Avatar of Stev0W
Flag for United Kingdom of Great Britain and Northern Ireland asked on

Remote Web Workplace fails penetration test on the HTTP security reponse headers

On our small site, we are running a single DC, server 2016 Standard running the essentials role.

After a penetration test on our Domain. The report says that "Several HTTP headers that can be used to provide additional security were not used, these security headers can help defend against a number of common attack vectors"

from googling It looks like this can be fixed with PowerShell but the commands are not being recognised. What would be the simplest way to proceed?

SecurityPowershell* windows server 2016 essentials

Avatar of undefined
Last Comment

8/22/2022 - Mon
David Favor

1) You can use the https://securityheaders.com tester (or may similar testers) for granular data about what to fix.

2) Ultimately you'll effect header changes in your Webserver config files, then restart your Webserver to serve new headers.

3) Likely you can use Powershell commands + I prefer just to edit Webserver configs to effect header changes.

File Editing == Simple

Scripting Edits == Complex (and can destroy files)

Since this is usually a one off (one + done) activity, file editing is the safer choice.

Also file editing will work one any Webserver, where scripted edits only work on 1x Webserver config.
Philip Elder

Since the Essentials RWW is essentially a canned setup one needs to be careful about tweaking it.

The principle change that needs to happen is to enable TLS 1.2 and disable the other versions (SSL as well). Was this done already as it should have shown up in the security audit if it wasn't?

Hi Phillip, yes TLS 1.0 & 1.1 have been disabled along with other insecure protocols. It's just the missing headers that seem to be an issue on the report.
I think as David says I may have to change the Http securtiy headers manually. I'm not familiar with what I would have to add without breaking anything and was wondering if anybody else had made these changes. 
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
Philip Elder

This is the first time I've ever seen this recommendation.

It's an oddball so I think it would be good to see the justification for it. It should have an explanation that is in-depth along with the methods, or pointers to the methods, to implement the requested changes.

Care to elaborate?

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.