{"id":2675,"date":"2018-10-22T08:43:38","date_gmt":"2018-10-22T06:43:38","guid":{"rendered":"https:\/\/msb365.abstergo.ch\/?p=2675"},"modified":"2018-12-17T12:17:49","modified_gmt":"2018-12-17T10:17:49","slug":"enable-tls-1-2-and-disable-ssl-3-0-on-exchange-servers","status":"publish","type":"post","link":"https:\/\/www.msb365.blog\/?p=2675","title":{"rendered":"Enable TLS 1.2 and disable SSL 3.0 on Exchange Servers"},"content":{"rendered":"<p>On October 31 Microsoft will disable TLS 1.1 for Exchange. If you have not changed your environment to TLS 1.2 yet, you should do that asap!<\/p>\n<p>Here, the way how you can do this for Exchange server 2010&nbsp; on Windows Server 2008 R2:<\/p>\n<p>&nbsp;<\/p>\n<h2><strong>Disable SSL 3.0<\/strong><\/h2>\n<p>The most steps we need to do are in the registry. Here we have some folders and entries which have to be created if they don\u2019t exist yet. However, to disable SSL 3.0 on Exchange servers, we need to browse the registry to the following path:<\/p>\n<p>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\SSL 3.0<\/p>\n<p>&nbsp;<\/p>\n<p>If this path does not exist completely, we can create it using PowerShell and the following command:<\/p>\n<pre class=\"\">md \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 3.0\"<\/pre>\n<p>Now we need to create a new DWORD property, this can be done with the following command:<\/p>\n<pre class=\"\">new-itemproperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 3.0\" -name \"Enabled\" -value 0 -PropertyType \"DWord\"<\/pre>\n<p>&nbsp;<\/p>\n<h2><strong>Restart Server<\/strong><\/h2>\n<p>At this point we need to reboot our server. This can be done with this PowerShell command:<\/p>\n<pre class=\"\">Restart-Computer -ComputerName $computername -Force<\/pre>\n<p>&nbsp;<\/p>\n<h2><strong>Enable TLS 1.2<\/strong><\/h2>\n<p>Now, we are ready to create the next keys in the registry to enable TLS 1.2 for client and server schannel communications. Note, they are not created by Windows out of the box.<\/p>\n<p>This can be done by PowerShell as well. We simply run the following commands:<\/p>\n<pre class=\"\"># Create keys in registry (not created by Windows out of the box)\r\nmd \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\"\r\nmd \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\\Server\"\r\nmd \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\\Client\"<\/pre>\n<p>&nbsp;<\/p>\n<p>To enable TLS 1.2 we need this commands:<\/p>\n<pre class=\"\"># Enable TLS 1.2 for client and server SCHANNEL communications\r\nnew-itemproperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\\Server\" -name \"Enabled\" -value 1 -PropertyType \"DWord\"\r\nnew-itemproperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS&nbsp; 1.2\\Server\" -name \"DisabledByDefault\" -value 0 -PropertyType \"DWord\"\r\nnew-itemproperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\\Client\" -name \"Enabled\" -value 1 -PropertyType \"DWord\"\r\nnew-itemproperty -path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\\Client\" -name \"DisabledByDefault\" -value 0 -PropertyType \"DWord\"<\/pre>\n<p>&nbsp;<\/p>\n<h2><strong>Edit the server to use of the 256-bit ciphers as default<\/strong><\/h2>\n<p>Click&nbsp;Start-&gt;gpedit.msc<\/p>\n<p>Expand Computer&nbsp;Configuration&nbsp;-&gt;&nbsp;Administrative Templates -&gt;&nbsp;Network&nbsp;and select &#8220;SSL Configuration Settings&#8221;<\/p>\n<p><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-large wp-image-2676\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/1-1024x440.png\" alt=\"\" width=\"1024\" height=\"440\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/1-1024x440.png 1024w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/1-300x129.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/1-768x330.png 768w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/1-600x258.png 600w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/1-780x335.png 780w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/1.png 1236w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p>Double click &#8220;SSL Cipher Suite Order&#8221; and check &#8220;Enabled&#8221;<\/p>\n<p>&nbsp;<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-2677\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/2.png\" alt=\"\" width=\"696\" height=\"637\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/2.png 696w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/2-300x275.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/2-600x549.png 600w\" sizes=\"(max-width: 696px) 100vw, 696px\" \/><\/p>\n<p>Copy the text from the &#8220;SSL Cipher Suites&#8221; and paste it into Notepad.<\/p>\n<p>&nbsp;<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-2678\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/3.png\" alt=\"\" width=\"931\" height=\"265\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/3.png 931w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/3-300x85.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/3-768x219.png 768w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/3-600x171.png 600w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/3-780x222.png 780w\" sizes=\"(max-width: 931px) 100vw, 931px\" \/><\/p>\n<p>Move the following to the beginning of the text document:&nbsp;<strong>TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA<\/strong>&nbsp;(Note: here you could remove lower strength ciphers from the order to prevent the server from accepting those connections).<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2679\" src=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/4.png\" alt=\"\" width=\"699\" height=\"638\" srcset=\"https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/4.png 699w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/4-300x274.png 300w, https:\/\/msb365.abstergo.ch\/wp-content\/uploads\/2018\/10\/4-600x548.png 600w\" sizes=\"(max-width: 699px) 100vw, 699px\" \/><\/p>\n<p>Paste the Cipher Suites back into the SSL Cipher Suites box in Group Policy and click OK<\/p>\n<p>&nbsp;<\/p>\n<p>Restart the server for the changes to take effect.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>Now, the Exchange server is ready for working with TLS 1.2.<\/p>\n<p><strong>Note<\/strong>: if you have load balancers, please enable TLS 1.2 and disabling TLS 1.0 and TLS 1.1 on the load balancers, too.<\/p>\n<p>&nbsp;<\/p>\n<p>Photo by&nbsp;<a href=\"https:\/\/unsplash.com\/photos\/4pPzKfd6BEg?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText\">Patryk Gr\u0105dys<\/a>&nbsp;on&nbsp;<a href=\"https:\/\/unsplash.com\/?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText\">Unsplash<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>On October 31 Microsoft will disable TLS 1.1 for Exchange. If you have not changed your environment to TLS 1.2 yet, you should do that asap! Here, the way how you can do this for Exchange server 2010&nbsp; on Windows Server 2008 R2: &nbsp; Disable SSL 3.0 The most steps we need to do are [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2681,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[2,3],"tags":[],"class_list":["post-2675","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-exchange","category-powershell"],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts\/2675","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2675"}],"version-history":[{"count":6,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts\/2675\/revisions"}],"predecessor-version":[{"id":2692,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/posts\/2675\/revisions\/2692"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=\/wp\/v2\/media\/2681"}],"wp:attachment":[{"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2675"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2675"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msb365.blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2675"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}