A few years back I wrote a blog post for Exchange 2016 where we used IISCrypto to remove protocols, ciphers, hashes, key exchanges and so on that posed a security risk externally if the servers were published to the internet. However, when running a newer release it seemed to break Autodiscover, and all newer releases had the same problem.

In my lab I ran IISCrypto 3.3 and applied the Strict template to the server to remove all the extras, and it has not broken Autodiscover or produced any Schannel errors in the event logs. If you open IISCrypto and look at the server defaults, you can see that a lot is enabled, as shown below:

[Figure 1: Exchange 2019 server defaults in IISCrypto 3.3 with Exchange 2019 CU13]

Applying the “Strict Template”

If you go to the Templates section, you can select a number of options from the drop-down list, but in this case I chose “Strict”, as you can see below:

[Figure 2: Selecting the Strict template in IISCrypto 3.3 with Exchange 2019 CU13]

Once the template was applied, if you head over to the Schannel section, as seen below, you can see that almost everything has been removed except for a few options:

[Figure 3: Schannel settings after applying the Strict template in IISCrypto 3.3 with Exchange 2019 CU13]

This includes the Cipher Suites, of which only a few remain selected:

[Figure 4: Cipher Suites remaining after the Strict template in IISCrypto 3.3 with Exchange 2019 CU13]

After rebooting the server, it did take a bit longer to respond, but the Application and System event logs show no errors. Performing the same tasks as before, such as loading the Exchange snap-in and running commands, returns results with no errors.
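To confirm what the template actually left behind rather than trusting the GUI, the following PowerShell script (added here; it is not from the original post or from IISCrypto) reads the Schannel protocol registry keys that IISCrypto edits, lists the cipher suites Schannel still offers, and scans the System and Application logs for Schannel errors since the last boot. It assumes Windows Server 2016 or later, where Get-TlsCipherSuite is available, and must be run elevated on the Exchange server.

```powershell
# Added verification script: report Schannel protocol state, cipher suites and errors
# after applying the IISCrypto Strict template. Not part of the original post.

$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-SchannelProtocolState {
    foreach ($p in $protocols) {
        foreach ($side in 'Server', 'Client') {
            $key  = Join-Path $base "$p\$side"
            $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            # No key at all means Windows falls back to its built-in default for that protocol.
            $state = if ($null -eq $item)                 { 'OS default (no key)' }
                     elseif ($item.Enabled -eq 0)         { 'Disabled' }
                     elseif ($item.DisabledByDefault -eq 1) { 'Disabled by default' }
                     else                                 { 'Enabled' }
            [pscustomobject]@{ Protocol = $p; Side = $side; State = $state }
        }
    }
}

function Get-SchannelErrorsSinceBoot {
    # Level 2 = Error. Schannel writes to the System log, but check Application as well,
    # since that is where the post says nothing showed up either.
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    foreach ($log in 'System', 'Application') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; ProviderName = 'Schannel'; Level = 2; StartTime = $boot } `
            -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, @{ n = 'Log'; e = { $log } }, Message
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize

# Cipher suites Schannel still offers, in negotiation order.
Get-TlsCipherSuite | Select-Object Name | Format-Table -AutoSize

$schannelErrors = @(Get-SchannelErrorsSinceBoot)
if ($schannelErrors.Count -eq 0) {
    'No Schannel errors logged since the last boot.'
} else {
    $schannelErrors | Format-List
}
```

Run it once before applying the template and once after the reboot; the difference in the protocol and cipher suite lists is exactly what the template changed, and the error scan covers the same check the post describes doing by hand.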

The Exchange Admin Center (EAC) and Outlook on the Web (OWA) loaded without an issue. I tested a new profile in Outlook and did not encounter the errors I had previously seen on Exchange Server 2016.

This is a test environment, so I can make changes at will and roll them back if I need to. If you want to apply this in a production environment, test it first on a server such as a dedicated Hub or a new Mailbox Server and see what happens.

Hope it helps.
