Exchange must have Administrator audit logging enabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-228354	EX16-MB-000010	SV-228354r879526_rule		Medium

Description

Unauthorized or malicious data changes can compromise the integrity and usefulness of the data. Automated attacks or malicious users with elevated privileges have the ability to effect change using the same mechanisms as email administrators. Auditing any changes to access mechanisms not only supports accountability and nonrepudiation for those authorized to define the environment but also enables investigation of changes made by others who may not be authorized. Note: This administrator auditing feature audits all exchange changes regardless of the user's assigned role or permissions.

STIG	Date
Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide	2023-12-18

Details

Check Text (C-30587r496858_chk)

Open the Exchange Management Shell and enter the following command:

Get-AdminAuditLogConfig | Select Name, AdminAuditLogEnabled

If the value of "AdminAuditLogEnabled" is not set to "True", this is a finding.

Fix Text (F-30572r496859_fix)

Open the Exchange Management Shell and enter the following command:

Set-AdminAuditLogConfig -AdminAuditLogEnabled $true