Disable TLS 1.0 on Exchange 2016
Because security is a primary goal for every organization, disabling TLS 1.0 has become a high-priority task that should be completed in each environment.
Before taking this step on Exchange, Microsoft makes the following recommendations:
- Deploy supported operating systems, clients, browsers, and Exchange versions
- Test everything by disabling SSL 3.0 on Internet Explorer
- Disable support for SSL 3.0 on the client
- Disable support for SSL 3.0 on the server
- Prioritize TLS 1.2 ciphers, and AES/3DES above others
- Strongly consider disabling RC4 ciphers
- Do NOT use MD5/MD2 certificate hashing anywhere in the chain
- Use RSA-2048 when creating new certificate keys
- When renewing or creating new requests, request SHA-256 or better
- Know what your version of Exchange supports
- Use tools to test and verify
- Do NOT get confused by explicit TLS vs. implicit TLS
TLS 1.0 can be disabled only if Exchange 2016 is running at least CU6, so that the server can operate with TLS 1.2 alone.
To disable TLS 1.0 you can use the third-party tool IIS Crypto (https://www.nartac.com/Products/IISCrypto),
or you can do it with the following registry keys (a reboot is required for SCHANNEL changes to take effect):
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v "Enabled" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v "Enabled" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v "Enabled" /t REG_DWORD /d 1 /f
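The registry commands above only touch the Server subkeys. As an added example, not part of the original post, the PowerShell below applies the same change to both the Server and Client subkeys (Exchange also makes outbound TLS connections, for send connectors and hybrid traffic), sets the DisabledByDefault value alongside Enabled, adds the .NET Framework values Microsoft's Exchange TLS guidance requires so that Exchange's .NET-based services follow the SCHANNEL defaults, and then verifies from a client that TLS 1.0 and 1.1 handshakes are refused while TLS 1.2 succeeds. The host name mail.example.com is a placeholder; run the configuration part elevated on the Exchange server and the verification part after the reboot.

```powershell
# Added example (not from the original post): disable TLS 1.0/1.1 and enable TLS 1.2
# on an Exchange 2016 server via SCHANNEL, then verify the result from a client.
# Assumptions: run elevated on the Exchange server; 'mail.example.com' is a placeholder.
# A reboot is required before the SCHANNEL changes take effect.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][bool]$Enabled
    )
    # Server governs inbound connections (OWA, EWS, SMTP receive connectors);
    # Client governs Exchange's own outbound connections (send connectors, hybrid, OAuth).
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

# Exchange runs on .NET. Without these values .NET 4.x can keep negotiating TLS 1.0
# on its own, and Exchange services break once the protocol is gone from SCHANNEL.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (-not (Test-Path $net)) { New-Item -Path $net -Force | Out-Null }
    New-ItemProperty -Path $net -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $net -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verification (run after the reboot, from any Windows host): attempt a handshake with
# each protocol pinned. TLS 1.0 and 1.1 should fail; TLS 1.2 should succeed.
function Test-TlsHandshake {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Certificate validation is skipped on purpose: only protocol negotiation is under test.
        $noCheck = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noCheck)
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        [pscustomobject]@{ Requested = $Protocol; Negotiated = $ssl.SslProtocol; Success = $true }
    } catch {
        [pscustomobject]@{ Requested = $Protocol; Negotiated = $null; Success = $false }
    } finally {
        $client.Dispose()
    }
}

$ExchangeFqdn = 'mail.example.com'   # placeholder
foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsHandshake -ComputerName $ExchangeFqdn -Protocol $p
}
```

The verification function speaks implicit TLS, so it is suitable for port 443 (OWA/EWS/ActiveSync) but not for SMTP on port 25, which uses explicit TLS via STARTTLS; that is the explicit versus implicit distinction from the recommendation list above, and SMTP needs a STARTTLS-aware check instead.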
Ratish Nair
Microsoft MVP | Office Servers and Services
Team @MSExchangeGuru