sweet32 and disabling TLS 1.0 in Exchange 2016

mrosier (asker):

Hello!
I have a fully patched Exchange 2016 server on Windows 2012. I want to close these vulnerabilities found using Qualys scans, but I don't know how to do it without breaking OWA and whatever other features are affected in Exchange. I cannot find any articles for 2016 out there to do it safely. Can anyone point me toward specific steps to do it safely? Thanks!
Amit Kumar:

Use this software to disable/enable weak ciphers and TLS versions. The software below has standards like PCI and others built in, so you can select and apply accordingly.

https://www.nartac.com/Products/IISCrypto

If you want to get a report from Qualys, run the free scan test, but you will have to start a free trial account for it.

https://www.qualys.com/forms/trials/suite/
mrosier (asker):

Hi Amit,
Yes, I used IISCrypto and hit Best Practices. And I am already a Qualys member, actually. But I am still getting hit with TLS 1.0 and CVE-2016-2183 (Sweet32) after doing that. If I disable TLS 1.0 it breaks mail in certain ways, as does disabling the DES and 3DES ciphers. Is there a safe way to do it?

Amit Kumar:

Actually, a few weak ciphers you will have to accept, because Mac clients still do not support AES 256; they are accepting 3DES. I have been part of a VA in my project and had to live with 3DES because of Mac clients. If you have Windows 7 clients and above, then they support AES 256 and you can disable 3DES. Even mobile devices also support AES encryption.
mrosier (asker):

Gotcha, and thanks, but will that affect mail for my Windows 7 users at all? And what about disabling TLS 1.0 without affecting mail?
Amit Kumar:

Disabling TLS 1.0 can affect some of your mobile devices. I would not recommend disabling it.
mrosier (asker):

Is there a way to mitigate these if not close them?
Amit Kumar:

As per my understanding, if we restrict more, then we may face challenges with end users. I was even reading a few articles which say TLS 1.0 is also getting deprecated due to vulnerabilities.

You can disable TLS 1.0 as well, but there can be an impact after disabling it. However, the best thing in the MS platform is that if the client supports a higher version of security, it by default connects to the higher one. I was checking, and most Android phones later than 4.4 support TLS 1.1, so I think you can close TLS 1.0 as well, but mark a risk of service impact in your change request so your management can consider it.

When you see a major impact, you may re-enable TLS 1.0.
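The advice above (disable TLS 1.0 with a documented rollback) and the earlier point about leaving 3DES enabled only for clients that need it both come down to SCHANNEL registry keys on the Exchange server, which is what IIS Crypto edits under the hood. As an added example that is not code from the thread, from IIS Crypto or from Microsoft, the following PowerShell audits those keys, probes a listener from the client side to see which protocol versions it still accepts, and disables TLS 1.0 and 3DES on the server side only after checking that TLS 1.2 and the .NET strong-crypto settings Exchange 2016 depends on are in place. The function names are my own, and `mail.example.com` is a placeholder host name.

```powershell
# Added example (not from the thread): audit SCHANNEL, probe a listener, and disable
# TLS 1.0 / 3DES server-side only after prerequisite checks. Run in an elevated
# PowerShell on the Exchange server; SCHANNEL changes take effect after a reboot.

$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$DotNet   = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319')

function Get-RegDword {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# One row per protocol (server side) plus the 3DES cipher; $null means the value is
# absent, i.e. the OS default applies. This is what a "Best Practices" template wrote.
function Get-SchannelState {
    $rows = foreach ($p in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $path = Join-Path $Schannel "Protocols\$p\Server"
        [pscustomobject]@{
            Item              = "$p (server)"
            Enabled           = Get-RegDword $path 'Enabled'
            DisabledByDefault = Get-RegDword $path 'DisabledByDefault'
        }
    }
    $rows += [pscustomobject]@{
        Item              = 'Triple DES 168 (cipher)'
        Enabled           = Get-RegDword (Join-Path $Schannel 'Ciphers\Triple DES 168') 'Enabled'
        DisabledByDefault = $null
    }
    $rows
}

# Client-side handshake probe: which versions does the listener (e.g. OWA on 443)
# still accept? Run it before the change, after the reboot, and again on rollback.
function Test-TlsProtocol {
    param([string]$HostName, [int]$Port = 443)
    # Always-true validation callback: we test protocol support, not certificate trust.
    $trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    foreach ($proto in 'Tls', 'Tls11', 'Tls12') {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($HostName, $Port)
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAll)
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::$proto, $false)
            [pscustomobject]@{ Protocol = $proto; Accepted = $true;  Cipher = $ssl.CipherAlgorithm }
        } catch {
            [pscustomobject]@{ Protocol = $proto; Accepted = $false; Cipher = $null }
        } finally {
            $client.Dispose()
        }
    }
}

# Server side only, so Exchange's own outbound (client) connections are untouched.
# Refuses to run unless TLS 1.2 is usable and .NET is told to prefer it, which is the
# usual reason an Exchange server "breaks" when TLS 1.0 goes away.
# Rollback: the same keys with Enabled=1 and DisabledByDefault=0, then reboot.
function Disable-Tls10And3Des {
    $tls12 = Join-Path $Schannel 'Protocols\TLS 1.2\Server'
    if ((Get-RegDword $tls12 'Enabled') -eq 0 -or (Get-RegDword $tls12 'DisabledByDefault') -eq 1) {
        throw 'TLS 1.2 is disabled server-side; enable it and reboot before touching TLS 1.0.'
    }
    foreach ($d in $DotNet) {
        if ((Get-RegDword $d 'SystemDefaultTlsVersions') -ne 1 -or (Get-RegDword $d 'SchUseStrongCrypto') -ne 1) {
            throw "$d lacks SystemDefaultTlsVersions=1 and SchUseStrongCrypto=1; set them first."
        }
    }
    $tls10 = Join-Path $Schannel 'Protocols\TLS 1.0\Server'
    Set-RegDword $tls10 'Enabled' 0
    Set-RegDword $tls10 'DisabledByDefault' 1
    Set-RegDword (Join-Path $Schannel 'Ciphers\Triple DES 168') 'Enabled' 0
    Write-Warning 'SCHANNEL keys written; reboot, then re-run Test-TlsProtocol and check mail flow.'
}

# Usage (host name is a placeholder):
Get-SchannelState | Format-Table -AutoSize
Test-TlsProtocol -HostName 'mail.example.com' | Format-Table -AutoSize
# Disable-Tls10And3Des   # uncomment inside a change window, after reviewing the output above
```

The probe is the part worth keeping around: a Qualys finding for TLS 1.0 or Sweet32 on a server that "has Best Practices applied" usually means the key was written but the server has not been rebooted, or TLS 1.0 was left enabled on the listener the scanner hit, and a handshake test per protocol shows which it is without waiting for the next scan.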
mrosier (asker):

Well, I tried disabling TLS 1.0 in Exchange 2010 and it broke autodiscover, autoreply, etc. for all clients regardless of client OS. Would I have the same trouble with those using a fully patched 2016?
ASKER CERTIFIED SOLUTION

Amit Kumar:

mrosier (asker):

OK, great, thanks Amit, I appreciate your time and info! I will not be able to try this right away, so is it OK if we wait a couple of weeks before I close the question, to ensure I don't have any further Qs?

Amit Kumar:

I don't mind, but Experts Exchange will ask you to close this question after a short period; that is the process.
mrosier (asker):

Gotcha, thanks!
mrosier (asker):

Hey Amit, I was mistaken about one thing: my server is Windows 2016, not 2012. Does that change anything?

Amit Kumar:

It does not matter, because you have an even newer version of Server, which can support new security layers.