We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Course Of The Month
3 days, 16 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
BEAST attack PCI pen tests failing on 2003 web servers
Posted on 2013-01-06
Hi guys,
We have failed our monthly pen test which relates to the BEAST attack on CBC ciphers. I have read numerous articles and recommendations, and I think I know what needs to be done, but I just need someone to confirm this.
Affected systems are all web servers Windows 2003 IIS6 (yes getting on now I know)
From the copious amounts of reading and trying to understand the relationship between the protocols and ciphers i.e. is there one pool of ciphers which all the enabled protocols use etc. I think I need to disable all weak ciphers + ciphers that have CBC written in the description. This leaves just 2 ciphers - TLS_RSA_WITH_RC4_128_SHA & TLS_RSA_WITH_RC4_128_MD5 which if my understanding is correct, both SSL3.0 and TLS1.0 will use?!?!
On the Trustwave report, it states that to disable all Block based ciphers and to only support RC4 ciphers. But when using IIS Crypto to leave only RC4 128/128 ticked in the ciphers list, and using Qualys SSL labs to check the available cipher lists, it still shows a few CBC ciphers. So I have removed these from within the Schannel which leaves only - TLS_RSA_WITH_RC4_128_SHA & TLS_RSA_WITH_RC4_128_MD5
As these web servers are accessed by thousands of customers, I just need to be sure I have understood correctly what’s needed to be able to pass the pen test.
Many thanks in advance.
Regards,
James
We have failed our monthly pen test which relates to the BEAST attack on CBC ciphers. I have read numerous articles and recommendations, and I think I know what needs to be done, but I just need someone to confirm this.
Affected systems are all web servers Windows 2003 IIS6 (yes getting on now I know)
From the copious amounts of reading and trying to understand the relationship between the protocols and ciphers i.e. is there one pool of ciphers which all the enabled protocols use etc. I think I need to disable all weak ciphers + ciphers that have CBC written in the description. This leaves just 2 ciphers - TLS_RSA_WITH_RC4_128_SHA & TLS_RSA_WITH_RC4_128_MD5 which if my understanding is correct, both SSL3.0 and TLS1.0 will use?!?!
On the Trustwave report, it states that to disable all Block based ciphers and to only support RC4 ciphers. But when using IIS Crypto to leave only RC4 128/128 ticked in the ciphers list, and using Qualys SSL labs to check the available cipher lists, it still shows a few CBC ciphers. So I have removed these from within the Schannel which leaves only - TLS_RSA_WITH_RC4_128_SHA & TLS_RSA_WITH_RC4_128_MD5
As these web servers are accessed by thousands of customers, I just need to be sure I have understood correctly what’s needed to be able to pass the pen test.
Many thanks in advance.
Regards,
James
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
3-
2
6 Comments
Active today
Well, RFC2246 confirms the ciphersuite with TLS1.0 and I believe that SSL3.0 will also support the streaming cipher. Upgrading your webserver will enable you to leverage the enhancements that IIS6 was never designed for.
Active 1 day ago
Hi,
Thanks for your comment. We are planning to upgrade later this year, but in the meantime I need to have a solution in place as soon as possible.As we stand, I just need to confirm the above to cipher suite are the only ones I can have enabled on 2003 server side.
Many thanks netcmh
Thanks for your comment. We are planning to upgrade later this year, but in the meantime I need to have a solution in place as soon as possible.As we stand, I just need to confirm the above to cipher suite are the only ones I can have enabled on 2003 server side.
Many thanks netcmh
Active 1 day ago
I've requested that this question be closed as follows:
Accepted answer: 0 points for macleandata's comment #a38750078
for the following reason:
No solution was given so wanted to close the call
Accepted answer: 0 points for macleandata's comment #a38750078
for the following reason:
No solution was given so wanted to close the call
Active today
A confirmation on my part in regards to the question supported by an RFC was provided. No additional experts participated. A business solution was out of scope for the question.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
- Windows OS
- Windows XP
- Windows 7
- Mac OS X
- Windows 10
- Windows 8, Software-Other, System Utilities, Vulnerabilities, Web Browsers
The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others. This conference is aimed mainly at government agencies. So it addresses the various compli…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
- Microsoft Legacy OS
- Windows 10
- Windows 8
- Windows OS
- Windows 7
- Windows Vista, Windows XP, Windows 2000
This Micro Tutorial will demonstrate how to add subdomains to your content reports. This can be very importing in having a site with multiple subdomains.
Suggested Courses
Course of the Month3 days, 16 hours left to enroll
Earn Certification
MCSA Configuring Windows 7 Exam 70-680
$49.00$44.10
691 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.