How to disable TLS Version 1.0 Protocol on Exchange and OWA

I need to patch an Exchange 2010/OWA server to pass a PCI compliance scan and they are asking to use TLS 1.1 or higher, so I found a script to disable TLS 1.0 and to enable TLS 1.1; however, once I disabled TLS 1.0 many things stopped working. Clients that were connecting via phone and using Outlook Anywhere remotely stopped working immediately. I have posted the script I used below, but am I missing anything here to make this work right? As you can see, I've disabled TLS 1.0 only on the server side, because of some recommendations found online.

REM Disable SSL 2.0 and SSL 3.0 for both the Server (inbound) and Client (outbound) side
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REM Disable TLS 1.0 on the Server side only; the Client side stays enabled for outbound connections
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 1 /f
REM Same TLS 1.0\Server line as above (duplicate, harmless)
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REM Enable TLS 1.1 and TLS 1.2 (only the Enabled value is written; DisabledByDefault is not touched)
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f
REM Disable the RC4 stream ciphers
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /v Enabled /t REG_DWORD /d 0 /f
jdff asked:
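A read-back of what the REG ADD script actually leaves in the registry, added here as an example that is not part of the question or of the poster's script. It reports the effective state of every protocol on the Server and Client side, plus the three RC4 cipher keys. The labelled assumption is the host OS: Exchange 2010 usually runs on Windows Server 2008 R2, where TLS 1.1 and TLS 1.2 are "disabled by default", so Enabled = 1 on its own does not make Schannel offer them; DisabledByDefault must also be 0 under the same key. The script above never writes DisabledByDefault, so the rows this audit flags for TLS 1.1 / TLS 1.2 are the first thing to check when clients stop connecting after TLS 1.0 is switched off.

```powershell
# Added example (not from the original question or the REG ADD script above):
# read back the Schannel settings the script writes and report the effective
# state of each protocol on the Server and Client side, plus the RC4 cipher keys.
# Assumption (labelled): Windows Server 2008 R2 host, where TLS 1.1/1.2 need
# DisabledByDefault = 0 in addition to Enabled = 1 before Schannel offers them.

$SchannelProtocols = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$SchannelCiphers   = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Get-SchannelValue {
    # Read one DWORD under HKLM through the .NET registry API rather than the
    # registry provider: the cipher key names contain "/" (e.g. "RC4 128/128"),
    # which the PowerShell provider would rewrite as a path separator.
    # Returns $null when the key or value is absent, i.e. the OS default applies.
    param([string]$SubKey, [string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }
    try { return $key.GetValue($Name, $null) } finally { $key.Close() }
}

function Get-SchannelProtocolState {
    param(
        [string]$Protocol,
        [ValidateSet('Server', 'Client')][string]$Side
    )
    $subKey            = "$SchannelProtocols\$Protocol\$Side"
    $enabled           = Get-SchannelValue -SubKey $subKey -Name 'Enabled'
    $disabledByDefault = Get-SchannelValue -SubKey $subKey -Name 'DisabledByDefault'

    # Schannel treats any non-zero Enabled as on (0xFFFFFFFF is common); 0 is the
    # only hard off. Absent values fall back to the operating-system default.
    if ($null -eq $enabled) {
        $state = 'OS default (no Enabled value)'
    } elseif ($enabled -eq 0) {
        $state = 'Disabled'
    } elseif ($disabledByDefault -eq 0) {
        $state = 'Enabled'
    } else {
        $state = 'CHECK: Enabled but DisabledByDefault not set to 0'
    }

    New-Object PSObject -Property @{
        Protocol          = $Protocol
        Side              = $Side
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        EffectiveState    = $state
    }
}

function Get-SchannelAudit {
    $rows = @()
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($s in 'Server', 'Client') {
            $rows += Get-SchannelProtocolState -Protocol $p -Side $s
        }
    }
    foreach ($c in 'RC4 128/128', 'RC4 40/128', 'RC4 56/128') {
        $v = Get-SchannelValue -SubKey "$SchannelCiphers\$c" -Name 'Enabled'
        if ($null -eq $v) { $state = 'OS default' } elseif ($v -eq 0) { $state = 'Disabled' } else { $state = 'Enabled' }
        $rows += New-Object PSObject -Property @{
            Protocol = $c; Side = 'Cipher'; Enabled = $v; DisabledByDefault = $null; EffectiveState = $state
        }
    }
    $rows
}

Get-SchannelAudit | Format-Table Protocol, Side, Enabled, DisabledByDefault, EffectiveState -AutoSize
```

Run it in an elevated PowerShell on the Exchange server after the script and reboot. The .NET registry API is used on purpose: the RC4 key names contain a forward slash, and the registry provider normalises that into a backslash, so Test-Path and Get-ItemProperty on those keys silently look at the wrong path.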
John (Business Consultant, Owner) commented:
You can have TLS 1.0, 1.1, and 1.2 all enabled at the same time. Can you live with that approach?  This will enable legacy devices and services.
Brian Murphy (Senior Information Technology Consultant) commented:
Jdff-
I provide instructions, step-by-step, to do this:
http://www.experts-exchange.com/articles/25021/Citrix-SSL-TLS-Vulnerabilities-and-Operating-System-Hardening.html

I wrote this for Citrix servers and workstations, but the tool and technique apply to the Windows operating system and anything running on it.

Take a read.  This is the process I use to harden the Windows OS relative to SSL/TLS protocols.
jdff (Author) commented:
John, the PCI scan won't pass if TLS 1.0 is enabled, so I need to figure out a way for this to work with TLS 1.1 or higher.
jdff (Author) commented:
Brian,
My problem is that once TLS 1.0 was disabled, clients could not talk to the Exchange server anymore. Any ideas?
Brian Murphy (Senior Information Technology Consultant) commented:
Well, let me look through your script again, but one point is that the "tool" I recommend has a best practice option.  I'm wondering if you disabled more than just TLS 1.0.  Technically you need to disable SSL 2.0, 3.0, and TLS 1.0.

I see where you disabled the RC4 ciphers as well and there is no reason to have those enabled.

At first glance it looks like you disabled all the right protocols and enabled TLS 1.1 and 1.2.

I don't see anything at second glance that would cause your issue unless the firmware requires upgrading on your phones.

In the article I discuss how older versions of Internet browsers or operating systems are still a problem despite what you might do server side.

Can you share the phone information?

What I mean is the type of phone and OS.  Android? etc.
Brian Murphy (Senior Information Technology Consultant) commented:
You might want to provide this link to your compliance team.

http://blogs.technet.com/b/exchange/archive/2015/07/27/exchange-tls-amp-ssl-best-practices.aspx

Get a short-term exception.

Quote:
While we believe the intentions of both proposals are good and will promote adoption of TLS 1.1 & 1.2, at this time, we do not yet recommend disabling TLS 1.0 on your Exchange Server(s).

Brian Murphy (Senior Information Technology Consultant) commented:
Basically MS is stating not to disable TLS 1.0 at this time.

With that said, hardening is more than TLS protocol.  Take a look at my article on hardening.

If you can go back with specific statements that you disabled the "bad ciphers" but need an exception for TLS 1.0 at this time you might get it between this MS article and the one I wrote on best practices.

http://blogs.technet.com/b/exchange/archive/2015/07/27/exchange-tls-amp-ssl-best-practices.aspx

http://www.experts-exchange.com/articles/25021/Citrix-SSL-TLS-Vulnerabilities-and-Operating-System-Hardening.html
jdff (Author) commented:
Brian, this is the report from the PCI scan.

Port 443
CVSS 5.00 FAIL
Protocol TCP
Service www

Title
TLS Version 1.0 Protocol Detection (PCI DSS)

Synopsis:
The remote service encrypts traffic using a protocol with known weaknesses.

Impact:
The remote service accepts connections encrypted using TLS 1.0. These versions of TLS reportedly suffer from several cryptographic flaws. An attacker may be able to exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients. As per PCI Security Standards Council April 1, 2015 document `Migrating from SSL and Early TLS` all TLS 1.0 encryption usage must include a Mitigation and Migration plan detailing current risk management plus migration strategy off early TLS to secure TLS versions such as TLS 1.1 or 1.2 on or before June 30, 2016. Consult the application's documentation for information on how to upgrade TLS to version 1.1 or greater (TLS 1.2 strongly recommended) or upgrade the application to a version that uses TLS version 1.1 or greater.

Resolution:
Consult the application's documentation to disable TLS 1.0. Use TLS 1.1 or higher instead. If you are using TLS 1.0 with a mitigation and migration plan in place, you may contact support@securitymetrics.com to see if you are eligible to mark this vulnerability as a false positive. For more information, see https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf
Brian Murphy (Senior Information Technology Consultant) commented:
I understand.  Secure protocols like TLS generally use TCP 443.  However, per the Microsoft Exchange article:

You can do this with confidence because TLS 1.0 will be the minimum which you support. Exchange and Windows have both supported TLS 1.0 for over a decade. TLS 1.0 itself is not considered vulnerable when SSL 3.0 is disabled on clients and servers. In fact, most Exchange sessions already have been using TLS 1.0 or even later, for years. You are simply disabling the ability for the session to be downgraded to SSL 3.0. Disabling SSL 3.0 is typically not too impactful except for clients and devices that are older than (roughly) 10 years old.

http://blogs.technet.com/b/exchange/archive/2015/07/27/exchange-tls-amp-ssl-best-practices.aspx

I'm not convinced that upgrading or modifying your clients will solve this problem.

You have it in writing that Microsoft does not believe this to be an issue when you disable SSL.

If you monitor your traffic on the OWA server or a client device you will notice with Wireshark or other utilities they are using TLS 1.0.

A lot of the TLS 1.0 attacks are based on negotiation of "low ciphers" which you disabled.

You disabled RC4.  Those are the streaming ciphers mentioned in my article and referenced in Microsoft Article for TLS best practice.
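Instead of reading the negotiated version off a Wireshark capture, the server's behaviour can be checked directly with one handshake per protocol version. The following is an added example, not code from Brian's comment or from the original thread; it performs the same observation the ASV scan makes on TCP 443, so the server can be verified before the scan is re-run. It assumes .NET Framework 4.5 or later on the machine running it (for the Tls11/Tls12 enum values), and the hostname in it is a placeholder to replace with the real OWA address.

```powershell
# Added example, not from the original thread: offer exactly one protocol
# version per connection to the OWA endpoint and record whether the server
# accepts it. Assumes .NET 4.5+ (Tls11/Tls12 enum members); hostname is a
# placeholder.

function Test-TlsProtocol {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 443,
        [Parameter(Mandatory = $true)]
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $result = New-Object PSObject -Property @{
        Target     = "${ComputerName}:$Port"
        Offered    = $Protocol.ToString()
        Accepted   = $false
        Negotiated = $null
        Error      = $null
    }
    # The callback accepts any certificate because this probe is about protocol
    # support, not certificate trust; it is not a pattern for real client code.
    $trustAnyCert = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $cert, $chain, $errors) $true
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $trustAnyCert
        # Offer exactly one protocol version so a refusal is unambiguous.
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        $result.Accepted   = $true
        $result.Negotiated = $ssl.SslProtocol.ToString()
        $ssl.Close()
    } catch {
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
    $result
}

function Test-OwaTlsSupport {
    # Walks SSL 3.0 through TLS 1.2. After the REG ADD script in the question the
    # expected picture is Ssl3 and Tls (= TLS 1.0) refused, Tls11 and Tls12 accepted.
    param([string]$ComputerName, [int]$Port = 443)
    foreach ($p in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
        Test-TlsProtocol -ComputerName $ComputerName -Port $Port -Protocol $p
    }
}

# Placeholder hostname; replace with the OWA / Outlook Anywhere FQDN.
Test-OwaTlsSupport -ComputerName 'owa.example.com' |
    Format-Table Offered, Accepted, Negotiated, Error -AutoSize
```

A row with Accepted = False and a handshake error for Tls is what the scanner needs to see; a row with Accepted = False for Tls11 and Tls12 as well means the server has nothing left to offer, which matches the symptom of every client failing at once.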
jdff (Author) commented:
Brian, I understand where you are coming from; however, I was asked to make Exchange and OWA not use TLS 1.0, so I have to keep searching for answers, but thanks for your time.
Gary Connor, PhD (CIO, CISO) commented:
jdff -
You have done the correct configuration for the server.  The problem now lies with the many clients that do not support TLS1.1 and TLS1.2.  Those issues have to be managed on a client-by-client basis depending on platform, OS, and software being used.  You now have a properly configured server per PCI, and you are correct that most ASVs will NOT give you a pass on TLS1.0 unless you write a full mitigation plan, so you can't allow TLS1.0.  With your properly configured server you will see many failures that are due to client-side inability to use TLS1.1 or TLS1.2.
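A way to see, per Windows client, which protocol versions its HTTP stacks are allowed to use, added here as an example that is not from Gary's answer or the original thread. It decodes the SecureProtocols bitmask for WinINET (Internet Explorer and anything built on it) and the DefaultSecureProtocols bitmask for WinHTTP (the stack used by RPC over HTTP, and so by Outlook Anywhere). The bit values are the WinHTTP WINHTTP_FLAG_SECURE_PROTOCOL_* constants and the DefaultSecureProtocols value is the one documented in Microsoft KB3140245. Labelled assumption: when a value is absent the OS default applies, taken here as SSL 3.0 + TLS 1.0 (0xA0), the Windows 7 / Server 2008 R2 default; pass -AssumedDefaultMask for other client OS versions.

```powershell
# Added example, not from the original thread: decode the protocol bitmasks a
# Windows client uses for WinINET and WinHTTP, and say whether the client can
# still reach a server that offers only TLS 1.1/1.2.
# Assumption (labelled): absent value = OS default, assumed 0xA0 (SSL 3.0 + TLS 1.0).

$ProtocolBits = @{
    'SSL 2.0' = 0x008
    'SSL 3.0' = 0x020
    'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}
$ProtocolOrder = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function ConvertFrom-SecureProtocolsMask {
    # Returns the protocol names whose bit is set in $Mask.
    param([int]$Mask)
    $names = @()
    foreach ($name in $ProtocolOrder) {
        if (($Mask -band $ProtocolBits[$name]) -ne 0) { $names += $name }
    }
    return $names
}

function Test-CanReachTls11OrHigherServer {
    # True when at least one of the TLS 1.1 / TLS 1.2 bits is set.
    param([int]$Mask)
    $needed = $ProtocolBits['TLS 1.1'] -bor $ProtocolBits['TLS 1.2']
    return (($Mask -band $needed) -ne 0)
}

function Get-ClientSecureProtocols {
    param([int]$AssumedDefaultMask = 0xA0)
    # WinHTTP is read for both 64-bit and 32-bit (WOW6432Node) applications,
    # since a 32-bit Outlook on 64-bit Windows uses the second key.
    $locations = @(
        @{ Stack = 'WinINET (current user)'; Hive = [Microsoft.Win32.Registry]::CurrentUser
           SubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
           Name = 'SecureProtocols' },
        @{ Stack = 'WinHTTP (64-bit apps)'; Hive = [Microsoft.Win32.Registry]::LocalMachine
           SubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
           Name = 'DefaultSecureProtocols' },
        @{ Stack = 'WinHTTP (32-bit apps)'; Hive = [Microsoft.Win32.Registry]::LocalMachine
           SubKey = 'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
           Name = 'DefaultSecureProtocols' }
    )
    foreach ($loc in $locations) {
        $raw = $null
        $key = $loc.Hive.OpenSubKey($loc.SubKey)
        if ($null -ne $key) { $raw = $key.GetValue($loc.Name, $null); $key.Close() }
        if ($null -eq $raw) {
            $mask    = $AssumedDefaultMask
            $rawText = 'absent (OS default assumed)'
        } else {
            $mask    = [int]$raw
            $rawText = '0x{0:X}' -f $mask
        }
        New-Object PSObject -Property @{
            Stack           = $loc.Stack
            RawValue        = $rawText
            Protocols       = (ConvertFrom-SecureProtocolsMask $mask) -join ', '
            CanUseTls11Plus = Test-CanReachTls11OrHigherServer $mask
        }
    }
}

# Offline check of the decoder with two values KB3140245 documents:
# 0xA00 = TLS 1.1 + TLS 1.2 only, 0xA80 = TLS 1.0 + TLS 1.1 + TLS 1.2.
ConvertFrom-SecureProtocolsMask 0xA00
ConvertFrom-SecureProtocolsMask 0xA80

Get-ClientSecureProtocols | Format-Table Stack, RawValue, Protocols, CanUseTls11Plus -AutoSize
```

A client row with CanUseTls11Plus = False is one that will fail against the server as configured in the question regardless of what the server does; fixing it is a client-side change (OS update, the WinHTTP update from KB3140245 plus the DefaultSecureProtocols value, or a newer device), which is the per-client management the answer above describes.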
jdff (Author) commented:
An exception was granted after an upgrade plan was submitted to Security Metrics.