Beast vulnerability PCI compliance

Posted on 2013-01-09
Last Modified: 2013-01-14
Hello,

We just failed our PCI compliance test due to the BEAST vulnerability on our servers. Can anyone help me with how to correct this, and also let me know whether it is going to break anything on the web servers or on the Exchange server? Is there an easy way to correct this? What should I look out for after attempting the fix? Is there a chance it will make things not work in any way?

Thanks in advance.
Question by:Tim Lewis
5 Comments

Expert Comment

by:btan
ID: 38761728
You should check this out; the clean way is primarily to go for TLS 1.2. Microsoft has even released a patch to adjust the crypto part. You can also catch the PhoneFactor PDF in the linked answer.

http://security.stackexchange.com/questions/14326/how-to-fix-ssl-2-0-and-beast-on-iis
Author Comment

by:Tim Lewis
ID: 38762735
Do you know if changing these ciphers has any effect on the way Exchange 2010 functions? I read somewhere that making this change could make certain services and server functions not work. Thank you.
Accepted Solution

by: btan (earned 400 total points)
ID: 38762833
You should look at the last post of this forum thread:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/5e17d836-39f7-4246-a382-b073d1130079

I don't think it should, but as it impacts all SSL communication (Outlook Anywhere running RDP over HTTP), the client will need to be able to communicate at that crypto level as well.

http://technet.microsoft.com/en-us/library/cc179036.aspx

TLS affects the following, and whatever depends on them, whether Exchange or other services, can be implicated:

http://msdn.microsoft.com/en-us/library/aa380516(v=vs.85).aspx

To use TLS for client/server communication:

- Handshake and cipher suite negotiation
- Authentication of parties
- Key-related information exchange
- Application data exchange

Nonetheless, it is best to test this out on staging first.
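The accepted answer points at the Microsoft articles but leaves the actual SChannel change to the reader. The script below is an added example written for this page, not code from the thread or from the linked Microsoft articles. It enables TLS 1.1/1.2 and disables SSL 2.0 through the documented SChannel protocol registry keys, and pins a cipher-suite order through the same `Functions` value that the "SSL Cipher Suite Order" group policy writes. It assumes an elevated PowerShell session on Windows Server 2008 R2 / IIS 7.5, a reboot afterwards (SChannel reads these keys at startup), and that the cipher-suite names in `$preferredOrder` match the SChannel list for your OS; those names are assumptions to check against Microsoft's documented list before applying.

```powershell
# Added example (not from the thread): SChannel hardening for BEAST on a
# Windows Server 2008 R2 / IIS 7.5 host. Run elevated; reboot afterwards;
# try it on staging first, as the post above recommends.

$schannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$cipherOrderPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Set-SchannelProtocol {
    # Writes the documented Enabled / DisabledByDefault DWORDs for both the
    # Server and Client side of one protocol, e.g. 'TLS 1.2' or 'SSL 2.0'.
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][bool]$Enabled
    )
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannelProtocols "$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 turns the protocol on; DisabledByDefault=0 lets SChannel offer it
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value $(if ($Enabled) { 1 } else { 0 }) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value $(if ($Enabled) { 0 } else { 1 }) -Force | Out-Null
    }
}

function Set-CipherSuiteOrder {
    # Same value the "SSL Cipher Suite Order" group policy writes: one
    # comma-separated REG_SZ named Functions, first entry most preferred.
    param([Parameter(Mandatory = $true)][string[]]$Suites)
    if (-not (Test-Path $cipherOrderPolicy)) { New-Item -Path $cipherOrderPolicy -Force | Out-Null }
    New-ItemProperty -Path $cipherOrderPolicy -Name 'Functions' -PropertyType String `
        -Value ($Suites -join ',') -Force | Out-Null
}

# Order rationale: SHA-256/384 suites can only be negotiated under TLS 1.2,
# whose per-record IVs defeat BEAST, so TLS 1.2 clients land there first.
# For clients that still speak only TLS 1.0, RC4 (a stream cipher, so no CBC
# chaining) was the 2013-era mitigation the linked articles recommend; RC4 has
# since been prohibited for TLS (RFC 7465), so today drop TLS 1.0 instead.
# Suite names below are assumed from the 2008 R2 SChannel list; verify them.
$preferredOrder = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_RC4_128_SHA',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
)

Set-SchannelProtocol -Name 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Name 'TLS 1.1' -Enabled $true
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true
Set-CipherSuiteOrder -Suites $preferredOrder
Write-Host 'SChannel settings written; reboot before re-testing with a scanner.'
```

The compatibility point raised in the question applies here: these keys govern every SChannel consumer on the box (IIS, Outlook Anywhere, ActiveSync, RDP, SMTP TLS), so whatever clients talk to the server must be able to negotiate at least one suite in the list above. Keep a copy of the original `Functions` value (it is absent when no policy has ever been set) so the change can be reverted without a second reboot cycle.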
Expert Comment

by:ahoffmann
ID: 38763187
To not be vulnerable to BEAST, you need to use SSLv3 or TLSv1.1 with the RC4-MD5 or RC4-SHA cipher.
Assisted Solution

by: Netflo (earned 100 total points)
ID: 38764902
Hi,

The tried-and-tested solution you want is at this link: http://blogs.msdn.com/b/kaushal/archive/2011/10/03/taming-the-beast-browser-exploit-against-ssl-tls.aspx

After implementing the changes you'll need to reboot your servers, and yes, your Exchange server will continue to work as expected. I've personally applied this to all servers with no issues or side effects.

You can use https://www.ssllabs.com/ssltest/index.html to verify if you've closed that vulnerability on your public facing server as well.

Hope this helps.
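SSL Labs, as suggested above, only reaches public-facing hosts. For the internal or staging servers the accepted answer says to test first, the probe below does the same protocol-by-protocol check from a Windows box. It is an added example written for this page, not code from the thread or from any of the linked articles. It assumes .NET 4.5 or later (for the `Tls11`/`Tls12` members of `SslProtocols`), that the probing client's own SChannel settings allow each protocol it offers, and a placeholder host name `mail.example.com`. Nothing in it is tied to the original poster's environment.

```powershell
# Added example (not from the thread): offer each SSL/TLS version to a server,
# record what it negotiates, and flag the BEAST condition, which is SSL 3.0 or
# TLS 1.0 with a CBC block cipher. RC4 is a stream cipher and not affected by
# BEAST (though it is weak in its own right); TLS 1.1+ use per-record IVs.

function Test-TlsHandshake {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [Parameter(Mandatory = $true)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate: this checks negotiation, not chain trust.
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)

        $cipher = $ssl.CipherAlgorithm
        # Under SSL 3.0 / TLS 1.0 every block cipher SChannel offers runs in CBC
        # mode with chained IVs, so "old protocol and not RC4" is the BEAST case.
        $oldProtocol = ($ssl.SslProtocol -eq 'Ssl3') -or ($ssl.SslProtocol -eq 'Tls')
        $blockCipher = $cipher -ne 'Rc4'

        New-Object PSObject -Property @{
            Offered      = $Protocol
            Negotiated   = $ssl.SslProtocol
            Cipher       = "$cipher-$($ssl.CipherStrength)"
            BeastExposed = ($oldProtocol -and $blockCipher)
            Error        = $null
        }
    } catch {
        # A refused handshake is the desired result for SSL 3.0 once it is disabled.
        New-Object PSObject -Property @{
            Offered      = $Protocol
            Negotiated   = 'none'
            Cipher       = $null
            BeastExposed = $false
            Error        = $_.Exception.Message
        }
    } finally {
        $tcp.Close()
    }
}

function Test-BeastExposure {
    # Walks the protocol versions from oldest to newest; a clean host shows
    # BeastExposed = False on every row (TLS 1.0 negotiating RC4 counts as
    # mitigated for BEAST, even though RC4 itself should now be retired).
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)
    foreach ($p in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
        Test-TlsHandshake -HostName $HostName -Port $Port -Protocol $p
    }
}

# Placeholder host; point this at the staging or internal server under test.
Test-BeastExposure -HostName 'mail.example.com' |
    Format-Table Offered, Negotiated, Cipher, BeastExposed, Error -AutoSize
```

Run it before and after the registry change and reboot so the two tables can be compared. Because `SslStream` uses the local SChannel stack, a probing client that itself has TLS 1.1/1.2 disabled will report those rows as errors regardless of the server; use a machine with the newer protocols enabled, or fall back to SSL Labs for anything internet-reachable.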
