Forum Discussion
How to prevent Malicious HTTP Redirections on an Exchange server
Hello All!
I am attempting to assist a customer who is trying to pass PCI scans. By default, their IP address redirects any HTTPS (443) requests to the Exchange server's OWA. This is fine, except the scan states that the server fails on a couple of vulnerabilities, one of them being "Redirection via Arbitrary Host Header Manipulation".
As a solution, they recommended whitelisting domains, i.e. only allowing permitted domains to be included in the Host header. I (for the life of me) cannot figure out how to get this to work on a server whose default website is the Exchange OWA. Every time I try to implement a rule in IIS (see: https://techcommunity.microsoft.com/t5/iis-support-blog/host-header-vulnerability/ba-p/1031958) that would redirect any requests that don't match the supplied string to the desired domain name, the page won't load and I get "ERR_TOO_MANY_REDIRECTS", presumably because of Exchange's automatic OWA redirection.
Is there a way I can prevent malicious HTTP redirections without breaking OWA?
To clarify: there are two domain names on our DNS that lead to the IP address of the Exchange server: mail.domain.com and vpn.otherdomain.com, obviously one is meant for mail and the other one is meant for vpn access over port 8443. The main domain (domain.com) leads to a completely different IP address that hosts their public website. I would like to change the IIS settings on the Exchange server so that mail.domain.com is the only domain allowed to be requested through an HTTP request.
2 Replies
- davs1300 (Copper Contributor)
I found the certificate. I don't have the key; it was issued by Microsoft Build. Things got shuffled around, never installed it in the portal. I am having a hard time with a disk again. The cmd line check device is prompting me to format it, OS on it? The other device had a USB 250 GB, needed it, prompted me and said it does not exist, then said dysfunctional. Took it to another device, formatted it, took it back, it's write protected. Took it back to the other device, cmd prompt privileges were suspended? Think in group policy? I doubt it is. I would password protect, not write protect with no password? I have to partition another disk, install an instance on it, a spare, interchangeable. I know protocol is not to partition a disk with the OS on it, but this is confusing.
- jcount437 (Copper Contributor)
For anyone looking for an answer, here it is. I went to "Bindings" on the Default Web Site, selected my HTTPS (443) binding, and set the hostname to "https://mail.domain.com/" and enabled "Require Server Name Indication". Now when I try to use "https://vpn.domain.com/" on port 443, I get a 404 error, which is exactly what I need to pass the scan. Problem solved, no need to mess with URL Rewrite.
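The binding change described in the accepted reply, scripted with the WebAdministration module as an added example (this is not code from the thread or from Microsoft). It runs in an elevated PowerShell on the Exchange server. The site name, the allowed host names and the certificate subject are assumptions; IIS takes the bare DNS name in the host-name field, which is what the script sets. It also removes the host-header-less catch-all HTTPS binding, since that binding is what answers for arbitrary Host values, and then lists what is left so you can confirm sslFlags is 1 (Require SNI) on every 443 binding.

```powershell
# Added example, not from the original post. Restrict the Default Web Site's
# HTTPS (443) binding to fixed host names with SNI required, so a request with
# any other Host header no longer reaches OWA. Run elevated on the Exchange server.
Import-Module WebAdministration

$SiteName     = 'Default Web Site'
# Assumption: every name clients use on 443 for this site (OWA, Autodiscover, EWS, ...)
# must be listed here; anything not listed will stop being served on 443.
$AllowedHosts = @('mail.domain.com')
$CertSubject  = 'CN=mail.domain.com'   # assumption: the Exchange cert is chosen by subject

# Pick the newest certificate with a private key matching the subject
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$CertSubject*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matching '$CertSubject' in LocalMachine\My" }

# 1. For each allowed name, add an HTTPS binding keyed by host header with
#    SslFlags=1 (Require Server Name Indication) and attach the certificate.
foreach ($h in $AllowedHosts) {
    $existing = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $h
    if (-not $existing) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' `
                       -HostHeader $h -SslFlags 1
    }
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $h
    # SNI bindings are keyed by host name, so the cert is bound per host header
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# 2. Remove the catch-all HTTPS binding ('*:443:' has no host header), which is
#    the binding that served OWA for any Host value the scanner sent.
$catchAll = Get-WebBinding -Name $SiteName -Protocol https |
    Where-Object { $_.bindingInformation -eq '*:443:' }
if ($catchAll) {
    Remove-WebBinding -Name $SiteName -BindingInformation '*:443:'
}

# 3. Verify: every remaining 443 binding should end in a host name and show sslFlags 1.
Get-WebBinding -Name $SiteName -Protocol https |
    Select-Object protocol, bindingInformation, sslFlags |
    Format-Table -AutoSize
```

Do this in a maintenance window and then test OWA, Outlook connectivity and Autodiscover from a client, because any client-facing name you did not list is no longer answered on 443. Leave the "Exchange Back End" site (port 444) alone; it has its own binding and certificate. To reproduce the scanner's probe from another machine, point a request at the server's IP with a different SNI/Host name (for example `curl -vk --resolve vpn.otherdomain.com:443:<server-ip> https://vpn.otherdomain.com/`): you should see either a TLS handshake failure or a 404, depending on whether any non-SNI fallback binding remains, and in neither case a redirect to OWA carrying the attacker-supplied host. Re-check the bindings after Exchange cumulative updates, since setup re-touches IIS configuration.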