Microsoft announced today that Exchange Server 2016 and 2019 now come with support for HTTP Strict Transport Security (also known as HSTS).
HSTS is a web server response header (Strict-Transport-Security) that tells browsers to connect to a site (such as OWA or ECP on Exchange Server) only over HTTPS, shielding it from man-in-the-middle (MitM) attacks that rely on protocol downgrades and from the cookie hijacking that follows when a session cookie is sent over plain HTTP.
It also ensures that users cannot click through expired, invalid, or untrusted certificate warnings, which might indicate that they are connecting over a compromised channel.
Once a browser has received the policy, it upgrades plain HTTP requests to that host to HTTPS on its own, treats any policy violation as a man-in-the-middle attack, and terminates the connection.
“HSTS doesn’t just add protection against common attack scenarios, it also helps remove the need for the common (and now insecure) practice of redirecting users from an HTTP URL to an HTTPS URL,” Microsoft explains.
“HSTS can also be used to address active and passive network attacks. However, HSTS doesn’t address malware, phishing, or browser vulnerabilities.”
How to configure Exchange HSTS support
Microsoft provides detailed information on configuring HSTS on Exchange Server 2016 and 2019 via PowerShell or the Internet Information Services (IIS) Manager on its documentation website.
Admins can also disable Exchange Server HSTS support by rolling back the configuration for each server.
“Please read the documentation carefully as some of the settings that are provided by the default IIS HSTS implementation (for example, HTTP to HTTPS redirect) must be configured in a different way as they could otherwise break connectivity to Exchange Server,” the Exchange Team said today.
“Exchange HealthChecker will receive an update soon that will help you to find out if the HSTS configuration on your Exchange Server is as expected.”
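The following PowerShell is an added example of the enable, verify and roll-back steps described above; it is not Microsoft's documented procedure, and the official documentation remains the supported source. It assumes Windows Server 2019 or later, whose IIS 10 build has the native hsts site element (on Windows Server 2016 the header has to be added as a custom response header instead), a client-facing site named 'Default Web Site', and an OWA URL of https://mail.contoso.com/owa/; all three are assumptions to replace with your own values.

```powershell
# Added example (not Microsoft's documented procedure): enable, check and roll back
# HSTS on the client-facing IIS site of an Exchange Server using the native IIS
# <hsts> element. Assumptions: site name 'Default Web Site', OWA reachable at
# https://mail.contoso.com/owa/, IIS 10 on Windows Server 2019 or later.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'                 # assumption
$OwaUrl     = 'https://mail.contoso.com/owa/'    # assumption
$HstsFilter = "system.applicationHost/sites/site[@name='$SiteName']/hsts"
$AppHost    = 'MACHINE/WEBROOT/APPHOST'

function Enable-ExchangeHsts {
    param(
        # Pilot with a short max-age (5 minutes); raise it to a year (31536000) only
        # once every client reaches OWA/ECP over HTTPS cleanly, because browsers
        # cache the policy and a bad one cannot be revoked from the server side.
        [int]$MaxAge = 300
    )
    Set-WebConfigurationProperty -PSPath $AppHost -Filter $HstsFilter -Name 'enabled' -Value $true
    Set-WebConfigurationProperty -PSPath $AppHost -Filter $HstsFilter -Name 'max-age' -Value $MaxAge
    # Leave both of these off. includeSubDomains would bind every host under the
    # domain to HTTPS, and the IIS-level HTTP-to-HTTPS redirect is the setting the
    # Exchange Team warns must be configured differently or it breaks connectivity.
    Set-WebConfigurationProperty -PSPath $AppHost -Filter $HstsFilter -Name 'includeSubDomains' -Value $false
    Set-WebConfigurationProperty -PSPath $AppHost -Filter $HstsFilter -Name 'redirectHttpToHttps' -Value $false
}

function Disable-ExchangeHsts {
    # Roll back on this server. Clients that already cached the policy keep
    # enforcing it until the max-age they were last sent expires.
    Set-WebConfigurationProperty -PSPath $AppHost -Filter $HstsFilter -Name 'enabled' -Value $false
}

function Test-ExchangeHsts {
    param([string]$Url = $OwaUrl)
    # An anonymous OWA request is redirected to the logon page on the same site;
    # Invoke-WebRequest follows it, so the final response should carry the header.
    $response = Invoke-WebRequest -Uri $Url -UseBasicParsing
    $header   = @($response.Headers['Strict-Transport-Security']) -join ' '
    if (-not $header) {
        Write-Warning "No Strict-Transport-Security header returned by $Url"
        return $false
    }
    if ($header -match 'max-age=(\d+)') {
        $maxAge = [int]$Matches[1]
        Write-Host "HSTS header present: $header (max-age = $maxAge s)"
        return ($maxAge -gt 0)
    }
    Write-Warning "Unexpected Strict-Transport-Security value: $header"
    return $false
}

# Usage: pilot with the short max-age, confirm clients are unaffected, then raise it.
Enable-ExchangeHsts -MaxAge 300
Test-ExchangeHsts
# Enable-ExchangeHsts -MaxAge 31536000   # once the pilot is clean
# Disable-ExchangeHsts                   # rollback for this server
```

Run Test-ExchangeHsts from a machine outside the server itself so the check goes through the same load balancer or reverse proxy that real clients use; a device in front of Exchange that strips or rewrites response headers will make the server-side configuration look correct while browsers never receive the policy.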
This week, Redmond announced that Windows Extended Protection will be enabled by default on Exchange Server 2019 starting this fall.
The security feature will be toggled on after installing the 2023 H2 Cumulative Update (also known as CU14) and will also protect from authentication relay or MitM attacks.
Microsoft also urged admins in January to continuously update their on-premises Exchange servers by installing the latest supported Cumulative Updates (CU) to always be ready for emergency security patches.