Solved

Beast vulnerability PCI compliance

Posted on 2013-01-09
5
1,101 Views
Last Modified: 2013-01-14
Hello,

We just failed our PCI compliance test due to beast vulnerability on our servers.  Can anyone help me with how to correct this and also let me know if it is going to break anything on the web servers or on the Exchange server.  Is there an easy way to correct this?  What should I look out for after attempting the fix?  Is there a chance it will make things not work in any sort of way?

Thanks in advance.
0
Question by:Tim Lewis
5 Comments
 
LVL 64

Expert Comment

by:btan
ID: 38761728
You should check this out; primarily, the clean way is to go for TLS 1.2. There is even a patch released by Microsoft to adjust the crypto part. You can also catch the PhoneFactor PDF in the linked answer.

http://security.stackexchange.com/questions/14326/how-to-fix-ssl-2-0-and-beast-on-iis
0
 

Author Comment

by:Tim Lewis
ID: 38762735
Do you know if changing these ciphers has any effect on the way Exchange 2010 functions?  I read somewhere that making this change could make certain services and server functions not work.  Thank you.
0
 
LVL 64

Accepted Solution

by:
btan earned 400 total points
ID: 38762833
You should look at the last post of this forum thread:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/5e17d836-39f7-4246-a382-b073d1130079

I don't think it should, but as it impacts all SSL communication (Outlook Anywhere running RDP over HTTP), the crypto will need the client to be able to communicate at that level as well.

http://technet.microsoft.com/en-us/library/cc179036.aspx

TLS affects the following, and those associated with them, whether Exchange or other services needing these, can be implicated:

http://msdn.microsoft.com/en-us/library/aa380516(v=vs.85).aspx

To use TLS for client/server communication

Handshake and cipher suite negotiation
Authentication of parties
Key-related information exchange
Application data exchange

Nonetheless, it is best to test out on staging first.
0
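The registry changes the links above describe (the SChannel protocol switches plus the SSL cipher suite order policy), as an added worked example that is not part of this thread and is not Microsoft's own tooling. The key paths are the standard SChannel and cipher-suite-order policy locations; the cipher suite list is illustrative (an assumption) and must be checked against the suites your Windows build actually supports. The script enables TLS 1.1/1.2, turns off SSL 2.0 and SSL 3.0 (SSL 3.0 has the same CBC weakness as TLS 1.0), and puts AEAD (GCM) suites first. The 2011-era workaround of placing RC4 first also sidesteps BEAST, but RC4 has since been prohibited for TLS (RFC 7465), so it is left out here. Run it as Administrator with -WhatIf to preview, keep the backup it writes, test on staging, and reboot afterwards.

```powershell
# Added example: configure SChannel protocols and the cipher suite order on a
# Windows/IIS/Exchange host. Not from the thread. Run as Administrator;
# test on staging first; a reboot is needed before the settings apply.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$DisableProtocols = @('SSL 2.0', 'SSL 3.0'),
    [string[]]$EnableProtocols  = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'),
    # Illustrative order (assumption): names must match the suites your OS
    # build supports, and the whole value is limited to 1023 characters.
    [string[]]$CipherSuiteOrder = @(
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
        'TLS_RSA_WITH_AES_256_CBC_SHA256',
        'TLS_RSA_WITH_AES_128_CBC_SHA256',
        'TLS_RSA_WITH_AES_128_CBC_SHA'
    )
)

$schannelKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$cipherPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Set-SchannelProtocol {
    # Writes Enabled / DisabledByDefault for both the Server and Client side
    # of one protocol, e.g. ...\Protocols\TLS 1.2\Server.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = "$schannelKey\Protocols\$Name\$side"
        if ($PSCmdlet.ShouldProcess($key, "Enabled=$([int]$Enabled)")) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
                -Value ([int]$Enabled) -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
                -Value ([int](-not $Enabled)) -Force | Out-Null
        }
    }
}

function Set-CipherSuiteOrder {
    # Same value the "SSL Cipher Suite Order" Group Policy writes: a single
    # comma-separated REG_SZ named Functions.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Order)
    $value = $Order -join ','
    if ($value.Length -gt 1023) {
        throw "Cipher suite order is $($value.Length) characters; the limit is 1023."
    }
    if ($PSCmdlet.ShouldProcess($cipherPolicy, 'Functions=<cipher suite order>')) {
        New-Item -Path $cipherPolicy -Force | Out-Null
        New-ItemProperty -Path $cipherPolicy -Name 'Functions' -PropertyType String `
            -Value $value -Force | Out-Null
    }
}

# Back up the whole SCHANNEL key before touching it (skipped under -WhatIf).
if (-not $WhatIfPreference) {
    $backup = Join-Path $env:TEMP ('schannel-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $backup /y | Out-Null
    Write-Host "Backup written to $backup"
}

foreach ($p in $DisableProtocols) { Set-SchannelProtocol -Name $p -Enabled $false }
foreach ($p in $EnableProtocols)  { Set-SchannelProtocol -Name $p -Enabled $true }
Set-CipherSuiteOrder -Order $CipherSuiteOrder

Write-Host 'SChannel settings written. A reboot is required before they take effect.'
```

TLS 1.0 is left enabled on purpose: the thread's own caveat applies, in that older Outlook and mobile clients may not negotiate anything newer, and BEAST is avoided under TLS 1.0 by the cipher order rather than by removing the protocol. Disable it only after the probe below and your client inventory show nothing still depends on it.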
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38763187
To not be vulnerable to BEAST, you need to use SSLv3 or TLSv1.1 with the RC4-MD5 or RC4-SHA cipher.
0
 
LVL 18

Assisted Solution

by:Netflo
Netflo earned 100 total points
ID: 38764902
Hi,

The tried and tested solution you want is on this link: http://blogs.msdn.com/b/kaushal/archive/2011/10/03/taming-the-beast-browser-exploit-against-ssl-tls.aspx

After implementing the changes, you'll need to reboot your servers, and yes, your Exchange server will continue to work as expected. I've personally applied this to all servers with no issues or side effects.

You can use https://www.ssllabs.com/ssltest/index.html to verify that you've closed that vulnerability on your public-facing server as well.

Hope this helps.
0
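A local check to complement the SSL Labs scan, as an added example that is not part of the thread: it uses .NET's SslStream to negotiate with the server at one fixed protocol version at a time and reports the cipher it got. The BEAST condition is a block (CBC) cipher negotiated under SSL 3.0 or TLS 1.0; under those versions a CipherAlgorithm of Aes, TripleDes, Des or Rc2 always means CBC, because AEAD suites only exist in TLS 1.2 and later. The host name and port are parameters you supply; certificate validation is deliberately bypassed because only the negotiated parameters matter here, so do not reuse that callback elsewhere. A failure for Ssl3 or Tls from a modern client usually means the client itself has them disabled, not that the server is fixed, so that row reports an error rather than a verdict.

```powershell
# Added example: per-protocol TLS handshake probe using .NET SslStream.
# Not from the thread. Usage: .\Test-Beast.ps1 -HostName mail.example.com
param(
    [Parameter(Mandatory = $true)][string]$HostName,   # assumption: your server
    [int]$Port = 443
)

function Test-TlsHandshake {
    # Connects, forces one SslProtocols value, and returns what was negotiated.
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $result = @{ Requested = "$Protocol"; Negotiated = 'none'; Cipher = 'none';
                 Bits = 0; Hash = 'none'; BeastExposed = $false; Error = $null }
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate: we want negotiated parameters, not a trust decision.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)

        $proto  = "$($ssl.SslProtocol)"
        $cipher = "$($ssl.CipherAlgorithm)"
        $result.Negotiated = $proto
        $result.Cipher     = $cipher
        $result.Bits       = $ssl.CipherStrength
        $result.Hash       = "$($ssl.HashAlgorithm)"
        # CBC under SSL 3.0 / TLS 1.0 is the BEAST condition; RC4 and NULL are not CBC.
        $result.BeastExposed = (@('Ssl3', 'Tls') -contains $proto) -and (-not (@('Rc4', 'Null', 'None') -contains $cipher))
        $ssl.Close()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $tcp.Close()
    }
    New-Object PSObject -Property $result
}

# Probe each version separately; a version the local .NET runtime does not
# define (e.g. Tls11 on old frameworks) is skipped with a warning.
$results = foreach ($name in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    try { $proto = [System.Security.Authentication.SslProtocols]$name }
    catch { Write-Warning "$name is not defined in this .NET runtime"; continue }
    Test-TlsHandshake -HostName $HostName -Port $Port -Protocol $proto
}
$results | Format-Table Requested, Negotiated, Cipher, Bits, Hash, BeastExposed, Error -AutoSize
```

Run it from a client that still has TLS 1.0 enabled, both before and after the reboot: the fix has landed when the Tls row negotiates Rc4 (the 2011-era ordering) or, better, when Tls12 is offered with an AES suite and the Tls row no longer shows BeastExposed as True.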
