Thursday, 21 June 2012

Exchange 2003 - Setting up a redirect and making the SSL config secure.

The first tweak I wanted to carry out was to set up a redirect from the root of the default website. The best way of doing this (for a number of reasons) was covered quite nicely by ExchangeGeek, so I won't go into details aside from saying that I modified the script to redirect to /exchange rather than /owa, as the linked article covers Exchange 2007 and 2010 rather than 2003.

Next, as SSL 2.0 should no longer be considered secure, I wanted to disable it. This can be done manually on a per-server basis by modifying the registry settings under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, as described in KB187498, but a much better idea is to use Group Policy to ensure all IIS servers comply with the setting automatically. SChannel settings aren't something that show up by default in the Group Policy Management console; however, someone has created a custom adm file that can be imported so the settings can be managed from there.

So after loading the group policy management console, on one of the Domain Controllers, I created a new Group Policy named SChannel GPO.

After clicking on edit, you can then right-click the Administrative Templates node and choose Add/Remove templates.
After downloading the adm file, I added it in the screen above. It then appears under Classic Administrative Templates, because it is an adm file rather than the newer admx format typically used with Windows 2008.
I then disabled SSL 2.0 for both client and server requests.
And whilst in there I also took the opportunity to disable some of the less secure ciphers too.
I wanted a way to test that the change was successful by actually performing connection tests, rather than just verifying that the registry settings had been updated. Rather than download and install a utility such as Nessus or Metasploit to do this, I created a temporary public DNS record and firewall rule and ran the SSL tester at ssllabs.com. There are quite a few sites out there that will perform SSL tests, but this seems to be one of the more comprehensive ones.
The first run (at least the part I was interested in) came back as follows:
I then ran a gpupdate /force on the Exchange 2003 front-end, followed by an IISRESET. I then re-ran the test and got back the following:
So it looks like the group policy is working as desired.
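As a local complement to the external scan, here is an added example (my own script, not from the post or the adm file's author) that audits the SChannel registry state a front-end ends up with after gpupdate, and can optionally write the expected values; the cipher list it checks is an assumed example policy, so adjust it to match what was actually disabled in the GPO.

```powershell
# Added example: audit (or with -Fix, enforce) the Schannel registry state on an
# Exchange front-end after 'gpupdate /force'. Uses the .NET registry classes
# rather than the HKLM: provider because cipher key names contain '/', which the
# PowerShell registry provider treats as a path separator.
param([switch]$Fix)   # -Fix writes the expected values instead of only reporting

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm = [Microsoft.Win32.Registry]::LocalMachine

# Desired state: key relative to $base -> expected value of the 'Enabled' DWORD.
# Protocol keys are the ones from KB187498; the cipher entries are an assumed
# example policy (constructed for this check), not the post's exact list.
$desired = @{
    'Protocols\SSL 2.0\Client' = 0
    'Protocols\SSL 2.0\Server' = 0
    'Ciphers\NULL'             = 0
    'Ciphers\RC2 40/128'       = 0
    'Ciphers\RC4 40/128'       = 0
    'Ciphers\DES 56/56'        = 0
}

$drift = 0
foreach ($entry in $desired.GetEnumerator()) {
    $rel    = $entry.Key
    $actual = $null
    $key    = $hklm.OpenSubKey("$base\$rel")
    if ($key) {
        # A missing 'Enabled' value means the protocol or cipher was never
        # configured, which Schannel treats as enabled (the insecure default).
        $actual = $key.GetValue('Enabled')
        $key.Close()
    }
    if ($actual -eq $entry.Value) {
        Write-Host ("OK    {0}  Enabled={1}" -f $rel, $actual)
        continue
    }
    $drift++
    $shown = if ($null -eq $actual) { '<missing>' } else { $actual }
    Write-Host ("DRIFT {0}  Enabled={1} (expected {2})" -f $rel, $shown, $entry.Value)
    if ($Fix) {
        $key = $hklm.CreateSubKey("$base\$rel")   # creates or opens writable
        $key.SetValue('Enabled', $entry.Value, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
}

# Schannel reads these keys when the service starts, so a value that is already
# correct here but still shows up in a connection test usually means the server
# needs a reboot rather than another IISRESET.
Write-Host ("{0} setting(s) out of policy" -f $drift)
exit $drift
```

Run it from an elevated prompt on the front-end; a non-zero exit code means at least one setting differs from the policy, which makes it easy to wire into a scheduled check across several servers.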
