
Locking down your Exchange server with cipher suites

In today’s world, security is the keyword on everyone’s lips. This not only applies to your front door but to your applications that are exposed to the Internet. Hackers — those guys and sometimes gals who thrive on dishing out malware or ransomware — look for every opportunity to gain access to your environment and to wreak havoc. In this article, we will be looking at the newer versions of Exchange and the cipher suites they use and how you can minimize the blast area by securing your environment. Let’s dive straight in.

What is a cipher suite?

A cipher suite is the set of algorithms that a secured connection uses to exchange keys, authenticate the server and encrypt traffic, whether that connection is protected by SSL or TLS.

  • SSL (Secure Sockets Layer)
  • TLS (Transport Layer Security)

Cipher suites: Algorithms weak and strong

There are several algorithms, some very weak and others strong. If you leave the weak ones enabled, an attacker can downgrade or break the connection and gain access to your system. What are these algorithms?

Key Exchange examples

  • ECDH
  • ECDHE
  • DH
  • RSA

Authentication algorithm examples

  • ECDSA
  • DSA

Encryption algorithm examples

  • CAMELLIA
  • 3DES
  • AES

Locking down your Exchange server, firewall, and load balancer

When working with these cipher suites, you need to look at locking down not only your Exchange server but also the firewall or load balancer in front of it. I went through an exercise of testing all the scenarios to get to that A+ or higher status and it involves many things, namely:

  • Using a tool like IIS Crypto to make changes to the operating system.
  • Adding another layer to IIS to give you that extra layer of security.
  • Removing cipher suites on your F5 device or firewall that don’t need to be there. This will reduce the attack surface.

First of all, how would you know your URL, which you believe is secure, is actually not so secure? Well, you can use a website like SSL Labs that will put it through its paces and give you a report of how good or bad your website is and show you what you need to fix. It is a good starting point because it will tell you if you have weak ciphers enabled or are using older protocols that have been successfully attacked in the past. It also checks your SSL certificate and tells you of any issues such as a missing root certificate or an invalid chain.
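As an added example (not part of the original article), the following PowerShell polls the public SSL Labs API v3 for the grade of your own Exchange URL and lists the protocols each endpoint offers. The host name is a placeholder for your own server.

```powershell
# Added example: request a fresh SSL Labs assessment and report the grade.
# $HostName is a placeholder; point it at a server you are responsible for.
$HostName = 'mail.example.com'
$Api = 'https://api.ssllabs.com/api/v3/analyze'

function Get-SslLabsReport {
    param([string]$TargetHost, [int]$MaxMinutes = 10)
    # startNew=on forces a new scan instead of returning a cached result
    $null = Invoke-RestMethod -Uri "$Api?host=$TargetHost&startNew=on"
    $deadline = (Get-Date).AddMinutes($MaxMinutes)
    do {
        Start-Sleep -Seconds 30
        # all=done returns per-endpoint details once the assessment is READY
        $r = Invoke-RestMethod -Uri "$Api?host=$TargetHost&all=done"
        Write-Host "Status: $($r.status)"
    } while ($r.status -notin 'READY', 'ERROR' -and (Get-Date) -lt $deadline)
    if ($r.status -ne 'READY') {
        throw "Assessment did not finish: $($r.status) $($r.statusMessage)"
    }
    return $r
}

$report = Get-SslLabsReport -TargetHost $HostName
foreach ($ep in $report.endpoints) {
    [pscustomobject]@{
        IP        = $ep.ipAddress
        Grade     = $ep.grade
        # e.g. "TLS 1.2"; anything older than TLS 1.2 here is what you go and fix
        Protocols = ($ep.details.protocols |
            ForEach-Object { "$($_.name) $($_.version)" }) -join ', '
    }
}
```

A full assessment usually takes a few minutes, which is why the loop waits for READY rather than reading the first response.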

Every company has its own requirements and with the IIS Crypto Tool, you can experiment on a server (not in production) and a new partition on your F5, for example, to get to that sweet spot. Maybe you have installed a “free” certificate because you want to save costs, but you are just inviting people into your environment as they can now spoof or imitate an SSL certificate.

Let’s take a brief look at the IIS Crypto tool. Version 3 is out now. I have used this tool, which is why I am writing about it, but you can search the web for others if you are not comfortable using it.

With the tool, you can perform the following:

  • Changing the SChannel settings
  • Changing the cipher suites
  • Creating templates

You can make use of the best practices or you can toggle between:

  • Server protocols
  • Ciphers
  • Hashes
  • Key exchanges
  • Client protocols

TLS 1.2: The future is now

As you know, many organizations are moving away from TLS 1.0 and TLS 1.1 and now require TLS 1.2 or will be requiring it, not only for email but also for payments. I would advise that you make a backup of your registry before making changes and as mentioned, test it out first before applying it to a production server. The next thing you would need to do is take a backup of your load balancer if it is Kemp or F5 before making changes.

Once you have worked out what you want enabled and removed on your server, you need to apply the same to your load balancer so they match. When you are finished, head over to SSL Labs or any other website that does the checking and see what your site is scoring. If you are happy with the result then leave it and set it as your new “blueprint” for the next server. You can create a template from your current settings and then use the command line to just import it to the next one. As mentioned, if you are not comfortable using a third-party tool to modify the SChannel settings, you can head over to Microsoft’s website and use their settings.
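If you would rather not use a third-party tool, the same SChannel changes can be scripted. The block below is an added example (not the article's or IIS Crypto's code): it backs up the SCHANNEL registry key, disables SSL 2.0/3.0 and TLS 1.0/1.1 on the server side, makes sure TLS 1.2 is enabled, and prints the resulting state. Run it on a test server first; the registry paths and value names are the standard SChannel ones, and the changes take effect after a reboot.

```powershell
# Added example: back up, harden and audit SChannel protocol settings.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Backup-SchannelKey {
    param([string]$Path = "$env:TEMP\schannel-$(Get-Date -Format yyyyMMdd-HHmmss).reg")
    # reg.exe export writes a .reg file you can double-click to roll back
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $Path /y | Out-Null
    return $Path
}

function Set-SchannelProtocol {
    param([string]$Protocol, [ValidateSet('Server', 'Client')][string]$Side, [bool]$Enabled)
    $key = Join-Path (Join-Path $Base $Protocol) $Side
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=0 turns the protocol off; DisabledByDefault=1 stops it being
    # offered even when an application asks for the system defaults.
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
}

function Get-SchannelState {
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $v = Get-ItemProperty -Path (Join-Path (Join-Path $Base $p) $side) -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                # 'default' means no value is set and the OS default applies
                Enabled           = if ($null -eq $v.Enabled) { 'default' } else { $v.Enabled }
                DisabledByDefault = if ($null -eq $v.DisabledByDefault) { 'default' } else { $v.DisabledByDefault }
            }
        }
    }
}

"Backup written to $(Backup-SchannelKey)"
foreach ($old in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    # Server side only: Exchange's outbound (client) connections are left alone
    # until you have confirmed every partner it talks to supports TLS 1.2.
    Set-SchannelProtocol -Protocol $old -Side Server -Enabled $false
}
Set-SchannelProtocol -Protocol 'TLS 1.2' -Side Server -Enabled $true
Set-SchannelProtocol -Protocol 'TLS 1.2' -Side Client -Enabled $true
Get-SchannelState | Format-Table -AutoSize
```

Exchange's .NET components also need the SchUseStrongCrypto and SystemDefaultTlsVersions values set before TLS 1.0/1.1 can safely go; this block does not touch those keys.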

What are some of the attacks that are on the Internet that can cause harm to your company? Here are a few, but I will not go into much detail on them:

  • POODLE
  • FREAK
  • BEAST
  • DROWN

Some of them listed above caused havoc and have been around for several years. You can do a Google search on each one to better understand the dangers they pose for you.

Make the right choice — buy an SSL certificate from a reputable company. Spend the time and ensure that you have your company’s interests at heart and secure your environment. Nobody wants to come into work and have to fix an attack from one of the above or deal with other issues like ransomware or hijacking of your SSL certificate.


Edward van Biljon

Edward van Biljon is an experienced messaging specialist working in the IT and services industry. He is skilled in WSUS, domain name system, datacenters, printer support, and System Center Configuration Manager (SCCM). He has a background as a strong IT professional and has an international diploma in programming focused on computer programming.
