
Detecting SSL 3.0 Configuration Changes with Exchange Analyzer

Fellow MVP Andy David has written a post about his discovery that Exchange cumulative updates are re-enabling SSL 3.0 on servers where it has been disabled.

If you have been vigilant, you disabled SSL 3.0 a long time ago on your servers. You may be surprised to find it enabled again after you apply an Exchange Update.

This is obviously not a good thing, and the cumulative updates should not be re-enabling something that admins have disabled for best practices compliance. After all, it is Microsoft’s recommendation to disable SSL 3.0 in the first place.

Microsoft Suggested Actions to mitigate or eliminate the SSL 3.0 vulnerability are to disable 3.0 usage on clients (browsers, devices) and servers…

Although this is bad, I am pleased that checking the configuration of SSL 3.0 is already built in to Exchange Analyzer (Wiki page here). I had always considered that Exchange Analyzer would be a good tool to run on a regular basis, say monthly, to detect any administrator errors that might cause an environment to stray from best practice. But now it seems wise to recommend running Exchange Analyzer after cumulative update installs as well.
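For a quick manual check between Exchange Analyzer runs, the following added example (not code from Exchange Analyzer or from the original post) reads the standard Schannel registry values for SSL 3.0 and reports whether the protocol is explicitly disabled. The function name `Get-Ssl3State` and the server names in the usage comment are hypothetical, and remote checks assume PowerShell remoting is enabled on the target servers.

```powershell
# Added example: report the Schannel SSL 3.0 registry state on one or more servers.
# Get-Ssl3State is a hypothetical helper name, not an Exchange or Exchange Analyzer cmdlet.
function Get-Ssl3State {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    # Runs on the target machine and inspects both the Server and Client subkeys.
    $check = {
        $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'
        foreach ($role in 'Server', 'Client') {
            $props = Get-ItemProperty -Path (Join-Path $base $role) -ErrorAction SilentlyContinue

            # A missing key or value means nothing is set explicitly, so the OS default applies.
            $state = 'NotConfigured'
            if ($null -ne $props.Enabled) {
                $state = if ($props.Enabled -eq 0) { 'Disabled' } else { 'Enabled' }
            }

            [pscustomobject]@{
                Computer          = $env:COMPUTERNAME
                Role              = $role
                State             = $state
                Enabled           = $props.Enabled
                DisabledByDefault = $props.DisabledByDefault
            }
        }
    }

    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) {
            & $check
        }
        else {
            Invoke-Command -ComputerName $computer -ScriptBlock $check |
                Select-Object Computer, Role, State, Enabled, DisabledByDefault
        }
    }
}

# Usage (EX01 and EX02 are constructed server names):
# list every role where SSL 3.0 is not explicitly disabled, e.g. after a cumulative update.
# Get-Ssl3State -ComputerName 'EX01', 'EX02' | Where-Object State -ne 'Disabled'
```

Saving the output before a cumulative update and comparing it with the output afterwards shows whether the update changed the setting.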

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.