Exchange TLS & SSL Configuration to achieve an A rating from SSLLabs

On my test server running Exchange 2013 on Windows Server 2012 R2, I was able to achieve an A rating from SSLLabs by disabling SSL 3.0, removing the RC4 ciphers, and enabling AEAD encryption. This is nearly as good as one can achieve at this time.

Disable support for SSL 3.0 on the server:

Remove RC4 Ciphers:


Ciphers available on Windows Server 2012 R2:

The following cipher suites support AEAD encryption on Windows Server 2012 R2:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

To enable the required encryption, download IISCrypto from Nartac Software. I had to enable the following cipher suites:

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Then move them to the top of the Ciphers list.


SSLLabs message: This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

To fix it, raise the minimum DHE key size to 2048 bits by adding the registry value below (see the Microsoft advisory linked here):

https://docs.microsoft.com/en-us/security-updates/securityadvisories/2016/3174644

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ServerMinKeyBitLength"=dword:00000800

With this setting in place, the DHE AEAD cipher suites are no longer classified as “weak” and SSLLabs will give you an A grade.
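As an added example (this is not code from the original post, which performs these steps through the IISCrypto interface), the following PowerShell applies the same four changes described above and reads them back for verification. The SCHANNEL registry locations and the TLS module cmdlets are standard Windows ones; the cipher suite names and the 0x800 (2048) value are taken from the post. It assumes an elevated session on the Exchange server itself.

```powershell
# Added example, not from the original post: the post's hardening steps applied with
# PowerShell instead of IISCrypto. SCHANNEL registry paths are the standard Windows ones;
# the cipher suite names and the 2048-bit (0x800) DH value come from the post.
# Run elevated on the Exchange server; SCHANNEL reads these keys at boot, so reboot afterwards.

$SchannelBase = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelDword {
    # Uses the .NET registry API rather than New-ItemProperty because the PowerShell
    # registry provider treats '/' in a key name (e.g. 'RC4 128/128') as a path separator.
    param([string]$SubKey, [string]$Name, [int]$Value)
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelBase\$SubKey")
    try { $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

function Get-SchannelDword {
    param([string]$SubKey, [string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelBase\$SubKey")
    if (-not $key) { return $null }
    try { return $key.GetValue($Name) } finally { $key.Close() }
}

# Step 1: disable SSL 3.0 on the server side (Enabled=0, DisabledByDefault=1).
Set-SchannelDword -SubKey 'Protocols\SSL 3.0\Server' -Name 'Enabled' -Value 0
Set-SchannelDword -SubKey 'Protocols\SSL 3.0\Server' -Name 'DisabledByDefault' -Value 1

# Step 2: remove the RC4 ciphers (all three key-length variants SCHANNEL knows).
foreach ($rc4 in 'RC4 128/128', 'RC4 56/128', 'RC4 40/128') {
    Set-SchannelDword -SubKey "Ciphers\$rc4" -Name 'Enabled' -Value 0
}

# Step 3: enable the two AEAD suites from the post and put them at the top of the order.
# Enable-TlsCipherSuite -Position 0 inserts at the head of the list; the TLS module ships
# with Windows Server 2012 R2 and later.
$AeadSuites = 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
for ($i = 0; $i -lt $AeadSuites.Count; $i++) {
    Enable-TlsCipherSuite -Name $AeadSuites[$i] -Position $i
}

# Step 4: require 2048-bit DHE parameters, the fix for the "weak DH" grade cap.
Set-SchannelDword -SubKey 'KeyExchangeAlgorithms\Diffie-Hellman' -Name 'ServerMinKeyBitLength' -Value 0x800

# Read the result back so the change can be checked (and kept as evidence) before rebooting.
function Get-SchannelHardeningStatus {
    [pscustomobject]@{
        Ssl3ServerEnabled   = Get-SchannelDword 'Protocols\SSL 3.0\Server' 'Enabled'            # expect 0
        Rc4_128_128Enabled  = Get-SchannelDword 'Ciphers\RC4 128/128' 'Enabled'                 # expect 0
        DhServerMinKeyBits  = Get-SchannelDword 'KeyExchangeAlgorithms\Diffie-Hellman' 'ServerMinKeyBitLength'  # expect 2048
        TopTwoCipherSuites  = @(Get-TlsCipherSuite | Select-Object -First 2 -ExpandProperty Name)
    }
}

Get-SchannelHardeningStatus | Format-List
```

The .NET registry API is used deliberately: the RC4 cipher keys contain a forward slash, which the PowerShell registry provider would interpret as a path separator and silently create the wrong key. Keep the output of Get-SchannelHardeningStatus from before and after the reboot as the change record.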

Status of your Exchange Environment

See the status of your Exchange Environment:

Get-OabVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-WebServicesVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-EcpVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-ActiveSyncVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-OutlookAnywhere | fl server, Name, *hostname*, *auth*
Get-OwaVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-ClientAccessService | fl Name,OutlookAnywhereEnabled, AutodiscoverServiceInternalUri
Get-ExchangeCertificate | fl FriendlyName, Subject, CertificateDomains, Thumbprint, Services, Issuer, *not*
Get-MapiVirtualDirectory | fl server, Name, ExternalURL, InternalURL, *auth*
Get-ClientAccessArray | fl
Get-OutlookProvider
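The cmdlets above show how the endpoints are configured. As an added example (not from the original post), the following function shows what a client actually negotiates with one of the published hosts, which is the external view that SSLLabs grades in the first section: it confirms that SSL 3.0 is refused and reports the cipher and DH key-exchange size of a TLS 1.2 handshake. 'mail.example.test' is a placeholder; use the host from your own ExternalUrl values.

```powershell
# Added example, not from the original post: a client-side probe of one published endpoint.
# 'mail.example.test' is a placeholder for your own Exchange host name.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol = 'Tls12'
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate: this probe observes negotiated parameters on a server you
        # operate; it is not a trust decision, and the callback must not be reused for real traffic.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{
            Host            = $HostName
            Requested       = $Protocol
            Succeeded       = $true
            Negotiated      = $ssl.SslProtocol
            Cipher          = $ssl.CipherAlgorithm
            CipherBits      = $ssl.CipherStrength
            Hash            = $ssl.HashAlgorithm
            KeyExchange     = $ssl.KeyExchangeAlgorithm
            KeyExchangeBits = $ssl.KeyExchangeStrength
            Error           = $null
        }
    } catch {
        # A refused handshake is the expected outcome for the SSL 3.0 probe.
        [pscustomobject]@{
            Host = $HostName; Requested = $Protocol; Succeeded = $false
            Negotiated = $null; Cipher = $null; CipherBits = $null; Hash = $null
            KeyExchange = $null; KeyExchangeBits = $null; Error = $_.Exception.Message
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

function Get-TlsPostureFindings {
    # Maps the raw results onto the findings discussed in the post (SSL 3.0, RC4, weak DH).
    param([object[]]$Results)
    $ssl3  = $Results | Where-Object Requested -eq 'Ssl3'
    $tls12 = $Results | Where-Object Requested -eq 'Tls12'
    $findings = @()
    if ($ssl3 -and $ssl3.Succeeded) { $findings += 'SSL 3.0 still accepted by the server' }
    if ($tls12 -and -not $tls12.Succeeded) { $findings += "TLS 1.2 handshake failed: $($tls12.Error)" }
    if ($tls12 -and $tls12.Succeeded) {
        if ($tls12.Cipher -eq 'Rc4') { $findings += 'RC4 negotiated' }
        # SslStream reports the DH modulus size for DHE suites; SSLLabs caps the grade at B below 2048.
        if ($tls12.KeyExchange -eq 'DiffieHellman' -and $tls12.KeyExchangeBits -lt 2048) {
            $findings += "weak DHE parameters: $($tls12.KeyExchangeBits) bits"
        }
    }
    if ($findings.Count -eq 0) { 'no findings' } else { $findings }
}

# Usage: run the SSL 3.0 probe from a client whose own SCHANNEL still allows SSL 3.0,
# otherwise the failed handshake is the client's doing, not the server's.
$results = 'Ssl3', 'Tls12' | ForEach-Object { Test-TlsEndpoint -HostName 'mail.example.test' -Protocol $_ }
$results | Format-Table Requested, Succeeded, Negotiated, Cipher, CipherBits, KeyExchange, KeyExchangeBits
Get-TlsPostureFindings -Results $results
```

SslStream does not expose the negotiated suite name, so whether the suite is GCM-based is still best read from Get-TlsCipherSuite on the server or from the SSLLabs report; what this probe does show directly is the protocol refusal and the DH parameter size that the ServerMinKeyBitLength fix controls.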

Exchange 2013 Open Relay fix

Open relay is a very bad thing for messaging servers on the Internet. Messaging servers that are accidentally or intentionally configured as open relays allow mail from any source to be transparently re-routed through the open relay server. This behavior masks the original source of the messages, and makes it look like the mail originated from the open relay server. Open relay servers are eagerly sought out and used by spammers, so you never want your messaging servers to be configured for open relay.
