harden EXCH2013

Hi Experts,

I have a new EXCH2013 installation.
Now I have to harden this server because it has direct connectivity to outside users (OWA)
I have checked my connection, with www.ssllabs.com
This connection is terrible and has a F rating.

How to bring it to A or A+ ?
SSL3.0 is already disabled but what about the rest ?
Eprs_AdminSystem ArchitectAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Scott CSenior EngineerCommented:
Here is Microsoft's Security checklist for hardening Exchange 2013


Go through this and see what your rating is.

Here is another blog to go through.


Between these two you should improve your score.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Tom CieslikIT EngineerCommented:
The question is what is the rest ?
Without seeing your report it's hard to say what else you can do.
Eprs_AdminSystem ArchitectAuthor Commented:
Here is my Rating, see the picture.
This is the rating of the server with OWA.

F Rating
CEOs need to know what they should worry about

Nearly every week during the past few years has featured a headline about the latest data breach, malware attack, ransomware demand, or unrecoverable corporate data loss. Those stories are frequently followed by news that the CEOs at those companies were forced to resign.

Eprs_AdminSystem ArchitectAuthor Commented:
...and to fix insecure Renegotiation on EXCH2013 ?
David Johnson, CD, MVPRetiredCommented:
obviously ssl 3 is NOT disabled .. use nartac's tool to check and set. https://www.nartac.com/Products/IISCrypto requires reboot
Eprs_AdminSystem ArchitectAuthor Commented:
ok I will check this tool
In the meantime I have set some configuration on my firewall for the specific virtual IP.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.