Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

HSTS for Exchange Server 2010 on Windows 2012 r2

Posted on 2016-08-30
2
Medium Priority
?
511 Views
Last Modified: 2016-10-24
I have a vulnerability that is stating my Exchange server needs HSTS. Is this something new that vulnerability scanners are requiring now?
If so, how do I change my Exchange server (owa) to be set to HSTS and is there any consequences of doing so?

The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). recommends configuring the remote web server to use HSTS.
0
Comment
Question by:Larry Kiterling
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 

Author Comment

by:Larry Kiterling
ID: 41804999
Anybody?
0
 
LVL 6

Accepted Solution

by:
Leon Teale earned 2000 total points
ID: 41836212
HSTS is not something new and has been flagged by most security compaies for a few years now it has just become more of a push since security is becoming even bigger (i know this i do security tests daily for clients)
I reccomend having it on although it can be a pain sometimes. It helps prevent man in the middle attacks. its not a failure for any sort of requirment and i dont think the CVE score is high but if your wanting a clean report then yes enable it.

HSTS i think is set in your web server rather than in the Exchange settings

Also HSTS should only apply/be sent over HTTPS not HTTP. so if you dont use HTTPS or at least dont enforce it then jsut ignore it. if you do then you should set it.


You could just add a custom header.

system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=31536000"/>
        </customHeaders>
    </httpProtocol>
</system.webServer>

Open in new window


check here for a full and better example:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                        redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security"
                        pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

Open in new window

0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The core idea of this article is to make you acquainted with the best way in which you can export Exchange mailbox to PST format.
The main intent of this article is to make you aware of ‘Exchange fail to mount’ error, its effects, causes, and solution.
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question