AUDIT_EXCHANGE
This policy item runs Exchange cmdlets on the target Exchange server and returns the results. Results are evaluated with use of string or regular expression matching of the PowerShell output, similar to AUDIT_POWERSHELL.
The AUDIT_EXCHANGE check type automatically imports Exchange Management Shell (EMS) cmdlets, allowing you to write PowerShell code without manual cmdlet import. This functionality is particularly useful for auditing Microsoft Exchange configurations against CIS and DISA security guidance.
Supported Versions
The following Microsoft Exchange versions are supported:
- Microsoft Exchange 2013
- Microsoft Exchange 2016
Usage
<custom_item>
type: AUDIT_EXCHANGE
description: ["description"]
value_type: POLICY_TEXT
value_data: ["banner content"]
powershell_args: ["exchange powershell cmdlets"]
(optional) powershell_option: [CAN_BE_NULL]
(optional) secure_string: ["encrypted secure string"]
(optional) check_type: [CHECK_EQUAL|CHECK_REGEX|...]
(optional) only_show_cmd_output: [YES|NO]
</custom_item>
The following are descriptions of the keywords:
- value_type: The value is POLICY_TEXT. If you use POLICY_MULTI_TEXT, the evaluation still works, but NULL appears as the Remote value.
- value_data: The expected PowerShell output.
- powershell_args: The Exchange cmdlet, with any additional PowerShell formatting options. The output of this command is returned and should resemble what the Exchange Management Shell would print.
- powershell_option: The value is CAN_BE_NULL, which allows the check to pass if PowerShell returns no data.
- secure_string: Use this field to specify an encrypted credential string to run the check with. To create it, run the following command in PowerShell as the scanning user on the target being scanned, enter the password when prompted, and copy the output into the secure_string field:
  Read-Host -AsSecureString | ConvertFrom-SecureString
  Because the password is typed at the prompt rather than passed as a literal, it is not recorded in command history or transcript logs, and ConvertFrom-SecureString (without -Key) protects it with the Windows Data Protection API (DPAPI) rather than storing it in plain text.
  Note: The encrypted string is bound to the user profile and the machine it was generated on, so it decrypts only for that user on that host. Generate a separate secure string on each target when scanning multiple Exchange servers.
- check_type: Changes how the output is evaluated. By default (CHECK_EQUAL) the output must exactly match the contents of value_data. You can change the evaluation with CHECK_NOT_EQUAL, CHECK_REGEX, or CHECK_NOT_REGEX.
- only_show_cmd_output: If set to YES, the check result is INFO/LOW and reports the value returned by PowerShell without evaluating it. If set to NO, the evaluation is defined by the other fields in the check.
Note: The comparison that the check performs is not case sensitive.
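The following is an added example, not part of the Tenable documentation, showing how to generate the secure_string value on one Exchange server and confirm that it decrypts there before pasting it into the check. The function names New-AuditSecureString and Test-AuditSecureString are this example's own; the only cmdlets used are the built-in Read-Host, ConvertFrom-SecureString and ConvertTo-SecureString.

```powershell
# Added example (not Tenable's code): create and verify a DPAPI-protected
# secure_string for an AUDIT_EXCHANGE check. Run it on the target, as the scanning user.

function New-AuditSecureString {
    # Prompt interactively: the password never appears as a plain-text literal,
    # so it is not captured by command history or transcript logs.
    # ConvertFrom-SecureString without -Key uses DPAPI, binding the ciphertext
    # to this user profile on this machine.
    $encrypted = Read-Host -Prompt 'Scanning account password' -AsSecureString |
                 ConvertFrom-SecureString
    [PSCustomObject]@{
        Target       = $env:COMPUTERNAME
        User         = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        SecureString = $encrypted
    }
}

function Test-AuditSecureString {
    param([Parameter(Mandatory)][string]$Encrypted)
    # DPAPI decryption succeeds only for the same user on the same host. If a
    # string generated elsewhere is reused, ConvertTo-SecureString throws
    # ("Key not valid for use in specified state"), which is what a check with a
    # copied secure_string would hit on the wrong server.
    try {
        $null = ConvertTo-SecureString -String $Encrypted -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

$item = New-AuditSecureString
"Generated for $($item.User) on $($item.Target)"
if (Test-AuditSecureString -Encrypted $item.SecureString) {
    # This is the line to paste into the custom_item for this target only.
    "secure_string: `"$($item.SecureString)`""
} else {
    Write-Warning 'Secure string does not decrypt under the current user/host; regenerate it here.'
}
```

Record the User and Target values with the string: when a scan of a second server fails with an authentication error, the first thing to check is whether its secure_string was generated on that server under the scanning account.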
Examples
Example 1: Check Exchange Version
<custom_item>
type: AUDIT_EXCHANGE
description: "Exchange - Check Type Example"
value_type: POLICY_TEXT
value_data: ".*"
powershell_args: "get-exchangeserver | fl -Property ExchangeVersion"
secure_string: "01000000d08c9ddf0115d1118c7a00c04fc297eb..."
check_type: CHECK_REGEX
</custom_item>
Example 2: Verify Transport Service Settings
<custom_item>
type: AUDIT_EXCHANGE
description: "Ensure 'MaxReceiveSize' is configured for Transport Service"
info: "Verifies Exchange transport service has MaxReceiveSize configured per security guidance."
value_type: POLICY_TEXT
value_data: "10 MB (10,485,760 bytes)"
powershell_args: "Get-TransportService | Select-Object -ExpandProperty MaxReceiveSize"
secure_string: "01000000d08c9ddf0115d1118c7a00c04fc297eb..."
check_type: CHECK_EQUAL
</custom_item>
MaxReceiveSize is an Unlimited<ByteQuantifiedSize> value, so the shell renders it as "10 MB (10,485,760 bytes)" rather than "10MB"; with CHECK_EQUAL the value_data must match that rendered form (the comparison ignores case, not spacing or punctuation). Get-TransportService also returns one object per Mailbox server, so in a multi-server organization the output is several lines and an exact match fails; scope the cmdlet to the server being scanned by passing its name to -Identity, or switch to CHECK_REGEX.
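The following added example (not Tenable's evaluator, and not from the documentation) lets you try a candidate powershell_args and value_data pair locally in the Exchange Management Shell before committing it to an .audit file. The function Test-ExchangeAuditItem is this example's own; its handling of empty output, case-insensitive comparison and the four check types follows the keyword descriptions above, but it is an approximation of the plugin's behaviour, not a copy of it. It assumes it is run on the Exchange server where the Microsoft.Exchange.Management.PowerShell.SnapIn snap-in is available.

```powershell
# Added example (not Tenable's code): dry-run an AUDIT_EXCHANGE check on the target.
# Load the EMS cmdlets the same way the check type does implicitly.
if (-not (Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
}

function Test-ExchangeAuditItem {
    param(
        [Parameter(Mandatory)][string]$PowershellArgs,   # contents of powershell_args
        [Parameter(Mandatory)][string]$ValueData,        # contents of value_data
        [ValidateSet('CHECK_EQUAL','CHECK_NOT_EQUAL','CHECK_REGEX','CHECK_NOT_REGEX')]
        [string]$CheckType = 'CHECK_EQUAL',              # default matches the plugin's
        [switch]$CanBeNull                               # powershell_option: CAN_BE_NULL
    )
    # The string is the audit author's own cmdlet pipeline, exactly as the plugin
    # would run it, so Invoke-Expression is used deliberately here. -Width stops
    # Out-String from wrapping wide output at 80 columns, which would break matching.
    $output = (Invoke-Expression $PowershellArgs | Out-String -Width 4096).Trim()

    if ([string]::IsNullOrEmpty($output)) {
        # No data: passes only when CAN_BE_NULL is set, mirroring powershell_option.
        $result = if ($CanBeNull) { 'PASSED' } else { 'FAILED' }
        return [PSCustomObject]@{ Result = $result; Remote = 'NULL' }
    }

    # All comparisons are case-insensitive, as the documentation states.
    $match = switch ($CheckType) {
        'CHECK_EQUAL'     { $output -ieq $ValueData }
        'CHECK_NOT_EQUAL' { $output -ine $ValueData }
        'CHECK_REGEX'     { $output -imatch $ValueData }
        'CHECK_NOT_REGEX' { $output -inotmatch $ValueData }
    }
    $result = if ($match) { 'PASSED' } else { 'FAILED' }
    [PSCustomObject]@{ Result = $result; Remote = $output }
}

# Example 2 from above: exact match against the rendered ByteQuantifiedSize.
Test-ExchangeAuditItem -PowershellArgs 'Get-TransportService | Select-Object -ExpandProperty MaxReceiveSize' `
                       -ValueData '10 MB (10,485,760 bytes)' -CheckType CHECK_EQUAL

# The same setting scoped to this server and matched by regex, which keeps working
# when the organisation has more than one Mailbox server.
Test-ExchangeAuditItem -PowershellArgs "Get-TransportService -Identity $env:COMPUTERNAME | Select-Object -ExpandProperty MaxReceiveSize" `
                       -ValueData '^10 MB \(10,485,760 bytes\)$' -CheckType CHECK_REGEX
```

The Remote field of the returned object is the text the plugin would compare, so when a check fails during a scan, rerunning it here shows whether the cause is the cmdlet output format (units, parentheses, multiple lines) or the server's actual configuration.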