  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1107

Beast vulnerability PCI compliance

Hello,

We just failed our PCI compliance test due to beast vulnerability on our servers.  Can anyone help me with how to correct this and also let me know if it is going to break anything on the web servers or on the Exchange server.  Is there an easy way to correct this?  What should I look out for after attempting the fix?  Is there a chance it will make things not work in any sort of way?

Thanks in advance.
0
Tim Lewis
Asked:
Tim Lewis
2 Solutions
 
btanExec ConsultantCommented:
You should check this out; primarily, the clean way is to go for TLS 1.2. There is even a patch released by Microsoft to adjust the crypto part. You can also catch the PhoneFactor PDF in the linked answer.

http://security.stackexchange.com/questions/14326/how-to-fix-ssl-2-0-and-beast-on-iis
0
 
Tim LewisNetwork ManagerAuthor Commented:
Do you know if changing these ciphers has any effect on the way Exchange 2010 functions? I read somewhere that making this change could make certain services and server functions not work. Thank you.
0
 
btanExec ConsultantCommented:
You should look at the last post of this forum thread:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/5e17d836-39f7-4246-a382-b073d1130079

I don't think it should, but as it impacts all SSL communication (Outlook Anywhere running RDP over HTTP), the crypto will need the client to be able to communicate at that level as well.

http://technet.microsoft.com/en-us/library/cc179036.aspx

TLS affects the following, and whatever is associated with them, regardless of whether it is Exchange or other services needing these, can be implicated:

http://msdn.microsoft.com/en-us/library/aa380516(v=vs.85).aspx

To use TLS for client/server communication

Handshake and cipher suite negotiation
Authentication of parties
Key-related information exchange
Application data exchange

Nonetheless, it is best to test out on staging first.
0
 
ahoffmannCommented:
To not be vulnerable to BEAST, you need to use SSLv3 or TLSv1.1 with the RC4-MD5 or RC4-SHA cipher.
0
 
NetfloCommented:
Hi,

The tried and tested solution you want is on this link: http://blogs.msdn.com/b/kaushal/archive/2011/10/03/taming-the-beast-browser-exploit-against-ssl-tls.aspx

After implementing the changes, you'll need to reboot your servers and yes your Exchange server will continue to work as expected. I've personally applied this to all servers with no issues or side effects.

You can use https://www.ssllabs.com/ssltest/index.html to verify whether you've closed that vulnerability on your public-facing server as well.

Hope this helps.
0
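For a scriptable check of the same thing the SSL Labs test reports, here is an added example (not code from any of the posters above, and not a Microsoft tool). It classifies a negotiated (protocol, cipher) pair as BEAST-exposed, i.e. a CBC-mode suite under SSLv3 or TLS 1.0, and optionally probes a host with a TLS 1.0-only client to see what it still negotiates after the registry changes; the host name and port are assumptions you supply.

```python
"""Classify a negotiated TLS session for BEAST exposure and probe a host.

Added example, not from the thread. BEAST applies to CBC-mode ciphers under
SSLv3/TLS 1.0; TLS 1.1+ changes the IV handling, and stream (RC4) or AEAD
(GCM/CCM/ChaCha20) suites are not affected.
"""
import socket
import ssl


def beast_exposed(protocol: str, cipher: str) -> bool:
    """Return True if this (protocol, cipher) pair is exposed to BEAST.

    protocol: as reported by SSLSocket.version(), e.g. 'TLSv1', 'TLSv1.2'.
    cipher:   OpenSSL cipher name, e.g. 'AES128-SHA', 'ECDHE-RSA-AES256-GCM-SHA384'.
    """
    if protocol not in ("SSLv3", "TLSv1"):
        return False                     # TLS 1.1+ uses explicit per-record IVs
    name = cipher.upper()
    if any(tag in name for tag in ("RC4", "GCM", "CCM", "CHACHA")):
        return False                     # stream cipher or AEAD, no CBC chaining
    return True                          # CBC suite under SSLv3/TLS 1.0


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Handshake with a TLS 1.0-only client and report (protocol, cipher, exposed).

    Returns None when the server refuses TLS 1.0 (the desired state once it is
    disabled in SCHANNEL) or when the local OpenSSL will not offer it at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # we are probing configuration, not trust
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1
        ctx.set_ciphers("ALL:@SECLEVEL=0")   # let OpenSSL offer legacy suites
    except (ssl.SSLError, ValueError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                proto = tls.version()
                cipher = tls.cipher()[0]
                return proto, cipher, beast_exposed(proto, cipher)
    except (ssl.SSLError, OSError):
        return None
```

A result of `None` from `probe()` means TLS 1.0 was not negotiable at all, which is the outcome you want after the fix; a tuple ending in `True` means a CBC suite over TLS 1.0 is still being served.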
