Important
Read carefully as some of the steps described here can only be performed on specific operating systems or specific Exchange Server versions.
At the beginning of each section there is a matrix that shows whether a setting is supported or not and if it has already been pre-configured from a certain Exchange Server version.
Things to consider before disabling a TLS version
Tip
You can use the Exchange HealthChecker script to check the current TLS configuration of your Exchange server.
Please make sure that every application supports the TLS versions that remain enabled. Considerations include (but are not limited to):
- Do your Domain Controllers and Global Catalog servers support, for example, a TLS 1.2 only configuration?
- Do partner applications (such as, but not limited to, SharePoint, Lync, Skype for Business, etc.) support, for example, a TLS 1.2 only configuration?
- Have you updated older Windows 7 desktops using Outlook to support TLS 1.2 over WinHTTP?
- Do your load balancers support TLS 1.2 being used?
- Do your desktop, mobile, and browser applications support TLS 1.2?
- Do devices such as multi-function printers support TLS 1.2?
- Do your third-party or custom in-house applications that integrate with Exchange Server or Microsoft 365 support a strong TLS implementation?
As such, we strongly recommend that any steps you take to transition to TLS 1.2 and away from older security protocols are first performed in labs that simulate your production environments before you slowly roll them out in production.
The steps used to disable a specific TLS version, as outlined below, apply to the following Exchange Server functionalities:
- Simple Mail Transfer Protocol (SMTP)
- Outlook Client Connectivity (Outlook Anywhere / MAPI/HTTP)
- Exchange Active Sync (EAS)
- Outlook on the Web (OWA)
- Exchange Admin Center (EAC) and Exchange Control Panel (ECP)
- AutoDiscover
- Exchange Web Services (EWS)
- REST (Exchange Server 2016/2019)
- Use of PowerShell by Exchange over HTTPS
- POP and IMAP
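To answer the questions above for your own dependencies before you disable anything on Exchange, the following script (an added example; it is not from the Microsoft documentation or the HealthChecker script) opens a connection to a host and port with each TLS version in turn and reports which handshakes the endpoint accepts. The host names and ports in the usage lines are placeholders.

```powershell
# Added example (not from the Microsoft documentation): probe which TLS versions
# an endpoint accepts, so dependencies (DCs, load balancers, partner apps) can be
# verified before older versions are disabled. Host names below are placeholders.
function Test-TlsProtocolSupport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 443,
        [System.Security.Authentication.SslProtocols[]] $Protocols = @('Tls', 'Tls11', 'Tls12'),
        [int] $TimeoutMs = 5000
    )
    foreach ($protocol in $Protocols) {
        $client = New-Object System.Net.Sockets.TcpClient
        $result = [pscustomobject]@{
            ComputerName    = $ComputerName
            Port            = $Port
            Protocol        = $protocol
            Supported       = $false
            CipherAlgorithm = $null
            Error           = $null
        }
        try {
            $connect = $client.BeginConnect($ComputerName, $Port, $null, $null)
            if (-not $connect.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect timed out" }
            $client.EndConnect($connect)
            # Certificate validation is deliberately bypassed here: this test only asks
            # whether the handshake for the given protocol version is accepted at all.
            $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
            # Offer exactly one protocol version so a failure means "this version is refused".
            $ssl.AuthenticateAsClient($ComputerName, $null, $protocol, $false)
            $result.Supported       = $true
            $result.CipherAlgorithm = $ssl.CipherAlgorithm
            $ssl.Dispose()
        } catch {
            $result.Error = $_.Exception.GetBaseException().Message
        } finally {
            $client.Dispose()
        }
        $result
    }
}

# Usage (placeholder names): a Domain Controller's LDAPS endpoint and a load balancer VIP.
Test-TlsProtocolSupport -ComputerName 'dc01.contoso.example' -Port 636 | Format-Table -AutoSize
Test-TlsProtocolSupport -ComputerName 'mail.contoso.example' -Port 443 | Format-Table -AutoSize
```

Run it from a machine where all three versions are still enabled on the client side, because the local Schannel configuration limits what the test can offer; endpoints that negotiate TLS via STARTTLS (SMTP on port 25) are not covered by this implicit-TLS check.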
Prerequisites
TLS 1.2 support was added with Exchange Server 2013 CU19 and Exchange Server 2016 CU8. Exchange Server 2019 supports TLS 1.2 by default.
Exchange Server cannot run without Windows Server, and therefore it is important to have the latest operating system updates installed to run a stable and secure TLS implementation.
It's also required to have the latest version of .NET Framework and the associated patches supported by your CU in place.
Based on your operating system, make sure that the following updates are also in place (they should be installed if your server is current on Windows Updates):
- If your operating system is Windows Server 2012 or Windows Server 2012 R2, KB3161949 and KB2973337 must be installed before TLS 1.2 can be enabled.
Make sure to reboot the Exchange Server after the TLS configuration has been applied; the configuration only becomes active after the server has been restarted.
Preparing .NET Framework to inherit defaults from Schannel
The following table shows the Exchange Server/Windows Server combinations with the default .NET Framework Schannel inheritance configuration:

| Exchange Server | Windows Server | Supported | Configured by default |
|---|---|---|---|
| Exchange Server 2019 CU14 or later | Any | Yes | Yes (new installations only) |
| Exchange Server 2019 | Any | Yes | Partially (SchUseStrongCrypto must be configured manually) |
| Exchange Server 2016 | Any | Yes | No (OS defaults will be used) |
| Exchange Server 2013 | Any | Yes | No (OS defaults will be used) |
The SystemDefaultTlsVersions registry value defines which security protocol version defaults will be used by .NET Framework 4.x. If the value is set to 1, then .NET Framework 4.x inherits its defaults from the Windows Secure Channel (Schannel) DisabledByDefault registry values. If the value is undefined, it behaves as if the value is set to 0.
Strong cryptography (configured by the SchUseStrongCrypto registry value) restricts .NET to the more secure network protocols (TLS 1.2 and TLS 1.1) and blocks protocols that are not secure. SchUseStrongCrypto affects only client (outgoing) connections in your application. By configuring .NET Framework 4.x to inherit its values from Schannel, we gain the ability to use the latest versions of TLS supported by the OS, including TLS 1.2.
Enable .NET Framework 4.x Schannel inheritance
Run the following commands from an elevated PowerShell window to configure the .NET Framework 4.x Schannel inheritance:
```powershell
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value 1 -Type DWord
```
Enable .NET Framework 3.5 Schannel inheritance
Note
Exchange Server 2013 and later do not need this setting. However, we recommend configuring it identically to the .NET 4.x settings to ensure a consistent configuration.
Run the following commands from an elevated PowerShell window to configure the .NET Framework 3.5 Schannel inheritance:

```powershell
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" -Name "SchUseStrongCrypto" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" -Name "SchUseStrongCrypto" -Value 1 -Type DWord
```
Steps to configure TLS 1.2
The following table shows the Exchange Server/Windows Server combinations on which TLS 1.2 is supported. The table also shows the default configuration:

| Exchange Server | Windows Server | Supported | Configured by default |
|---|---|---|---|
| Exchange Server 2019 | Any | Yes | Yes (enabled) |
| Exchange Server 2016 | Any | Yes | No |
| Exchange Server 2013 | Any | Yes | No |
Enable TLS 1.2
Run the following command from an elevated PowerShell window to enable TLS 1.2 for client and server connections:
```powershell
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.2" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" -Name "Client" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" -Name "Server" -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "DisabledByDefault" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "DisabledByDefault" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "Enabled" -Value 1 -Type DWord
```
Disable TLS 1.2
Run the following command from an elevated PowerShell window to disable TLS 1.2 for client and server connections:

```powershell
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.2" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" -Name "Client" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" -Name "Server" -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "DisabledByDefault" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "Enabled" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "DisabledByDefault" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "Enabled" -Value 0 -Type DWord
```
Steps to configure TLS 1.1
The following table shows the Exchange Server/Windows Server combinations on which TLS 1.1 is supported. The table also shows the default configuration:

| Exchange Server | Windows Server | Supported | Configured by default |
|---|---|---|---|
| Exchange Server 2019 | Any | Yes | Yes (disabled) |
| Exchange Server 2016 | Any | Yes | No |
| Exchange Server 2013 | Any | Yes | No |
Enable TLS 1.1
Note
The Microsoft TLS 1.1 implementation has no known security vulnerabilities. However, because of the potential for future protocol downgrade attacks and other TLS vulnerabilities, it is recommended to carefully plan and disable TLS 1.1. Failure to plan carefully may cause clients to lose connectivity.
Run the following command from an elevated PowerShell window to enable TLS 1.1 for client and server connections:
```powershell
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.1" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1" -Name "Client" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1" -Name "Server" -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Name "DisabledByDefault" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Name "DisabledByDefault" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Name "Enabled" -Value 1 -Type DWord
```
Disable TLS 1.1
Run the following command from an elevated PowerShell window to disable TLS 1.1 for client and server connections:

```powershell
# Disabling a version means DisabledByDefault = 1 and Enabled = 0 on both the Client and Server key.
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.1" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1" -Name "Client" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1" -Name "Server" -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Name "DisabledByDefault" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Name "Enabled" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Name "DisabledByDefault" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Name "Enabled" -Value 0 -Type DWord
```
Steps to configure TLS 1.0
The following table shows the Exchange Server/Windows Server combinations on which TLS 1.0 is supported. The table also shows the default configuration:

| Exchange Server | Windows Server | Supported | Configured by default |
|---|---|---|---|
| Exchange Server 2019 | Any | Yes | Yes (disabled) |
| Exchange Server 2016 | Any | Yes | No |
| Exchange Server 2013 | Any | Yes | No |
Enable TLS 1.0
Note
The Microsoft TLS 1.0 implementation has no known security vulnerabilities. However, because of the potential for future protocol downgrade attacks and other TLS vulnerabilities, it is recommended to carefully plan and disable TLS 1.0. Failure to plan carefully may cause clients to lose connectivity.
Run the following command from an elevated PowerShell window to enable TLS 1.0 for client and server connections:
```powershell
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.0" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0" -Name "Client" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0" -Name "Server" -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Name "DisabledByDefault" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "DisabledByDefault" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "Enabled" -Value 1 -Type DWord
```
Disable TLS 1.0
Run the following command from an elevated PowerShell window to disable TLS 1.0 for client and server connections:

```powershell
# All paths target the "TLS 1.0" key; the other protocol versions are left untouched.
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" -Name "TLS 1.0" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0" -Name "Client" -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0" -Name "Server" -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Name "DisabledByDefault" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" -Name "Enabled" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "DisabledByDefault" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "Enabled" -Value 0 -Type DWord
```
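After the registry changes have been applied and the server rebooted, this added script (not from the Microsoft documentation and not the HealthChecker script) reads back both the .NET Framework inheritance values from the "Preparing .NET Framework" section and the SCHANNEL protocol keys from the TLS 1.0, 1.1 and 1.2 sections, reporting the effective state of each. A missing value is reported as not configured so it can be told apart from an explicit 0.

```powershell
# Added example (not from the Microsoft documentation): audit the registry values
# the configuration commands above write, for both .NET inheritance and SCHANNEL.
function Get-RegistryDword {
    param([string] $Path, [string] $Name)
    # $null when the key or value is absent, so "explicitly 0" and "not set" differ.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int] $item.$Name
}

function Get-DotNetSchannelInheritance {
    # .NET 4.x and 3.5 (v2.0.50727), in the 64-bit and 32-bit (Wow6432Node) hives.
    $roots = 'HKLM:\SOFTWARE\Microsoft\.NETFramework', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
    foreach ($root in $roots) {
        foreach ($version in 'v4.0.30319', 'v2.0.50727') {
            $path       = Join-Path $root $version
            $sysDefault = Get-RegistryDword $path 'SystemDefaultTlsVersions'
            $strong     = Get-RegistryDword $path 'SchUseStrongCrypto'
            [pscustomobject]@{
                Path                     = $path
                SystemDefaultTlsVersions = $sysDefault
                SchUseStrongCrypto       = $strong
                # An undefined value behaves as 0, so only an explicit 1 counts as configured.
                InheritsFromSchannel     = ($sysDefault -eq 1 -and $strong -eq 1)
            }
        }
    }
}

function Get-SchannelProtocolState {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($protocol in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $path              = Join-Path $base "$protocol\$side"
            $enabled           = Get-RegistryDword $path 'Enabled'
            $disabledByDefault = Get-RegistryDword $path 'DisabledByDefault'
            # Enabled = 0 switches the version off outright; DisabledByDefault = 1 keeps it
            # available only to applications that request it explicitly.
            $state = if ($null -eq $enabled -and $null -eq $disabledByDefault) { 'OS default (not configured)' }
                     elseif ($enabled -eq 0) { 'Disabled' }
                     elseif ($disabledByDefault -eq 1) { 'Enabled, but not offered by default' }
                     else { 'Enabled' }
            [pscustomobject]@{
                Protocol          = $protocol
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

Get-DotNetSchannelInheritance | Format-Table -AutoSize
Get-SchannelProtocolState     | Format-Table -AutoSize
```

Run it in an elevated PowerShell window on the Exchange Server itself; a row still showing "OS default (not configured)" for a version you intended to disable means the corresponding commands above were not applied.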