?
Solved

HSTS for Exchange Server 2010 on Windows 2012 r2

Posted on 2016-08-30
2
Medium Priority
?
635 Views
Last Modified: 2016-10-24
I have a vulnerability that is stating my Exchange server needs HSTS. Is this something new that vulnerability scanners are requiring now?
If so, how do I change my Exchange server (owa) to be set to HSTS and is there any consequences of doing so?

The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). recommends configuring the remote web server to use HSTS.
0
Comment
Question by:Larry Kiterling
2 Comments
 

Author Comment

by:Larry Kiterling
ID: 41804999
Anybody?
0
 
LVL 6

Accepted Solution

by:
Leon Teale earned 2000 total points
ID: 41836212
HSTS is not something new and has been flagged by most security compaies for a few years now it has just become more of a push since security is becoming even bigger (i know this i do security tests daily for clients)
I reccomend having it on although it can be a pain sometimes. It helps prevent man in the middle attacks. its not a failure for any sort of requirment and i dont think the CVE score is high but if your wanting a clean report then yes enable it.

HSTS i think is set in your web server rather than in the Exchange settings

Also HSTS should only apply/be sent over HTTPS not HTTP. so if you dont use HTTPS or at least dont enforce it then jsut ignore it. if you do then you should set it.


You could just add a custom header.

system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=31536000"/>
        </customHeaders>
    </httpProtocol>
</system.webServer>

Open in new window


check here for a full and better example:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                        redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security"
                        pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

Open in new window

0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As much as Microsoft wants to kill off PST file support, just as they tried to do with public folders, there are still times when it is useful or downright necessary to export Exchange mailboxes to PST files. Thankfully, it is still possible to e…
Eseutil Hard Recovery is part of exchange tool and ensures Exchange mailbox data recovery when mailbox gets corrupt due to some problem on Exchange server.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Suggested Courses

750 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question