Improving security on Exchange 2010 / Windows 2008 R2 server

As part of an effort to secure the corporate infrastructure, I recently ran the test against a public-facing Microsoft Exchange 2010 server running on Windows Server 2008 R2.

If you have your own Exchange server (or any server with an SSL certificate), you can run the same test here for free.

My fully patched but otherwise unhardened server scored a C.

It turns out (rightly so) that they take a dim view of the lack of TLS 1.2 support, as well as of the server still accepting the old RC4 cipher.

So I started googling. There are some links right there on the website where you get your report.

First I needed to enable TLS 1.2. I found several sites with step-by-step directions. Here is one.

And here is another.

Then, to disable the old RC4 ciphers, I found this Microsoft TechNet blog article,

and here is another, where the author has already saved the necessary registry edits in a file for you.

All that was left was to reboot the server so the changes would take effect. Once that was done, I re-ran the test and found that I had cleared the "errors" and improved my grade from a C to a B.
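The three steps above (enable TLS 1.2, disable RC4, verify, then reboot) as one script. This is an added example, not the post's own steps or the registry file from the linked guides; it targets the Windows PowerShell 2.0 that ships with Windows Server 2008 R2 and uses the documented Schannel registry locations. The function names are this example's own. Run it from an elevated prompt on the Exchange server itself.

```powershell
# Added example (not from the original post or its linked guides): Schannel registry
# hardening for Windows Server 2008 R2, written for the Windows PowerShell 2.0 that
# ships with that OS. Run as an elevated administrator, then reboot.
# The registry paths and value names are the documented Schannel settings.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Open HKLM through .NET rather than the HKLM: drive: the cipher key names contain '/'
# (for example "RC4 128/128"), which the registry provider would treat as a path separator.
function Open-SchannelKey {
    param([string]$SubPath, [switch]$Writable)
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $key = $hklm.OpenSubKey("$schannel\$SubPath", [bool]$Writable)
    if ($key -eq $null -and $Writable) { $key = $hklm.CreateSubKey("$schannel\$SubPath") }
    return $key
}

function Set-SchannelDword {
    param([string]$SubPath, [string]$Name, [int]$Value)
    $key = Open-SchannelKey -SubPath $SubPath -Writable
    $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Step 1: enable TLS 1.2 for both inbound (Server) and outbound (Client) Schannel use.
# Enabled=1 turns the protocol on; DisabledByDefault=0 lets it be offered without the
# application asking for it explicitly (IIS and Exchange rely on the system default).
function Enable-Tls12 {
    foreach ($side in 'Server', 'Client') {
        Set-SchannelDword -SubPath "Protocols\TLS 1.2\$side" -Name 'Enabled' -Value 1
        Set-SchannelDword -SubPath "Protocols\TLS 1.2\$side" -Name 'DisabledByDefault' -Value 0
    }
}

# Step 2: disable every RC4 cipher variant. Enabled=0 on a cipher key removes all
# cipher suites that use it from what Schannel will negotiate.
$rc4Ciphers = 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128'
function Disable-Rc4 {
    foreach ($c in $rc4Ciphers) {
        Set-SchannelDword -SubPath "Ciphers\$c" -Name 'Enabled' -Value 0
    }
}

# Step 3: read the values back before rebooting, so a typo in a key name is caught now
# rather than discovered on the next scan. Returns $true only if every value matches.
function Test-SchannelHardening {
    $ok = $true
    $checks = @(
        @{ Path = 'Protocols\TLS 1.2\Server'; Name = 'Enabled';           Expect = 1 },
        @{ Path = 'Protocols\TLS 1.2\Server'; Name = 'DisabledByDefault'; Expect = 0 },
        @{ Path = 'Protocols\TLS 1.2\Client'; Name = 'Enabled';           Expect = 1 },
        @{ Path = 'Protocols\TLS 1.2\Client'; Name = 'DisabledByDefault'; Expect = 0 }
    )
    foreach ($c in $rc4Ciphers) {
        $checks += @{ Path = "Ciphers\$c"; Name = 'Enabled'; Expect = 0 }
    }
    foreach ($chk in $checks) {
        $key = Open-SchannelKey -SubPath $chk.Path
        $actual = if ($key) { $key.GetValue($chk.Name) } else { $null }
        if ($key) { $key.Close() }
        if ($actual -ne $chk.Expect) {
            Write-Warning ("{0}\{1} is '{2}', expected {3}" -f $chk.Path, $chk.Name, $actual, $chk.Expect)
            $ok = $false
        }
    }
    return $ok
}

Enable-Tls12
Disable-Rc4
if (Test-SchannelHardening) {
    Write-Host 'Schannel registry updated. Reboot the server for the change to take effect.'
} else {
    Write-Warning 'Verification failed; fix the values reported above before rebooting.'
}
```

Schannel reads these keys at service start, which is why the post's reboot is needed before the scanner will see the difference. Setting the Client side of TLS 1.2 as well matters on an Exchange server because it also makes outbound TLS connections (to other mail servers and to other Exchange roles), not just inbound ones.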

Now it seems the test doesn't like my DH key exchange size... but I'll have to revisit that later on.