Exposed RDP and HSTS not enforced

I’m having trouble resolving a few issues from the security center. The scanner is giving me these insights:
Insight - Exposed RDP server detected
Insight - HTTP Strict Transport Security (HSTS) not enforced
I can’t figure out this teams menu at all. I would like to just un-expose my RDP servers or disable them entirely, as I will not be using any remote-desktop-related functions for my site.
As for the HSTS, I have everything turned on in the HSTS SSL menu aside from the max-age header (0) and the no-sniff header, but I don’t think those are related in any way, and the warning still won’t go away with subsequent scans.


Security Center is in beta and they are aware of the RDP and HSTS warnings. I’m also getting the RDP warning from servers I don’t think have RDP ports open. HSTS is also a mystery to me.

Still a work in progress.


Just don’t worry about it then? I’m new to web development and hosting so it was kind of freaking me out.

I’ve also received the Exposed RDP warning, but those ports are not open at all (nmap returns a filtered state) and none of those hosts have RDP running.
It seems the system might have reported false-positives.

The problem seems to be resolved, as the warning has disappeared from my dashboard.

I had the same. Exposed RDP (“We have detected that TCP connections on port 3389 for this host succeed.”) while my only open ports are 22, 80 and 443.
However, regarding HSTS, these are true. You can enable it on each of your sites from Cloudflare directly if it makes sense to do it (select the domain and then go to SSL/TLS > Edge Certificates).

I have HSTS everywhere, and it gives my sites a passing grade, yet Security Center flags a handful of my hostnames for this. I’ve not yet found a pattern.

EDIT: Another user pointed out that their firewall rules block this test, and I have the same type of firewall rule.


So the Security Center is showing all of my DNS records as “HTTP Strict Transport Security (HSTS) not enforced”.

Detection method
We have made HTTP and HTTPS requests to your hostname to check for the presence of the Strict-Transport-Security header in the response. We have not detected the correct header in the response.

Is this something I can just ignore or is there a way I can enforce HSTS?

EDIT: I have HSTS enabled and our site is on the preload list via Chromium and others.
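The detection method quoted above looks for a Strict-Transport-Security header in the HTTPS response. The following is an added example (not code from the thread or from Cloudflare) that evaluates such a header the way a browser would, against constructed sample responses; the hostname names and header values are made up for illustration.

```python
# Added example: evaluate Strict-Transport-Security headers from (constructed)
# HTTPS responses and report whether browsers would actually enforce the policy.
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list requires


@dataclass
class HstsVerdict:
    enforced: bool
    reason: str
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False


def _find_header(headers: dict, name: str) -> Optional[str]:
    # Header names are case-insensitive, so match without regard to case.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def evaluate_hsts(https_headers: dict) -> HstsVerdict:
    """Decide whether an HTTPS response carries an HSTS policy browsers will honour."""
    raw = _find_header(https_headers, "Strict-Transport-Security")
    if raw is None:
        return HstsVerdict(False, "no Strict-Transport-Security header on the HTTPS response")
    directives = {}
    for part in raw.split(";"):  # e.g. "max-age=31536000; includeSubDomains; preload"
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    if "max-age" not in directives:
        return HstsVerdict(False, "max-age directive missing; RFC 6797 requires it")
    try:
        max_age = int(directives["max-age"])
    except ValueError:
        return HstsVerdict(False, f"max-age is not an integer: {directives['max-age']!r}")
    subs = "includesubdomains" in directives
    preload = "preload" in directives
    if max_age <= 0:
        # max-age=0 is the documented way to *remove* a policy: browsers drop any stored one.
        return HstsVerdict(False, "max-age=0 tells browsers to discard the policy", max_age, subs, preload)
    return HstsVerdict(True, "policy present with a positive max-age", max_age, subs, preload)


def preload_eligible(v: HstsVerdict) -> bool:
    # Preload submission rules: at least one year, includeSubDomains and preload directives.
    return v.enforced and v.max_age >= ONE_YEAR and v.include_subdomains and v.preload


SAMPLE_RESPONSES = {  # constructed sample headers, not real scan data
    "good":   {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "zeroed": {"strict-transport-security": "max-age=0; includeSubDomains"},
    "absent": {"Content-Type": "text/html"},
}
```

A header with max-age set to 0 parses as present but not enforced, which is exactly the configuration a scanner would still report as "not enforced".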

