exchange 2010 turning off 3des ciphers

Posted on 2016-11-14
Last Modified: 2016-11-29
Is there any issue in turning off 3des ciphers on exchange 2010?  We are on the most up to date patches for the server.  trustwave is failing our monthly scan due to this cipher being available.  I have turned it off on our web servers just unsure if disabling it will cause anything in exchange to not work properly.

Thanks
Question by:Tim Lewis
2 Comments
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 41887710
I do not think the finding is saying 3DES is weak, but rather that it is due to the use of CBC block chaining instead. The recommended approach as per MS states this. There is no need to disable 3DES; the focus is to close up the other weak ciphers instead, which 3DES in itself is not.
The current recommendations, which will continue evolving, are as follows:
• Deploy supported operating systems, clients, browsers, and Exchange versions
• Test everything by disabling SSL 3.0 on Internet Explorer
• Disable support for SSL 3.0 on the client
• Disable support for SSL 3.0 on the server
• Prioritize TLS 1.2 ciphers, and AES/3DES above others
• Strongly consider disabling RC4 ciphers
• Do NOT use MD5/MD2 certificate hashing anywhere in the chain
• Use RSA-2048 when creating new certificate keys
• When renewing or creating new requests, request SHA 256-bit or better
• Know what your version of Exchange supports
• Use tools to test and verify
• Do NOT get confused by explicit TLS vs. implicit TLS
• (For now) Wait to disable TLS 1.0 on the Exchange server
https://blogs.technet.microsoft.com/exchange/2015/07/27/exchange-tls-ssl-best-practices/

Instead, changing the cipher list order on the server can minimize the use of a less secure cipher, but you may want to go further and disable it completely. For example, the below should be lower in the list (in the registry: SCHANNEL\Ciphers\Triple DES 168), as disabling these requires more testing before you confirm you can disable them. Do a gradual move in testing rather than an immediate disable.
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
• SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

The iiscrypto tool is handy to disable ciphers as well as enable them based on best practice.
https://www.petri.com/cipher-best-practice-configure-iis-ssl-tls-protocol
tool - https://www.nartac.com/Products/IISCrypto
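Worked example, added here and not part of btan's answer or any Microsoft tool: a PowerShell script for the Exchange 2010 host that reports the current state of the SCHANNEL `Triple DES 168` key named above, shows where 3DES suites sit in the configured cipher suite order, and only disables 3DES when explicitly called, with `-WhatIf` support so the gradual test-first approach can be followed. The cipher-suite-order policy key path is assumed from the standard Windows SCHANNEL layout (it is what IIS Crypto and group policy write), not taken from the thread.

```powershell
# Added example: inspect, and optionally disable, 3DES in SCHANNEL on the
# Exchange 2010 host. Run from an elevated PowerShell; SCHANNEL only picks
# up the change after a reboot. Not part of the original answer.
$TripleDesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'
# Assumed: standard cipher-suite-order policy key (written by IIS Crypto / GPO).
$SuiteOrderKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-TripleDesState {
    # 'Default' means no explicit value exists, so the OS default (enabled) applies.
    if (-not (Test-Path -LiteralPath $TripleDesKey)) { return 'Default' }
    $item = Get-ItemProperty -LiteralPath $TripleDesKey -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Default' }
    if ($item.Enabled -eq 0) { 'Disabled' } else { 'Enabled' }
}

function Get-TripleDesSuitePositions {
    # 1-based positions of 3DES suites in the configured order; empty when
    # no explicit order policy exists (the OS default order is then used).
    if (-not (Test-Path -LiteralPath $SuiteOrderKey)) { return @() }
    $functions = (Get-ItemProperty -LiteralPath $SuiteOrderKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if ([string]::IsNullOrWhiteSpace($functions)) { return @() }
    $suites = $functions -split ','
    $positions = @()
    for ($i = 0; $i -lt $suites.Count; $i++) {
        if ($suites[$i] -match '3DES') { $positions += ($i + 1) }
    }
    ,$positions   # leading comma keeps an empty or single-element array intact
}

function Disable-TripleDes {
    # Sets Enabled=0 on the cipher key. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($TripleDesKey, 'Set Enabled = 0')) {
        if (-not (Test-Path -LiteralPath $TripleDesKey)) {
            New-Item -Path $TripleDesKey -Force | Out-Null
        }
        New-ItemProperty -LiteralPath $TripleDesKey -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

# Report first; disable only after the reordered list has been tested.
"3DES cipher state : $(Get-TripleDesState)"
$pos = Get-TripleDesSuitePositions
if ($pos.Count -eq 0) { 'Cipher suite order: no explicit policy (OS default order)' }
else { "3DES suites sit at position(s) $($pos -join ', ') of the policy order" }
# Disable-TripleDes -WhatIf   # dry run; drop -WhatIf to apply, then reboot
```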
 
LVL 37

Expert Comment

by:ArneLovius
ID: 41892132
+1 for iiscrypto
