SloanIT
asked on
SSL 3.0 and TLS 1.0 BEAST - use TLS 1.1 and/or TLS 1.2? How?
We've had a security scan recently and found that SSL 3.0 and TLS 1.0, which is being used on our Exchange server is susceptible by BEAST attacks. According to MS under this article, http://technet.microsoft.com/en-us/security/bulletin/ms12-006, and several other related KB's for patching or registry key changes should allow for disabling TLS 1.0 and force use of TLS 1.1 or higher. Though, there are issues with TLS 1.1 and 1.2 which suggests various disadvantages with webpages not connecting/working.
Anyway, I tried using the patches provided, http://www.microsoft.com/en-us/download/search.aspx?q=kb2585542, but execution of the patch file states that the patch is incompatible with the corresponding server. Knowing that I downloaded the Windows 2008 server patch and ran it on a Windows 2008 server, I was receiving the error.
I thought that if this key is set to a value of 2, it might prevent the use of the patch indicated above. So I attempted to look for the schannel registry key, sendextrarecord, it does not exist.
Can someone shed some light on this issue? I need another set of eyes or some advise on what to do in order to comply with the security measures suggested by the penetration scan/test. Or if someone can advise if we should even comply with this particular suggestion from the scan?
Anyway, I tried using the patches provided, http://www.microsoft.com/en-us/download/search.aspx?q=kb2585542, but execution of the patch file states that the patch is incompatible with the corresponding server. Knowing that I downloaded the Windows 2008 server patch and ran it on a Windows 2008 server, I was receiving the error.
I thought that if this key is set to a value of 2, it might prevent the use of the patch indicated above. So I attempted to look for the schannel registry key, sendextrarecord, it does not exist.
Can someone shed some light on this issue? I need another set of eyes or some advise on what to do in order to comply with the security measures suggested by the penetration scan/test. Or if someone can advise if we should even comply with this particular suggestion from the scan?
ASKER
I am not sure how this answers the question. Maybe I am not reading clearly, but it looks as if the server versions that I am using are not tls1.1 or 1.2 compatible.
The mbsa may helps to do the check and the link has the pre- req of I recalled correctly. I will try to do any manual editing in registry. .maybe on staging server first
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
called MS technical support and that's what they said
Subsequent release of KB2643584 was introduced to address the compatibility issues caused by the MS12-006 security patch. To disable SendExtraRecord (set to 2) means the patch applied on the server and the server is exposed to the vulnerability again.
http://blogs.msdn.com/b/kaushal/archive/2012/01/21/fixing-the-beast.aspx