Fellow MVP Andy David has written a post about his discovery that Exchange cumulative updates are re-enabling SSL 3.0 on servers where it has been disabled.

If you have been vigilant, you disabled SSL 3.0 a long time ago on your servers. You may be surprised to find it enabled again after you apply an Exchange Update.

This is obviously not a good thing, and the cumulative updates should not be re-enabling something that admins have disabled for best practices compliance. After all, it is Microsoft’s recommendation to disable SSL 3.0 in the first place.

Microsoft Suggested Actions to mitigate or eliminate the SSL 3.0 vulnerability are to disable 3.0 usage on clients (browsers, devices) and servers…

Although this is bad, I am pleased that checking the configuration of SSL 3.0 is already built into Exchange Analyzer (Wiki page here). I had always considered Exchange Analyzer a good tool to run on a regular basis, say monthly, to detect any administrator errors that might cause an environment to stray from best practice. But now it seems wise to recommend running Exchange Analyzer after cumulative update installs as well.
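To catch this kind of drift right after a CU install, here is an added PowerShell check (example code, not the author's and not Exchange Analyzer's) that reads the Schannel registry values Windows uses to control SSL 3.0. It assumes the standard SCHANNEL\Protocols registry layout and is run from an elevated prompt on the Exchange server.

```powershell
# Added example, not from the original post or Exchange Analyzer. Reports the Schannel
# SSL 3.0 state for the Server and Client sides so the check can be re-run after every CU.
# Assumes the standard Windows Schannel registry layout; run elevated on the Exchange server.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

function Get-Ssl30State {
    [CmdletBinding()]
    param([string]$ProtocolKey = $base)

    foreach ($side in 'Server', 'Client') {
        $path = Join-Path $ProtocolKey $side
        $enabled = $null; $disabledByDefault = $null
        if (Test-Path $path) {
            $props = Get-ItemProperty -Path $path
            $enabled = $props.Enabled
            $disabledByDefault = $props.DisabledByDefault
        }
        # A missing key or value means the OS default applies, which on older Windows Server
        # releases left SSL 3.0 on. Only the explicit hardened pair (Enabled = 0 and
        # DisabledByDefault = 1) is treated as "disabled"; anything else is reported as drift.
        $hardened = ($enabled -eq 0) -and ($disabledByDefault -eq 1)
        [pscustomobject]@{
            Side              = $side
            KeyPresent        = (Test-Path $path)
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
            Status            = if ($hardened) { 'Disabled' } else { 'ENABLED (drift)' }
        }
    }
}

# Re-applies the hardened values. Supports -WhatIf so the change can be previewed first.
function Disable-Ssl30 {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ProtocolKey = $base)

    foreach ($side in 'Server', 'Client') {
        $path = Join-Path $ProtocolKey $side
        if ($PSCmdlet.ShouldProcess($path, 'Set Enabled=0 and DisabledByDefault=1')) {
            New-Item -Path $path -Force | Out-Null
            New-ItemProperty -Path $path -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $path -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-Ssl30State | Format-Table -AutoSize
```

Schannel reads these values at boot, so a server that shows drift still needs a reboot after `Disable-Ssl30` before the change is effective.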

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.
