Microsoft Exchange Server 2016 STIG Version 2, Release 1 Checklist Details (Checklist Revisions)

Target CPE Name
Microsoft Exchange Server 2016 cpe:/a:microsoft:exchange_server:2016:::en

Checklist Highlights

Checklist Name:
Microsoft Exchange Server 2016 STIG
Checklist ID:
Version 2, Release 1
Review Status:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:

Checklist Summary:

Email systems are composed of multiple products and services working together to enable transport and delivery of messages to users. This overview gives background and information specific to a Microsoft Exchange Mailbox Server. Microsoft Exchange 2016 introduced a number of architectural and fundamental changes compared to Exchange 2013. In Exchange 2016, the Mailbox server role contains transport services for routing mail, mailbox databases, client access services to accept client connections, and Unified Messaging components. The Mailbox Server role hosts mailboxes and advanced scheduling services for Microsoft Office Outlook and MS Outlook Web App (OWA) users. It also performs processing and rendering for client connections proxied by the Client Access server and handles Unified Messaging requests. In addition, Mailbox servers may also host public folders, if desired. In all, the Mailbox Server role provides a foundation for workflow, document sharing, and other forms of collaboration. The Mailbox Server STIG must be reviewed on each Mailbox server in the Exchange environment. The Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. This document is meant for use in conjunction with the Windows Operating System (OS) STIG and any appropriate STIG(s) applicable to the system.

Checklist Role:

  • Enterprise Email Server

Known Issues:

Not provided.

Target Audience:

Not provided.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

DoDI 8500.01.


All technical NIST SP 800-53 requirements were considered while developing this STIG. Requirements that are applicable and configurable will be included in the final STIG. A report marked For Official Use Only (FOUO) will be available for those items that did not meet requirements. This report will be available to component Authorizing Official (AO) personnel for risk assessment purposes by request via email to:


Not provided.

Product Support:

Comments or proposed revisions to this document should be sent via email to the following address: DISA will coordinate all change requests with the relevant DoD organizations before inclusion in this document. Approved changes will be made in accordance with the DISA maintenance release schedule.

Point of Contact:


Not provided.


Not provided.

Change History:

New Checklist - 9/14/18
updated to FINAL -10/15/18
updated to v1,r2 - 1/22/19
Updated to FINAL - 2/19/19
Updated to v1,r2 - 4/30/19
Updated URLs - 6/7/19
Updated URLs - 8/9/19
Updated URL - 8/15/19
updated URLs - 11/1/19
removed reference link and updated resource link per DISA changes - 1/17/2020
updated URLs per DISA - 1/21/2020
updated per DISA - 8/4/2020
Updated URL per DISA - 10/28/20
Updated resource per DISA - 1/27/21

NIST checklist record last modified on 01/28/2021