Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3432
  • Last Modified:

Disabling Weak Ciphers Advice.

Hi,

 im looking to disable some OpenSSL Ciphers on our OWA/ISA server as its been identified there are some known weak ones in use :

EXP-RC2-CBC-MD5
EXP-RC4-MD5
EXP1024-DES-CBC-SHA
EXP1024-RC4-SHA
DES-CBC-SHA

Any advice on disabling these How/Where ?

 Thanks
0
mattash55
Asked:
mattash55
  • 5
  • 5
1 Solution
 
SembeeCommented:
Neither Exchange nor ISA use OpenSSL ciphers, so it must be in another product installed on the machine.

Simon.
0
 
mattash55Author Commented:
Hmm could it be the web servers supporting OWA etc ?
0
 
SembeeCommented:
No Microsoft product uses any part of OpenSSL. Can you imagine the fun the open source community would have?

You have to look elsewhere to find that "weakness".
Do you have any management tools installed on the server? They sometimes come with their own web server. I wouldn't be surprised if there is a copy of Apache on there for something, particularly if it is a branded server.

Simon.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
mattash55Author Commented:
Hmm ok i`ll have to check the websever then see whats on there, any suggestions what to applications/things to look for ?
0
 
SembeeCommented:
Difficult to say - you will have to look through the machine for any non-Microsoft products.

Simon.
0
 
mattash55Author Commented:
Ok Thanks Simon, ill check it out
0
 
mattash55Author Commented:
Simon

Ive run Nessus on our ISA server and it seems to have identified the low strength ciphers

Export Ciphers
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Low Strength Ciphers (excluding export, < 128-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

 can simply disable these in the ISA Registry ?
0
 
SembeeCommented:
No idea on ISA - it isn't one of my topics.

Your best option for ISA is probably to look around the ISA Server web site at http://www.isaserver.org/
That site is frequented by Tom Shinder who eats, sleeps and drinks ISA server.

Simon.
0
 
mattash55Author Commented:
Running Nessus on the Exchange server here also returns the message that those weak Ciphers are in use :/, Ive posted on Isaserver.org also
0
 
SembeeCommented:
Probably a false positive then, unless you have something common on all the machines that could be causing it.

I have been working with Exchange for a number of years and have been through a number of security audits and this is the first time that anything about Ciphers has been raised. I work on a simple theory with Exchange - if there was an issue it would be well known by now. I pay close attention to anything Exchange related in the security media and I don't recall anything along these lines being flagged.

Simon
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now