{
"id": "EDCA-TLS-040", "title": "Edge internal Receive connectors disallow anonymous connections", "description": "Internal Receive connectors on the Edge Transport server MUST NOT permit anonymous connections. Allowing anonymous connections on internal connectors enables unauthenticated relay, which can be abused to send spam or bypass anti-spam controls.", "verify": true, "subject": "Server", "category": "Transport Security", "severity": "High", "severityWeight": 8, "frameworks": [ "Best Practice", "DISA" ], "references": [ { "name": "Microsoft — Receive connectors", "url": "https://learn.microsoft.com/exchange/mail-flow/connectors/receive-connectors" }, { "name": "DISA STIG EX19-ED-000100: The Exchange Internal Receive connector must not allow anonymous connections (V-259622)", "url": "https://www.stigviewer.com/stigs/microsoft_exchange_2019_edge_server/2024-12-06/finding/V-259622" } ], "remediation": { "automatable": false, "description": "Remove AnonymousUsers from the PermissionGroups on internal Receive connectors.", "scriptTemplate": "# Diagnose: identify internal Receive connectors on this Edge server.\n# Internal connectors are identified by ExchangeServer in AuthMechanism (set by EdgeSync during subscription).\n$serverName = $env:COMPUTERNAME\n$internalRc = Get-ReceiveConnector -Server $serverName | Where-Object {\n [string]$_.AuthMechanism -match '\\bExchangeServer\\b'\n}\n$internalRc | Select-Object Identity, PermissionGroups, AuthMechanism, Bindings\n\n# Fix: remove AnonymousUsers permission group from each internal connector that permits it.\nforeach ($rc in ($internalRc | Where-Object { [string]$_.PermissionGroups -match '\\bAnonymousUsers\\b' })) {\n Set-ReceiveConnector -Identity $rc.Identity -PermissionGroups ($rc.PermissionGroups -band (-bnot [Microsoft.Exchange.Data.PermissionGroups]::AnonymousUsers))\n Write-Host \"AnonymousUsers removed from $($rc.Identity).\"\n}" }, "considerations": "Internal Receive connectors used by Exchange Mailbox 
servers should use the ExchangeServers or ExchangeLegacyServers permission groups, not AnonymousUsers. Removing anonymous access from a connector that is currently used for anonymous relay will immediately block that mail flow. Audit relay sources before making changes.", "roles": [ "Edge" ] }