BEAST attack PCI pen tests failing on 2003 web servers

macleandata asked on
Web BrowsersEncryptionMicrosoft Legacy OS
Hi guys,

We have failed our monthly pen test which relates to the BEAST attack on CBC ciphers.  I have read numerous articles and recommendations, and I think I know what needs to be done, but I just need someone to confirm this.

Affected systems are all Windows 2003 / IIS6 web servers (yes, getting on now, I know).
From the copious amounts of reading and trying to understand the relationship between the protocols and ciphers (i.e. is there one pool of ciphers which all the enabled protocols use, etc.), I think I need to disable all weak ciphers plus the ciphers that have CBC written in the description. This leaves just 2 ciphers, TLS_RSA_WITH_RC4_128_SHA & TLS_RSA_WITH_RC4_128_MD5, which, if my understanding is correct, both SSL 3.0 and TLS 1.0 will use?!?!

The Trustwave report states that we should disable all block-based ciphers and only support RC4 ciphers. But when using IIS Crypto to leave only RC4 128/128 ticked in the ciphers list, and using Qualys SSL Labs to check the available cipher list, it still shows a few CBC ciphers. So I have removed these from within Schannel, which leaves only TLS_RSA_WITH_RC4_128_SHA & TLS_RSA_WITH_RC4_128_MD5.

As these web servers are accessed by thousands of customers, I just need to be sure I have understood correctly what's needed to be able to pass the pen test.

Many thanks in advance.

Regards,

James
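The relationship the question is asking about (one pool of cipher suites, gated by the separate Ciphers, Hashes and KeyExchangeAlgorithms registry keys, and shared by whichever of SSL 3.0 and TLS 1.0 are switched on) can be modelled directly. The script below is an added example and is not part of the original post, of IIS Crypto or of Schannel itself; the suite table, the registry value names it uses ("RC4 128/128", "Triple DES 168/168", "PKCS" and so on, recalled from the HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL layout) and the scanner output it parses are assumptions and constructed samples for illustration, to be checked against the real server rather than trusted as an authoritative list.

```python
"""Model of how a Windows 2003 Schannel host derives the cipher suites it offers.

Added example, not code from the original post. The suite table and registry
value names are assumptions recalled from the Schannel registry layout under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL.
"""

# Each suite is assembled from one entry of the Ciphers, Hashes and
# KeyExchangeAlgorithms keys. Schannel offers a suite only when all three
# components are enabled. The protocol switches (SSL 3.0, TLS 1.0) are a
# separate, independent gate: every enabled protocol draws from this one pool.
SCHANNEL_SUITES = {
    # suite name                           cipher knob            hash   key exchange
    "TLS_RSA_WITH_RC4_128_SHA":           ("RC4 128/128",        "SHA", "PKCS"),
    "TLS_RSA_WITH_RC4_128_MD5":           ("RC4 128/128",        "MD5", "PKCS"),
    "TLS_RSA_WITH_AES_256_CBC_SHA":       ("AES 256/256",        "SHA", "PKCS"),
    "TLS_RSA_WITH_AES_128_CBC_SHA":       ("AES 128/128",        "SHA", "PKCS"),
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA":      ("Triple DES 168/168", "SHA", "PKCS"),
    "TLS_RSA_WITH_DES_CBC_SHA":           ("DES 56/56",          "SHA", "PKCS"),
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA": ("RC4 56/128",         "SHA", "PKCS"),
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5":     ("RC4 40/128",         "MD5", "PKCS"),
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5": ("RC2 40/128",         "MD5", "PKCS"),
    # DHE_DSS suites also need a DSS server certificate in practice.
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA":  ("Triple DES 168/168", "SHA", "Diffie-Hellman"),
    "TLS_RSA_WITH_NULL_SHA":              ("NULL",               "SHA", "PKCS"),
    "TLS_RSA_WITH_NULL_MD5":              ("NULL",               "MD5", "PKCS"),
}


def offered_suites(ciphers, hashes, key_exchanges):
    """Suites Schannel would offer given the sets of enabled registry entries."""
    return sorted(
        suite for suite, (cipher, hsh, kx) in SCHANNEL_SUITES.items()
        if cipher in ciphers and hsh in hashes and kx in key_exchanges
    )


def is_cbc(suite):
    # The IANA suite name carries the block mode; RC4 (stream) and NULL suites
    # have no mode token, which is exactly why a BEAST scanner leaves them alone.
    return "_CBC_" in suite


def beast_exposed(suites):
    """Suites a BEAST-era scanner flags: any CBC suite usable under SSL 3.0 / TLS 1.0."""
    return [s for s in suites if is_cbc(s)]


def parse_scan_lines(lines):
    """Pull suite names out of a scanner-style text dump (constructed format)."""
    return [line.split()[0] for line in lines if line.strip().startswith("TLS_")]


# Constructed sample: roughly what a 2003 box enables out of the box (NULL is off).
DEFAULT_CIPHERS = {"RC4 128/128", "RC4 56/128", "RC4 40/128", "RC2 40/128",
                   "Triple DES 168/168", "DES 56/56", "AES 128/128", "AES 256/256"}
DEFAULT_HASHES = {"MD5", "SHA"}
DEFAULT_KX = {"PKCS", "Diffie-Hellman"}

# The configuration the post ends up with: only RC4 128/128 left ticked.
RC4_ONLY_CIPHERS = {"RC4 128/128"}

# Constructed scanner output for a host where one CBC knob is still enabled.
SCAN_SAMPLE = """
TLS_RSA_WITH_RC4_128_SHA (0x5)         128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)    112
TLS_RSA_WITH_RC4_128_MD5 (0x4)         128
"""


def scan_still_shows_cbc(scan_text):
    """The check the post describes: does the external scan still list CBC suites?"""
    return beast_exposed(parse_scan_lines(scan_text.splitlines()))


if __name__ == "__main__":
    before = offered_suites(DEFAULT_CIPHERS, DEFAULT_HASHES, DEFAULT_KX)
    after = offered_suites(RC4_ONLY_CIPHERS, DEFAULT_HASHES, DEFAULT_KX)
    print("CBC suites offered before:", beast_exposed(before))
    print("suites offered after     :", after)
    print("scanner still reports    :", scan_still_shows_cbc(SCAN_SAMPLE))
```

Running it shows that with only RC4 128/128 enabled and both hashes left on, exactly the two suites named in the question remain, and that within this model any CBC suite an external scan still reports can only come from a cipher entry that is still enabled (or from a change not yet in effect; Schannel reads these keys at boot). Two caveats a practitioner would want alongside the scanner's advice: the suite pool is independent of the protocol switches, so the same two RC4 suites are what both SSL 3.0 and TLS 1.0 offer; and an RC4-only configuration satisfied BEAST-era PCI scanners but RC4 has known keystream biases and was later prohibited for TLS by RFC 7465, while the durable fix for BEAST (TLS 1.1 or later, where the IV is explicit per record) is not something Windows 2003's Schannel can offer.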