Exchange TLS & SSL Best Practices

For those using Exchange on-premises (including SBS 2011), here are some best practice recommendations from the Exchange Team.

http://blogs.technet.com/b/exchange/archive/2015/07/27/exchange-tls-amp-ssl-best-practices.aspx

In a nutshell,

  • Deploy supported operating systems, clients, browsers, and Exchange versions
  • Test everything by disabling SSL 3.0 on Internet Explorer
  • Disable support for SSL 3.0 on the client
  • Disable support for SSL 3.0 on the server
  • Prioritize TLS 1.2 ciphers, and AES/3DES above others
  • Strongly consider disabling RC4 ciphers
  • Do NOT use MD5/MD2 certificate hashing anywhere in the chain
  • Use RSA-2048 when creating new certificate keys
  • When renewing or creating new requests, request SHA-256 or better
  • Know what your version of Exchange supports
  • Use tools to test and verify
  • Do NOT get confused by explicit TLS vs. implicit TLS
  • (For now) Wait to disable TLS 1.0 on the Exchange server
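The PowerShell below is an added example, not a script from the Exchange Team post, that turns the server-side items in the list into a check you can run on the Exchange box: it reports (and with `-Apply`, disables) SSL 2.0/3.0 and the RC4 ciphers through the standard Schannel registry keys, shows the current cipher suite order, and flags MD5/MD2 signatures anywhere in a certificate's chain, SHA-1 leaf certificates, and RSA keys under 2048 bits. It assumes an elevated PowerShell on Windows Server 2008 R2 or later, that the Exchange certificate sits in the `LocalMachine\My` store, and that `Get-TlsCipherSuite` is available only on 2012 R2 and later (older systems fall back to the policy registry value). In line with the last bullet it deliberately leaves TLS 1.0 alone.

```powershell
<#
  Added example (not the Exchange Team's script): audit, and optionally apply,
  the Schannel settings recommended in the list above on a Windows/Exchange server.
  Assumptions: elevated PowerShell, Windows Server 2008 R2 or later, Exchange's
  certificate in the LocalMachine\My store, standard Schannel registry locations.
  TLS 1.0 is deliberately not touched. Registry changes take effect after a reboot.
#>
[CmdletBinding()]
param([switch]$Apply)   # default: report only; -Apply writes the registry values

$schannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm = [Microsoft.Win32.Registry]::LocalMachine

# Schannel cipher key names contain a forward slash ("RC4 128/128"), which the
# PowerShell registry provider treats as a path separator, so the .NET API is used.
function Get-SchannelEnabled {
    param([string]$SubKey)
    $key = $hklm.OpenSubKey("$schannelPath\$SubKey")
    if ($null -eq $key) { return 'default (key absent)' }
    $v = $key.GetValue('Enabled')
    $key.Close()
    if ($null -eq $v) { return 'default (no Enabled value)' }
    if ($v -eq 0) { 'disabled' } else { 'enabled' }
}

function Disable-SchannelItem {
    param([string]$SubKey, [switch]$IsProtocol)
    $key = $hklm.CreateSubKey("$schannelPath\$SubKey")   # opens or creates, writable
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    if ($IsProtocol) {
        $key.SetValue('DisabledByDefault', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    $key.Close()
}

# 1. SSL 2.0 / SSL 3.0 off on both the client and the server side.
foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    foreach ($side in 'Client', 'Server') {
        $sub = "Protocols\$proto\$side"
        Write-Host ('{0,-8} {1,-7} {2}' -f $proto, $side, (Get-SchannelEnabled $sub))
        if ($Apply) { Disable-SchannelItem -SubKey $sub -IsProtocol }
    }
}

# 2. RC4 ciphers off.
foreach ($cipher in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128') {
    $sub = "Ciphers\$cipher"
    Write-Host ('{0,-16} {1}' -f $cipher, (Get-SchannelEnabled $sub))
    if ($Apply) { Disable-SchannelItem -SubKey $sub }
}

# 3. Cipher suite order: TLS 1.2 AES suites should come first. Get-TlsCipherSuite
#    exists on Windows Server 2012 R2 and later; otherwise read the policy value,
#    which is only present if an explicit order has been configured.
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    Get-TlsCipherSuite | Select-Object -ExpandProperty Name | Select-Object -First 10
} else {
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' `
        -Name Functions -ErrorAction SilentlyContinue
    if ($policy) { $policy.Functions -split ',' | Select-Object -First 10 }
    else { 'no cipher suite order policy set' }
}

# 4. Certificates: MD5/MD2 anywhere in the chain is a hard failure, SHA-1 leaf
#    certificates should be renewed with SHA-256, and RSA keys must be >= 2048 bits.
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # hash/key audit only, not revocation
    [void]$chain.Build($cert)
    $chainAlgs = $chain.ChainElements | ForEach-Object { $_.Certificate.SignatureAlgorithm.FriendlyName }
    $keyBits = $null
    try { $keyBits = $cert.PublicKey.Key.KeySize } catch { }   # throws for non-RSA/DSA keys on older .NET
    [pscustomobject]@{
        Subject   = $cert.Subject
        Expires   = $cert.NotAfter
        KeyBits   = $keyBits
        ChainAlgs = ($chainAlgs -join ' > ')
        WeakHash  = [bool]($chainAlgs | Where-Object { $_ -match '^md[25]' })
        Sha1Leaf  = [bool]($cert.SignatureAlgorithm.FriendlyName -match '^sha1')
        SmallKey  = ($null -ne $keyBits -and $keyBits -lt 2048)
    }
}
```

Run it once without `-Apply` to see the current state, once with `-Apply` to write the registry values, reboot, and then confirm the result from outside with the testing tools the list refers to, since the registry reflects what the server is configured to do, not what a client actually negotiates. Disabling SSL 3.0 on the client side as well covers outbound connections the server makes to other hosts; the step that is not scripted here is the TLS 1.0 change, which the list says to hold off on for the Exchange server.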
