Solved

Disabling Weak Ciphers Advice.

Posted on 2006-12-01
10
3,406 Views
Last Modified: 2008-10-20
Hi,

 im looking to disable some OpenSSL Ciphers on our OWA/ISA server as its been identified there are some known weak ones in use :

EXP-RC2-CBC-MD5
EXP-RC4-MD5
EXP1024-DES-CBC-SHA
EXP1024-RC4-SHA
DES-CBC-SHA

Any advice on disabling these How/Where ?

 Thanks
0
Comment
Question by:mattash55
  • 5
  • 5
10 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 18052826
Neither Exchange nor ISA use OpenSSL ciphers, so it must be in another product installed on the machine.

Simon.
0
 

Author Comment

by:mattash55
ID: 18052831
Hmm could it be the web servers supporting OWA etc ?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18052886
No Microsoft product uses any part of OpenSSL. Can you imagine the fun the open source community would have?

You have to look elsewhere to find that "weakness".
Do you have any management tools installed on the server? They sometimes come with their own web server. I wouldn't be surprised if there is a copy of Apache on there for something, particularly if it is a branded server.

Simon.
0
 

Author Comment

by:mattash55
ID: 18052985
Hmm ok i`ll have to check the websever then see whats on there, any suggestions what to applications/things to look for ?
0
 
LVL 104

Accepted Solution

by:
Sembee earned 250 total points
ID: 18053030
Difficult to say - you will have to look through the machine for any non-Microsoft products.

Simon.
0
Do email signature updates give you a headache?

Do you feel like you are constantly making changes to email signatures? Are the images not formatting how you want them to? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today.

 

Author Comment

by:mattash55
ID: 18053035
Ok Thanks Simon, ill check it out
0
 

Author Comment

by:mattash55
ID: 18053078
Simon

Ive run Nessus on our ISA server and it seems to have identified the low strength ciphers

Export Ciphers
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Low Strength Ciphers (excluding export, < 128-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

 can simply disable these in the ISA Registry ?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18053228
No idea on ISA - it isn't one of my topics.

Your best option for ISA is probably to look around the ISA Server web site at http://www.isaserver.org/
That site is frequented by Tom Shinder who eats, sleeps and drinks ISA server.

Simon.
0
 

Author Comment

by:mattash55
ID: 18053604
Running Nessus on the Exchange server here also returns the message that those weak Ciphers are in use :/, Ive posted on Isaserver.org also
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18055112
Probably a false positive then, unless you have something common on all the machines that could be causing it.

I have been working with Exchange for a number of years and have been through a number of security audits and this is the first time that anything about Ciphers has been raised. I work on a simple theory with Exchange - if there was an issue it would be well known by now. I pay close attention to anything Exchange related in the security media and I don't recall anything along these lines being flagged.

Simon
0

Featured Post

Free book by J.Peter Bruzzese, Microsoft MVP

Are you using Office 365? Trying to set up email signatures but you’re struggling with transport rules and connectors? Let renowned Microsoft MVP J.Peter Bruzzese show you how in this exclusive e-book on Office 365 email signatures. Better yet, it’s free!

Join & Write a Comment

Check out this infographic on what you need to make a good email signature that will work perfectly for your organization.
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
This video discusses moving either the default database or any database to a new volume.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now