As part of my Security Best Practices regarding Microsoft Exchange and Microsoft IIS I always implement a couple of configuration settings to harden the underlying IIS, e.g. disabling the “X-AspNet-Version” header, disabling deprecated and/or unsecure protocols, disabling deprecated and/or unsecure
Microsoft Exchange 2016 and IIS 8.5+ – Enable HTTP Strict Transport Security (HSTS)
