Configure HSTS on Exchange Server
Security is essential, and most companies need to pay more attention to it. One measure against man-in-the-middle (MiTM) attacks is to configure HSTS (HTTP Strict Transport Security) on Exchange Server. In this article, you will learn how to configure HSTS on Exchange Server by having IIS send the Strict-Transport-Security HTTP response header, and how to verify that it works.
HTTP Strict Transport Security
HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows a web server to declare that web browsers should interact with it only over HTTPS connections, which provide Transport Layer Security (TLS), and never over plain HTTP. HSTS is an IETF standards track protocol and is specified in RFC 6797.
The HSTS policy is communicated by the server to the user agent via an HTTP response header field named Strict-Transport-Security. The policy specifies a period of time (max-age, in seconds) during which the user agent must only access the server over HTTPS: it rewrites http:// links to https:// before sending them and refuses to continue past certificate errors. A browser only honours the header when it arrives over a valid HTTPS connection; the same header on a plain HTTP response is ignored. Websites using HSTS often do not accept clear text HTTP at all, either by rejecting connections over HTTP or by systematically redirecting users to HTTPS.
How to configure HSTS on Exchange Server
To configure HSTS on Exchange Server, follow the steps for your Windows Server version below.
Note: You don’t need to restart IIS; the change applies immediately.
Note: Installing an Exchange Server CU or SU keeps the HSTS configuration in place.
Windows Server 2019 and higher
Configure HSTS on Windows Server 2019 and higher:
1. Sign in to the Exchange Server and start Internet Information Services (IIS) Manager.
2. Click in the connections panel on Default Web Site.
3. Click in the actions panel on HSTS…
4. Check Enable, IncludeSubDomains and Preload, and fill in Max-Age: 31536000 (one year, in seconds). Click OK.
Note: Do not check the checkbox Redirect Http to Https.
Note: IncludeSubDomains extends the policy to every subdomain of the host name that served the header, and Preload only takes effect once you submit the domain to the browser preload list, which requires IncludeSubDomains and a Max-Age of at least one year. Before enabling both, make sure no subdomain still depends on plain HTTP, because browsers will upgrade every request to those subdomains to HTTPS for the full Max-Age.
Windows Server 2016 and lower
Configure HSTS on Windows Server 2016 and lower by adding a custom HTTP Response Header:
1. Sign in to the Exchange Server and start Internet Information Services (IIS) Manager.
2. Click in the connections panel on Default Web Site.
3. Double-click HTTP Response Headers.
4. Click in the actions panel on Add…
5. Add the below name and value and click on OK.
- Name: Strict-Transport-Security
- Value: max-age=31536000; includeSubDomains; preload
6. Verify that the custom HTTP Response Header appears in the list.
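The same configuration from PowerShell, as an added example that is not part of the original article: it applies the HSTS settings on the Default Web Site without clicking through IIS Manager, using the native IIS HSTS element on Windows Server 2019 and higher and the custom response header on Windows Server 2016 and lower. It assumes the IIS WebAdministration module, which is present on every Exchange Server, and must be run in an elevated PowerShell on the server. Nothing in it restarts IIS.

```powershell
# Added example, not code from the original article. Applies the article's
# HSTS settings to the Exchange Default Web Site from PowerShell.
# Assumes the WebAdministration module (ships with the IIS role).
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$MaxAge   = 31536000    # one year in seconds, the same value as in the article
$AppHost  = 'MACHINE/WEBROOT/APPHOST'

# Windows Server 2019 and higher: IIS has a native <hsts> element per site,
# which is what the HSTS... dialog in IIS Manager writes to applicationHost.config.
function Set-ExchangeHstsNative {
    $filter = "system.applicationHost/sites/site[@name='$SiteName']/hsts"
    Set-WebConfigurationProperty -PSPath $AppHost -Filter $filter -Name 'enabled'           -Value $true
    Set-WebConfigurationProperty -PSPath $AppHost -Filter $filter -Name 'max-age'           -Value $MaxAge
    Set-WebConfigurationProperty -PSPath $AppHost -Filter $filter -Name 'includeSubDomains' -Value $true
    Set-WebConfigurationProperty -PSPath $AppHost -Filter $filter -Name 'preload'           -Value $true
    # Leave the HTTP-to-HTTPS redirect off, as the article's note says.
    Set-WebConfigurationProperty -PSPath $AppHost -Filter $filter -Name 'redirectHttpToHttps' -Value $false
    # Return the resulting element so the caller can see what was written.
    Get-WebConfiguration -PSPath $AppHost -Filter $filter
}

# Windows Server 2016 and lower: no native HSTS, so emit the header as a
# custom response header on the Default Web Site, as in the IIS Manager steps.
function Set-ExchangeHstsCustomHeader {
    $psPath = "IIS:\Sites\$SiteName"
    $filter = 'system.webServer/httpProtocol/customHeaders'
    $value  = "max-age=$MaxAge; includeSubDomains; preload"
    # Replace an existing entry rather than adding a duplicate: two
    # Strict-Transport-Security headers in one response is a misconfiguration.
    if (Get-WebConfiguration -PSPath $psPath -Filter "$filter/add[@name='Strict-Transport-Security']") {
        Remove-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' -AtElement @{ name = 'Strict-Transport-Security' }
    }
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' -Value @{ name = 'Strict-Transport-Security'; value = $value }
    Get-WebConfiguration -PSPath $psPath -Filter "$filter/add[@name='Strict-Transport-Security']"
}

# Pick the method by OS build: 17763 is Windows Server 2019, the first
# long-term servicing release whose IIS has the native HSTS element.
if ([System.Environment]::OSVersion.Version.Build -ge 17763) {
    Set-ExchangeHstsNative
} else {
    Set-ExchangeHstsCustomHeader
}
```

The custom-header function checks for an existing Strict-Transport-Security entry before adding one, because IIS happily emits the same custom header twice and browsers then read only the first value they see. The native function writes the five attributes of the site's hsts element individually, so re-running it on an already configured server is harmless.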
Check HSTS on Exchange Server
Check that HSTS is successfully configured by following one of the below methods:
Check HSTS HTTP header with inspector tool
1. Start your favorite web browser and go to the Exchange Server OWA address.
2. Open the browser inspector tool > Network.
3. Click on the refresh button or press F5 to reload the page.
4. Select the main document request (the OWA logon page) and verify that the response headers show:
strict-transport-security: max-age=31536000; includeSubDomains; preload
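A scripted version of this check, as an added example that is not part of the original article: it fetches the OWA page over HTTPS, reads the Strict-Transport-Security header from the final response, and validates its directives against the values the article configures. The OWA URL is a placeholder you must replace, and the two header strings at the end are constructed inputs for an offline self-check, not output from a real server.

```powershell
# Added example, not code from the original article: verify the HSTS header
# an Exchange Server returns and validate its directives per RFC 6797.

function Test-HstsHeaderValue {
    param(
        [Parameter(Mandatory)][string]$Value,
        [int64]$MinMaxAge = 31536000    # one year, the article's value
    )
    $result = [ordered]@{ MaxAge = $null; IncludeSubDomains = $false; Preload = $false; Ok = $false; Problems = @() }
    foreach ($directive in ($Value -split ';')) {
        $d = $directive.Trim()
        if ($d -match '^max-age=(\d+)$')       { $result.MaxAge = [int64]$Matches[1] }
        elseif ($d -eq 'includeSubDomains')    { $result.IncludeSubDomains = $true }   # -eq is case-insensitive
        elseif ($d -eq 'preload')              { $result.Preload = $true }
        elseif ($d -ne '')                     { $result.Problems += "Unknown directive '$d'" }
    }
    if ($null -eq $result.MaxAge) {
        $result.Problems += 'max-age is missing; browsers ignore the header without it'
    } elseif ($result.MaxAge -lt $MinMaxAge) {
        $result.Problems += "max-age $($result.MaxAge) is shorter than $MinMaxAge"
    }
    if ($result.Preload -and -not $result.IncludeSubDomains) {
        $result.Problems += 'preload requires includeSubDomains'
    }
    $result.Ok = ($result.Problems.Count -eq 0)
    [pscustomobject]$result
}

function Test-ExchangeHsts {
    param([Parameter(Mandatory)][string]$OwaUrl)
    # Invoke-WebRequest follows the OWA redirect to the logon page; the header
    # must be present on that final HTTPS response. Checking http:// would be
    # meaningless because browsers only honour HSTS received over HTTPS.
    if ($OwaUrl -notmatch '^https://') { throw 'Use the https:// OWA URL; HSTS is only honoured over TLS.' }
    $response = Invoke-WebRequest -Uri $OwaUrl -UseBasicParsing
    $header   = [string]$response.Headers['Strict-Transport-Security']
    if (-not $header) { throw "No Strict-Transport-Security header returned by $OwaUrl" }
    Test-HstsHeaderValue -Value $header
}

# Offline self-check on constructed header values (not real server output):
# the first is the value the article configures, the second is deliberately weak.
Test-HstsHeaderValue -Value 'max-age=31536000; includeSubDomains; preload'
Test-HstsHeaderValue -Value 'max-age=300; preload'

# Against a real server. The host name is a placeholder; replace it with your
# own OWA URL. The certificate must be trusted by the machine running this.
# Test-ExchangeHsts -OwaUrl 'https://mail.example.com/owa/'
```

The second constructed value trips two of the checks at once (a max-age far below one year and preload without includeSubDomains), which is the kind of partial configuration a quick visual check in the browser tends to miss. Invoke-WebRequest fails on an untrusted certificate, which is the correct behaviour here: a browser under HSTS would refuse that connection as well.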
Check HSTS HTTP header with Qualys
1. Go to Qualys SSL Labs and fill in the Exchange Server OWA address. Click Submit. This only works for an OWA address that is reachable from the internet on port 443; for an internal-only server, use the browser inspector method above.
2. Verify that the summary shows the following:
HTTP Strict Transport Security (HSTS) with long duration deployed on this server.
That’s it! You have successfully configured HSTS on Exchange Server.
Read more: Configure Exchange Server TLS settings »
Conclusion
You learned how to configure HSTS on Exchange Server. Implementing HSTS is essential to protect Exchange Server clients from man-in-the-middle (MiTM) attacks that rely on downgrading or intercepting plain HTTP connections.