Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

exchange 2010 turning off 3des ciphers

Posted on 2016-11-14
2
298 Views
Last Modified: 2016-11-29
Is there any issue in turning off 3des ciphers on exchange 2010?  We are on the most up to date patches for the server.  trustwave is failing our monthly scan due to this cipher being available.  I have turned it off on our web servers just unsure if disabling it will cause anything in exchange to not work properly.

Thanks
0
Comment
Question by:Tim Lewis
2 Comments
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 41887710
I do not think the finding is saying 3DES is weak but rather it is due to the use of CBC block chaining used instead. The recommended approach as per MS stated this. There is no need to disable 3DES and the focus is to close up the other weak cipher instead, which 3DES in itself is not.
The current recommendations, which will continue evolving, are as follows:
•Deploy supported operating systems, clients, browsers, and Exchange versions
•Test everything by disabling SSL 3.0 on Internet Explorer
•Disable support for SSL 3.0 on the client
•Disable support for SSL 3.0 on the server
•Prioritize TLS 1.2 ciphers, and AES/3DES above others
•Strongly consider disabling RC4 ciphers
•Do NOT use MD5/MD2 certificate hashing anywhere in the chain
•Use RSA-2048 when creating new certificate keys
•When renewing or creating new requests, request SHA 256-bit or better
•Know what your version of Exchange supports
•Use tools to test and verify
•Do NOT get confused by explicit TLS vs. implicit TLS
•(For now) Wait to disable TLS 1.0 on the Exchange server
https://blogs.technet.microsoft.com/exchange/2015/07/27/exchange-tls-ssl-best-practices/

Instead adopt the changing on the cipher list order on the server can minimize the use of a less secure cipher, but you may want to go further and disable it completely. For example, the below should be in lower in the list (in registry - SCHANNEL\Ciphers\Triple DES 168) as the disabling of these requires more testing before you confirmed to disabled them. Do a gradual move in testing rather than an immediate disabled  
•SSL_RSA_WITH_3DES_EDE_CBC_SHA
•SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
•TLS_RSA_WITH_3DES_EDE_CBC_SHA
•TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

The iiscrypto tool is handy to disable cipher as well as enable based on best practice.
https://www.petri.com/cipher-best-practice-configure-iis-ssl-tls-protocol
tool - https://www.nartac.com/Products/IISCrypto
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 41892132
+1 for iiscrypto
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question