Solved

Beast vulnerability PCI compliance

Posted on 2013-01-09
1,087 Views
Last Modified: 2013-01-14
Hello,

We just failed our PCI compliance test due to the BEAST vulnerability on our servers. Can anyone help me with how to correct this, and also let me know if it is going to break anything on the web servers or on the Exchange server? Is there an easy way to correct this? What should I look out for after attempting the fix? Is there a chance it will make things not work in any sort of way?

Thanks in advance.
Question by:danskoit
5 Comments
 
LVL 62

Expert Comment

by:btan
ID: 38761728
You should check out this; primarily, the clean way is to go for TLS 1.2. There is even a patch released by Microsoft to adjust the crypto part. You can also catch the PhoneFactor PDF in the linked answer.

http://security.stackexchange.com/questions/14326/how-to-fix-ssl-2-0-and-beast-on-iis
 

Author Comment

by:danskoit
ID: 38762735
Do you know if changing these ciphers has any effect on the way Exchange 2010 functions? I read somewhere that making this change could make certain services and server functions not work. Thank you.
 
LVL 62

Accepted Solution

by: btan (earned 400 total points)
ID: 38762833
You should look at the last post of this forum thread:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/5e17d836-39f7-4246-a382-b073d1130079

I don't think it should, but as it impacts all SSL communication (Outlook Anywhere running RDP over HTTP), the crypto will need the client to be able to communicate at that level as well.

http://technet.microsoft.com/en-us/library/cc179036.aspx

TLS affects the following, and anything associated with them, regardless of whether it is Exchange or other services that need them, can be implicated:

http://msdn.microsoft.com/en-us/library/aa380516(v=vs.85).aspx

To use TLS for client/server communication:

Handshake and cipher suite negotiation
Authentication of parties
Key-related information exchange
Application data exchange

Nonetheless, it is best to test out on staging first.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38763187
To not be vulnerable to BEAST, you need to use SSLv3 or TLSv1.1 with the RC4-MD5 or RC4-SHA cipher.
 
LVL 18

Assisted Solution

by: Netflo (earned 100 total points)
ID: 38764902
Hi,

The tried and tested solution you want is on this link: http://blogs.msdn.com/b/kaushal/archive/2011/10/03/taming-the-beast-browser-exploit-against-ssl-tls.aspx

After implementing the changes, you'll need to reboot your servers, and yes, your Exchange server will continue to work as expected. I've personally applied this to all servers with no issues or side effects.

You can use https://www.ssllabs.com/ssltest/index.html to verify if you've closed that vulnerability on your public facing server as well.

Hope this helps.
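The answers above point at the SChannel registry settings that the Microsoft guidance adjusts (protocol versions and cipher suite order) and note that a reboot is needed and that an external scan such as SSL Labs can confirm the result. The script below is an added example, not code from the thread or from the linked Microsoft articles; it reads the standard SChannel protocol keys and the policy cipher suite order so an administrator can record the state of a server before and after the change, and it can enable TLS 1.1 and TLS 1.2 under `-WhatIf` first. It assumes a Windows Server host, an elevated PowerShell session, and the documented SChannel key layout (`Protocols\<name>\Server|Client` with `Enabled` and `DisabledByDefault` DWORDs); the function names are this example's own.

```powershell
# Added example (not from the thread): audit the SChannel protocol settings
# that the BEAST mitigation depends on, and optionally enable TLS 1.1/1.2.
# Assumes Windows Server and an elevated session. Registry layout used:
#   HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<Protocol>\<Server|Client>
#   values: Enabled (DWORD), DisabledByDefault (DWORD); a missing key means the OS default applies.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$CipherSuitePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'),
        [string[]]$Side = @('Server', 'Client')
    )
    foreach ($p in $Protocol) {
        foreach ($s in $Side) {
            $key = Join-Path (Join-Path $SchannelProtocols $p) $s
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $item = Get-ItemProperty -Path $key
                $enabled = $item.Enabled
                $disabledByDefault = $item.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $s
                KeyPresent        = (Test-Path $key)
                Enabled           = $enabled            # $null: OS default applies
                DisabledByDefault = $disabledByDefault  # $null: OS default applies
            }
        }
    }
}

function Get-SchannelCipherSuiteOrder {
    # The policy-defined suite order (set by Group Policy or the linked guidance).
    # Returns $null when no policy order is configured.
    if (-not (Test-Path $CipherSuitePolicy)) { return $null }
    $functions = (Get-ItemProperty -Path $CipherSuitePolicy).Functions
    if (-not $functions) { return $null }
    return $functions -split ','
}

function Enable-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [string[]]$Side = @('Server', 'Client')
    )
    foreach ($s in $Side) {
        $key = Join-Path (Join-Path $SchannelProtocols $Protocol) $s
        if ($PSCmdlet.ShouldProcess($key, "Enable $Protocol ($s)")) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
}

# Usage: snapshot the current state before touching anything.
Get-SchannelProtocolState | Format-Table -AutoSize
Get-SchannelCipherSuiteOrder

# Preview the change first; drop -WhatIf to apply. A reboot is required afterwards.
Enable-SchannelProtocol -Protocol 'TLS 1.1' -WhatIf
Enable-SchannelProtocol -Protocol 'TLS 1.2' -WhatIf
```

Keeping the audit output from before and after the change, together with the external scan result, gives the evidence the PCI assessor will ask for, and makes it straightforward to revert a single key if a client (Outlook Anywhere, an older browser) turns out not to negotiate the newer protocol.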
