How do you enable HSTS in IIS on Server 2016 version 1607? [Answered]

13 replies

Last post Nov 18, 2020 04:33 PM by JaxPlanet

  • How do you enable HSTS in IIS on Server 2016 version 1607?

    Nov 06, 2020 01:15 AM|JaxPlanet|LINK

    PCI scanning reported the vulnerability, "HSTS Missing From HTTPS Server".

    This blog addresses the problem but specifically states that native HSTS support only became available in Server 2016 version 1709 so it does not apply to my server:  https://blog.ollischer.com/microsoft-exchange-2016-and-iis-8-5-enable-http-strict-transport-security-hsts

    How do I eliminate this vulnerability from Server 2016 build 1607?

    Note that it is a production Exchange server at a small business so removing 1607 and rebuilding with 1709 is not an option.

    Thank you in advance!

  • Re: How do you enable HSTS in IIS on Server 2016 version 1607?

    Nov 06, 2020 03:31 AM|lextm|LINK

    That blog post clearly also showed how to use a custom response header for older IIS releases.

    Lex Li
    Affordable IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: How do you enable HSTS in IIS on Server 2016 version 1607?

    Nov 06, 2020 08:17 AM|JaxPlanet|LINK

    You clearly did not understand my post but I do appreciate your effort.

    Edit: Sorry, that was a bit harsh.  PCI scanning is a continuing source of frustration for me and I do appreciate your attention to my post.  Please let me know if you know how to enable HSTS in IIS on Server 2016 version 1607.  I tried the blog's recommendation for 8.5, which you called "older versions", but it did not work.

  • Re: How do you enable HSTS in IIS on Server 2016 version 1607?

    Nov 06, 2020 06:51 PM|lextm|LINK

    JaxPlanet wrote:

        but it did not work.

    Try not to float on the surface.

    What did not work? After adding the custom response header, use developer tools of your web browser to confirm that IIS does send the right header. That tells "work or not".

    Lex Li
    Affordable IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: How do you enable HSTS in IIS on Server 2016 version 1607?

    Nov 06, 2020 11:15 PM|JaxPlanet|LINK

    As stated above, I tried 8.5 and PCI scanning as well as the test in the blog I said I followed indicated it did not work.

    Try not to float on the surface of my posts ;)

  • Re: How do you enable HSTS in IIS on Server 2016 version 1607?

    Nov 06, 2020 11:26 PM|lextm|LINK

    PCI scanning can be wrong itself. There have been broken tools in that category for a very long time.

    As long as IIS returns the header after your changes, HSTS is on. You can run SSL Labs scan as reference, https://www.ssllabs.com/ssltest/index.html

    Lex Li
    Affordable IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
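    A header check along the lines lextm describes, as an added example that is not part of the thread: it parses a Strict-Transport-Security value and judges a response the way a scanner would (header present on HTTPS, sent once, usable max-age). The sample responses are constructed, the one-year threshold is an assumption taken from the max-age=31536000 value used in the thread's rules, and fetch_headers is a helper for running the same check against a live server once the config change is in.

```python
"""Check a Strict-Transport-Security header the way a scanner would.

Added example, not code from the thread.  Sample responses are constructed;
the one-year threshold is an assumption based on the max-age=31536000 the
thread's rewrite rules send.
"""
import http.client
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; assumed threshold, same value as the thread's rule


def parse_hsts(value):
    """Parse an HSTS header value into its directives (RFC 6797 syntax).

    Returns a dict with 'max_age' (int or None), 'include_subdomains' (bool)
    and 'preload' (bool).  Directive names are case-insensitive and the
    max-age argument may be quoted.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def evaluate_hsts(headers, scheme="https"):
    """Return (ok, reason) for a list of (name, value) response header pairs.

    Browsers ignore HSTS on plain HTTP, so a header there does not count;
    the header must appear exactly once and carry a non-zero, long enough max-age.
    """
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if scheme != "https":
        return False, "HSTS is only honoured on HTTPS responses; redirect HTTP first"
    if not values:
        return False, "Strict-Transport-Security header missing"
    if len(values) > 1:
        return False, "Strict-Transport-Security sent %d times; configure it in one place" % len(values)
    parsed = parse_hsts(values[0])
    if parsed["max_age"] is None:
        return False, "max-age directive missing or not numeric"
    if parsed["max_age"] == 0:
        return False, "max-age=0 tells browsers to forget the policy"
    if parsed["max_age"] < ONE_YEAR:
        return False, "max-age %d is below the assumed one-year threshold" % parsed["max_age"]
    return True, "HSTS enabled: max-age=%d, includeSubDomains=%s, preload=%s" % (
        parsed["max_age"], parsed["include_subdomains"], parsed["preload"])


def fetch_headers(url, timeout=10):
    """GET the URL over TLS and return (status, header pairs) for evaluate_hsts.

    Live helper for checking a real server; the offline samples below do not use it.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("use an https:// URL; HSTS is only sent over TLS")
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "missing": [("Content-Type", "text/html"), ("Server", "Microsoft-IIS/10.0")],
    "thread_rule": [("Strict-Transport-Security", "max-age=31536000"), ("Server", "Microsoft-IIS/10.0")],
    "full": [("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")],
    "short": [("Strict-Transport-Security", "max-age=300")],
    "doubled": [("Strict-Transport-Security", "max-age=31536000"),
                ("Strict-Transport-Security", "max-age=31536000")],
}


def run_samples():
    """Evaluate every constructed sample; returns name -> (ok, reason)."""
    return {name: evaluate_hsts(hdrs) for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print("%-12s %s  %s" % (name, "PASS" if ok else "FAIL", reason))
```

    To check the Exchange server itself, call evaluate_hsts on the header pairs returned by fetch_headers("https://your-host/owa/"), which is the same information the browser developer tools show under the response headers.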
  • Re: How do you enable HSTS in IIS on Server 2016 version 1607?

    Nov 07, 2020 12:36 AM|JaxPlanet|LINK

    That is exactly why I said I used PCI scanning and that website to test.  I deal with false positives all the time.

    Unfortunately, that has nothing to do with figuring out how to make the change, which is why I am here.

  • Re: How do you enable HSTS in IIS on Server 2016 version 1607?

    Nov 07, 2020 12:51 AM|lextm|LINK

    Then post both the applicationHost.config and web.config for that site.

    Nothing can be simpler than showing us how you followed that blog post, or simply wrong changes were made.

    Lex Li
    Affordable IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: How do you enable HSTS in IIS on Server 2016 version 1607?

    Nov 09, 2020 08:15 AM|Jalpa Panchal|LINK

    Hi,

    Try adding the code below to your web.config file:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <rewrite>
          <rules>
            <rule name="HTTP to HTTPS redirect" stopProcessing="true">
              <match url="(.*)" />
              <conditions>
                <add input="{HTTPS}" pattern="off" ignoreCase="true" />
              </conditions>
              <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
            </rule>
          </rules>
          <outboundRules>
            <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
              <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
              <conditions>
                <add input="{HTTPS}" pattern="on" ignoreCase="true" />
              </conditions>
              <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
            </rule>
          </outboundRules>
        </rewrite>
      </system.webServer>
    </configuration>
    .NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today.
  • Re: How do you enable HSTS in IIS on Server 2016 version 1607?

    Nov 13, 2020 01:25 AM|JaxPlanet|LINK

    I am not familiar with the indentation protocol but, ignoring that, is this correct?:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <location inheritInChildApplications="false">
        <system.webServer>
          <httpProtocol>
            <customHeaders>
              <add name="Strict-Transport-Security" value="max-age=31536000"/>
            </customHeaders>
          </httpProtocol>
          <serverRuntime appConcurrentRequestLimit="65535" uploadReadAheadSize="0" />
          <modules>
            <!-- Standard set of module removes for reducing per-request memory footprint and to reduce native/managed context switches -->
            <remove name="CustomErrorModule" />
            <remove name="DefaultAuthentication" />
            <remove name="DirectoryListingModule" />
            <remove name="DynamicCompressionModule" />
            <remove name="FileAuthorization" />
            <remove name="FormsAuthentication" />
            <remove name="HttpCacheModule" />
            <remove name="OutputCache" />
            <remove name="Profile" />
            <remove name="ProtocolSupportModule" />
            <remove name="RequestFilteringModule" />
            <remove name="RoleManager" />
            <remove name="ScriptModule-4.0" />
            <remove name="ServiceModel" />
            <remove name="ServiceModel-4.0" />
            <remove name="Session" />
            <remove name="StaticCompressionModule" />
            <remove name="UrlAuthorization" />
            <remove name="UrlMappingsModule" />
            <remove name="UrlRoutingModule-4.0" />

            <!-- Keep the HostHeaderValidationModule first - it prevents excessive and unnecessary Watsons that result from bogus host headers -->
            <add name="HostHeaderValidationModule" type="Microsoft.Exchange.HttpUtilities.HostHeaderValidationModule, Microsoft.Exchange.HttpUtilities, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
            <add name="OwaJavascriptRedirectModule" type="Microsoft.Exchange.HttpRedirect.OwaJavascriptRedirectModule, Microsoft.Exchange.HttpRedirectModules, Version=15.0.0.0,Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
          </modules>
          <!-- The rewrite section belongs inside system.webServer, where URL Rewrite declares it;
               placed directly under location it is not a recognised section and IIS rejects the config -->
          <rewrite>
            <rules>
              <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                <match url="(.*)" />
                <conditions>
                  <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                </conditions>
                <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
              </rule>
            </rules>
            <outboundRules>
              <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                <conditions>
                  <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                </conditions>
                <action type="Rewrite" value="max-age=31536000" />
              </rule>
            </outboundRules>
          </rewrite>
        </system.webServer>
        <system.web>
          <machineKey validationKey="AutoGenerate,IsolateApps" />
          <compilation defaultLanguage="c#" debug="false">
            <assemblies>
              <add assembly="Microsoft.Exchange.HttpRedirectModules, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
            </assemblies>
          </compilation>
        </system.web>
      </location>
      <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
        <linkedConfiguration href="file://E:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\SharedWebConfig.config"/>
      </assemblyBinding>
    </configuration>

  • Re: How do you enable HSTS in IIS on Server 2016 version 1607?

    Nov 13, 2020 01:31 AM|Jalpa Panchal|LINK

    Hi,

    We are adding the Strict-Transport-Security header by using the outbound rule, so there is no need to add it by using a custom header. You could remove it.

    JaxPlanet wrote:

        <httpProtocol>
          <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=31536000"/>
          </customHeaders>
        </httpProtocol>

  • Re: How do you enable HSTS in IIS on Server 2016 version 1607?

    Nov 13, 2020 01:19 PM|JaxPlanet|LINK

    Does it look right now?:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <location inheritInChildApplications="false">
        <system.webServer>
          <serverRuntime appConcurrentRequestLimit="65535" uploadReadAheadSize="0" />
          <modules>
            <!-- Standard set of module removes for reducing per-request memory footprint and to reduce native/managed context switches -->
            <remove name="CustomErrorModule" />
            <remove name="DefaultAuthentication" />
            <remove name="DirectoryListingModule" />
            <remove name="DynamicCompressionModule" />
            <remove name="FileAuthorization" />
            <remove name="FormsAuthentication" />
            <remove name="HttpCacheModule" />
            <remove name="OutputCache" />
            <remove name="Profile" />
            <remove name="ProtocolSupportModule" />
            <remove name="RequestFilteringModule" />
            <remove name="RoleManager" />
            <remove name="ScriptModule-4.0" />
            <remove name="ServiceModel" />
            <remove name="ServiceModel-4.0" />
            <remove name="Session" />
            <remove name="StaticCompressionModule" />
            <remove name="UrlAuthorization" />
            <remove name="UrlMappingsModule" />
            <remove name="UrlRoutingModule-4.0" />

            <!-- Keep the HostHeaderValidationModule first - it prevents excessive and unnecessary Watsons that result from bogus host headers -->
            <add name="HostHeaderValidationModule" type="Microsoft.Exchange.HttpUtilities.HostHeaderValidationModule, Microsoft.Exchange.HttpUtilities, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
            <add name="OwaJavascriptRedirectModule" type="Microsoft.Exchange.HttpRedirect.OwaJavascriptRedirectModule, Microsoft.Exchange.HttpRedirectModules, Version=15.0.0.0,Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
          </modules>
          <!-- The rewrite section belongs inside system.webServer, where URL Rewrite declares it;
               placed directly under location it is not a recognised section and IIS rejects the config -->
          <rewrite>
            <rules>
              <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                <match url="(.*)" />
                <conditions>
                  <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                </conditions>
                <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
              </rule>
            </rules>
            <outboundRules>
              <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                <conditions>
                  <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                </conditions>
                <action type="Rewrite" value="max-age=31536000" />
              </rule>
            </outboundRules>
          </rewrite>
        </system.webServer>
        <system.web>
          <machineKey validationKey="AutoGenerate,IsolateApps" />
          <compilation defaultLanguage="c#" debug="false">
            <assemblies>
              <add assembly="Microsoft.Exchange.HttpRedirectModules, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
            </assemblies>
          </compilation>
        </system.web>
      </location>
      <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
        <linkedConfiguration href="file://E:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\SharedWebConfig.config"/>
      </assemblyBinding>
    </configuration>

  • Re: How do you enable HSTS in IIS on Server 2016 version 1607?

    Nov 18, 2020 09:56 AM|Jalpa Panchal|LINK

    It looks OK. Did you face any issue with this configuration?

  • Re: How do you enable HSTS in IIS on Server 2016 version 1607?

    Nov 18, 2020 04:33 PM|JaxPlanet|LINK

    It worked and I don't see any side effects.

    Thank you!
