Endpoint Protection

  • 1.  Configure HSTS header for the SEPM Console Website?

    Posted Sep 25, 2018 03:15 PM

    Are there any instructions or information on how to modify the header information / HSTS information for the SEPM Console Website?

    I'm working on resolving issues discussed here:

    https://www.beyondsecurity.com/scan_pentest_network_vulnerabilities_hsts_missing_from_https_server

     



  • 2.  RE: Configure HSTS header for the SEPM Console Website?

    Posted Sep 25, 2018 03:19 PM

    I've not seen one but you may want to work with support. Any vulnerabilities are usually fixed in a new build so I'm not sure how manually fixing is viewed by them. 



  • 3.  RE: Configure HSTS header for the SEPM Console Website?

    Posted Sep 25, 2018 03:22 PM

    Thanks Brian, I opened a case, but was checking here in case anyone had already taken care of this and might be able to offer some suggestions.



  • 4.  RE: Configure HSTS header for the SEPM Console Website?
    Best Answer

    Posted Oct 02, 2018 03:58 PM

    A new TechNote has been added regarding this issue:

    https://support.symantec.com/en_US/article.TECH246952.html

    Basically, you need to edit the httpd.conf file (make a backup first) and copy in the directives/material found in that TechNote.  After copying in the directive (and updating the URL in the sample to the URL of your SEPM site), restart your SEPM server so the web server restarts as needed.  Wait for the server to restart; after the restart, try connecting to your SEPM console.  The connection should work as intended.  You can then run a scan tool to check whether you meet the expected requirements/configuration.

    SEPM uses Apache, so anyone familiar with Apache should understand how to add this directive in.

    The path to find the file should be something like this on a Windows server:

    \Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache

     

    Hopefully this helps someone else.
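
The "run a scan tool" step in the best answer can be approximated offline with the check below. It is an added example, not part of the thread or of Symantec's TechNote; it parses a `Strict-Transport-Security` value following RFC 6797, and the `MIN_MAX_AGE` floor, the `includeSubDomains` requirement and the sample headers are assumptions.

```python
MIN_MAX_AGE = 15552000  # assumed policy floor (180 days); match your scanner's rule

def parse_hsts(value):
    """Parse one header value into {directive: value}; raise ValueError if malformed."""
    directives = {}
    for part in value.split(";"):
        name, _, raw = (s.strip() for s in part.partition("="))
        if not name:                      # empty directives between ";" are allowed
            continue
        name = name.lower()               # directive names are case-insensitive
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]               # a value may be a quoted-string
        if name in directives:            # each directive may appear only once
            raise ValueError(f"directive repeated: {name}")
        directives[name] = raw
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        raise ValueError("max-age missing or not a non-negative integer")
    return directives

def audit(headers, min_max_age=MIN_MAX_AGE):
    """Return a list of findings for a response's (name, value) header pairs."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["HSTS header missing"]
    findings = []
    if len(values) > 1:
        findings.append("multiple HSTS headers; browsers use only the first")
    try:
        policy = parse_hsts(values[0])
    except ValueError as exc:
        return findings + [f"invalid HSTS header: {exc}"]
    max_age = int(policy["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells browsers to drop the HSTS policy")
    elif max_age < min_max_age:
        findings.append(f"max-age {max_age} is below {min_max_age}")
    if "includesubdomains" not in policy:  # assumed requirement, optional in the RFC
        findings.append("includeSubDomains not set")
    return findings

# Constructed sample responses (not captured from a real SEPM server).
BEFORE = [("Server", "Apache"), ("Content-Type", "text/html")]
AFTER = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(hdrs) or "OK")
```

To use it against a live console, pass in the header pairs from an HTTPS response of your SEPM site; browsers ignore HSTS received over plain HTTP.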