Solved

Disabling Weak Ciphers Advice.

Posted on 2006-12-01
Last Modified: 2008-10-20
Hi,

I'm looking to disable some OpenSSL ciphers on our OWA/ISA server, as it's been identified that there are some known weak ones in use:

EXP-RC2-CBC-MD5
EXP-RC4-MD5
EXP1024-DES-CBC-SHA
EXP1024-RC4-SHA
DES-CBC-SHA

Any advice on disabling these? How/where?

 Thanks
0
Question by:mattash55
10 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 18052826
Neither Exchange nor ISA use OpenSSL ciphers, so it must be in another product installed on the machine.

Simon.
0
 

Author Comment

by:mattash55
ID: 18052831
Hmm could it be the web servers supporting OWA etc ?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18052886
No Microsoft product uses any part of OpenSSL. Can you imagine the fun the open source community would have?

You have to look elsewhere to find that "weakness".
Do you have any management tools installed on the server? They sometimes come with their own web server. I wouldn't be surprised if there is a copy of Apache on there for something, particularly if it is a branded server.

Simon.
0
 

Author Comment

by:mattash55
ID: 18052985
Hmm, OK, I'll have to check the webserver then and see what's on there. Any suggestions on what applications/things to look for?
0
 
LVL 104

Accepted Solution

by:
Sembee earned 1000 total points
ID: 18053030
Difficult to say - you will have to look through the machine for any non-Microsoft products.

Simon.
0
 

Author Comment

by:mattash55
ID: 18053035
OK, thanks Simon, I'll check it out
0
 

Author Comment

by:mattash55
ID: 18053078
Simon

I've run Nessus on our ISA server and it seems to have identified the low strength ciphers

Export Ciphers
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Low Strength Ciphers (excluding export, < 128-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

Can I simply disable these in the ISA Registry?
0
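
The scanner output quoted in the post above uses a fixed one-line-per-cipher layout under protocol headings, so it can be parsed to list which suites fall below a key-length floor on each protocol. This is an added example, not part of the original thread; the function names are assumptions made here, and the 128-bit default mirrors the report's own "< 128-bit key" heading.

```python
import re

# Constructed sample: the Nessus plugin output quoted in the post above.
REPORT = """\
Export Ciphers
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Low Strength Ciphers (excluding export, < 128-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
"""

PROTO = re.compile(r"^(SSLv\d|TLSv\d(?:\.\d)?)$")
CIPHER = re.compile(
    r"^(?P<name>\S+)\s+Kx=[^\s(]+(?:\((?P<kx_bits>\d+)\))?\s+Au=\S+\s+"
    r"Enc=(?P<enc>[^\s(]+)\((?P<bits>\d+)\)\s+Mac=\S+(?P<export>\s+export)?\s*$"
)

def parse_report(text):
    """Return one dict per cipher line, tagged with the protocol heading above it."""
    findings, proto = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PROTO.match(line):
            proto = line
            continue
        m = CIPHER.match(line)
        if m:  # section titles and blank lines do not match and are skipped
            findings.append({"protocol": proto, "name": m["name"], "enc": m["enc"],
                             "bits": int(m["bits"]), "export": m["export"] is not None,
                             "kx_bits": int(m["kx_bits"]) if m["kx_bits"] else None})
    return findings

def weak_by_protocol(findings, min_bits=128):
    """Group names of export-grade or sub-min_bits ciphers by protocol."""
    out = {}
    for f in findings:
        if f["export"] or f["bits"] < min_bits:
            out.setdefault(f["protocol"], []).append(f["name"])
    return out

if __name__ == "__main__":
    print(weak_by_protocol(parse_report(REPORT)))
```
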
 
LVL 104

Expert Comment

by:Sembee
ID: 18053228
No idea on ISA - it isn't one of my topics.

Your best option for ISA is probably to look around the ISA Server web site at http://www.isaserver.org/
That site is frequented by Tom Shinder who eats, sleeps and drinks ISA server.

Simon.
0
 

Author Comment

by:mattash55
ID: 18053604
Running Nessus on the Exchange server here also returns the message that those weak ciphers are in use :/ I've posted on Isaserver.org also
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18055112
Probably a false positive then, unless you have something common on all the machines that could be causing it.

I have been working with Exchange for a number of years and have been through a number of security audits and this is the first time that anything about Ciphers has been raised. I work on a simple theory with Exchange - if there was an issue it would be well known by now. I pay close attention to anything Exchange related in the security media and I don't recall anything along these lines being flagged.

Simon
0
