Solved

exchange 2010 turning off 3des ciphers

Posted on 2016-11-14
662 Views
Last Modified: 2016-11-29
Is there any issue in turning off 3DES ciphers on Exchange 2010? We are on the most up-to-date patches for the server. Trustwave is failing our monthly scan due to this cipher being available. I have turned it off on our web servers, just unsure if disabling it will cause anything in Exchange to not work properly.

Thanks
Question by: Tim Lewis
2 Comments
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 41887710
I do not think the finding is saying 3DES is weak, but rather that it is due to the use of CBC block chaining instead. The recommended approach as per MS states this. There is no need to disable 3DES; the focus is to close up the other weak ciphers instead, which 3DES in itself is not.
The current recommendations, which will continue evolving, are as follows:
• Deploy supported operating systems, clients, browsers, and Exchange versions
• Test everything by disabling SSL 3.0 on Internet Explorer
• Disable support for SSL 3.0 on the client
• Disable support for SSL 3.0 on the server
• Prioritize TLS 1.2 ciphers, and AES/3DES above others
• Strongly consider disabling RC4 ciphers
• Do NOT use MD5/MD2 certificate hashing anywhere in the chain
• Use RSA-2048 when creating new certificate keys
• When renewing or creating new requests, request SHA 256-bit or better
• Know what your version of Exchange supports
• Use tools to test and verify
• Do NOT get confused by explicit TLS vs. implicit TLS
• (For now) Wait to disable TLS 1.0 on the Exchange server
https://blogs.technet.microsoft.com/exchange/2015/07/27/exchange-tls-ssl-best-practices/

Instead, adopt changing the cipher list order on the server; this can minimize the use of a less secure cipher, but you may want to go further and disable it completely. For example, the below should be lower in the list (in the registry: SCHANNEL\Ciphers\Triple DES 168), as disabling these requires more testing before you confirm disabling them. Do a gradual move in testing rather than an immediate disable.
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
• SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

The IIS Crypto tool is handy to disable ciphers as well as enable them based on best practice.
https://www.petri.com/cipher-best-practice-configure-iis-ssl-tls-protocol
tool - https://www.nartac.com/Products/IISCrypto
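As an added example (not from the thread and not btan's or IIS Crypto's code), a PowerShell audit script that assumes the standard SCHANNEL registry locations: it reports whether the Triple DES 168 cipher is disabled, lists any 3DES suites present in a configured cipher suite order policy, and only writes the disable value when run with -Disable, matching the test-first approach described above.

```powershell
# Added example, not part of the original answer. Run in an elevated PowerShell
# on the Exchange/IIS server. Registry paths below are the standard SCHANNEL
# cipher key and the cipher suite order policy key (assumed, not from the thread).
param([switch]$Disable)

$cipherKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'
$orderKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-TripleDesState {
    # SCHANNEL treats a missing key or missing Enabled value as "cipher enabled"
    if (-not (Test-Path $cipherKey)) { return 'Enabled (default, key absent)' }
    $v = (Get-ItemProperty -Path $cipherKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $v) { return 'Enabled (default, no Enabled value)' }
    if ($v -eq 0) { return 'Disabled (Enabled=0)' }
    return "Enabled (Enabled=$v)"
}

function Get-TripleDesSuitesInOrder {
    # The order policy, when set, is one comma-separated REG_SZ named Functions
    $order = (Get-ItemProperty -Path $orderKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if (-not $order) { return @() }
    return @(($order -split ',') | Where-Object { $_ -match '3DES' })
}

Write-Host "Triple DES 168 cipher: $(Get-TripleDesState)"
$suites = Get-TripleDesSuitesInOrder
if ($suites.Count -gt 0) {
    Write-Host "3DES suites in the configured cipher suite order:"
    $suites | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'No cipher suite order policy set, or it lists no 3DES suites.'
}

if ($Disable) {
    # Enabled=0 removes 3DES from SCHANNEL; the change takes effect after a reboot
    New-Item -Path $cipherKey -Force | Out-Null
    New-ItemProperty -Path $cipherKey -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
    Write-Host 'Triple DES 168 set to Enabled=0; reboot the server to apply.'
}
```

Run it without -Disable first on a test server, confirm that Outlook, ActiveSync and OWA clients still connect, then apply -Disable and re-run the external scan.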
 
LVL 37

Expert Comment

by:ArneLovius
ID: 41892132
+1 for iiscrypto
