Exchange Team Blog

Announcing support for HSTS on Exchange Server 2016 and 2019

The_Exchange_Team
Platinum Contributor
Aug 29, 2023
As many customers asked for it, we’re happy to announce that Microsoft Exchange Server now officially supports HTTP Strict Transport Security, also known as HSTS.

What is HSTS and how can it help protect my users?

HSTS is a policy mechanism that helps to protect websites (OWA or ECP when it comes to Exchange Server) against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It is a widely supported standard that was defined in RFC 6797.

It allows web servers to declare that web browsers should only interact with them using HTTPS connections, which provide encryption and authentication. The browser is instructed to enforce HSTS when it receives the Strict-Transport-Security (STS) header over an HTTPS connection.

HSTS prevents users from bypassing invalid certificate warnings (for example, expired, invalid or not trusted certificates, name mismatches…), which could indicate a compromised connection.

If an attacker tries to perform a protocol downgrade attack or a man-in-the-middle attack, the browser will detect the violation of the HSTS policy and abort the connection.

How can I configure HSTS on my Exchange Server?

We’ve published the documentation that contains all the necessary steps to configure HSTS on Exchange Server 2016 and 2019. You can find it here.

Please read the documentation carefully as some of the settings that are provided by the default IIS HSTS implementation (for example, HTTP to HTTPS redirect) must be configured in a different way as they could otherwise break connectivity to Exchange Server.

The Exchange HealthChecker script has also been updated to check whether the HSTS configuration on your Exchange Server is as expected.
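As an added illustration (not code from the Exchange team and not the HealthChecker script), the following Python parses a Strict-Transport-Security header as RFC 6797 defines it and models whether a browser would enforce the policy for one response. The scheme, certificate state and header values it takes are constructed inputs, so it runs offline against whatever your OWA or ECP endpoint returns.

```python
import re
from typing import Dict, Optional

# RFC 6797 section 6.1 grammar: ";"-separated directive-name [ "=" token-or-quoted-string ]
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
DIRECTIVE_RE = re.compile(rf'^\s*({TOKEN})\s*(?:=\s*("(?:[^"\\]|\\.)*"|{TOKEN}))?\s*$')

def parse_sts(header: str) -> Optional[Dict[str, Optional[str]]]:
    """Return lowercase directive name -> value, or None when a browser would discard
    the header (repeated directive, max-age missing or not a non-negative integer)."""
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        if not part.strip():
            continue  # the grammar allows an empty directive, e.g. a trailing ";"
        m = DIRECTIVE_RE.match(part)
        if m is None:
            return None
        name, value = m.group(1).lower(), m.group(2)
        if value is not None and value.startswith('"'):
            value = value[1:-1]  # unwrap quoted-string
        if name in directives:
            return None  # RFC 6797: a directive may appear only once
        directives[name] = value
    if not (directives.get("max-age") or "").isdigit():
        return None
    return directives

def evaluate_hsts(scheme: str, tls_ok: bool, headers: Dict[str, str]) -> Dict[str, object]:
    """Model the browser's decision for one response (RFC 6797 section 8.1): the header
    counts only over HTTPS with no certificate errors, and max-age=0 forgets the policy."""
    report: Dict[str, object] = {"enforced": False, "max_age": None,
                                 "include_subdomains": False, "notes": []}
    values = [v for k, v in headers.items() if k.lower() == "strict-transport-security"]
    if not values:
        report["notes"].append("no Strict-Transport-Security header in the response")
        return report
    if scheme.lower() != "https" or not tls_ok:
        report["notes"].append("header ignored: not received over a clean HTTPS connection")
        return report
    parsed = parse_sts(values[0])  # a browser processes only the first STS field
    if parsed is None:
        report["notes"].append("malformed header: browsers ignore it")
        return report
    max_age = int(parsed["max-age"])
    report["max_age"], report["include_subdomains"] = max_age, "includesubdomains" in parsed
    if max_age == 0:
        report["notes"].append("max-age=0 tells the browser to forget the stored policy")
        return report
    report["enforced"] = True
    return report
```

Feed `evaluate_hsts` the scheme and response headers captured from your server; when `enforced` is False, the `notes` entry says why a browser would not apply the policy.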

Please let us know if you have any questions or feedback!

The Exchange Server Team

Updated Aug 31, 2023
Version 2.0


  • SamErde
    Iron Contributor

    Thanks for continuing to harden and improve Exchange Server! I hope more people find and start using the invaluable HealthChecker script. 

  • benoitdbag
    Copper Contributor

    Perfect, HealthChecker is detecting as below.

    In our case we will reduce the max-age to the recommended value 300.

    Nice article about this configuration:

    https://www.alitajran.com/hsts-exchange-server/

    But good that Microsoft is adding this now as it was highlighted during our last penetration test done by an external company.

  • benoitdbag the updated version of HealthChecker was released yesterday. It should detect your HSTS configuration. 

    jvanbeusekom yes, HSTS should not cause issues and work fine when using Modern Hybrid as this is just an additional header which will be interpreted by your web browser. 

  • benoitdbag
    Copper Contributor

    Hello,

    When will the new version of healthchecker.ps1 be available for the HSTS detection?

  • jvanbeusekom
    Brass Contributor

    Is HSTS supported when you have Modern Hybrid? Nino Bilic said in another blog (about Extended Protection) that the Hybrid Agent is by nature "man in the middle", and HSTS is a mechanism against that.