PCI compliance on Exchange 2013/Windows 2012 server

We have recently updated to Windows 2012 and Exchange 2013.   Since doing so, now my PCI compliance scan for our credit card provider fails.  The main failure is that the RC4 cipher is being  used as well as TLS 2.0 and 3.0 as well as a SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (LogJam) entry.  When I have tried to disable the use of the RC4 and TLS 2.0 and 3.0 I ran into an issue that now my OWA and Activesync sites no longer work.  Therefore, I removed the registry entries that I created to attempt to remove the non compliant protocols.  Now OWA and Activesync are working again but I am still not compliant on my scan since these "unsafe" protocols are in use.

Can anyone offer some assistance as to how to disable these protocols correctly and still have my IIS sites for Exchange server working correctly?
David BarmanAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
It should be SSL 2.0 and SSL 3.0 instead of TLS 2.0 and 3.0. I suggest enable TLS 1.0 and disabling the RC4 and SSL2.0/3.0 as a whole. You can check out iiscrypto tool. This is also asked in the past and if I may ask to check out
Indeed disabling SSL V3.0 on the Windows Server hosting Exchange server application wil not affect classical Exchange services. ...

You will need to enabled tls 1.0 at server since it is not mentioned to have work out for many .. and I suspect it is not supported too. At least from this TLS 1.0 is not suggested to be disabled.
https://technet.microsoft.com/en-us/library/security/3009008.aspx

 Sidenote - But I do know the aspect that RC4 is considered weak and should be disabled. This may be used in client
http://www.experts-exchange.com/Networking/Protocols/SSL/Q_28671523.html
The forume eventually has many view and many eventually leave tls1.0 for Exchange 2010, in order to  have OWA working.

Try ith SSLv3 disabled and TLS1.0 above enabled at the Exchange, and try with various browser on the OWA. If it works then do a ssllab test again, repeat the same and this time with TLS1.0 disabled, if it cannot even get OWA up - really will ssllab still matter in priority ... if it is ssllab test, it has a guide in listing the criteria (see Table 3. Protocol support rating guide).
SSL 3.0 80%
 TLS 1.0 90%
 TLS 1.1 95%
 TLS 1.2 100%


https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide.pdf
 To note - tls1.0 is just one factor in overall assessment.
http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_28665708.html

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
David BarmanAuthor Commented:
Thank you.  This was very helpful. After making the modifications and using the ssllabs.com site I was able to pass my PCI compliance scan.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.