Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

BEAST attack PCI pen tests failing on 2003 web servers

Posted on 2013-01-06
6
Medium Priority
?
433 Views
Last Modified: 2014-03-20
Hi guys,

We have failed our monthly pen test which relates to the BEAST attack on CBC ciphers.  I have read numerous articles and recommendations, and I think I know what needs to be done, but I just need someone to confirm this.

Affected systems are all web servers Windows 2003 IIS6 (yes getting on now I know)
From the copious amounts of reading and trying to understand the relationship between the protocols and ciphers i.e. is there one pool of ciphers which all the enabled protocols use etc. I think I need to disable all weak ciphers + ciphers that have CBC written in the description.  This leaves just 2 ciphers - TLS_RSA_WITH_RC4_128_SHA & TLS_RSA_WITH_RC4_128_MD5 which if my understanding is correct, both SSL3.0 and TLS1.0 will use?!?!

On the Trustwave report, it states that to disable all Block based ciphers and to only support RC4 ciphers. But when using IIS Crypto to leave only RC4 128/128 ticked in the ciphers list, and using Qualys SSL labs to check the available cipher lists, it still shows a few CBC ciphers.  So I have removed these from within the Schannel which leaves only - TLS_RSA_WITH_RC4_128_SHA & TLS_RSA_WITH_RC4_128_MD5

As these web servers are accessed by thousands of customers, I just need to be sure I have understood correctly what’s needed to be able to pass the pen test.

Many thanks in advance.

Regards,

James
0
Comment
Question by:macleandata
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 21

Accepted Solution

by:
netcmh earned 2000 total points
ID: 38749429
Well, RFC2246 confirms the ciphersuite with TLS1.0 and I believe that SSL3.0 will also support the streaming cipher. Upgrading your webserver will enable you to leverage the enhancements that IIS6 was never designed for.
0
 

Author Comment

by:macleandata
ID: 38750078
Hi,

Thanks for your comment.  We are planning to upgrade later this year, but in the meantime I need to have a solution in place as soon as possible.As we stand, I just need to confirm the above to cipher suite are the only ones I can have enabled on 2003 server side.

Many thanks netcmh
0
 

Author Comment

by:macleandata
ID: 39934039
I've requested that this question be closed as follows:

Accepted answer: 0 points for macleandata's comment #a38750078

for the following reason:

No solution was given so wanted to close the call
0
 
LVL 21

Expert Comment

by:netcmh
ID: 39934040
A confirmation on my part in regards to the question supported by an RFC was provided. No additional experts participated. A business solution was out of scope for the question.
0
 
LVL 21

Expert Comment

by:netcmh
ID: 39942185
Thank you.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question