Enable TLS 1.2 and disable TLS 1.0 and SSL 3.0 on all Exchange servers and clients

1)      Table depicting support for various SSL/TLS versions on different Windows OS

 

2)      SMTP – a key piece of Exchange Server infrastructure – support for TLS 1.1 and 1.2 was added in Exchange Server 2013 CU8 and Exchange Server 2010 SP3 RU9. This means that if you want to add support for the latest ciphers and TLS versions, you may need to apply an update.
3)      Disable SSL 3.0 on all Windows Exchange servers
Disable support for the SSL 3.0 protocol on Windows by following these steps:
·         Click Start, click Run, type regedt32 or type regedit, and then click OK.
·         In Registry Editor, locate the following registry key:
·         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
·         Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
·         On the Edit menu, click Add Value.
·         In the Data Type list, click DWORD.
·         In the Value Name box, type Enabled, and then click OK.
·         Note If this value is already present, double-click the value to edit its current value.
·         In the Edit DWORD (32-bit) Value dialog box, type 0.
·         Click OK. Restart the computer.
4)      Enabling TLS 1.2 on servers
·         Execute the following commands via an elevated PowerShell command prompt to enable TLS v1.2

# Create keys in registry (not created by Windows out of the box)
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
# Enable TLS 1.2 for client and server SCHANNEL communications
# (New-ItemProperty fails if the value already exists; the key path must match exactly, with a single space in "TLS 1.2")
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "Enabled" -Value 1 -PropertyType "DWord"
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "DisabledByDefault" -Value 0 -PropertyType "DWord"
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "Enabled" -Value 1 -PropertyType "DWord"
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "DisabledByDefault" -Value 0 -PropertyType "DWord"
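The registry edits in steps 3 and 4 are the same operation with different protocol names and values, so they can be wrapped in one re-runnable function with a read-back check. The script below is an added example, not code from the original post; it assumes the SCHANNEL key layout the post uses, must be run from an elevated PowerShell prompt on each server, and needs the reboot the post calls for before the change takes effect. It also sets DisabledByDefault alongside Enabled and covers the Client key as well as Server, which the post's SSL 3.0 steps do not. Disabling TLS 1.0 is included because the title calls for it; only do that after every client and load balancer that talks to the server is confirmed to negotiate TLS 1.2.

```powershell
# Added example (not from the original post): idempotent SCHANNEL protocol toggles
# for steps 3 and 4, plus a read-back check. Assumes the SCHANNEL registry layout
# the post uses; run elevated on each Exchange server and reboot afterwards.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Protocol,   # e.g. 'SSL 3.0', 'TLS 1.0', 'TLS 1.2'
        [Parameter(Mandatory)] [bool]   $Enabled,
        [string[]] $Side = @('Server', 'Client')    # both sides unless told otherwise
    )
    foreach ($s in $Side) {
        $key = Join-Path (Join-Path $SchannelProtocols $Protocol) $s
        # New-Item -Force creates missing parent keys and is a no-op if the key exists
        New-Item -Path $key -Force | Out-Null
        # Set-ItemProperty creates the value if absent and overwrites it if present,
        # so re-running the script is safe (New-ItemProperty errors on a second run)
        Set-ItemProperty -Path $key -Name 'Enabled'           -Value ([int]$Enabled)        -Type DWord
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) -Type DWord
    }
}

function Get-SchannelProtocolState {
    # One object per protocol/side with the registry values, so the change can be
    # verified before and after the reboot. $null means the value is not set and
    # the OS default applies.
    param([string[]] $Protocol = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocol) {
        foreach ($s in 'Server', 'Client') {
            $key   = Join-Path (Join-Path $SchannelProtocols $p) $s
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $p
                Side              = $s
                KeyExists         = [bool]$props
                Enabled           = $(if ($props) { $props.Enabled }           else { $null })
                DisabledByDefault = $(if ($props) { $props.DisabledByDefault } else { $null })
            }
        }
    }
}

# Step 3: SSL 3.0 off. Step 4: TLS 1.2 on. TLS 1.0 off is what the post's title asks for.
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

# Read back every protocol/side so the state is visible before the reboot
Get-SchannelProtocolState | Format-Table -AutoSize
```

Run Get-SchannelProtocolState again after the reboot and keep the output with the change record; a row with KeyExists false means that protocol is still at the OS default shown in the table in step 1.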


5)      Edit the server's cipher suite order so that the 256-bit cipher suites are preferred
Click Start->gpedit.msc
Expand Computer Configuration -> Administrative Templates -> Network and select SSL Configuration Settings

Double click SSL Cipher Suite Order and check Enabled


Copy the text from the SSL Cipher Suites and paste it into notepad.


Move the following to the beginning of the text document: TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA (Note: here you could remove lower strength ciphers from the order to prevent the server from accepting those connections).
Paste the Cipher Suites back into the SSL Cipher Suites box in Group Policy and click OK


Restart the server for the changes to take effect
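The cut-and-paste through Notepad in step 5 is easy to get wrong (a mistyped suite name is silently ignored by SCHANNEL). The function below is an added example, not code from the original post: it takes the comma-separated list copied from the SSL Cipher Suites box, moves the two suites the post names to the front, optionally drops weaker suites as the post's note suggests, checks the result, and with -Apply writes it to the registry value that the "SSL Cipher Suite Order" policy setting stores it in. The policy key path, the Functions value name and the 1023-character limit on that value are Windows facts, not from the post; the sample list at the bottom is constructed for illustration and is much shorter than a real server's list.

```powershell
# Added example (not from the original post): reorder the cipher suite list from
# step 5, drop weak suites, and optionally write it where the policy setting keeps it.

function Set-CipherSuiteOrder {
    [CmdletBinding()]
    param(
        # The comma-separated list copied out of the policy's SSL Cipher Suites box
        [Parameter(Mandatory)] [string]   $CurrentOrder,
        # Suites to move to the front, in the order they should appear
        [Parameter(Mandatory)] [string[]] $Prefer,
        # Regex for suites to drop entirely (e.g. RC4, 3DES, NULL, MD5)
        [string] $RemovePattern,
        # Write the result to the policy key instead of only returning it
        [switch] $Apply
    )
    $suites = $CurrentOrder -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    # Guard against typos: every preferred suite must already be in the list,
    # because SCHANNEL ignores an unknown name without any error
    $missing = $Prefer | Where-Object { $suites -notcontains $_ }
    if ($missing) { throw "Not in current list: $($missing -join ', ')" }

    $rest = $suites | Where-Object { $Prefer -notcontains $_ }
    if ($RemovePattern) { $rest = $rest | Where-Object { $_ -notmatch $RemovePattern } }

    $ordered = (@($Prefer) + @($rest)) | Select-Object -Unique
    $result  = $ordered -join ','

    # The policy value is a single REG_SZ string that Windows caps at 1023 characters
    if ($result.Length -gt 1023) {
        throw "Cipher suite string is $($result.Length) characters; the limit is 1023"
    }

    if ($Apply) {
        # Registry location written by the "SSL Cipher Suite Order" Group Policy setting
        $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name 'Functions' -Value $result -Type String
    }
    return $result
}

# Constructed sample list (shortened; a real SSL Cipher Suites box holds many more entries)
$sample = 'TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,' +
          'TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA'

# Dry run: returns the new order without touching the registry; add -Apply to write it
Set-CipherSuiteOrder -CurrentOrder $sample `
    -Prefer 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA' `
    -RemovePattern 'RC4|3DES|NULL|MD5'
```

Run it without -Apply first and compare the returned string with what you intend to paste; when writing via -Apply, the server still needs the restart from the step above before the new order is used.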

If you have load balancers, please enable TLS 1.2 and disable SSL 3.0, TLS 1.0 and TLS 1.1 on the load balancers as well.
