I have an engagement coming up where we'll have to audit some Exchange servers. Currently, the DISA Exchange checklist is in draft. Yes, we'll be running Gold Disk on the servers, and we'll be running Oval to check the patches. However, is there any other guidance for auditing Exchange?
As I find other options, I'll post them here. And of course, I'll write up our methodology after the trip.
Edit: NSA Exchange guide
Unfortunately, CIS doesn't have a tool for Exchange.