Solved

Disabling Weak Ciphers Advice.

Posted on 2006-12-01
10
3,413 Views
Last Modified: 2008-10-20
Hi,

 im looking to disable some OpenSSL Ciphers on our OWA/ISA server as its been identified there are some known weak ones in use :

EXP-RC2-CBC-MD5
EXP-RC4-MD5
EXP1024-DES-CBC-SHA
EXP1024-RC4-SHA
DES-CBC-SHA

Any advice on disabling these How/Where ?

 Thanks
0
Comment
Question by:mattash55
  • 5
  • 5
10 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 18052826
Neither Exchange nor ISA use OpenSSL ciphers, so it must be in another product installed on the machine.

Simon.
0
 

Author Comment

by:mattash55
ID: 18052831
Hmm could it be the web servers supporting OWA etc ?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18052886
No Microsoft product uses any part of OpenSSL. Can you imagine the fun the open source community would have?

You have to look elsewhere to find that "weakness".
Do you have any management tools installed on the server? They sometimes come with their own web server. I wouldn't be surprised if there is a copy of Apache on there for something, particularly if it is a branded server.

Simon.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:mattash55
ID: 18052985
Hmm ok i`ll have to check the websever then see whats on there, any suggestions what to applications/things to look for ?
0
 
LVL 104

Accepted Solution

by:
Sembee earned 250 total points
ID: 18053030
Difficult to say - you will have to look through the machine for any non-Microsoft products.

Simon.
0
 

Author Comment

by:mattash55
ID: 18053035
Ok Thanks Simon, ill check it out
0
 

Author Comment

by:mattash55
ID: 18053078
Simon

Ive run Nessus on our ISA server and it seems to have identified the low strength ciphers

Export Ciphers
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Low Strength Ciphers (excluding export, < 128-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

 can simply disable these in the ISA Registry ?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18053228
No idea on ISA - it isn't one of my topics.

Your best option for ISA is probably to look around the ISA Server web site at http://www.isaserver.org/
That site is frequented by Tom Shinder who eats, sleeps and drinks ISA server.

Simon.
0
 

Author Comment

by:mattash55
ID: 18053604
Running Nessus on the Exchange server here also returns the message that those weak Ciphers are in use :/, Ive posted on Isaserver.org also
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18055112
Probably a false positive then, unless you have something common on all the machines that could be causing it.

I have been working with Exchange for a number of years and have been through a number of security audits and this is the first time that anything about Ciphers has been raised. I work on a simple theory with Exchange - if there was an issue it would be well known by now. I pay close attention to anything Exchange related in the security media and I don't recall anything along these lines being flagged.

Simon
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
Find out what you should include to make the best professional email signature for your organization.
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question