How do you enable HSTS in IIS on Server 2016 version 1607?

  • Question

  • User-1591348768 posted

    PCI scanning reported the vulnerability, "HSTS Missing From HTTPS Server".

    This blog addresses the problem but specifically states that native HSTS support only became available in Server 2016 version 1709 so it does not apply to my server:  https://blog.ollischer.com/microsoft-exchange-2016-and-iis-8-5-enable-http-strict-transport-security-hsts

    How do I eliminate this vulnerability from Server 2016 build 1607?

    Note that it is a production Exchange server at a small business so removing 1607 and rebuilding with 1709 is not an option.

    Thank you in advance!

    Friday, November 6, 2020 1:15 AM

Answers

  • User-848649084 posted

    Hi,

    try to add the below code in your web.config file:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <rewrite>
          <rules>
            <rule name="HTTP to HTTPS redirect" stopProcessing="true">
              <match url="(.*)" />
              <conditions>
                <add input="{HTTPS}" pattern="off" ignoreCase="true" />
              </conditions>
              <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
            </rule>
          </rules>
          <outboundRules>
            <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
              <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
              <conditions>
                <add input="{HTTPS}" pattern="on" ignoreCase="true" />
              </conditions>
              <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
            </rule>
          </outboundRules>
        </rewrite>
      </system.webServer>
    </configuration>
    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Monday, November 9, 2020 8:15 AM
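To confirm that the outbound rule above really makes IIS emit the header (the check User690216013 suggests doing in browser developer tools), here is an added Python example that is not from the thread. It assumes only the host name you pass in, and it treats the 31536000 seconds used by the rule as the minimum acceptable max-age.

```python
import re
import ssl
from http.client import HTTPSConnection

MIN_MAX_AGE = 31536000  # one year, the max-age the outbound rule in the answer sets


def parse_hsts(value):
    """Parse an HSTS header value into {directive: int | True}; ValueError if malformed."""
    directives = {}
    for part in value.split(";"):
        name, _, raw = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue  # tolerate a trailing ';'
        if name == "max-age":
            raw = raw.strip().strip('"')
            if not re.fullmatch(r"\d+", raw):
                raise ValueError("max-age must be a non-negative integer: %r" % raw)
            directives[name] = int(raw)
        else:
            directives[name] = True  # includeSubDomains / preload carry no value
    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    return directives


def evaluate_hsts(header_value, min_max_age=MIN_MAX_AGE):
    """Return (ok, notes): ok is True when max-age is present and at least min_max_age."""
    if header_value is None:
        return False, ["Strict-Transport-Security header missing"]
    try:
        d = parse_hsts(header_value)
    except ValueError as exc:
        return False, [str(exc)]
    notes = []
    if d["max-age"] < min_max_age:
        notes.append("max-age %d is below %d" % (d["max-age"], min_max_age))
    if "includesubdomains" not in d:
        notes.append("includeSubDomains not set (scanners often expect it)")
    return d["max-age"] >= min_max_age, notes


def fetch_hsts_header(host, path="/", timeout=10):
    """Request only the response headers over HTTPS and return the HSTS value, or None."""
    conn = HTTPSConnection(host, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("HEAD", path)  # redirects carry the header too when {HTTPS} is on
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()
```

Run `evaluate_hsts(fetch_hsts_header("mail.example.com"))` against your own host name; a `(False, [...])` result lists exactly what a scanner would object to.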

All replies

  • User690216013 posted

    That blog post clearly also showed how to use a custom response header for older IIS releases.

    Friday, November 6, 2020 3:31 AM
  • User-1591348768 posted

    You clearly did not understand my post but I do appreciate your effort.

    Edit: Sorry, that was a bit harsh.  PCI scanning is a continuing source of frustration for me and I do appreciate your attention to my post.  Please let me know if you know how to enable HSTS in IIS on Server 2016 version 1607.  I tried the blog's recommendation for 8.5, which you called "older versions", but it did not work.

    Friday, November 6, 2020 8:17 AM
  • User690216013 posted

    JaxPlanet

    but it did not work.

    Try not to float on the surface.

    What did not work? After adding the custom response header, use developer tools of your web browser to confirm that IIS does send the right header. That tells "work or not".

    Friday, November 6, 2020 6:51 PM
  • User-1591348768 posted

    As stated above, I tried 8.5 and PCI scanning as well as the test in the blog I said I followed indicated it did not work.

    Try not to float on the surface of my posts ;)

    Friday, November 6, 2020 11:15 PM
  • User690216013 posted

    PCI scanning can be wrong itself. There have been broken tools in that category for a very long time.

    As long as IIS returns the header after your changes, HSTS is on. You can run SSL Labs scan as reference, https://www.ssllabs.com/ssltest/index.html

    Friday, November 6, 2020 11:26 PM
  • User-1591348768 posted

    That is exactly why I said I used PCI scanning and that website to test.  I deal with false positives all the time.

    Unfortunately, that has nothing to do with figuring out how to make the change, which is why I am here.

    Saturday, November 7, 2020 12:36 AM
  • User690216013 posted

    Then post both the applicationHost.config and web.config for that site.

    Nothing can be simpler than showing us how you followed that blog post, or simply wrong changes were made.

    Saturday, November 7, 2020 12:51 AM
  • User-1591348768 posted

    I am not familiar with the indentation protocol but, ignoring that, is this correct?:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <location inheritInChildApplications="false">
        <system.webServer>
          <httpProtocol>
            <customHeaders>
              <add name="Strict-Transport-Security" value="max-age=31536000"/>
            </customHeaders>
          </httpProtocol>
          <serverRuntime appConcurrentRequestLimit="65535" uploadReadAheadSize="0" />
          <modules>
            <!-- Standard set of module removes for reducing per-request memory footprint and to reduce native/managed context switches -->
            <remove name="CustomErrorModule" />
            <remove name="DefaultAuthentication" />
            <remove name="DirectoryListingModule" />
            <remove name="DynamicCompressionModule" />
            <remove name="FileAuthorization" />
            <remove name="FormsAuthentication" />
            <remove name="HttpCacheModule" />
            <remove name="OutputCache" />
            <remove name="Profile" />
            <remove name="ProtocolSupportModule" />
            <remove name="RequestFilteringModule" />
            <remove name="RoleManager" />
            <remove name="ScriptModule-4.0" />
            <remove name="ServiceModel" />
            <remove name="ServiceModel-4.0" />
            <remove name="Session" />
            <remove name="StaticCompressionModule" />
            <remove name="UrlAuthorization" />
            <remove name="UrlMappingsModule" />
            <remove name="UrlRoutingModule-4.0" />

            <!-- Keep the HostHeaderValidationModule first - it prevents excessive and unnecessary Watsons that result from bogus host headers -->
            <add name="HostHeaderValidationModule" type="Microsoft.Exchange.HttpUtilities.HostHeaderValidationModule, Microsoft.Exchange.HttpUtilities, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
            <add name="OwaJavascriptRedirectModule" type="Microsoft.Exchange.HttpRedirect.OwaJavascriptRedirectModule, Microsoft.Exchange.HttpRedirectModules, Version=15.0.0.0,Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
          </modules>
          <!-- URL Rewrite rules are a system.webServer section, so they go here, not directly under location -->
          <rewrite>
            <rules>
              <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                <match url="(.*)" />
                <conditions>
                  <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                </conditions>
                <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
              </rule>
            </rules>
            <outboundRules>
              <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                <conditions>
                  <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                </conditions>
                <action type="Rewrite" value="max-age=31536000" />
              </rule>
            </outboundRules>
          </rewrite>
        </system.webServer>
        <system.web>
          <machineKey validationKey="AutoGenerate,IsolateApps" />
          <compilation defaultLanguage="c#" debug="false">
            <assemblies>
              <add assembly="Microsoft.Exchange.HttpRedirectModules, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
            </assemblies>
          </compilation>
        </system.web>
      </location>
      <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
        <linkedConfiguration href="file://E:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\SharedWebConfig.config"/>
      </assemblyBinding>
    </configuration>

    Friday, November 13, 2020 1:25 AM
  • User-848649084 posted

    Hi,

    We are adding the Strict-Transport-Security header by using the outbound rule, so there is no need to add it by using a custom header. You could remove it.

    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000"/>
      </customHeaders>
    </httpProtocol>

    Friday, November 13, 2020 1:31 AM
  • User-1591348768 posted

    Does it look right now?:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <location inheritInChildApplications="false">
        <system.webServer>
          <serverRuntime appConcurrentRequestLimit="65535" uploadReadAheadSize="0" />
          <modules>
            <!-- Standard set of module removes for reducing per-request memory footprint and to reduce native/managed context switches -->
            <remove name="CustomErrorModule" />
            <remove name="DefaultAuthentication" />
            <remove name="DirectoryListingModule" />
            <remove name="DynamicCompressionModule" />
            <remove name="FileAuthorization" />
            <remove name="FormsAuthentication" />
            <remove name="HttpCacheModule" />
            <remove name="OutputCache" />
            <remove name="Profile" />
            <remove name="ProtocolSupportModule" />
            <remove name="RequestFilteringModule" />
            <remove name="RoleManager" />
            <remove name="ScriptModule-4.0" />
            <remove name="ServiceModel" />
            <remove name="ServiceModel-4.0" />
            <remove name="Session" />
            <remove name="StaticCompressionModule" />
            <remove name="UrlAuthorization" />
            <remove name="UrlMappingsModule" />
            <remove name="UrlRoutingModule-4.0" />

            <!-- Keep the HostHeaderValidationModule first - it prevents excessive and unnecessary Watsons that result from bogus host headers -->
            <add name="HostHeaderValidationModule" type="Microsoft.Exchange.HttpUtilities.HostHeaderValidationModule, Microsoft.Exchange.HttpUtilities, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
            <add name="OwaJavascriptRedirectModule" type="Microsoft.Exchange.HttpRedirect.OwaJavascriptRedirectModule, Microsoft.Exchange.HttpRedirectModules, Version=15.0.0.0,Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
          </modules>
          <!-- URL Rewrite rules are a system.webServer section, so they go here, not directly under location -->
          <rewrite>
            <rules>
              <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                <match url="(.*)" />
                <conditions>
                  <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                </conditions>
                <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
              </rule>
            </rules>
            <outboundRules>
              <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                <conditions>
                  <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                </conditions>
                <action type="Rewrite" value="max-age=31536000" />
              </rule>
            </outboundRules>
          </rewrite>
        </system.webServer>
        <system.web>
          <machineKey validationKey="AutoGenerate,IsolateApps" />
          <compilation defaultLanguage="c#" debug="false">
            <assemblies>
              <add assembly="Microsoft.Exchange.HttpRedirectModules, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
            </assemblies>
          </compilation>
        </system.web>
      </location>
      <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
        <linkedConfiguration href="file://E:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\SharedWebConfig.config"/>
      </assemblyBinding>
    </configuration>

    Friday, November 13, 2020 1:19 PM
  • User-848649084 posted

    It looks ok. Did you face any issue with this configuration?

    Wednesday, November 18, 2020 9:56 AM
  • User-1591348768 posted

    It worked and I don't see any side effects.

    Thank you!

    Wednesday, November 18, 2020 4:33 PM