This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Forums
- General Discussions
- Re: Security: HSTS Missing
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎09-30-2020 10:36 PM
Recent security concerns have brought the lack of HSTS on lansweeper to light. Is there any way the next patch can resolve this?
Labels:
- Labels:
-
General Discussion
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-02-2020 01:23 AM
If you are hosting Lansweeper using IIS, you can add a HTTP Response Header. https://support.nartac.com/article/20-how-do-i-add-http-strict-transport-security-hsts-to-my-website
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-02-2020 03:28 PM
Caleb wrote:
If you are hosting Lansweeper using IIS, you can add a HTTP Response Header. https://support.nartac.com/article/20-how-do-i-add-http-strict-transport-security-hsts-to-my-website
How does this apply to the default IIS Express, which does not have the standard IIS manager?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-02-2020 05:35 PM
Grey wrote:Caleb wrote:
If you are hosting Lansweeper using IIS, you can add a HTTP Response Header. https://support.nartac.com/article/20-how-do-i-add-http-strict-transport-security-hsts-to-my-website
How does this apply to the default IIS Express, which does not have the standard IIS manager?
Per Microsoft's documentation, something like this should work.
<site name="Lansweeper" id="1" serverAutoStart="true">
<application path="/" applicationPool="Clr4IntegratedAppPool">
<virtualDirectory path="/" physicalPath="C:\Program Files (x86)\Lansweeper\website" />
</application>
<bindings>
<binding protocol="https" bindingInformation="*:443:" />
</bindings>
<hsts enabled="true" max-age="31536000" includeSubDomains="true"/>
</site>
https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/hsts#configuration-sample
I haven't tested, so proceed with caution by making backups and testing in dev first, etc.
Microsoft recommends that you set the max age to a shorter value during testing. https://docs.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-3.1&tabs=visual-studio#http-strict-transport-security-protocol-hsts
Hope this helps.
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now
Related Content
- Deploying Lansweeper in AWS Using An RDS Database Guide in Product Discussions
- Custom Report - Windows SERVERS Missing Security Agents (was Report Listing Duplicate Assets) in Reports & Analytics
- Microsoft security advisory widget is missing in General Discussions
- Automatic User Roles Delegation with two Domains in General Discussions
- Agentless scanning. Only working with domain admin account. (FIXED) in General Discussions
