following properties describe the default configuration of this Send connector.

Automatic Internet Send connector configuration

  • Name: EdgeSync - <Site Name> to Internet

  • AddressSpaces: SMTP:*;100

  • SourceTransportServers: <Edge Subscription name>

    The name of the Edge Subscription is the same as the name of the subscribed Edge Transport server.

  • Enabled: True

  • DNSRoutingEnabled: True

  • DomainSecureEnabled: True

If more than one Edge Transport server is subscribed to the same Active Directory site, no additional Send connectors to the Internet are created. Instead, all Edge Subscriptions are added to the same Send connector as the source server. This load balances outbound connections to the Internet across the subscribed Edge Transport servers.

The outbound Send connector is configured to send email messages from the Exchange organization to all remote SMTP domains, using DNS routing to resolve domain names to MX resource records.

Details about the EdgeSync service

After you subscribe an Edge Transport server to an Active Directory site, EdgeSync will replicate configuration and recipient data to the Edge Transport servers. The service replicates the following data from Active Directory to AD LDS:

  • Send connector configuration

  • Accepted domains

  • Remote domains

  • Safe Senders Lists

  • Blocked Senders Lists

  • Recipients

  • List of send and receive domains used in domain secure communications with partners

  • List of SMTP servers listed as internal in your organization's transport configuration

  • List of Mailbox servers in the subscribed Active Directory site

EdgeSync uses a mutually authenticated and authorized secure LDAP channel to transfer data from the Mailbox server to the Edge Transport server.

To replicate data to AD LDS, the Mailbox server binds to a global catalog server to retrieve updated data. EdgeSync initiates a secure LDAP session between a Mailbox server and the subscribed Edge Transport server over the non-standard TCP port 50636.

When you first subscribe an Edge Transport server to an Active Directory site, the initial replication that populates AD LDS with data from Active Directory can take five minutes or more, depending on the quantity of data in the directory service. After initial replication, EdgeSync only synchronizes new and changed objects, and removes any deleted objects.

Synchronization schedule

Different types of data synchronize on different schedules. The EdgeSync synchronization schedule specifies the maximum interval between EdgeSync synchronizations. EdgeSync synchronization occurs at the following intervals:

  • Configuration data: 3 minutes.

  • Recipient data: 5 minutes.

  • Topology data: 5 minutes.

If you want to change these intervals, use the Set-EdgeSyncServiceConfig cmdlet. Using the Start-EdgeSynchronization cmdlet on the Mailbox server to force Edge Subscription synchronization overrides the timer for the next scheduled EdgeSync synchronization, and starts EdgeSync immediately.

Selection of Mailbox servers

Each subscribed Edge Transport server is associated with a particular Active Directory site. If more than one Mailbox server exists in the site, any of these Mailbox servers can replicate data to the subscribed Edge Transport servers. To avoid contention among Mailbox servers when synchronizing, the preferred Mailbox server is selected as follows:

  1. The first Mailbox server in the Active Directory site to perform a topology scan and discover the new Edge Subscription performs the initial replication. Because this discovery is based on the timing of the topology scan, any Mailbox server in the site may perform the initial replication.

  2. The Mailbox server performing the initial replication establishes an EdgeSync lease option and sets a lock on the Edge Subscription. The lease option establishes that particular Mailbox server as the preferred server providing synchronization services to that Edge Transport server. The lock prevents EdgeSync running on another Mailbox server from taking over the lease option.

  3. The EdgeSync lease option lasts for one hour. During that hour, no other EdgeSync service can take over the option unless a manual synchronization is started before the end of the hour. If the preferred Mailbox server isn't available to provide EdgeSync service at the time manual synchronization is started, after a five-minute wait, the lock is released and another EdgeSync service can take over the lease option and perform synchronization.

  4. Unless manual synchronization is started, synchronization occurs based on the EdgeSync synchronization schedule. If the preferred server isn't available when a scheduled synchronization occurs, after a five-minute wait, the lock is released and another EdgeSync service can take over the lease option and perform synchronization.

This method of locking and leasing prevents more than one instance of EdgeSync from pushing data to the same Edge Transport server at the same time.

Notes:

  • In Exchange 2016 organizations, if you also have Exchange 2010 Hub Transport servers in the subscribed Active Directory site, Exchange 2016 Mailbox servers will always take precedence and perform the replication.

  • When you subscribe an Edge Transport server to an Active Directory site, all Mailbox servers installed in that Active Directory site at that time can participate in the EdgeSync synchronization process. If one of those servers is removed, the EdgeSync service that's running on the remaining Mailbox servers will continue the data synchronization process. However, if you later install new Mailbox servers in the Active Directory site, they won't automatically participate in EdgeSync synchronization. If you want to enable those new Mailbox servers to participate in EdgeSync synchronization, you will need to subscribe the Edge Transport server again.

The following EdgeSync properties control locking and leasing. You can use the Set-EdgeSyncServiceConfig cmdlet to configure them.

EdgeSync lease properties

  • LockDuration (default: 00:05:00, 5 minutes): This setting determines how long a particular EdgeSync service will hold a lock. If the EdgeSync service on the Mailbox server that's holding this lock doesn't respond, after five minutes the EdgeSync service on another Mailbox server will take over the lease. Forcing immediate EdgeSync synchronization doesn't override this setting.

  • OptionDuration (default: 01:00:00, 1 hour): This setting determines how long an EdgeSync service can declare a lease option on an Edge Transport server. If the EdgeSync service holding the lease is unavailable and doesn't restart during this option period, no other Exchange EdgeSync service will take over the lease option unless you force EdgeSync synchronization.

  • LockRenewalDuration (default: 00:01:00, 1 minute): This setting determines how frequently the lock field is updated when an EdgeSync service has acquired a lock to an Edge Transport server.
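Adjusting the synchronization intervals and the lease properties described in the two sections above, as an added example that is not from the original page. The values chosen are illustrative; the defaults are the ones stated in the text. Piping Get-EdgeSyncServiceConfig into the Set- cmdlet applies the change to the configuration object of every subscribed site.

```powershell
# Added example (not from the original page). Run in the Exchange Management
# Shell on a Mailbox server. Interval and log path values are illustrative.

# Current schedule and lease settings.
Get-EdgeSyncServiceConfig |
    Format-List Name, ConfigurationSyncInterval, RecipientSyncInterval, LockDuration, LockRenewalDuration, OptionDuration

# Replicate configuration every 2 minutes and recipients every 10 minutes. Keep
# the 1-hour lease option but shorten LockDuration so that a preferred Mailbox
# server that stops responding is taken over after 3 minutes instead of 5.
# All of these are TimeSpans written as hh:mm:ss.
Get-EdgeSyncServiceConfig |
    Set-EdgeSyncServiceConfig -ConfigurationSyncInterval 00:02:00 `
                              -RecipientSyncInterval     00:10:00 `
                              -LockDuration              00:03:00 `
                              -LockRenewalDuration       00:01:00 `
                              -OptionDuration            01:00:00

# Turn on EdgeSync logging so each replication attempt and lease takeover is
# recorded; keep 14 days. Useful evidence when synchronization stalls.
Get-EdgeSyncServiceConfig |
    Set-EdgeSyncServiceConfig -LogEnabled $true -LogLevel Medium `
                              -LogPath 'D:\Logs\EdgeSync' -LogMaxAge 14.00:00:00   # assumed path

# Force a synchronization now (overrides the timer for the next scheduled run)
# and show which Mailbox server currently holds the lease for each Edge server.
Start-EdgeSynchronization
Test-EdgeSynchronization |
    Format-List Name, SyncStatus, LeaseHolder, LeaseType, LastSynchronizedUtc, FailureDetail
```

Forcing a synchronization only overrides the schedule and the OptionDuration lease; it does not override LockDuration, so if the lease holder has just gone silent, expect the takeover to happen after the lock expires rather than immediately.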

STIG findings (MAC III - Administrative Sensitive)

  • V-221259 (High): Exchange must provide redundancy. Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded ...

  • V-221253 (High): Exchange must render hyperlinks from email sources from non-.mil domains as unclickable. Active hyperlinks within an email are susceptible to attacks of malicious software or malware. The hyperlink could lead to a malware infection or redirect the website to another fraudulent website ...

  • V-221261 (High): Exchange internal Receive connectors must require encryption. The Simple Mail Transfer Protocol (SMTP) Receive connector is used by Exchange to send and receive messages from server to server using SMTP protocol. This setting controls the encryption strength ...

  • V-221262 (High): Exchange internal Send connectors must require encryption. The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. Several controls work together to provide security between internal ...

  • V-221221 (Medium): Exchange Outbound Connection Limit per Domain Count must be controlled. Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the maximum number of simultaneous outbound connections from a ...

  • V-221220 (Medium): Exchange Outbound Connection Timeout must be 10 minutes or less. Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the number of idle minutes before the connection is dropped. It ...

  • V-221209 (Medium): Exchange Queue monitoring must be configured with threshold and action. Monitors are automated 'process watchers' that respond to performance changes and can be useful in detecting outages and alerting administrators where attention is needed. Exchange has built-in ...

  • V-221258 (Medium): The Exchange SMTP automated banner response must not reveal server details. Automated connection responses occur as a result of FTP or Telnet connections when connecting to those services. They report a successful connection by greeting the connecting client and stating ...

  • V-221229 (Medium): Exchange Receive connectors must control the number of recipients per message. Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the maximum number of recipients who will receive a copy of a ...

  • V-221255 (Medium): The Exchange software baseline copy must exist. Exchange software, as with other application software installed on a host system, must be included in a system baseline record and periodically reviewed; otherwise, unauthorized changes to the ...

  • V-221254 (Medium): The Exchange application directory must be protected from unauthorized access. Default product installations may provide more generous access permissions than are necessary to run the application. By examining and tailoring access permissions to more closely provide the ...

  • V-221257 (Medium): Exchange software must be installed on a separate partition from the OS. In the same way that added security layers can provide a cumulative positive effect on security posture, multiple applications can provide a cumulative negative effect. A vulnerability and ...

  • V-221256 (Medium): Exchange services must be documented and unnecessary services must be removed or disabled. Unneeded but running services offer attackers an enhanced attack profile, and attackers are constantly watching to discover open ports with running services. By analyzing and disabling unneeded ...

  • V-221251 (Medium): Exchange must have antispam filtering configured. Originators of spam messages are constantly changing their techniques in order to defeat spam countermeasures; therefore, spam software must be constantly updated to address the changing threat. A ...

  • V-221250 (Medium): Exchange must have antispam filtering enabled. Originators of spam messages are constantly changing their techniques in order to defeat spam countermeasures; therefore, spam software must be constantly updated to address the changing threat. ...

  • V-221252 (Medium): Exchange Sender Identification Framework must be enabled. Email is only as secure as the recipient. When the recipient is an email server accepting inbound messages, authenticating the sender enables the receiver to better assess message quality and to ...

  • V-221211 (Medium): Exchange audit data must be protected against unauthorized access (read access). Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be ...

  • V-221210 (Medium): Exchange must not send Customer Experience reports to Microsoft. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked ...

  • V-221213 (Medium): Exchange audit data must be protected against unauthorized access for modification. Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be ...

  • V-221238 (Medium): The Exchange Sender Reputation filter must identify the spam block level. By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server ...

  • V-221215 (Medium): Exchange audit data must be on separate partitions. Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be ...

  • V-221214 (Medium): Exchange audit data must be protected against unauthorized access for deletion. Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit log content must always be ...

  • V-221217 (Medium): Exchange Internet-facing Send connectors must specify a Smart Host. When identifying a 'Smart Host' for the email environment, a logical Send connector is the preferred method. A Smart Host acts as an Internet-facing concentrator for other email servers. ...

  • V-221216 (Medium): The Exchange local machine policy must require signed scripts. Scripts, especially those downloaded from untrusted locations, often provide a way for attackers to infiltrate a system. By setting machine policy to prevent unauthorized script executions, ...

  • V-221233 (Medium): Exchange messages with a blank sender field must be filtered. By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server ...

  • V-221212 (Medium): Exchange Send Fatal Errors to Microsoft must be disabled. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked ...

  • V-221237 (Medium): The Exchange Sender Reputation filter must be enabled. By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server ...

  • V-221236 (Medium): Exchange nonexistent recipients must not be blocked. Spam originators, in an effort to refine mailing lists, sometimes use a technique where they first create fictitious names and then monitor rejected emails for non-existent recipients. Those not ...

  • V-221235 (Medium): The Exchange Sender filter must block unaccepted domains. Spam origination sites and other sources of suspected email-borne malware have the ability to corrupt, compromise, or otherwise limit availability of email servers. Limiting exposure to unfiltered ...

  • V-221234 (Medium): Exchange filtered messages must be archived. By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server ...

  • V-221208 (Medium): Exchange Connectivity logging must be enabled. A connectivity log is a record of the SMTP connection activity of the outbound message delivery queues to the destination mailbox server, smart host, or domain. Connectivity logging is available ...

  • V-221232 (Medium): Exchange messages with a blank sender field must be rejected. By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server ...

  • V-221263 (Medium): Exchange must have the most current, approved service pack installed. The organization (including any contractor to the organization) must promptly install security-relevant software updates (e.g., patches, service packs, hot fixes). Flaws discovered during security ...

  • V-221202 (Medium): Exchange must limit the Receive connector timeout. Email system availability depends in part on best practices strategies for setting tuning. This configuration controls the number of idle minutes before the connection is dropped. It works in ...

  • V-221219 (Medium): Exchange Internet-facing Receive connectors must offer Transport Layer Security (TLS) before using basic authentication. Sending unencrypted email over the Internet increases the risk that messages can be intercepted or altered. TLS is designed to protect confidentiality and data integrity by encrypting email ...

  • V-221203 (Medium): Exchange servers must use approved DoD certificates. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., networks, web servers, and web ...

  • V-221270 (Medium): The application's built-in Malware Agent must be disabled. Malicious code protection mechanisms include, but are not limited to, anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be ...

  • V-221218 (Medium): Exchange internal Send connectors must use domain security (mutual authentication Transport Layer Security). The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. Several controls work together to provide security between internal ...

  • V-221248 (Medium): The Exchange Simple Mail Transfer Protocol (SMTP) Sender filter must be enabled. Email system availability depends in part on best practices strategies for setting tuning configurations. Careful tuning reduces the risk that system or network congestion will contribute to ...

  • V-221249 (Medium): Exchange must have antispam filtering installed. Originators of spam messages are constantly changing their techniques in order to defeat spam countermeasures; therefore, spam software must be constantly updated to address the changing threat. ...

  • V-221242 (Medium): Exchange messages with a malformed From address must be rejected. Sender Identification (SID) is an email antispam sanitization process. Sender ID uses DNS MX record lookups to verify the Simple Mail Transfer Protocol (SMTP) sending server is authorized to send ...
V-221243MediumThe Exchange Recipient filter must be enabled.Email system availability depends in part on best practice strategies for setting tuning configurations. Careful tuning reduces the risk that system or network congestion will contribute to ...
V-221240MediumThe Exchange Spam Evaluation filter must be enabled.By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages may be eliminated from the transport message stream, preventing their entry into the ...
V-221241MediumThe Exchange Block List service provider must be identified.Block List filtering is a sanitization process performed on email messages prior to their arrival at the destination mailbox. By performing this process at the email perimeter, threats can be ...
V-221246MediumExchange Simple Mail Transfer Protocol (SMTP) IP Allow List entries must be empty.Email system availability depends in part on best practice strategies for setting tuning configurations. Careful tuning reduces the risk that system or network congestion will contribute to ...
V-221247MediumThe Exchange Simple Mail Transfer Protocol (SMTP) IP Allow List Connection filter must be enabled.Email system availability depends in part on best practice strategies for setting tuning configurations. Careful tuning reduces the risk that system or network congestion will contribute to ...
V-221244MediumThe Exchange tarpitting interval must be set.Tarpitting is the practice of artificially delaying server responses for specific Simple Mail Transfer Protocol (SMTP) communication patterns that indicate high volumes of spam or other unwelcome ...
V-221245MediumExchange internal Receive connectors must not allow anonymous connections.This control is used to limit the servers that may use this server as a relay. If a Simple Mail Transport Protocol (SMTP) sender does not have a direct connection to the Internet (for example, an ...
V-221264MediumThe application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.Malicious code protection mechanisms include, but are not limited, to anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be ...
V-221265MediumThe application must configure malicious code protection mechanisms to perform periodic scans of the information system every seven days.Malicious code protection mechanisms include, but are not limited, to anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be ...
V-221266MediumThe application must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.Malicious code protection mechanisms include, but are not limited, to anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be ...
V-221267MediumThe application must be configured to block and quarantine malicious code upon detection, then send an immediate alert to appropriate individuals.Malicious code protection mechanisms include, but are not limited, to anti-virus and malware detection software. In order to minimize potential negative impact to the organization that can be ...
V-221260MediumExchange internal Send connectors must use an authentication level.The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. Several controls work together to provide security between internal ...
V-221239MediumExchange Attachment filtering must remove undesirable attachments by file type.By performing filtering at the perimeter, up to 90 percent of spam, malware, and other undesirable messages are eliminated from the message stream rather than admitting them into the mail server ...
V-221206MediumExchange external Receive connectors must be domain secure-enabled.The Simple Mail Transfer Protocol (SMTP) connector is used by Exchange to send and receive messages from server to server. Several controls work together to provide security between internal ...
V-221207MediumThe Exchange email Diagnostic log level must be set to the lowest level.Log files help establish a history of activities and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Diagnostic logging, however, ...
V-221204MediumExchange must have accepted domains configured.Exchange may be configured to accept email for multiple domain names. This setting identifies the domains for which the server will accept mail. This check verifies the email server is not ...
V-221205MediumExchange must have auto-forwarding of email to remote domains disabled or restricted.Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this information to conduct future attacks. Ensure ...
V-221268MediumThe application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.Malicious code includes viruses, worms, trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. ...
V-221269MediumThe application must update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures.Malicious code includes viruses, worms, trojan horses, and spyware. The code provides the ability for a malicious user to read from and write to files and folders on a computer's hard drive. ...
V-221226MediumExchange Receive connector Maximum Hop Count must be 60.Email system availability depends in part on best practice strategies for setting tuning configurations. This setting controls the maximum number of hops (email servers traversed) a message may ...
V-221224LowExchange Send connectors delivery retries must be controlled.This setting controls the rate at which delivery attempts from the home domain are retried and user notifications are issued and notes the expiration time when the message will be discarded. If ...
V-221228LowExchange Receive connectors must control the number of recipients chunked on a single message.Email system availability depends in part on best practice strategies for setting tuning configurations. For message size restrictions, multiple places exist to set or override inbound or outbound ...
V-221231LowExchange Message size restrictions must be controlled on Receive connectors.Email system availability depends in part on best practices strategies for setting tuning configurations. For message size restrictions, multiple places exist to set or override inbound or ...
V-221230LowThe Exchange Internet Receive connector connections count must be set to default.Email system availability depends in part on best practice strategies for setting tuning configurations. This configuration controls the maximum number of simultaneous inbound connections allowed ...
V-221225LowExchange Send connectors must be clearly named.For Send connectors, unclear naming as to direction and purpose increases risk that messages may not flow as intended, troubleshooting efforts may be impaired, or incorrect assumptions may be made ...
V-221223LowExchange message size restrictions must be controlled on Send connectors.Email system availability depends in part on best practice strategies for setting tuning configurations. For message size restrictions, multiple places exist to set or override inbound or outbound ...
V-221222LowExchange Send connector connections count must be limited.This setting controls the maximum number of simultaneous outbound connections allowed for a given SMTP Connector and can be used to throttle the SMTP service if resource constraints warrant it. If ...
V-221227LowExchange Receive connectors must be clearly named.For receive connectors, unclear naming as to direction and purpose increases risk that messages may not flow as intended, troubleshooting efforts may be impaired, or incorrect assumptions may be ...