Solved

HSTS for Exchange Server 2010 on Windows 2012 r2

Posted on 2016-08-30
2
223 Views
Last Modified: 2016-10-24
I have a vulnerability that is stating my Exchange server needs HSTS. Is this something new that vulnerability scanners are requiring now?
If so, how do I change my Exchange server (owa) to be set to HSTS and is there any consequences of doing so?

The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). recommends configuring the remote web server to use HSTS.
0
Comment
Question by:Larry Kiterling
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 

Author Comment

by:Larry Kiterling
ID: 41804999
Anybody?
0
 
LVL 6

Accepted Solution

by:
Leon Teale earned 500 total points
ID: 41836212
HSTS is not something new and has been flagged by most security compaies for a few years now it has just become more of a push since security is becoming even bigger (i know this i do security tests daily for clients)
I reccomend having it on although it can be a pain sometimes. It helps prevent man in the middle attacks. its not a failure for any sort of requirment and i dont think the CVE score is high but if your wanting a clean report then yes enable it.

HSTS i think is set in your web server rather than in the Exchange settings

Also HSTS should only apply/be sent over HTTPS not HTTP. so if you dont use HTTPS or at least dont enforce it then jsut ignore it. if you do then you should set it.


You could just add a custom header.

system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=31536000"/>
        </customHeaders>
    </httpProtocol>
</system.webServer>

Open in new window


check here for a full and better example:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                        redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security"
                        pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

Open in new window

0

Featured Post

Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This video discusses moving either the default database or any database to a new volume.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question