Secure Webmail headers in Exchange
If you go to http://web-sniffer.net and fill in your OWA URL, you will see that by default some specific information about your internal Exchange organization is shown. This includes your internal server name, the IIS version used and the ASP.NET version. This is information you’d rather hide from the outside world.
Now, there are multiple ways to remove this information; for example, you can do it via the registry. A better way is to use the URL Rewrite feature, which can be installed as a small add-on for IIS. Download it via the following URL –> Download URL Rewrite
After downloading and installing, open up a command prompt and type –> IISRESET to reset the IIS service. Although it seemed to me it is not really necessary, it can be done later as well. Open up the IIS console and navigate to the owa website under the default website. Now double-click the URL Rewrite feature.
Click on Add. For the server variable name type –> RESPONSE_SERVER
After that click on OK and create two more variables with the following names –> RESPONSE_X-POWERED-BY and RESPONSE_X-ASPNET-VERSION
After the variables have been added it looks like this:
Go to the owa website again and click on URL Rewrite.
Now click on ”Add Rule”.
Choose to create a blank rule.
The name is just a friendly label for this rule. What matters is that the server variable name matches one of the variables we created earlier, so in the end we have three outbound rules. As the pattern you can use .+ and the value at the end remains empty, because removing the value is exactly the goal.
The exact same thing should be done for the other two variables.
The final step is to remove the internal server name. On the left, click on the owa website and then click on HTTP Response Headers.
Double-click X-FEServer and remove the value (not the name). You can’t leave it completely empty, but you can use a single space or something completely different from your internal mail server name.
Now when you perform a new check via web-sniffer.net you will see that the sensitive information is removed from the outside world.
Please note that this is a website-specific rule. If you want to create the rule for all of your applications, create the rule at the server level. Also, some applications, especially third-party applications, may require the x-aspnet-version header, so you may need to remove this rule for those applications.
If you have multiple servers, perform this on every Exchange server.
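The GUI steps above can be scripted, which helps when the same change has to be repeated on every Exchange server. The script below is an added example and is not part of the original post: it allows the three RESPONSE_* server variables at the server level, creates the three outbound rules (pattern .+ rewritten to an empty value) on the OWA application, replaces the X-FEServer value with a single space, and then performs the same check that web-sniffer.net does against the live OWA URL. The IIS path `Default Web Site/owa`, the external URL `https://mail.example.com/owa/` and the rule names are assumptions; adjust them for your environment. The URL Rewrite module must already be installed, otherwise the rewrite section is ignored.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# on each Exchange server. Assumptions: OWA is the "owa" application under
# the Default Web Site, and the external OWA URL is https://mail.example.com/owa/.
param(
    [string]$OwaUrl = 'https://mail.example.com/owa/'   # assumed external URL, replace with yours
)

Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'                  # server level (applicationHost.config)
$owaPath = 'MACHINE/WEBROOT/APPHOST/Default Web Site/owa'   # assumed location of the OWA application

# One entry per header: the RESPONSE_* server variable the article creates and a friendly rule name.
$headers = @(
    @{ Variable = 'RESPONSE_SERVER';           Rule = 'Remove Server header' },
    @{ Variable = 'RESPONSE_X-POWERED-BY';     Rule = 'Remove X-Powered-By header' },
    @{ Variable = 'RESPONSE_X-ASPNET-VERSION'; Rule = 'Remove X-AspNet-Version header' }
)

foreach ($h in $headers) {
    # Step 1: allow the server variable (the "View Server Variables" step, stored at server level).
    $allowed = Get-WebConfigurationProperty -PSPath $appHost `
        -Filter 'system.webServer/rewrite/allowedServerVariables' -Name 'Collection' |
        Where-Object { $_.name -eq $h.Variable }
    if (-not $allowed) {
        Add-WebConfigurationProperty -PSPath $appHost `
            -Filter 'system.webServer/rewrite/allowedServerVariables' -Name '.' -Value @{ name = $h.Variable }
    }

    # Step 2: outbound rule on the OWA application: match the whole value (.+) and rewrite it to nothing.
    $ruleFilter = "system.webServer/rewrite/outboundRules/rule[@name='$($h.Rule)']"
    if (-not (Get-WebConfiguration -PSPath $owaPath -Filter $ruleFilter)) {
        Add-WebConfigurationProperty -PSPath $owaPath `
            -Filter 'system.webServer/rewrite/outboundRules' -Name '.' -Value @{ name = $h.Rule }
    }
    Set-WebConfigurationProperty -PSPath $owaPath -Filter "$ruleFilter/match"  -Name 'serverVariable' -Value $h.Variable
    Set-WebConfigurationProperty -PSPath $owaPath -Filter "$ruleFilter/match"  -Name 'pattern'        -Value '.+'
    Set-WebConfigurationProperty -PSPath $owaPath -Filter "$ruleFilter/action" -Name 'type'           -Value 'Rewrite'
    Set-WebConfigurationProperty -PSPath $owaPath -Filter "$ruleFilter/action" -Name 'value'          -Value ''
}

# Step 3: the X-FEServer custom header (HTTP Response Headers in IIS Manager). The article notes the
# value cannot be empty, so a single space replaces the internal server name.
$feFilter = "system.webServer/httpProtocol/customHeaders/add[@name='X-FEServer']"
if (Get-WebConfiguration -PSPath $owaPath -Filter $feFilter) {
    Set-WebConfigurationProperty -PSPath $owaPath -Filter $feFilter -Name 'value' -Value ' '
}

# Step 4: verify from the outside, as web-sniffer.net would. Reports each sensitive header
# as OK when absent or blank, or EXPOSED with the leaked value.
function Test-OwaHeaders {
    param([string]$Url)
    try {
        $respHeaders = (Invoke-WebRequest -Uri $Url -UseBasicParsing).Headers
    } catch {
        # A 401/403 on a protected path still carries response headers worth checking.
        if ($_.Exception.Response) { $respHeaders = $_.Exception.Response.Headers } else { throw }
    }
    foreach ($name in 'Server', 'X-Powered-By', 'X-AspNet-Version', 'X-FEServer') {
        $value = $respHeaders[$name]
        $result = if ([string]::IsNullOrWhiteSpace($value)) { 'OK (absent or blank)' } else { "EXPOSED: $value" }
        [pscustomobject]@{ Header = $name; Result = $result }
    }
}

Test-OwaHeaders -Url $OwaUrl | Format-Table -AutoSize
```

Run the check part (Test-OwaHeaders) from a machine outside the network as well, because a proxy or load balancer in front of Exchange may add or strip headers of its own. Rerun the whole script after an Exchange cumulative update, which can rewrite the OWA web.config and silently drop the outbound rules.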