Exchange 2010: turning off 3DES ciphers

Is there any issue in turning off 3DES ciphers on Exchange 2010? We are on the most up to date patches for the server. Trustwave is failing our monthly scan due to this cipher being available. I have turned it off on our web servers; I am just unsure if disabling it will cause anything in Exchange to not work properly.

Asked by: Tim Lewis, Network Manager
btan (Exec Consultant) commented:
I do not think the finding is saying 3DES is weak; rather, it is due to the use of CBC block chaining. The recommended approach as per MS states this. There is no need to disable 3DES, and the focus is to close up the other weak cipher instead, which 3DES in itself is not.
The current recommendations, which will continue evolving, are as follows:
• Deploy supported operating systems, clients, browsers, and Exchange versions
• Test everything by disabling SSL 3.0 on Internet Explorer
• Disable support for SSL 3.0 on the client
• Disable support for SSL 3.0 on the server
• Prioritize TLS 1.2 ciphers, and AES/3DES above others
• Strongly consider disabling RC4 ciphers
• Do NOT use MD5/MD2 certificate hashing anywhere in the chain
• Use RSA-2048 when creating new certificate keys
• When renewing or creating new requests, request SHA 256-bit or better
• Know what your version of Exchange supports
• Use tools to test and verify
• Do NOT get confused by explicit TLS vs. implicit TLS
• (For now) Wait to disable TLS 1.0 on the Exchange server

Instead, changing the cipher list order on the server can minimize the use of a less secure cipher, but you may want to go further and disable it completely. For example, the below should be lower in the list (in registry - SCHANNEL\Ciphers\Triple DES 168), as disabling these requires more testing before you confirm disabling them. Do a gradual move in testing rather than an immediate disable.

The iiscrypto tool is handy to disable ciphers as well as enable them based on best practice.
tool -
+1 for iiscrypto
Question has a verified solution.
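
For the "use tools to test and verify" step, the following read-only audit is an added example (not part of the original thread and not output from iiscrypto) that reports the current state of the Schannel settings the answer mentions before anything is changed. The full registry paths, the RC4 and protocol key names, and the policy key holding the cipher suite order are assumptions based on the standard Schannel layout; only `SCHANNEL\Ciphers\Triple DES 168` is named in the thread.

```powershell
# Read-only audit of the Schannel settings discussed above. It changes nothing.
# Assumed standard paths; only "SCHANNEL\Ciphers\Triple DES 168" is from the thread.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm = [Microsoft.Win32.Registry]::LocalMachine

function Get-SchannelState([string]$SubKey) {
    # The .NET registry API is used because key names such as "RC4 128/128"
    # contain "/", which the PowerShell registry provider treats as a separator.
    $key = $hklm.OpenSubKey("$base\$SubKey")
    if ($key -eq $null) { return 'not configured (OS default applies)' }
    try {
        $enabled = $key.GetValue('Enabled')
        if ($enabled -eq $null) { return 'not configured (OS default applies)' }
        if ($enabled -eq 0) { return 'disabled' }
        return 'enabled'
    } finally { $key.Close() }
}

$items = @(
    'Ciphers\Triple DES 168',
    'Ciphers\RC4 128/128', 'Ciphers\RC4 56/128', 'Ciphers\RC4 40/128',
    'Protocols\SSL 3.0\Server', 'Protocols\TLS 1.0\Server'
)
foreach ($item in $items) {
    '{0,-28} {1}' -f $item, (Get-SchannelState $item)
}

# Cipher suite order, if one was set through policy. The value may be a
# comma-separated string or a multi-string, so both are normalised to a list.
$policyPath = 'SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$policy = $hklm.OpenSubKey($policyPath)
$functions = if ($policy) { $policy.GetValue('Functions') } else { $null }

if (-not $functions) {
    'No cipher suite order policy set; the OS default order applies.'
} else {
    $suites = @((@($functions) -join ',') -split ',' | Where-Object { $_ })
    for ($i = 0; $i -lt $suites.Count; $i++) {
        $note = ''
        if ($suites[$i] -match '3DES') { $note = '  <-- 3DES: should sit below the AES suites' }
        elseif ($suites[$i] -match 'RC4') { $note = '  <-- RC4: consider disabling' }
        '{0,3}. {1}{2}' -f ($i + 1), $suites[$i], $note
    }
}
```

Run it from an elevated PowerShell prompt on the Exchange server before and after each change, so the gradual move recommended in the answer can be compared step by step.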