Exchange must have administrator audit logging enabled.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-259648	SRG-APP-000027	EX19-MB-000016	SV-259648r960780_rule	2024-08-22	2

Description
Unauthorized or malicious data changes can compromise the integrity and usefulness of the data. Automated attacks or malicious users with elevated privileges have the ability to effect change using the same mechanisms as email administrators. Auditing any changes to access mechanisms not only supports accountability and nonrepudiation for those authorized to define the environment but also enables investigation of changes made by others who may not be authorized. Note: This administrator auditing feature audits all exchange changes regardless of the user's assigned role or permissions.

Description

Unauthorized or malicious data changes can compromise the integrity and usefulness of the data. Automated attacks or malicious users with elevated privileges have the ability to effect change using the same mechanisms as email administrators. Auditing any changes to access mechanisms not only supports accountability and nonrepudiation for those authorized to define the environment but also enables investigation of changes made by others who may not be authorized. Note: This administrator auditing feature audits all exchange changes regardless of the user's assigned role or permissions.

ℹ️ Check
Open the Exchange Management Shell and enter the following command: Get-AdminAuditLogConfig \| Select-Object -Property Name, AdminAuditLogEnabled If the value of "AdminAuditLogEnabled" is not set to "True", this is a finding.

✔️ Fix
Open the Exchange Management Shell and enter the following command: Set-AdminAuditLogConfig -AdminAuditLogEnabled $true