Solved

Exchange 2010 turning off 3DES ciphers

Posted on 2016-11-14
Last Modified: 2016-11-29
Is there any issue in turning off 3DES ciphers on Exchange 2010? We are on the most up-to-date patches for the server. Trustwave is failing our monthly scan due to this cipher being available. I have turned it off on our web servers; I'm just unsure whether disabling it will cause anything in Exchange to not work properly.

Thanks
Question by: danskoit

2 Comments

Accepted Solution

by: btan (ID: 41887710)
I do not think the finding is saying 3DES is weak, but rather that it is due to the CBC block chaining mode being used. The recommended approach as per MS states this. There is no need to disable 3DES; the focus is to close up the other weak ciphers instead, which 3DES in itself is not.
The current recommendations, which will continue evolving, are as follows:
• Deploy supported operating systems, clients, browsers, and Exchange versions
• Test everything by disabling SSL 3.0 on Internet Explorer
• Disable support for SSL 3.0 on the client
• Disable support for SSL 3.0 on the server
• Prioritize TLS 1.2 ciphers, and AES/3DES above others
• Strongly consider disabling RC4 ciphers
• Do NOT use MD5/MD2 certificate hashing anywhere in the chain
• Use RSA-2048 when creating new certificate keys
• When renewing or creating new requests, request SHA 256-bit or better
• Know what your version of Exchange supports
• Use tools to test and verify
• Do NOT get confused by explicit TLS vs. implicit TLS
• (For now) Wait to disable TLS 1.0 on the Exchange server
https://blogs.technet.microsoft.com/exchange/2015/07/27/exchange-tls-ssl-best-practices/

Instead, adopting a change to the cipher list order on the server can minimize the use of a less secure cipher, but you may want to go further and disable it completely. For example, the suites below should be lower in the list (in the registry: SCHANNEL\Ciphers\Triple DES 168), as disabling them requires more testing before you confirm you can disable them. Do a gradual move in testing rather than an immediate disable.
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
• SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

The IISCrypto tool is handy to disable ciphers, as well as enable them, based on best practice.
https://www.petri.com/cipher-best-practice-configure-iis-ssl-tls-protocol
tool - https://www.nartac.com/Products/IISCrypto
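A hardening script, added here as an example and not part of btan's answer or of IISCrypto, that follows the gradual approach above: audit the current 3DES state, demote the 3DES suites in the policy cipher suite order, and only as a final commented-out step disable the cipher outright. It assumes an elevated PowerShell session on the Exchange server, the Windows Server 2008 R2-era SCHANNEL registry layout (no Get-TlsCipherSuite cmdlets), and that a reboot is required for SCHANNEL changes to take effect.

```powershell
# Added example (not from the original thread): audit, demote, and optionally disable
# 3DES in SCHANNEL. Assumptions: run elevated on the Exchange server; Server 2008 R2
# registry layout; a reboot applies SCHANNEL changes.

$CipherKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'
$OrderKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-TripleDesState {
    # SCHANNEL treats a missing key or a missing 'Enabled' value as "enabled".
    if (-not (Test-Path $CipherKey)) { return 'Enabled (default, key absent)' }
    $v = (Get-ItemProperty -Path $CipherKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $v) { return 'Enabled (default, value absent)' }
    if ($v -eq 0)     { return 'Disabled' }
    return "Enabled (Enabled=0x$('{0:x}' -f $v))"
}

function Get-DemotedCipherOrder {
    param([string[]]$Suites)
    # Keep the existing order but move every 3DES suite to the end of the list.
    $strong = @($Suites | Where-Object { $_ -notmatch '3DES' })
    $weak   = @($Suites | Where-Object { $_ -match '3DES' })
    return @($strong + $weak)
}

function Set-TripleDesDisabled {
    # Enabled = 0 (REG_DWORD) turns the cipher off for all SCHANNEL consumers after a reboot.
    if (-not (Test-Path $CipherKey)) { New-Item -Path $CipherKey -Force | Out-Null }
    New-ItemProperty -Path $CipherKey -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
}

# --- Step 1: audit the current state ---------------------------------------------
"3DES (Triple DES 168): $(Get-TripleDesState)"

# --- Step 2: demote 3DES suites in the policy cipher suite order, if one is set ----
$functions = (Get-ItemProperty -Path $OrderKey -Name Functions -ErrorAction SilentlyContinue).Functions
if ($functions) {
    $current = @(($functions -split ',') | Where-Object { $_ })
    $demoted = Get-DemotedCipherOrder -Suites $current
    # 'Functions' is a REG_SZ limited to 1023 characters on this platform; keep the list short.
    $joined = $demoted -join ','
    if ($joined.Length -gt 1023) { throw 'Cipher suite order exceeds the 1023-character limit' }
    Set-ItemProperty -Path $OrderKey -Name Functions -Value $joined
    "Cipher suite order rewritten; 3DES suites moved to the end ($($demoted.Count) suites)."
} else {
    "No policy cipher suite order found under $OrderKey; the OS default order applies."
}

# --- Step 3 (only after client testing is complete): disable 3DES, then reboot ----
# Set-TripleDesDisabled
```

Re-run Step 1 after the reboot, and re-run the external scan, to confirm the change took effect before moving on to Step 3.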
Expert Comment

by: ArneLovius (ID: 41892132)
+1 for iiscrypto