Solved

HSTS for Exchange Server 2010 on Windows 2012 r2

Posted on 2016-08-30
2
98 Views
Last Modified: 2016-10-24
I have a vulnerability that is stating my Exchange server needs HSTS. Is this something new that vulnerability scanners are requiring now?
If so, how do I change my Exchange server (owa) to be set to HSTS and is there any consequences of doing so?

The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). recommends configuring the remote web server to use HSTS.
Question by:Larry Kiterling
2 Comments
 

Author Comment

by:Larry Kiterling
ID: 41804999
Anybody?

Accepted Solution

by:
Leon Teale earned 500 total points
ID: 41836212
HSTS is not something new and has been flagged by most security companies for a few years now; it has just become more of a push since security is becoming even bigger (I know this, I do security tests daily for clients).
I recommend having it on, although it can be a pain sometimes. It helps prevent man-in-the-middle attacks. It's not a failure for any sort of requirement and I don't think the CVE score is high, but if you're wanting a clean report then yes, enable it.

HSTS, I think, is set in your web server rather than in the Exchange settings.

Also, HSTS should only apply/be sent over HTTPS, not HTTP. So if you don't use HTTPS, or at least don't enforce it, then just ignore it. If you do, then you should set it.


You could just add a custom header.

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=31536000"/>
        </customHeaders>
    </httpProtocol>
</system.webServer>



check here for a full and better example:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                        redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security"
                        pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>


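The outbound rule in the accepted solution sends Strict-Transport-Security only when HTTPS is on, and the scanner finding in the question amounts to "an HTTPS response arrived without that header". The following added example is not from the post, from Exchange or from IIS; it is a small Python checker that parses the header the way RFC 6797 describes (max-age required, includeSubDomains and preload optional, duplicates rejected, unknown directives ignored) and applies the two checks a scanner would: HTTPS responses must carry a valid header with a large enough max-age, and plain-HTTP requests must be redirected to HTTPS rather than given the header, since browsers ignore HSTS on non-TLS connections. The sample responses, the host name mail.example.com and the one-year minimum (31536000 seconds, matching the value in the config) are constructed assumptions.

```python
"""Check HTTP responses for a sane Strict-Transport-Security (HSTS) header.

Added example, not part of the original post. The sample responses below
are constructed, not captured from a real Exchange/OWA server.
"""
import re
from dataclasses import dataclass

# RFC 6797 section 6.1: directives are separated by ';', names are
# case-insensitive, the value may be quoted, max-age is mandatory.
_DIRECTIVE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*"?([^";]*?)"?\s*)?$')


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an HSTS header value; raise ValueError if it is malformed."""
    seen = set()
    max_age = None
    include_subdomains = preload = False
    for token in value.split(";"):
        if not token.strip():
            continue
        m = _DIRECTIVE.match(token)
        if not m:
            raise ValueError(f"malformed directive: {token!r}")
        name, arg = m.group(1).lower(), m.group(2)
        if name in seen:  # RFC 6797: a directive MUST NOT appear more than once
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            if arg is None or not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


@dataclass
class Response:
    scheme: str    # "http" or "https"
    status: int
    headers: dict  # header name -> value; names compared case-insensitively


def _header(headers: dict, name: str):
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def check_response(resp: Response, min_age: int = 31536000) -> list:
    """Return scanner-style findings for one response (empty list == clean)."""
    findings = []
    if resp.scheme == "http":
        # HSTS is only honoured on TLS, so what matters on plain HTTP is that
        # the request is redirected to HTTPS (as the rewrite rule above does).
        location = _header(resp.headers, "Location") or ""
        if resp.status not in (301, 302, 307, 308) or not location.startswith("https://"):
            findings.append("plain HTTP not redirected to HTTPS")
        return findings
    hsts = _header(resp.headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HTTPS response has no Strict-Transport-Security header")
        return findings
    try:
        policy = parse_hsts(hsts)
    except ValueError as exc:
        findings.append(f"invalid HSTS header: {exc}")
        return findings
    if policy.max_age < min_age:
        findings.append(f"HSTS max-age {policy.max_age} is below {min_age}")
    return findings


# Constructed sample responses (hypothetical host mail.example.com).
SAMPLES = {
    "owa-before": Response("https", 200, {"Content-Type": "text/html"}),
    "owa-after": Response("https", 200, {"Strict-Transport-Security": "max-age=31536000"}),
    "http-redirect": Response("http", 301, {"Location": "https://mail.example.com/owa"}),
    "http-no-redirect": Response("http", 200, {"Strict-Transport-Security": "max-age=31536000"}),
    "short-age": Response("https", 200, {"strict-transport-security": "max-age=300; includeSubDomains"}),
}


def run_checks(samples=SAMPLES) -> dict:
    """Run check_response over every sample and map name -> findings."""
    return {name: check_response(r) for name, r in samples.items()}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

To use it against a live server, build a Response from the scheme, status code and headers of a real reply (for example from Invoke-WebRequest or curl -I) and pass it to check_response; the "http-no-redirect" sample shows why the header alone on port 80 does not satisfy the finding.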
