mattash55
asked on
Disabling Weak Ciphers Advice.
Hi,
I'm looking to disable some OpenSSL ciphers on our OWA/ISA server, as it's been identified that there are some known weak ones in use:
EXP-RC2-CBC-MD5
EXP-RC4-MD5
EXP1024-DES-CBC-SHA
EXP1024-RC4-SHA
DES-CBC-SHA
Any advice on disabling these, and how/where?
Thanks
ASKER
Hmm, could it be the web servers supporting OWA etc.?
No Microsoft product uses any part of OpenSSL. Can you imagine the fun the open source community would have?
You have to look elsewhere to find that "weakness".
Do you have any management tools installed on the server? They sometimes come with their own web server. I wouldn't be surprised if there is a copy of Apache on there for something, particularly if it is a branded server.
Simon.
ASKER
Hmm, OK, I'll have to check the web server then and see what's on there. Any suggestions for what applications/things to look for?
ASKER
OK, thanks Simon, I'll check it out.
ASKER
Simon
I've run Nessus on our ISA server and it seems to have identified the low-strength ciphers:
Export Ciphers
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
Low Strength Ciphers (excluding export, < 128-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
Can I simply disable these in the ISA registry?
No idea on ISA - it isn't one of my topics.
Your best option for ISA is probably to look around the ISA Server web site at http://www.isaserver.org/
That site is frequented by Tom Shinder who eats, sleeps and drinks ISA server.
Simon.
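On the registry question asked above, here is an added example; it is not from anyone in the thread. The Kx=/Au=/Enc=/Mac= notation in the Nessus output is OpenSSL's cipher-suite naming (the format of `openssl ciphers -v`), which Nessus uses to describe what any TLS server offers, regardless of the server's own TLS stack. On Windows, IIS (and therefore OWA) and ISA Server's SSL web listeners terminate TLS with Schannel, and Schannel is configured per cipher and per protocol with a DWORD `Enabled = 0` under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL`. The script assumes the default Schannel key layout, that the cipher names map as noted in the comments, and that nothing else on the host terminates TLS.

```powershell
# Added example (not from the thread): disable SSL 2.0 and the 40/56-bit
# Schannel ciphers behind the Nessus findings. Run in an elevated PowerShell
# on the ISA/OWA host. Schannel reads these keys at boot, so reboot afterwards.

$schannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# The cipher subkey names contain '/', which the HKLM: drive provider treats as
# a path separator, so New-Item/Set-ItemProperty cannot address them. Use the
# .NET registry API instead.
$schannel = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($schannelPath, $true)
if (-not $schannel) { throw "Key not found: HKLM\$schannelPath" }

# Schannel cipher keys covering the flagged suites (assumed mapping):
#   RC2 40/128 -> EXP-RC2-CBC-MD5        RC4 40/128 -> EXP-RC4-MD5
#   DES 56/56  -> DES-CBC-SHA, DES-CBC-MD5
# RC4 56/128 and NULL are switched off too; they are no stronger.
$weakCiphers = @('RC2 40/128', 'RC4 40/128', 'RC4 56/128', 'DES 56/56', 'NULL')

foreach ($name in $weakCiphers) {
    $key = $schannel.CreateSubKey("Ciphers\$name")   # creates the key if it is absent
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Turn off SSL 2.0 as a server protocol; Nessus saw the export suites offered
# over it and the protocol itself is obsolete. The per-cipher keys above also
# remove those suites from SSLv3/TLS, where Nessus listed them as well.
$ssl2 = $schannel.CreateSubKey('Protocols\SSL 2.0\Server')
$ssl2.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
$ssl2.Close()

# Read back what was written so the change can be checked before rebooting.
function Get-SchannelCipherState {
    param([Microsoft.Win32.RegistryKey]$Root, [string[]]$Names)
    foreach ($n in $Names) {
        $k = $Root.OpenSubKey("Ciphers\$n")
        $state = if ($k) { $k.GetValue('Enabled', 'not set') } else { 'no key' }
        if ($k) { $k.Close() }
        '{0,-12} Enabled={1}' -f $n, $state
    }
}
Get-SchannelCipherState -Root $schannel -Names $weakCiphers
$schannel.Close()
```

After the reboot, re-run the Nessus scan against the listener; the export and 56-bit suites should no longer appear. Leave the `Hashes` subkeys alone: disabling MD5 there affects more than cipher-suite negotiation. On later Windows releases the cipher-suite order under `HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002` (`Functions`) also governs what is offered, but `Enabled = 0` on a cipher key still removes it.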
ASKER
Running Nessus on the Exchange server here also returns the message that those weak ciphers are in use :/ I've posted on Isaserver.org also.
Probably a false positive then, unless you have something common on all the machines that could be causing it.
I have been working with Exchange for a number of years and have been through a number of security audits and this is the first time that anything about Ciphers has been raised. I work on a simple theory with Exchange - if there was an issue it would be well known by now. I pay close attention to anything Exchange related in the security media and I don't recall anything along these lines being flagged.
Simon