The Exchange Receive connector timeout must be limited.

From MS Exchange 2013 Mailbox Server Security Technical Implementation Guide

Part of SRG-APP-000295

Associated with: CCI-002361

SV-84671r1_rule The Exchange Receive connector timeout must be limited.

Vulnerability discussion

Email system availability depends in part on best practice strategies for setting tuning. This configuration controls the number of idle minutes before the connection is dropped. It works in conjunction with the Maximum Inbound Connections Count setting. Connections, once established, may incur delays in message transfer. If the timeout period is too long, there is risk that idle connections may be maintained for unnecessarily long time periods, preventing new connections from being established.

Check content

Review the Email Domain Security Plan (EDSP). Determine the Connection Timeout value. Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector | Select Name, Identity, ConnectionTimeout For each Receive connector, if the value of ConnectionTimeout is not set to 00:10:00, this is a finding. or If ConnectionTimeout is set to other than 00:10:00 and has signoff and risk acceptance in the EDSP, this is not a finding.

Fix text

Update the EDSP. Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Identity <'IdentityName'> -ConnectionTimeout 00:10:00 Note: The value must be in quotes. or The value as identified by the EDSP that has obtained a signoff with risk acceptance.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer