Implementing HTTP Strict Transport Security [HSTS] on Exchange Server 2016

Implementing HSTS on Exchange Server 2016

Very recently I have implemented HTTP Strict Transport Security on my Exchange Server 2016 OWA and wanted to share my experience.

About HTTP Strict Transport Security [HSTS]:

HTTP Strict Transport Security (HSTS) is a mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.

It allows a web server to declare that web browsers should automatically interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), rather than plain, insecure HTTP.

Configure HSTS on Windows Server 2016 and earlier by adding a custom HTTP response header:

Step 1. Sign in to the Exchange Server and start Internet Information Services (IIS) Manager.

Step 2. Click in the connections panel on Default Web Site.

Step 3. Double-click HTTP Response Headers.

Step 4. Click in the actions panel on Add…

Step 5. Add the below name and value and click on OK.

  • Name: Strict-Transport-Security
  • Value: max-age=31536000; includeSubDomains; preload

How to validate whether HSTS on the Exchange Server has been implemented successfully:

Check the HSTS HTTP header with an SSL test of the OWA link:

Step 1. Go to https://www.ssllabs.com/ssltest/, fill in the Exchange Server OWA address [my case: https://cloudmonkeys.xyz/owa] and click Submit. The scan runs to 100%. Once validation completes, search the report for the Strict Transport Security (HSTS) parameter; it should show as TRUE, as below.
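As an added check (example code, not from the original post), the following Python script parses a Strict-Transport-Security header value and flags any deviation from the policy set in Step 5 above (one-year max-age, includeSubDomains, preload); check_hsts_url() can be pointed at your own OWA URL, while the sample values in the block are constructed.

```python
import urllib.request

# Policy the post configures on the Exchange server: one year, subdomains, preload.
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Split a Strict-Transport-Security value into a dict of directives.
    Directive names are case-insensitive (RFC 6797); a numeric max-age becomes int,
    a valueless directive such as includeSubDomains is stored as True.
    """
    directives = {}
    for token in value.split(";"):
        name, _, raw = token.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if not name:
            continue
        directives[name] = int(raw) if name == "max-age" and raw.isdigit() else (raw or True)
    return directives


def check_hsts(value):
    """Evaluate a header value (None = header absent); return (ok, findings)."""
    if value is None:
        return False, ["no Strict-Transport-Security header on the HTTPS response"]
    d = parse_hsts(value)
    findings = []
    if not isinstance(d.get("max-age"), int):
        findings.append("max-age missing or non-numeric: browsers ignore the header")
    elif d["max-age"] < MIN_MAX_AGE:
        findings.append(f"max-age={d['max-age']} is below one year ({MIN_MAX_AGE})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains of the host stay unprotected")
    if "preload" not in d:
        findings.append("preload missing: the domain cannot be submitted to the preload list")
    return not findings, findings


def check_hsts_url(url):
    """Fetch an HTTPS URL (network required) and evaluate its HSTS header."""
    with urllib.request.urlopen(url) as resp:  # follows redirects, like a browser
        return check_hsts(resp.headers.get("Strict-Transport-Security"))


if __name__ == "__main__":
    # Constructed sample values, not captured from a real server.
    for sample in ["max-age=31536000; includeSubDomains; preload", "max-age=300", None]:
        print(sample, "->", check_hsts(sample))
```

Note that includeSubDomains applies to every host under the domain, so each of those hosts must already serve HTTPS before the header is deployed, and preload only takes effect once the domain is submitted to hstspreload.org.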
