• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 748
  • Last Modified:

HSTS for Exchange Server 2010 on Windows 2012 r2

I have a vulnerability that is stating my Exchange server needs HSTS. Is this something new that vulnerability scanners are requiring now?
If so, how do I change my Exchange server (owa) to be set to HSTS and is there any consequences of doing so?

The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). recommends configuring the remote web server to use HSTS.
Larry Kiterling
Larry Kiterling
1 Solution
Larry KiterlingAuthor Commented:
Leon TealePenetration TesterCommented:
HSTS is not something new and has been flagged by most security compaies for a few years now it has just become more of a push since security is becoming even bigger (i know this i do security tests daily for clients)
I reccomend having it on although it can be a pain sometimes. It helps prevent man in the middle attacks. its not a failure for any sort of requirment and i dont think the CVE score is high but if your wanting a clean report then yes enable it.

HSTS i think is set in your web server rather than in the Exchange settings

Also HSTS should only apply/be sent over HTTPS not HTTP. so if you dont use HTTPS or at least dont enforce it then jsut ignore it. if you do then you should set it.

You could just add a custom header.

            <add name="Strict-Transport-Security" value="max-age=31536000"/>

Open in new window

check here for a full and better example:

<?xml version="1.0" encoding="UTF-8"?>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                        redirectType="Permanent" />
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security"
                        pattern=".*" />
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    <action type="Rewrite" value="max-age=31536000" />

Open in new window

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now