Solved

Beast vulnerability PCI compliance

Posted on 2013-01-09
Last Modified: 2013-01-14
Hello,

We just failed our PCI compliance test due to the BEAST vulnerability on our servers. Can anyone help me with how to correct this, and also let me know if it is going to break anything on the web servers or on the Exchange server? Is there an easy way to correct this? What should I look out for after attempting the fix? Is there a chance it will make things not work in any sort of way?

Thanks in advance.
Question by:Tim Lewis
5 Comments

Expert Comment

by:btan
ID: 38761728
You should check out this; primarily, the clean way is to go for TLS 1.2. Microsoft has even released a patch to adjust the crypto part. You can also catch the PhoneFactor PDF in the linked answer.

http://security.stackexchange.com/questions/14326/how-to-fix-ssl-2-0-and-beast-on-iis

Author Comment

by:Tim Lewis
ID: 38762735
Do you know if changing these ciphers has any effect on the way Exchange 2010 functions? I read somewhere that making this change could make certain services and server functions not work. Thank you.

Accepted Solution

by:btan (earned 400 total points)
ID: 38762833
You should look at the last post of this forum thread:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/5e17d836-39f7-4246-a382-b073d1130079

I don't think it should, but as it impacts all SSL communication (Outlook Anywhere running RDP over HTTP), the crypto will need the client to be able to communicate at that level as well.

http://technet.microsoft.com/en-us/library/cc179036.aspx

TLS affects the following, and anything associated with them, whether it is Exchange or other services that need them, can be implicated:

http://msdn.microsoft.com/en-us/library/aa380516(v=vs.85).aspx

To use TLS for client/server communication:

    Handshake and cipher suite negotiation
    Authentication of parties
    Key-related information exchange
    Application data exchange

Nonetheless, it is best to test it out on staging first.

Expert Comment

by:ahoffmann
ID: 38763187
To not be vulnerable to BEAST, you need to use SSLv3 or TLSv1.1 with the RC4-MD5 or RC4-SHA cipher.

Assisted Solution

by:Netflo (earned 100 total points)
ID: 38764902
Hi,

The tried and tested solution you want is on this link: http://blogs.msdn.com/b/kaushal/archive/2011/10/03/taming-the-beast-browser-exploit-against-ssl-tls.aspx

After implementing the changes, you'll need to reboot your servers, and yes, your Exchange server will continue to work as expected. I've personally applied this to all servers with no issues or side effects.

You can use https://www.ssllabs.com/ssltest/index.html to verify if you've closed that vulnerability on your public facing server as well.

Hope this helps.
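As an added example, not part of the original thread or of the linked articles, the script below does on the server itself what the answers above describe doing by hand: it reads the SChannel protocol keys and the "SSL Cipher Suite Order" policy value, reports whether a client that can only speak SSL 3.0/TLS 1.0 would still be handed a CBC suite (the condition a PCI scanner flags as BEAST), and with -Apply writes the 2008 R2-era remediation: SSL 2.0 off, TLS 1.1/1.2 on, and a cipher suite order that places TLS 1.2-only suites and RC4 ahead of CBC. The registry key and value names are the documented SChannel ones; the specific suite list and the assumption that a missing key means the Windows default are mine and should be adjusted for your servers.

```powershell
# Added example (not from the original thread). Audit, and optionally apply, the SChannel
# settings used for BEAST remediation on Windows Server 2008 R2 / IIS / Exchange 2010.
# Assumptions: run elevated; a missing protocol key means the OS default (SSL 3.0 and
# TLS 1.0 on, SSL 2.0 on server-side); the suite order below is illustrative.
# SChannel reads these values at boot, so a reboot is required after -Apply.
param(
    [switch]$Apply   # default is report-only
)

$ProtocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$OrderKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Desired protocol state: Enabled=0/DisabledByDefault=1 turns a protocol off.
$DesiredProtocols = @{
    'SSL 2.0\Server' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.1\Server' = @{ Enabled = 1; DisabledByDefault = 0 }
    'TLS 1.1\Client' = @{ Enabled = 1; DisabledByDefault = 0 }
    'TLS 1.2\Server' = @{ Enabled = 1; DisabledByDefault = 0 }
    'TLS 1.2\Client' = @{ Enabled = 1; DisabledByDefault = 0 }
}

# Assumed order: TLS 1.2-only suites first, then RC4 for SSL 3.0/TLS 1.0 clients, CBC last.
$DesiredOrder = @(
    'TLS_RSA_WITH_AES_256_CBC_SHA256'
    'TLS_RSA_WITH_AES_128_CBC_SHA256'
    'TLS_RSA_WITH_RC4_128_SHA'
    'TLS_RSA_WITH_RC4_128_MD5'
    'TLS_RSA_WITH_AES_256_CBC_SHA'
    'TLS_RSA_WITH_AES_128_CBC_SHA'
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
)

function Get-SchannelProtocolState {
    # One row per protocol/side; 'default' means no explicit value is present in the registry.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $key   = Join-Path $ProtocolRoot "$proto\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = if ($props -and $null -ne $props.Enabled) { $props.Enabled } else { 'default' }
                DisabledByDefault = if ($props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
            }
        }
    }
}

function Get-CipherSuiteOrder {
    # The "SSL Cipher Suite Order" policy is stored as one comma-separated REG_SZ named Functions.
    if (-not (Test-Path $OrderKey)) { return @() }
    $raw = (Get-ItemProperty -Path $OrderKey).Functions
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-BeastExposure {
    # SChannel honours the server's order. A TLS 1.0 client cannot take SHA256/SHA384 or GCM
    # suites, so the first suite without those is what it gets; CBC there is the BEAST condition.
    $order = Get-CipherSuiteOrder
    if ($order.Count -eq 0) {
        return [pscustomobject]@{ FirstLegacySuite = '(Windows default order)'; Exposed = $true
                                  Note = 'No policy set; the default order offers AES-CBC to TLS 1.0 clients' }
    }
    $first = $order | Where-Object { $_ -notmatch 'SHA256|SHA384|_GCM_' } | Select-Object -First 1
    $note = if (-not $first)               { 'No suite usable below TLS 1.2; legacy clients will fail to connect' }
            elseif ($first -match '_RC4_') { 'RC4 offered first to legacy clients; scanner BEAST finding should clear' }
            else                           { 'CBC offered first to legacy clients' }
    [pscustomobject]@{ FirstLegacySuite = $first; Exposed = [bool]($first -match '_CBC_'); Note = $note }
}

function Set-BeastMitigation {
    # Write the protocol DWORDs and the cipher suite order; existing keys are left in place.
    foreach ($sub in $DesiredProtocols.Keys) {
        $key = Join-Path $ProtocolRoot $sub
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $DesiredProtocols[$sub].Keys) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $DesiredProtocols[$sub][$name] -Force | Out-Null
        }
    }
    if (-not (Test-Path $OrderKey)) { New-Item -Path $OrderKey -Force | Out-Null }
    New-ItemProperty -Path $OrderKey -Name Functions -PropertyType String -Value ($DesiredOrder -join ',') -Force | Out-Null
}

Get-SchannelProtocolState | Format-Table -AutoSize
Test-BeastExposure | Format-List

if ($Apply) {
    Set-BeastMitigation
    Write-Host 'SChannel settings written. Reboot, re-run this script, then re-scan externally (e.g. SSL Labs).'
}
```

Run it once without -Apply on the staging box the accepted solution suggests, compare the report against what the PCI scanner complained about, then -Apply, reboot and re-check with the SSL Labs test Netflo links. The protocol changes affect every SChannel consumer on the host, so after the reboot exercise Outlook Anywhere, ActiveSync and OWA from a real client before touching production. One caveat the 2013 answers could not know: RC4 has since been shown weak and is prohibited in TLS by RFC 7465, so the RC4-first order only clears a BEAST scanner finding; the durable fix is to disable SSL 3.0 and TLS 1.0 once every client can negotiate TLS 1.2.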