Microsoft has recently started officially supporting HSTS (HTTP Strict Transport Security) on Exchange Server. However, HSTS is not enabled by default and must be switched on by the administrator. But first a few words about HSTS and how it works.
What is HSTS and how does it work?
HTTP Strict Transport Security (HSTS) is a policy that tells the browser that a website may only be accessed via HTTPS. It is delivered as an HTTP response header (Strict-Transport-Security) whose directives carry the parameters. For example, when a user opens OWA on an Exchange server for the first time, the header instructs the browser to establish all further connections to this host (and, if includeSubDomains is set, to its subdomains) via HTTPS only. The header also carries a max-age value in seconds that specifies how long the browser must store and enforce the policy. The browser only accepts the header when it arrives over an HTTPS connection without certificate errors.
Without HSTS, in the worst case the browser establishes an unencrypted connection to the OWA site and the user transmits their credentials in the clear; the HSTS header prevents exactly this. Browsers with an active HSTS policy for the host also refuse to let the user click through a certificate warning. Without HSTS, users can simply ignore certificate warnings, and in some environments they are even trained to do so:
HSTS is therefore intended to prevent users from ignoring certificate errors, as well as man-in-the-middle, cookie hijacking and SSL/TLS stripping and downgrade attacks. This makes it essential that the certificate is valid and is renewed in good time before it expires, because a browser with a stored policy offers no way around an invalid certificate. The max-age value is also what stops the browser from silently falling back to an insecure connection as soon as the header is missing: the stored policy is enforced until it expires, even if the server no longer sends the header. In other words, switching HSTS on, breaking something and simply switching it off again does not work; clients keep enforcing the policy for the remaining max-age unless they receive a header with max-age=0 over a valid HTTPS connection.
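To make the behaviour described above concrete, here is a minimal model of a browser's HSTS store in PowerShell. It is an added example and not code from the original post or from Microsoft; the host names, header values and timestamps are constructed for the example. It shows what max-age and includeSubDomains do, that a header received over plain HTTP is ignored, and why a stored policy outlives the server setting.

```powershell
# Added example, not code from the original post: a minimal model of a browser's HSTS store.
# Host names, header values and times are constructed for the example.

function ConvertFrom-HstsHeader {
    param([string]$Header)
    $policy = @{ MaxAge = $null; IncludeSubDomains = $false }
    foreach ($directive in ($Header -split ';')) {
        $d = $directive.Trim()
        if ($d -match '^max-age="?(\d+)"?$') { $policy.MaxAge = [int64]$Matches[1] }
        elseif ($d -ieq 'includeSubDomains')  { $policy.IncludeSubDomains = $true }
    }
    if ($null -eq $policy.MaxAge) { return $null }   # max-age is mandatory; without it the header is ignored
    [pscustomobject]$policy
}

$HstsStore = @{}   # host name -> @{ Expires = [datetime]; IncludeSubDomains = [bool] }

function Receive-Response {
    # Called for every response the "browser" receives.
    param([string]$Scheme, [string]$HostName, [string]$Header, [datetime]$Now)
    # RFC 6797: only a header received over HTTPS (without certificate errors) is honoured
    if ($Scheme -ne 'https' -or [string]::IsNullOrEmpty($Header)) { return }
    $p = ConvertFrom-HstsHeader $Header
    if ($null -eq $p) { return }
    if ($p.MaxAge -eq 0) { $HstsStore.Remove($HostName); return }   # max-age=0 deletes the stored policy
    $HstsStore[$HostName] = @{ Expires = $Now.AddSeconds($p.MaxAge); IncludeSubDomains = $p.IncludeSubDomains }
}

function Resolve-Url {
    # What the browser does before sending a request: upgrade http:// to https:// if a live policy applies.
    # (A real browser additionally refuses certificate errors for such hosts; that part is not modelled here.)
    param([string]$Url, [datetime]$Now)
    $u = [uri]$Url
    if ($u.Scheme -eq 'https') { return $Url }
    foreach ($stored in @($HstsStore.Keys)) {
        $entry = $HstsStore[$stored]
        if ($Now -gt $entry.Expires) { continue }   # expired policy: the browser falls back to plain HTTP
        $applies = ($u.Host -eq $stored) -or ($entry.IncludeSubDomains -and $u.Host.EndsWith(".$stored"))
        if ($applies) { return "https://$($u.Host)$($u.PathAndQuery)" }
    }
    return $Url
}

$t0 = [datetime]'2024-01-01T09:00:00'
# 1. First OWA visit over HTTPS with the 300-second test value: the policy is stored
Receive-Response -Scheme https -HostName 'mail.example.com' -Header 'max-age=300; includeSubDomains' -Now $t0
Resolve-Url 'http://mail.example.com/owa' $t0.AddSeconds(60)        # upgraded to https
Resolve-Url 'http://ecp.mail.example.com/' $t0.AddSeconds(60)       # upgraded as well (includeSubDomains)
# 2. HSTS is switched off on the server: the next response carries no header, but the store is unchanged
Receive-Response -Scheme https -HostName 'mail.example.com' -Header '' -Now $t0.AddSeconds(120)
Resolve-Url 'http://mail.example.com/owa' $t0.AddSeconds(200)       # policy not yet expired: still upgraded
# 3. Only once max-age has run out does the browser contact port 80 again
Resolve-Url 'http://mail.example.com/owa' $t0.AddSeconds(400)       # expired: plain http again
# 4. A header received over plain HTTP is ignored, so a port-80 response cannot set a policy
Receive-Response -Scheme http -HostName 'mail.example.com' -Header 'max-age=31536000' -Now $t0.AddSeconds(400)
Resolve-Url 'http://mail.example.com/owa' $t0.AddSeconds(401)       # nothing stored: plain http
# 5. Serving max-age=0 over HTTPS is the clean way to retire HSTS: it removes the policy immediately
Receive-Response -Scheme https -HostName 'mail.example.com' -Header 'max-age=300' -Now $t0.AddSeconds(500)
Receive-Response -Scheme https -HostName 'mail.example.com' -Header 'max-age=0'   -Now $t0.AddSeconds(510)
Resolve-Url 'http://mail.example.com/owa' $t0.AddSeconds(520)       # policy removed: plain http
```

Step 2 is the situation the last sentence above describes: removing the header on the server changes nothing for browsers that already hold the policy. Step 5 is the only quick way out, and it only reaches clients that still connect over valid HTTPS.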
Activate HSTS on Windows Server
HSTS can be enabled easily on Windows Server 2019 and Windows Server 2022 via the IIS Manager, where it is a site-level setting. HSTS must only be enabled on the Default Web Site (the site that serves clients on port 443), not on the Exchange Back End site:
The "Max-Age" parameter determines how long (in seconds) the browser keeps the HSTS policy. Start with 300 seconds and let it run with this setting for a few days so that HSTS can be tested. If no problems occur, enter a significantly higher value, for example 31536000 seconds (1 year) or even 63072000 seconds (2 years):
On Windows Server 2016, the setting is not available in the IIS Manager GUI, because IIS there has no site-level HSTS setting. Instead, the header can be added as a custom response header via PowerShell:
# Load the IIS administration module and start from a fresh ServerManager instance
Import-Module IISAdministration
Reset-IISServerManager -Confirm:$false
# Batch the change; nothing is written to applicationHost.config until Stop-IISCommitDelay
Start-IISCommitDelay
# The customHeaders collection (system.webServer/httpProtocol) of the Default Web Site
$iisConfig = Get-IISConfigSection -SectionPath "system.webServer/httpProtocol" -CommitPath "Default Web Site" | Get-IISConfigCollection -CollectionName "customHeaders"
# Add the header with the 300-second test value; raise max-age later as described above.
# Note: a custom header is sent on every response of the site, including plain HTTP; browsers ignore it there.
New-IISConfigCollectionElement -ConfigCollection $iisConfig -ConfigAttribute @{"name"="Strict-Transport-Security"; "value"="max-age=300; includeSubDomains";}
# Commit the change to applicationHost.config
Stop-IISCommitDelay
Remove-Module IISAdministration
If HSTS causes problems, the feature can be switched off directly in the IIS Manager. Bear in mind that browsers that have already seen the header keep enforcing the policy for the configured max-age: 5 minutes with the 300-second test value, but a full year once 31536000 has been set. The following commands switch off the site-level HSTS setting via PowerShell (this is the setting behind the IIS Manager dialog on Windows Server 2019 and 2022; on Windows Server 2016, remove the custom header added above instead):
Import-Module IISAdministration
Reset-IISServerManager -Confirm:$false
Start-IISCommitDelay
# Locate the "Default Web Site" element in the sites collection of applicationHost.config
$sitesCollection = Get-IISConfigSection -SectionPath "system.applicationHost/sites" | Get-IISConfigCollection
$siteElement = Get-IISConfigCollectionElement -ConfigCollection $sitesCollection -ConfigAttribute @{"name"="Default Web Site"}
# The site-level <hsts> element is what the IIS Manager dialog edits
$hstsElement = Get-IISConfigElement -ConfigElement $siteElement -ChildElementName "hsts"
# Disable the feature and reset its parameters; the header is no longer sent afterwards
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "enabled" -AttributeValue $false
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "max-age" -AttributeValue 0
Set-IISConfigAttributeValue -ConfigElement $hstsElement -AttributeName "includeSubDomains" -AttributeValue $false
# Commit the change
Stop-IISCommitDelay
Remove-Module IISAdministration
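The enable and disable snippets above can be combined into one idempotent function that covers both the native site-level setting (Windows Server 2019/2022) and the custom-header variant (Windows Server 2016), and that also supports the max-age=0 step for retiring HSTS cleanly. This is an added example, not code from the original post or from Microsoft. It assumes the site name "Default Web Site" and that you pass -UseCustomHeader on Windows Server 2016, where the <hsts> element does not exist; the attribute names enabled, max-age and includeSubDomains are the ones used by the disable snippet above.

```powershell
# Added example, not code from the original post: enable, tighten, retire or switch off HSTS
# on the Default Web Site from PowerShell. Assumptions: the site name, and that -UseCustomHeader
# is passed on Windows Server 2016, where IIS has no site-level <hsts> element.
Import-Module IISAdministration

function Set-OwaHsts {
    [CmdletBinding()]
    param(
        [string]$SiteName = 'Default Web Site',
        # 300 s for testing; 31536000 (1 year) or 63072000 (2 years) once it has proven stable.
        # 0 keeps sending the header but tells browsers to drop their stored policy (clean retirement).
        [ValidateRange(0, 63072000)][int64]$MaxAge = 300,
        [bool]$IncludeSubDomains = $true,
        [switch]$Disable,          # stop sending the header entirely (clients keep their policy until it expires)
        [switch]$UseCustomHeader   # Windows Server 2016: customHeaders instead of the <hsts> element
    )
    if ($Disable) { $MaxAge = 0; $IncludeSubDomains = $false }
    $headerValue = "max-age=$MaxAge" + $(if ($IncludeSubDomains) { '; includeSubDomains' } else { '' })

    Reset-IISServerManager -Confirm:$false
    Start-IISCommitDelay
    $committed = $false
    try {
        if ($UseCustomHeader) {
            $headers = Get-IISConfigSection -SectionPath 'system.webServer/httpProtocol' -CommitPath $SiteName |
                       Get-IISConfigCollection -CollectionName 'customHeaders'
            # Remove an existing entry first so repeated calls do not add duplicates and -Disable really removes it
            $existing = @($headers | Where-Object {
                (Get-IISConfigAttributeValue -ConfigElement $_ -AttributeName 'name') -eq 'Strict-Transport-Security' })
            if ($existing.Count -gt 0) {
                Remove-IISConfigCollectionElement -ConfigCollection $headers `
                    -ConfigAttribute @{ name = 'Strict-Transport-Security' } -Confirm:$false
            }
            if (-not $Disable) {
                # Custom headers are sent on plain-HTTP responses too; browsers ignore HSTS there, so it is harmless
                New-IISConfigCollectionElement -ConfigCollection $headers `
                    -ConfigAttribute @{ name = 'Strict-Transport-Security'; value = $headerValue }
            }
        }
        else {
            $sites = Get-IISConfigSection -SectionPath 'system.applicationHost/sites' | Get-IISConfigCollection
            $site  = Get-IISConfigCollectionElement -ConfigCollection $sites -ConfigAttribute @{ name = $SiteName }
            $hsts  = Get-IISConfigElement -ConfigElement $site -ChildElementName 'hsts'
            Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'enabled'           -AttributeValue (-not $Disable)
            Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'max-age'           -AttributeValue $MaxAge
            Set-IISConfigAttributeValue -ConfigElement $hsts -AttributeName 'includeSubDomains' -AttributeValue $IncludeSubDomains
        }
        Stop-IISCommitDelay          # write applicationHost.config
        $committed = $true
    }
    finally {
        # If anything failed half-way, discard the batched changes instead of committing a partial state
        if (-not $committed) { Stop-IISCommitDelay -Commit:$false }
    }
}

# Typical sequence (assumed values):
# Set-OwaHsts -MaxAge 300                          # test phase, Windows Server 2019/2022
# Set-OwaHsts -MaxAge 31536000                     # production value after a successful test
# Set-OwaHsts -MaxAge 300 -UseCustomHeader         # the same on Windows Server 2016
# Set-OwaHsts -MaxAge 0                            # retire: clients that connect drop their stored policy
# Set-OwaHsts -Disable                             # switch the header off entirely
```

Prefer -MaxAge 0 over -Disable when you need to back out: with the header gone, clients silently keep the old policy for the rest of its lifetime, whereas max-age=0 over a valid HTTPS connection removes it immediately.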
Check setting
Once HSTS has been enabled, a browser such as Edge can be used to check whether the web server sends the HSTS header. Open OWA once over HTTPS, then go to edge://net-internals/#hsts, enter the OWA host name under "Query HSTS/PKP domain" and check whether Edge has stored a policy for it:
If Edge lists an entry for the domain as shown in the screenshot (its expiry should correspond to the configured max-age), HSTS is working correctly.
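The browser check only shows what one client has stored. The following PowerShell check, an added example that is not part of the original post, asks the server directly: it reads the Strict-Transport-Security header from the HTTPS response for /owa, flags a max-age that is still the test value, and also looks at port 80, which should redirect to HTTPS and (per RFC 6797) should not carry the header itself. "mail.example.com" is a placeholder for your OWA host name.

```powershell
# Added example, not code from the original post: check the HSTS header from PowerShell as a
# complement to edge://net-internals/#hsts. "mail.example.com" is a placeholder for your OWA host.

function Get-ResponseHeaders {
    param([Parameter(Mandatory)][string]$Uri)
    # HttpWebRequest without auto-redirect: an unauthenticated request to /owa is answered with a
    # redirect to the logon page, and the HSTS header has to be present on that very response.
    $req = [System.Net.WebRequest]::Create($Uri)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    try { $resp = $req.GetResponse() }
    catch [System.Net.WebException] {
        if ($null -eq $_.Exception.Response) { throw }   # connection problem, not an HTTP status
        $resp = $_.Exception.Response                     # 4xx/5xx: the headers are still available
    }
    try {
        [pscustomobject]@{
            Uri        = $Uri
            StatusCode = [int]$resp.StatusCode
            Location   = $resp.Headers['Location']
            Hsts       = $resp.Headers['Strict-Transport-Security']
        }
    }
    finally { $resp.Close() }
}

function Test-OwaHsts {
    param([Parameter(Mandatory)][string]$HostName, [int64]$MinimumMaxAge = 31536000)
    $findings = New-Object System.Collections.Generic.List[string]

    $https = Get-ResponseHeaders -Uri "https://$HostName/owa"
    if (-not $https.Hsts) {
        $findings.Add("FAIL: no Strict-Transport-Security header on https://$HostName/owa (status $($https.StatusCode))")
    }
    elseif ($https.Hsts -notmatch 'max-age="?(\d+)"?') {
        $findings.Add("FAIL: header has no max-age directive, browsers will ignore it: '$($https.Hsts)'")
    }
    else {
        $maxAge = [int64]$Matches[1]
        if ($maxAge -lt $MinimumMaxAge) {
            $findings.Add("WARN: max-age=$maxAge looks like a test value; raise it to at least $MinimumMaxAge once HSTS is stable")
        }
        if ($https.Hsts -notmatch 'includeSubDomains') { $findings.Add("INFO: includeSubDomains is not set") }
    }

    # Plain HTTP: should redirect to HTTPS and, per RFC 6797 section 7.2, must not carry the header itself
    try {
        $http = Get-ResponseHeaders -Uri "http://$HostName/owa"
        if ($http.StatusCode -notin 301, 302, 307, 308 -or "$($http.Location)" -notmatch '^https://') {
            $findings.Add("WARN: http://$HostName/owa does not redirect to HTTPS (status $($http.StatusCode))")
        }
        if ($http.Hsts) {
            $findings.Add("INFO: header is also sent over plain HTTP (typical for the custom-header approach); browsers ignore it there")
        }
    }
    catch { $findings.Add("INFO: port 80 not reachable, HTTP redirect not checked: $($_.Exception.Message)") }

    if ($findings.Count -eq 0) { $findings.Add("OK: https://$HostName/owa serves '$($https.Hsts)'") }
    return $findings
}

Test-OwaHsts -HostName 'mail.example.com'
```

Run it once after enabling HSTS with the 300-second test value (expect the WARN about max-age) and again after raising max-age; a FAIL after the change usually means the header was configured on the wrong site or the commit did not happen.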