Microsoft will enforce Exchange Server security whether you want it to or not

Carding

Even the laziest administrators will no longer be able to let things slide.

Microsoft recently announced that Exchange Server 2016 and 2019 now have built-in support for HTTP Strict Transport Security (HSTS), a mechanism for forcing the use of the secure HTTPS protocol.

HSTS protects Exchange Server web applications such as OWA and ECP from man-in-the-middle (MitM) attacks and cookie interception by forcing the use of an encrypted HTTPS connection.

The mechanism also prevents users from ignoring warnings about expired, invalid, or unverified certificates that may indicate a compromised connection.

If a violation of the HSTS policy is detected, browsers will immediately terminate all suspicious connections.

According to Microsoft, HSTS will not only strengthen protection against common types of attacks, but also eliminate the need for insecure redirection practices from HTTP to HTTPS.

In addition, with HSTS users will be practically safe from both active and passive network attacks (malware, phishing, and browser vulnerabilities remain out of scope).

For more information about configuring HSTS in Exchange Server 2016 and 2019 using PowerShell or IIS, visit the Microsoft website. Administrators can also manually disable HSTS support by reverting the corresponding settings on each individual server.

The company recommends that you carefully review the documentation, because some of the default settings in IIS, such as redirecting from HTTP to HTTPS, must be configured in a special way so as not to disrupt Exchange Server.

Exchange HealthChecker will also soon be able to help you check whether the HSTS configuration on the server is correct.
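As an added check (example code written for this post, not Microsoft's and not part of Exchange HealthChecker): a PowerShell script that requests an OWA or ECP URL and inspects the Strict-Transport-Security header the server returns. The hostname mail.contoso.example, the 300-second minimum max-age, and the function names are assumptions for this example, not values from the announcement.

```powershell
# Added example: verify that an Exchange web endpoint actually sends an HSTS header
# and that its directives look sane. Hostname and threshold below are assumptions.

function ConvertFrom-HstsHeader {
    # Parse a Strict-Transport-Security header value into its directives.
    param([string]$HeaderValue)

    $info = [ordered]@{
        Present           = -not [string]::IsNullOrWhiteSpace($HeaderValue)
        MaxAge            = $null
        IncludeSubDomains = $false
        Preload           = $false
    }
    if ($info.Present) {
        foreach ($directive in ($HeaderValue -split ';')) {
            $d = $directive.Trim()
            if ($d -match '^max-age=(\d+)$')       { $info.MaxAge = [int64]$Matches[1] }
            elseif ($d -ieq 'includeSubDomains')   { $info.IncludeSubDomains = $true }
            elseif ($d -ieq 'preload')             { $info.Preload = $true }
        }
    }
    return [pscustomobject]$info
}

function Test-HstsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Url,
        [int64]$MinimumMaxAge = 300   # assumed threshold for this example; set your own policy
    )

    # Browsers ignore HSTS received over plain HTTP, so a check over http:// proves nothing.
    if ($Url -notmatch '^https://') {
        throw "HSTS can only be evaluated over HTTPS: $Url"
    }

    try {
        # /owa/ and /ecp/ redirect anonymous requests to the logon page (HTTP 200),
        # and Invoke-WebRequest follows that redirect, so no exception is expected.
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
    } catch {
        # A failed request (TLS error, 401, unreachable host) means the result is unknown,
        # not that HSTS is absent; report it separately instead of guessing.
        return [pscustomobject]@{ Url = $Url; HstsPresent = $null; MaxAge = $null
                                  IncludeSubDomains = $null; Ok = $false; Error = $_.Exception.Message }
    }

    # Windows PowerShell exposes header values as strings, PowerShell 7 as string[];
    # -join flattens both shapes to one string.
    $header = ($response.Headers['Strict-Transport-Security'] -join ', ')
    $hsts   = ConvertFrom-HstsHeader -HeaderValue $header

    [pscustomobject]@{
        Url               = $Url
        HstsPresent       = $hsts.Present
        MaxAge            = $hsts.MaxAge
        IncludeSubDomains = $hsts.IncludeSubDomains
        Ok                = $hsts.Present -and ($hsts.MaxAge -ge $MinimumMaxAge)
        Error             = $null
    }
}

# Constructed header values to exercise the parser offline (not captured from a real server):
ConvertFrom-HstsHeader 'max-age=31536000; includeSubDomains'   # Present, MaxAge 31536000, IncludeSubDomains True
ConvertFrom-HstsHeader ''                                      # Present False

# Live check against the assumed hostname; run from a client after the server-side change:
'https://mail.contoso.example/owa/', 'https://mail.contoso.example/ecp/' |
    ForEach-Object { Test-HstsEndpoint -Url $_ } | Format-Table -AutoSize
```

The check deliberately reports a failed request as "unknown" rather than "HSTS missing", because a TLS or authentication error says nothing about the header policy; a server that returns the page but no Strict-Transport-Security header, or a max-age below your threshold, is the case that should fail.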

On Monday, Microsoft also announced that Windows Extended Protection will be enabled by default in Exchange Server 2019, starting with the Fall 2023 H2 Update (CU14). This feature will protect users from MitM attacks as well as authentication hijacking attacks.

In January, Microsoft strongly urged administrators to keep Exchange servers protected, calling for regular installation of the latest supported cumulative updates so that servers are always ready to receive urgent security updates.