Security Https Headers For Exchange 2016 Hybrid

RamaRaju Chennu 41 Reputation points
2020-12-09T06:44:31.617+00:00

I have an Exchange 2016 Hybrid setup with mixed mailboxes, some on-premises and some migrated to Office 365.
Our SOC team does random checks for security issues, and they tried to run a POODLE scan using the following website: https://securityheaders.com/

The SOC team ran the test for autodiscover.domain.com and got an F rating. Attached is the screenshot for the same.

Now the issue is that the SOC team wants to make sure the Exchange server has strict security, does not suffer any web attacks, and is secured from hackers.

I tried to follow some articles:
https://blog.ollischer.com/microsoft-exchange-2016-and-iis-8-5-enable-http-strict-transport-security-hsts

https://www.ryadel.com/en/iis-web-config-secure-http-response-headers-pass-securityheaders-io-scan/

I enabled the IIS HTTP header to strict mode and ran the security test again, which gave me a D rating (see screenshot), but I cannot go further, since if I use the web.config changes mentioned in the article below it breaks ECP and OWA functionality.
https://www.ryadel.com/en/iis-web-config-secure-http-response-headers-pass-securityheaders-io-scan/

Does anyone have some information, or do we really need to worry about security headers if it is an Exchange server? I can understand if we are using a web server like Apache or Nginx, where we can use the above articles for strict HTTP responses, but what if it is an Exchange server in hybrid and any web attack is possible for a hacker?

Exchange | Hybrid management
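One way to see what such a scanner sees, added here as an example and not part of the thread: a PowerShell script (hostnames are placeholders; run it from a workstation that can reach the published names over HTTPS) that requests each Exchange-facing URL and lists which of the commonly scored headers are absent. It keeps the headers from 401 and 30x responses too, since an unauthenticated request to the Autodiscover and OWA URLs normally gets one of those rather than a 200.

```powershell
# Added example, not from the thread. Hostnames below are placeholders.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$endpoints = @(
    'https://mail.example.com/owa/',
    'https://mail.example.com/ecp/',
    'https://autodiscover.example.com/autodiscover/autodiscover.xml'
)
# Headers that header scanners usually score on; presence is checked, not value.
$wanted = 'Strict-Transport-Security', 'X-Content-Type-Options',
          'X-Frame-Options', 'Content-Security-Policy', 'Referrer-Policy'

function Get-ResponseHeaders([string]$Url) {
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false   # inspect the first hop, as a scanner does
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 401/403/30x still carry headers; only a transport failure has no response
        if ($null -eq $_.Exception.Response) { throw }
        $resp = $_.Exception.Response
    }
    $h = @{}   # PowerShell hashtable keys are case-insensitive
    foreach ($k in $resp.Headers.AllKeys) { $h[$k] = $resp.Headers[$k] }
    $h['StatusCode'] = [int]$resp.StatusCode
    $resp.Close()
    return $h
}

foreach ($url in $endpoints) {
    $h = Get-ResponseHeaders $url
    $missing = $wanted | Where-Object { -not $h.ContainsKey($_) }
    [pscustomobject]@{
        Url     = $url
        Status  = $h['StatusCode']
        HSTS    = $h['Strict-Transport-Security']
        Missing = ($missing -join ', ')
    }
}
```

Re-run the script after each header change, alongside a manual OWA and ECP logon, so that a header that breaks those virtual directories is caught before the next scan rather than by users.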

Accepted answer
    KyleXu-MSFT 26,396 Reputation points
    2020-12-10T02:25:07.033+00:00

    @RamaRaju Chennu

    Personally, I think you don't need to worry about it.

    Firstly, we don't know the working mechanism or the evaluation standard of the tool that you used.

    Secondly, Exchange doesn't use "https://autodiscover.domain.com"; autodiscover works with "https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml". If you still think the autodiscover record isn't safe, you can remove this record and use an SRV record to replace it.

    In fact, you can use many devices (such as F5 or EOP) to filter client access requests to ensure the security of your Exchange server.

    If you are still concerned about the security of your Exchange server, you could open a paid ticket to confirm with the Microsoft product team.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


1 additional answer

    RamaRaju Chennu 41 Reputation points
    2020-12-14T12:24:22.373+00:00

    @KyleXu-MSFT

    Thank you for your response on this topic, and apologies for my delay in responding.

    Our organisation is using the Security Scorecard tool to get this scan, and I don't have any idea about the working mechanism of this tool.

    I only mentioned https://autodiscover.domain.com to explain the issue, but our security team mentioned all service records (mail.domain.com, owa.domain.com, autodiscover, etc.) where the security headers are missing for all records. Every time they mention DNS records (mail.domain.com, etc.) as subdomains; normally we call those DNS records or service records, and I have no idea how this Security Scorecard tool fetches these records by scanning domain.com.

    Anyhow, I would like to know whether this scan is applicable to an Exchange environment or not. If these headers are really needed for any Exchange, then why has Microsoft not designed them in by default, as we know the Exchange websites are generated automatically with the Exchange installation?

    Does anyone have information about this tool and this kind of vulnerability scan against an Exchange environment? Please let me know.

