Forum Discussion
HTTP Response Headers Hardening for Exchange 2019 on Windows Server 2022
1. Key security header configuration
Response headers that must be added:
```powershell
# Set via IIS Manager or PowerShell (WebAdministration module).
# customHeaders is a collection, so entries are added with -Name "." and a name/value pair.
Import-Module WebAdministration
$site = "IIS:\Sites\Default Web Site"
Add-WebConfigurationProperty -Filter "/system.webServer/httpProtocol/customHeaders" -PSPath $site -Name "." -Value @{name='X-Content-Type-Options'; value='nosniff'}
Add-WebConfigurationProperty -Filter "/system.webServer/httpProtocol/customHeaders" -PSPath $site -Name "." -Value @{name='X-Frame-Options'; value='SAMEORIGIN'}
Add-WebConfigurationProperty -Filter "/system.webServer/httpProtocol/customHeaders" -PSPath $site -Name "." -Value @{name='Strict-Transport-Security'; value='max-age=31536000; includeSubDomains'}
```
2. Tuning of specific Exchange components
OWA/ECP hardening:
```powershell
# Add CSP header for the OWA virtual directory.
# 'unsafe-inline' and 'unsafe-eval' weaken the policy; verify OWA still works before tightening them.
Add-WebConfigurationProperty -Filter "/system.webServer/httpProtocol/customHeaders" -PSPath "IIS:\Sites\Default Web Site\owa" -Name "." -Value @{name='Content-Security-Policy'; value="default-src 'self' https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' https:"}
```
3. Server-level hardening
Disable unnecessary information exposure:
```powershell
# Remove Server header. IIS 10 (Windows Server 2016 and later) has a native switch for this,
# used here instead of a URL Rewrite outbound rule.
Set-WebConfigurationProperty -Filter "/system.webServer/security/requestFiltering" -PSPath "IIS:\" -Name "removeServerHeader" -Value $true
# Drop the default X-Powered-By header as well
Remove-WebConfigurationProperty -Filter "/system.webServer/httpProtocol/customHeaders" -PSPath "IIS:\" -Name "." -AtElement @{name='X-Powered-By'}
```
4. Automated Deployment Scripts
Complete hardening script:
```powershell
Import-Module WebAdministration
$headers = @{
    "X-Content-Type-Options"    = "nosniff"
    "X-Frame-Options"           = "SAMEORIGIN"
    "Strict-Transport-Security" = "max-age=31536000; includeSubDomains"
    "Referrer-Policy"           = "strict-origin-when-cross-origin"
}
foreach ($site in (Get-Website)) {
    $path = "IIS:\Sites\$($site.Name)"
    foreach ($header in $headers.GetEnumerator()) {
        # Remove any existing entry first so the script can be re-run without duplicate-key errors
        Remove-WebConfigurationProperty -Filter "/system.webServer/httpProtocol/customHeaders" -PSPath $path -Name "." -AtElement @{name=$header.Key} -ErrorAction SilentlyContinue
        Add-WebConfigurationProperty -Filter "/system.webServer/httpProtocol/customHeaders" -PSPath $path -Name "." -Value @{name=$header.Key; value=$header.Value}
    }
}
```
5. Validation and Testing
Checking tools:
Validate with curl:
```bash
curl -I https://your-exchange-server.com/owa
```
Online scanning:
SecurityHeaders.com
Mozilla Observatory
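As an added example (not from the original post), a PowerShell check that compares a response header set against the baseline from sections 1 and 4 and reports what is missing, mismatched, weak or exposed. The host name is the same placeholder used above, and the offline sample header set is constructed.

```powershell
# Added example, not part of the original post. Host name below is a placeholder.
function Test-HardeningHeaders {
    param(
        # Response headers: a hashtable or the .Headers dictionary from Invoke-WebRequest
        [Parameter(Mandatory)] $Headers,
        [hashtable] $Expected = @{
            "X-Content-Type-Options"    = "nosniff"
            "X-Frame-Options"           = "SAMEORIGIN"
            "Strict-Transport-Security" = "max-age=31536000; includeSubDomains"
            "Referrer-Policy"           = "strict-origin-when-cross-origin"
        }
    )
    # Normalise to a case-insensitive hashtable of strings (PowerShell 7 returns string[] values)
    $h = @{}
    foreach ($k in $Headers.Keys) { $h[$k] = ($Headers[$k] -join ", ") }

    $findings = @()
    foreach ($name in $Expected.Keys) {
        if (-not $h.ContainsKey($name)) {
            $findings += "MISSING  $name"
        } elseif ($h[$name] -ne $Expected[$name]) {
            $findings += "MISMATCH $name is '$($h[$name])', expected '$($Expected[$name])'"
        }
    }
    # HSTS with a max-age under one year gives little protection; flag it separately
    if ($h["Strict-Transport-Security"] -match 'max-age=(\d+)' -and [int64]$Matches[1] -lt 31536000) {
        $findings += "WEAK     Strict-Transport-Security max-age is only $($Matches[1]) seconds"
    }
    # Headers that disclose platform details and should be absent after hardening
    foreach ($leak in "Server", "X-Powered-By", "X-AspNet-Version") {
        if ($h.ContainsKey($leak)) { $findings += "EXPOSED  $leak = '$($h[$leak])'" }
    }
    return $findings
}

# Live check (placeholder host; the OWA logon redirect is fine for header inspection):
# $r = Invoke-WebRequest -Uri "https://your-exchange-server.com/owa" -UseBasicParsing
# Test-HardeningHeaders -Headers $r.Headers

# Offline run on a constructed header set: one good, one weak, two missing, one exposed
$sample = @{
    "X-Content-Type-Options"    = "nosniff"
    "Strict-Transport-Security" = "max-age=300"
    "Server"                    = "Microsoft-IIS/10.0"
}
Test-HardeningHeaders -Headers $sample
```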
6. Rollback Procedure
Emergency recovery:
```powershell
# Remove all custom headers from the site
Clear-WebConfiguration -Filter "/system.webServer/httpProtocol/customHeaders" -PSPath "IIS:\Sites\Default Web Site"
# The CSP header was set on the owa virtual directory, so clear that path separately
Clear-WebConfiguration -Filter "/system.webServer/httpProtocol/customHeaders" -PSPath "IIS:\Sites\Default Web Site\owa"
```
Best Practice:
Verify in a test environment first
Backup IIS configuration before modification (%windir%\system32\inetsrv\config\applicationHost.config)
blushta (MCT), Mar 29, 2025:
Dear Davis,
Thank you for the PowerShell script; however, it seems that that script has a syntax error, which is taking time to correct. I have created these response headers manually.
Thank you
b.l