Exchange internal Receive connectors must not allow anonymous connections.

From MS Exchange 2013 Edge Transport Server Security Technical Implementation Guide

Part of SRG-APP-000261

Associated with: CCI-001308

SV-84515r1_rule Exchange internal Receive connectors must not allow anonymous connections.

Vulnerability discussion

This control is used to limit the servers that may use this server as a relay. If a Simple Mail Transport Protocol (SMTP) sender does not have a direct connection to the Internet (for example, an application that produces reports to be emailed), it will need to use an SMTP Receive connector that does have a path to the Internet (for example, a local email server) as a relay.SMTP relay functions must be protected so third parties are not able to hijack a relay service for their own purposes. Most commonly, relay hijacking is done by spammers to disguise the source of their messages and may also be used to cover the source of more destructive attacks. Relays can be restricted in one of three ways: by blocking relays (restrict to a blank list of servers); by restricting use to lists of valid servers; or by restricting use to servers that can authenticate. Because authenticated connections are the most secure for SMTP Receive connectors, it is recommended that relays allow only servers that can authenticate.

Check content

Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector | Select Name, Identity, PermissionGroups For each Receive connector, if the value of PermissionGroups is AnonymousUsers for any non-Internet connector, this is a finding.

Fix text

Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Identity <'IdentityName'> -PermissionGroups and enter a 'valid user groups'. Note: The value and user group(s) must be in quotes. Example for user groups only: 'ExchangeServers, ExchangeUsers' Repeat the procedures for each Receive connector. This is an Example only: Set-ReceiveConnector -Identity <'IdentityName'> -PermissionGroups ExchangeUsers

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer