My test Exchange Server with Exchange 2013 on Windows Server 2012 R2, I was able to achieve an A rating from SSLLabs by disabling SSL 3.0, removing RC4 ciphers, and enabling AEAD encryption . This is nearly as good as one can achieve at this time.
Disable support for SSL 3.0 on the server:
Remove RC4 Ciphers:
Ciphers available on Windows Server 2012 R2:
The following cipher suites supports AEAD encryption on Windows Server 2012 R2:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
To enable the required encryption, download IISCrypto from Nartac software. I had to enable the following Ciphers:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Then move them to the top of the Ciphers list.
SSLLabs message: This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
To fix it, you can increase the DHE key size to 2048 adding the registry key below:
https://docs.microsoft.com/en-us/security-updates/securityadvisories/2016/3174644
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman] "ServerMinKeyBitLength"=dword:00000800
Using this setting you will have a AEAD cipher that is not classified as “weak” and SSLLabs will give you an A Grade.