Kemp Technologies Blogs

Enabling TLS 1.2 on Exchange Server 2013 & 2016 – Part 2

Kurt Jung | Posted on

This is the second part of a blog post that discusses why and how you should adopt Transport Layer Security (TLS) 1.2 across your IT infrastructure generally and within Exchange Server organizations specifically.

In the previous blog post we outlined how to add TLS 1.2 support alongside TLS 1.0 & 1.1 so that they could operate in parallel, until such time that all services are switched to the more secure TLS 1.2 protocol. Operating with multiple TLS protocol versions in place allows servers that have been configured to support TLS 1.2 to use that if both endpoints support it, or to drop back to TLS 1.0 or 1.1 when communicating with a service that does not.

Once all servers that Exchange Server needs to communicate with have been configured to use TLS 1.2 the legacy TLS protocols should be disabled, and all communication should be enforced to use TLS 1.2. There are security vulnerabilities in previous TLS releases that are fixed in the latest version. 

In addition to the Exchange Server’s that are part of a messaging infrastructure, there are also other servers that Exchange Server communicates with over the network. These other servers should also be configured to use TLS 1.2 where appropriate before the legacy versions of TLS can be disabled. Here are some examples of other servers, devices, and services you should configure to use TLS 1.2 before enforcing the latest protocol on the network:

  • End User Client Machines (Outlook, OWA, IMAP, etc.)
  • Active Directory Domain Controllers
  • DNS Servers
  • SMTP Gateway Servers
  • Email Encryption Servers
  • Journaling Servers
  • Archiving Servers
  • Backup Infrastructure
  • Mobile Application Servers
  • Skype for Business Servers
  • SharePoint Servers 
  • Exchange Web Services (EWS) Custom application servers
  • Load Balancers
  • Organization specific services

The final entry on the list above is especially important. Ensure that any unique in-house services or applications that have been deployed to use Exchange Server services are not forgotten about when moving over to TLS 1.2. Anything that has just TLS 1.0 or 1.1 support running will not be able to communicate with an Exchange Server that only has TLS 1.2 support. If any servers are too old to support TLS 1.2, then a plan should be put in place to upgrade them, replace them, or replicate the functionality delivered with more recent applications or Cloud services that do support TLS 1.2.

Disabling TLS 1.0 & 1.1

Most servers in an IT Infrastructure, and this is true for Exchange Server, act as both client and server endpoints when communicating on the network. The endpoint that makes the initial connection is described as the client as it is requesting something from the target, which is defined as the server. This server can in turn request connections to other servers, and in that case, it is the client. To fully disable support for TLS 1.0 & 1.1 requires it to be disabled for both client and server operations separately. 

To disable TLS 1.0 support, add the following Registry settings on Microsoft Windows machines. Add the following two entries:

“DisabledByDefault”=dword:00000001“Enabled”=dword:00000000

Under the following two Registry Key paths:

  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

To disable support for TLS 1.1 you make the same changes under different Registry Key paths. Add the following two entries:

DisabledByDefault”=dword:00000001“Enabled”=dword:00000000

Under the following two Registry Key paths:

  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server

If your Exchange Servers use any non-Windows based services, then consult the documentation for those to see how to enable TLS 1.2, and how to disable TLS 1.0 & 1.1.

TLS 1.2 has the latest security for encrypting communication over the network. It should be enabled as soon as possible across all IT infrastructure and the previous protocols retired.