
Configure HSTS on Exchange Server

Security is essential, and most companies need to pay more attention to it. One measure that blunts man-in-the-middle (MiTM) attacks is HTTP Strict Transport Security (HSTS). In this article, you will learn how to configure HSTS on Exchange Server with an HTTP response header.

HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It lets a web server declare that browsers must only interact with it over HTTPS, which provides Transport Layer Security (TLS/SSL), and never over plaintext HTTP. HSTS is an IETF standards track protocol and is specified in RFC 6797.

The HSTS policy is communicated by the server to the user agent via an HTTP response header field named Strict-Transport-Security. The policy specifies a period of time (max-age, in seconds) during which the user agent must only access the server over HTTPS. Browsers honor the header only when they receive it over a valid HTTPS connection, so the very first plaintext visit is unprotected unless the domain is on the browser's built-in preload list. Websites using HSTS often do not accept clear text HTTP, either by rejecting connections over HTTP or systematically redirecting users to HTTPS.

How to configure HSTS on Exchange Server

To configure HSTS on Exchange Server, follow these steps:

Note: You don’t need to restart IIS, and the change will apply immediately.

Note: Installing an Exchange Server Cumulative Update (CU) or Security Update (SU) keeps the HSTS configuration in place.

Windows Server 2019 and higher

Configure HSTS on Windows Server 2019 and higher:

1. Sign in to the Exchange Server and start Internet Information Services (IIS) Manager.

2. Click in the connections panel on Default Web Site.

3. Click in the actions panel on HSTS…

4. Check Enable, IncludeSubDomains and Preload, fill in Max-Age: 31536000 (one year, in seconds), and click OK.

Note: Do not check the checkbox Redirect Http to Https. Exchange still reaches its own PowerShell virtual directory over HTTP (Exchange Management Shell and remote PowerShell), and a site-wide redirect breaks that.


Windows Server 2016 and lower

Configure HSTS on Windows Server 2016 and lower by adding a custom HTTP Response Header:

1. Sign in to the Exchange Server and start Internet Information Services (IIS) Manager.

2. Click in the connections panel on Default Web Site.

3. Double-click HTTP Response Headers.


4. Click in the actions panel on Add…

5. Add the following name and value and click OK.

  • Name: Strict-Transport-Security
  • Value: max-age=31536000; includeSubDomains; preload

6. Verify that the custom HTTP Response Header appears in the list.
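
The two procedures above as one script, added here as an example that is not code from the original article or from Microsoft. It runs in an elevated PowerShell window on the Exchange Server and assumes the Exchange site is still named Default Web Site, that the IISAdministration and WebAdministration modules that ship with IIS are available, and that Windows Server 2019 starts at OS build 17763; the build threshold, the parameter names and the variable names are this example's own.

```powershell
<#
  Added example, not the article's own code: configure HSTS on the Exchange
  "Default Web Site" from an elevated PowerShell window on the server.
  Assumptions (this example's, not the article's): the site is named
  "Default Web Site", Windows Server 2019 is OS build 17763 or newer, and the
  IISAdministration (2019+) and WebAdministration modules are installed with IIS.
#>
[CmdletBinding()]
param(
    [string]$SiteName = 'Default Web Site',
    [int]$MaxAge = 31536000,          # one year in seconds, as in the article
    [bool]$IncludeSubDomains = $true,
    [bool]$Preload = $true            # keep only once every subdomain serves valid HTTPS
)

# Header value exactly as the article specifies it:
# max-age=31536000; includeSubDomains; preload
$headerValue = "max-age=$MaxAge"
if ($IncludeSubDomains) { $headerValue += '; includeSubDomains' }
if ($Preload)           { $headerValue += '; preload' }

$appHost = 'MACHINE/WEBROOT/APPHOST'
$osBuild = [Environment]::OSVersion.Version.Build

if ($osBuild -ge 17763) {
    # Windows Server 2019 and later: IIS has a native per-site <hsts> element,
    # which is what the "HSTS..." dialog in IIS Manager writes.
    Import-Module IISAdministration
    $sites       = Get-IISConfigSection -SectionName 'system.applicationHost/sites' | Get-IISConfigCollection
    $siteElement = Get-IISConfigCollectionElement -ConfigCollection $sites -ConfigAttribute @{ name = $SiteName }
    $hsts        = Get-IISConfigElement -ConfigElement $siteElement -ChildElementName 'hsts'

    Start-IISCommitDelay   # batch the attribute writes into one applicationHost.config save
    Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'enabled'           -AttributeValue $true
    Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'max-age'           -AttributeValue $MaxAge
    Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'includeSubDomains' -AttributeValue $IncludeSubDomains
    Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'preload'           -AttributeValue $Preload
    # Never redirect HTTP to HTTPS site-wide on Exchange: the Exchange Management Shell
    # and remote PowerShell reach the /PowerShell virtual directory over HTTP.
    Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'redirectHttpToHttps' -AttributeValue $false
    Stop-IISCommitDelay
}
else {
    # Windows Server 2016 and earlier: no native HSTS support, so add the header as a
    # custom response header on the site (what the IIS Manager steps do).
    Import-Module WebAdministration
    $filter   = 'system.webServer/httpProtocol/customHeaders'
    $existing = Get-WebConfiguration -PSPath $appHost -Location $SiteName -Filter "$filter/add[@name='Strict-Transport-Security']"
    if ($existing) {
        # Update in place so repeated runs do not fail with a duplicate-entry error
        Set-WebConfigurationProperty -PSPath $appHost -Location $SiteName -Filter "$filter/add[@name='Strict-Transport-Security']" -Name 'value' -Value $headerValue
    }
    else {
        Add-WebConfigurationProperty -PSPath $appHost -Location $SiteName -Filter $filter -Name '.' -Value @{ name = 'Strict-Transport-Security'; value = $headerValue }
    }
}

# No IIS restart is needed; the header is served on the next response.
Write-Host "HSTS configured on '$SiteName' (OS build $osBuild): $headerValue"
```

Run it once with the defaults to get the article's header, or with -Preload $false while you are still testing; the redirectHttpToHttps attribute is deliberately forced to false on the 2019 path for the reason given in the note above, and the 2016 path updates an existing header instead of adding a second copy.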


Check HSTS on Exchange Server

Check that HSTS is successfully configured by following one of the methods below:

Check HSTS HTTP header with inspector tool

1. Start your favorite web browser and go to the Exchange Server OWA address.

2. Open the browser inspector tool > Network.

3. Click on the refresh button or press F5 to reload the page.

4. Select the top-level document request (the OWA page itself) and verify that its response headers include:

strict-transport-security: max-age=31536000; includeSubDomains; preload
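
The same check as the browser inspector step, but scriptable, added here as an example that is not code from the original article. It fetches the OWA address, parses the Strict-Transport-Security directives the way RFC 6797 defines them, and fails if the header is missing or max-age is below the one year the article configures; the hostname mail.example.com and the function names are this example's own placeholders.

```powershell
<#
  Added example, not the article's own code: verify the HSTS header returned by OWA.
  The hostname below is a placeholder (this example's assumption); use your own
  Exchange OWA address.
#>
function ConvertFrom-HstsHeader {
    # Parse a Strict-Transport-Security value into its directives. RFC 6797 syntax:
    # directives separated by ';', names case-insensitive, max-age mandatory.
    param([Parameter(Mandatory)][string]$Value)
    $result = [ordered]@{ MaxAge = $null; IncludeSubDomains = $false; Preload = $false }
    foreach ($directive in ($Value -split ';')) {
        $d = $directive.Trim()
        if ($d -match '^max-age\s*=\s*"?(\d+)"?$') { $result.MaxAge = [int64]$Matches[1] }
        elseif ($d -ieq 'includeSubDomains')       { $result.IncludeSubDomains = $true }
        elseif ($d -ieq 'preload')                 { $result.Preload = $true }
    }
    [pscustomobject]$result
}

function Test-ExchangeHsts {
    param(
        [Parameter(Mandatory)][string]$OwaUrl,
        [int64]$MinMaxAge = 31536000    # one year, the value the article configures
    )
    # OWA redirects /owa to its logon page; Invoke-WebRequest follows that, and the
    # header must be present on the final HTTPS response.
    $response = Invoke-WebRequest -Uri $OwaUrl -UseBasicParsing
    $raw = $response.Headers['Strict-Transport-Security']
    if (-not $raw) {
        return [pscustomobject]@{ Url = $OwaUrl; Present = $false; Pass = $false; Reason = 'header missing' }
    }
    $hsts = ConvertFrom-HstsHeader -Value "$raw"     # "$raw" flattens the string[] PowerShell 7 returns
    $pass = ($null -ne $hsts.MaxAge) -and ($hsts.MaxAge -ge $MinMaxAge)
    $reason = if ($pass) { 'ok' } else { "max-age '$($hsts.MaxAge)' below $MinMaxAge" }
    [pscustomobject]@{
        Url               = $OwaUrl
        Present           = $true
        Pass              = $pass
        MaxAge            = $hsts.MaxAge
        IncludeSubDomains = $hsts.IncludeSubDomains
        Preload           = $hsts.Preload
        Reason            = $reason
    }
}

# Parser alone on the article's own header value (constructed input, no network needed):
ConvertFrom-HstsHeader -Value 'max-age=31536000; includeSubDomains; preload' | Format-List

# Live check against OWA; mail.example.com is a placeholder hostname (assumption).
Test-ExchangeHsts -OwaUrl 'https://mail.example.com/owa' | Format-List
```

Run the live check from a workstation, not from the Exchange Server itself, so it exercises the same path (load balancer, reverse proxy) that users take; a header that appears on the server but not through the load balancer is a finding, not a pass.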


Check HSTS HTTP header with Qualys

1. Go to Qualys SSL Labs and fill in the Exchange Server OWA address. Click Submit.


2. Verify that the summary shows the following:

HTTP Strict Transport Security (HSTS) with long duration deployed on this server.


That’s it! You have successfully configured HSTS on Exchange Server.

Read more: Configure Exchange Server TLS settings »

Conclusion

You learned how to configure HSTS on Exchange Server. Implementing HSTS is essential: once a browser has seen the header over HTTPS it refuses plaintext HTTP to Exchange Server, which blocks man-in-the-middle (MiTM) downgrade attacks.

Did you enjoy this article? You may also like Exchange HTTPS high availability with Kemp load balancer. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has One Comment

  1. I suppose it would be a good idea to start with shorter times like 5 minutes or a week rather than a year (31536000 sec.) directly, to test and make sure that there are no issues. Host names like mail.exoip.com are subdomains that will not be listed on https://hstspreload.org for hardcoded inclusion in browsers; the preload will instead be on the domain level, i.e. exoip.com, and any subdomain with a missing or invalid certificate will be inaccessible. So maybe preload is something to set when you are 100% certain that everything is OK.
