As many customers asked for it, we’re happy to announce that Microsoft Exchange Server now officially supports HTTP Strict Transport Security, also known as HSTS.
What is HSTS and how can it help protect my users?
HSTS is a policy mechanism that helps protect websites (OWA and ECP in the case of Exchange Server) against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It is a widely supported standard defined in RFC 6797.
It allows a web server to declare that browsers should only interact with it over HTTPS, which provides encryption and server authentication. The browser starts enforcing HSTS when it receives the Strict-Transport-Security (STS) header over an HTTPS connection; the header is ignored if it arrives over plain HTTP, so the first visit must already be HTTPS (or the domain must be on the browser's preload list). From then on, and for as long as the max-age directive specifies, the browser rewrites http:// requests to that host to https:// before sending them.
HSTS also prevents users from clicking through certificate warnings (for example, expired, invalid or untrusted certificates, or name mismatches), which could indicate a compromised connection.
If an attacker tries to perform a protocol downgrade or man-in-the-middle attack, the browser detects the violation of the HSTS policy and aborts the connection.
How do I configure HSTS?
We’ve published the documentation that contains all the necessary steps to configure HSTS on Exchange Server 2016 and 2019. You can find it here. I will show you the PowerShell commands to run on the Exchange servers that publish OWA to enable it.
Please read the documentation carefully: some settings that the default IIS HSTS implementation offers (for example, HTTP to HTTPS redirect) must be configured differently for Exchange, because they would otherwise break connectivity to Exchange Server.
The Exchange Server Health Checker script will receive an update soon that reports whether the HSTS configuration on your Exchange Server is as expected.
Enable HSTS with PowerShell for Exchange 2019
Run the following commands in PowerShell to enable HSTS on Exchange 2019. Refer to the Microsoft documentation linked above for the why and the details, and to the same documentation to enable it on Exchange 2016.

```powershell
# Run these commands first to set up HSTS
Import-Module IISAdministration
Reset-IISServerManager -Confirm:$false
Start-IISCommitDelay

# Locate the <hsts> element of the Default Web Site (the site that serves OWA/ECP)
$sitesCollection = Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection
$siteElement = Get-IISConfigCollectionElement -ConfigCollection $sitesCollection -ConfigAttribute @{"name"="Default Web Site"}
$hstsElement = Get-IISConfigElement -ConfigElement $siteElement -ChildElementName "hsts"

Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "enabled" -AttributeValue $true
# 300 seconds (5 minutes) is a short rollout value so that a mistake expires quickly;
# raise it once you have validated access (the preload list requires at least 31536000 = one year)
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "max-age" -AttributeValue 300
# includeSubDomains applies the policy to every subdomain of the host name the header
# is served on; make sure none of them still depends on plain HTTP
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "includeSubDomains" -AttributeValue $true

## Run this ONLY if you plan to add your domain to the HSTS Preload List: the preload
## directive must then be sent as part of the Strict-Transport-Security header.
## You must not send the preload directive if you have no plans to submit your domain
## to the HSTS Preload List.
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "preload" -AttributeValue $true

# Finally, run these commands to complete the configuration
Stop-IISCommitDelay
Remove-Module IISAdministration
```
IMPORTANT
We can’t redirect HTTP to HTTPS using the HSTS configuration, as this breaks connectivity for some scenarios, including the Exchange Management Shell (EMS). If you want to enable HTTP to HTTPS redirect, you must follow the steps outlined in Configure http to https redirection for Outlook on the web in Exchange Server. Here is the list of commands to do it from an Administrative Command Prompt (cmd.exe, not PowerShell: %windir% expansion and REM comments are cmd syntax). MAKE SURE YOU CHANGE THE <OWA DOMAIN URL> value in the redirect command to your OWA host name. The commands also assume that you are using the DEFAULT VIRTUAL DIRECTORIES in IIS for Exchange Server 2019.

```batch
REM Remove the Require SSL setting from the root of the default website, so that
REM plain HTTP requests to the root can reach IIS and be redirected
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site" -section:access -sslFlags:None -commit:APPHOST

REM Restore the Require SSL setting on the virtual directories in the default website
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/api" -section:Access -sslFlags:Ssl,Ssl128 -commit:APPHOST
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/aspnet_client" -section:Access -sslFlags:Ssl,Ssl128 -commit:APPHOST
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/autodiscover" -section:Access -sslFlags:Ssl,Ssl128 -commit:APPHOST
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/ecp" -section:Access -sslFlags:Ssl,Ssl128 -commit:APPHOST
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/ews" -section:Access -sslFlags:Ssl,Ssl128 -commit:APPHOST
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/mapi" -section:Access -sslFlags:Ssl,Ssl128 -commit:APPHOST
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/Microsoft-Server-Activesync" -section:Access -sslFlags:Ssl,Ssl128 -commit:APPHOST
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/OAB" -section:Access -sslFlags:Ssl,Ssl128 -commit:APPHOST
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/OWA" -section:Access -sslFlags:Ssl,Ssl128 -commit:APPHOST
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/PowerShell" -section:Access -sslFlags:Ssl,Ssl128 -commit:APPHOST
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/Rpc" -section:Access -sslFlags:Ssl,Ssl128 -commit:APPHOST

REM Configure the root of the default website to redirect to the /owa virtual directory
REM Replace <OWA DOMAIN URL> with your OWA host name, e.g. mail.server.com
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site" -section:httpredirect -enabled:true -destination:"https://<OWA DOMAIN URL>/owa" -childOnly:true

REM Remove HTTP redirection from all virtual directories in the default website
REM (the redirect is inherited from the root and would otherwise break EMS and the other protocols)
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/api" -section:httpredirect -enabled:false -destination:"" -childOnly:false
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/aspnet_client" -section:httpredirect -enabled:false -destination:"" -childOnly:false
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/autodiscover" -section:httpredirect -enabled:false -destination:"" -childOnly:false
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/ecp" -section:httpredirect -enabled:false -destination:"" -childOnly:false
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/ews" -section:httpredirect -enabled:false -destination:"" -childOnly:false
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/mapi" -section:httpredirect -enabled:false -destination:"" -childOnly:false
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/Microsoft-Server-Activesync" -section:httpredirect -enabled:false -destination:"" -childOnly:false
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/OAB" -section:httpredirect -enabled:false -destination:"" -childOnly:false
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/OWA" -section:httpredirect -enabled:false -destination:"" -childOnly:false
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/PowerShell" -section:httpredirect -enabled:false -destination:"" -childOnly:false
%windir%\system32\inetsrv\appcmd.exe set config "Default Web Site/Rpc" -section:httpredirect -enabled:false -destination:"" -childOnly:false

REM Restart IIS
net stop w3svc /y
net start w3svc
```
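Once both blocks have been applied, the following PowerShell script, added here as an example and not part of the original post or of Microsoft's documentation, probes the server from a client the way a browser would rather than reading the IIS configuration back. It checks that the Strict-Transport-Security header is sent over HTTPS (browsers ignore it over HTTP) and parses its directives as RFC 6797 defines them, warns when max-age is still at the 300-second rollout value or preload is sent without the preload list's requirements, and checks that plain HTTP to the site root redirects to /owa while the virtual directories (including /PowerShell, which EMS depends on) do not. The host name mail.contoso.com is a placeholder; the script assumes the default virtual directory names, a certificate the client trusts, and Windows PowerShell 5.1 or later, so it can run from a workstation as well as from the server.

```powershell
# Added verification script (not part of the original post or Microsoft's docs).
# Assumed: $Server is your OWA host name, its certificate is trusted by this
# client, and the default virtual directory names are in use.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-HttpProbe {
    param([Parameter(Mandatory)][string]$Url)
    # HttpWebRequest with AllowAutoRedirect off returns a 301/302 as a normal
    # response, so the Location header can be inspected instead of followed.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx answers (e.g. 403.4 from Require SSL) still carry headers
        if (-not $_.Exception.Response) { throw }
        $resp = $_.Exception.Response
    }
    $status = [int]$resp.StatusCode
    $headers = @{}
    foreach ($name in $resp.Headers.AllKeys) { $headers[$name] = $resp.Headers[$name] }
    $resp.Close()
    [pscustomobject]@{ Url = $Url; StatusCode = $status; Headers = $headers }
}

function ConvertFrom-StsHeader {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 6797: directives are separated by ';', names are case-insensitive,
    # max-age is mandatory and unrecognised directives are ignored.
    $policy = @{ MaxAge = $null; IncludeSubDomains = $false; Preload = $false }
    foreach ($directive in ($Value -split ';')) {
        $d = $directive.Trim()
        if ($d -match '^max-age\s*=\s*"?(\d+)"?$') { $policy.MaxAge = [long]$Matches[1] }
        elseif ($d -eq 'includeSubDomains') { $policy.IncludeSubDomains = $true }
        elseif ($d -eq 'preload') { $policy.Preload = $true }
    }
    [pscustomobject]$policy
}

function Test-ExchangeHsts {
    param([Parameter(Mandatory)][string]$Server)
    $findings = New-Object System.Collections.Generic.List[string]
    $oneYear = 31536000

    # 1. The policy only counts when the header arrives over HTTPS.
    $https = Get-HttpProbe -Url "https://$Server/owa/"
    $sts = $https.Headers['Strict-Transport-Security']
    if (-not $sts) {
        $findings.Add("FAIL: no Strict-Transport-Security header on https://$Server/owa/")
    } else {
        $p = ConvertFrom-StsHeader -Value $sts
        if ($null -eq $p.MaxAge) {
            $findings.Add("FAIL: STS header has no max-age directive: '$sts'")
        } elseif ($p.MaxAge -lt $oneYear) {
            $findings.Add("WARN: max-age=$($p.MaxAge) is below one year; fine while rolling out, too low for preload")
        }
        if ($p.Preload -and -not ($p.IncludeSubDomains -and $p.MaxAge -ge $oneYear)) {
            $findings.Add("FAIL: preload is sent, but the preload list requires includeSubDomains and max-age >= $oneYear")
        }
    }

    # 2. Plain HTTP to the site root should redirect to https://<server>/owa.
    $http = Get-HttpProbe -Url "http://$Server/"
    $loc = $http.Headers['Location']
    if (($http.StatusCode -notin 301, 302, 307, 308) -or ($loc -notmatch "^https://$([regex]::Escape($Server))/owa")) {
        $findings.Add("WARN: http://$Server/ answered $($http.StatusCode) Location='$loc' (expected a redirect to https://$Server/owa)")
    }

    # 3. The virtual directories must not redirect; a redirect on /PowerShell breaks EMS.
    foreach ($vdir in 'PowerShell', 'ews', 'mapi', 'Microsoft-Server-ActiveSync', 'autodiscover') {
        $r = Get-HttpProbe -Url "http://$Server/$vdir/"
        if ($r.StatusCode -in 301, 302, 307, 308) {
            $findings.Add("FAIL: http://$Server/$vdir/ redirects ($($r.StatusCode)); httpredirect must be disabled on this virtual directory")
        }
    }

    if ($findings.Count -eq 0) { $findings.Add("PASS: HSTS header and HTTP redirect layout are as expected") }
    return $findings
}

# Placeholder host name; replace with your OWA URL.
Test-ExchangeHsts -Server 'mail.contoso.com'
```

A 403 on the virtual directories over HTTP is the expected answer once Require SSL is back in place; only a 30x there is a problem. Run the script again after you raise max-age from the 300-second rollout value so the WARN line disappears.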
Hopefully, this will help further lock down your Exchange 2019 servers until V-Next comes out next year!
KEEP LEARNING / KEEP GROWING
References:
Configure HTTP Strict Transport Security (HSTS) in Exchange Server | Microsoft Learn
Configure http to https redirection for Outlook on the web in Exchange Server | Microsoft Learn
About Lance Lingerfelt
Lance Lingerfelt is an M365 Specialist and Evangelist with over 20 years of experience in the Information Technology field. Having worked in enterprise environments to small businesses, he is able to adapt and provide the best IT Training and Consultation possible. With a focus on AI, the M365 Stack, and Healthcare, he continues to give back to the community with training, public speaking events, and this blog.