httpCookies httpOnlyCookies="true" requireSSL="true" – PCI vulnerability

If you have a Microsoft Exchange Server running OWA that failed a PCI vulnerability scan because of the following:

<httpCookies httpOnlyCookies="true" requireSSL="true"/>

Here is what we can do to remediate it on the Windows server. Both attributes apply to the ASP.NET cookies OWA issues: httpOnlyCookies stops client-side script from reading them, and requireSSL stops the browser from sending them over plain HTTP.

Schedule a brief downtime for the Exchange Server, since IIS is restarted in the last step below.

Launch IIS Manager on the Exchange server, expand Default Web Site and click on the "owa" virtual directory.

On the right, under Management, double-click Configuration Editor.

At the bottom, make sure "Features View" is selected rather than "Content View". At the top, open the drop-down after "Section", expand "system.web" and select "httpCookies".

Change both httpOnlyCookies and requireSSL to True.

Restart IIS by opening a command prompt and running iisreset.
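The same change, scripted so it can be applied and verified without clicking through IIS Manager. This is an added example, not part of the original post; it uses the WebAdministration module and assumes the OWA virtual directory lives at "IIS:\Sites\Default Web Site\owa" and that it runs in an elevated PowerShell session on the Exchange server.

```powershell
# Added example: set and verify the httpCookies attributes on the OWA virtual
# directory. Assumption: the default site/vdir path below; adjust if yours differs.
Import-Module WebAdministration

$vdir   = 'IIS:\Sites\Default Web Site\owa'   # assumed OWA virtual directory path
$filter = 'system.web/httpCookies'

# Set both attributes the PCI scan flagged (written to the owa web.config)
Set-WebConfigurationProperty -PSPath $vdir -Filter $filter -Name 'httpOnlyCookies' -Value $true
Set-WebConfigurationProperty -PSPath $vdir -Filter $filter -Name 'requireSSL'      -Value $true

# Verify: both values must read back as True before the scan is re-run
$cfg = Get-WebConfiguration -PSPath $vdir -Filter $filter
"httpOnlyCookies = $($cfg.httpOnlyCookies)"
"requireSSL      = $($cfg.requireSSL)"
if (-not ($cfg.httpOnlyCookies -and $cfg.requireSSL)) {
    throw "httpCookies hardening did not apply on $vdir"
}

# Restart IIS to apply the change (brief OWA outage, as noted above)
iisreset
```

Re-run the verification block after the restart as well, so the scan is only rescheduled once both values are confirmed True.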