![]() When renewing or creating new requests, request SHA 256-bit or better.Use RSA-2048 when creating new certificate keys.Do NOT use MD5/MD2 certificate hashing anywhere in the chain.Strongly consider disabling RC4 ciphers.Prioritize TLS 1.2 ciphers, and AES/3DES above others.Disable support for SSL 3.0 on the server.Disable support for SSL 3.0 on the client.Test everything by disabling SSL 3.0 on Internet Explorer.Deploy supported operating systems, clients, browsers, and Exchange versions.The current recommendations, which will continue evolving, are as follows: TLS 1.0 is not widely viewed as insecure when SSL 3.0 is disabled, machines are properly updated, and proper ciphers are used. While disabling TLS 1.0 on Exchange is not advised at this time, there are definite steps which can be taken today. We believe that the first step towards a more secure environment is to have a TLS organizational awareness. More importantly, many customers may not have taken initial steps towards following current best practices. That said, we will continue to work towards the goal of making TLS 1.1 & 1.2 work fully with Exchange and a broad array of clients. Of course, security is rarely a binary decision: disabling TLS 1.0 doesn’t suddenly turn something insecure into something secure. While we believe the intentions of both proposals are good and will promote adoption of TLS 1.1 & 1.2, at this time, we do not yet recommend disabling TLS 1.0 on your Exchange Server(s).Īdditionally, while TLS 1.1 & 1.2 are superior to TLS 1.0, the real world risks may be somewhat overstated at this point due to mitigations that have been taken across the industry. Another piece of guidance suggests that TLS 1.0 should not be used with internal-only applications (we do not believe that Exchange is typically used in this manner, as it connects to the outside world via SMTP). One piece of guidance we are aware of suggests taking steps to prepare to disable TLS 1.0 in summer of 2016. It has been suggested by some external parties that customers need to disable TLS 1.0 support. Microsoft is committed to giving you the information needed to make informed decisions on how to properly secure your environment. Whether you are running Exchange on-premises, in the cloud, or somewhere in between, we know that security is a top priority. Note: for more up to date guidance on TLS, please see this post.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |