Solved

SSL 3.0 and TLS 1.0 BEAST - use TLS 1.1 and/or TLS 1.2?  How?

Posted on 2013-01-17
5
1,812 Views
Last Modified: 2013-02-12
We've had a security scan recently and found that SSL 3.0 and TLS 1.0, which are being used on our Exchange server, are susceptible to BEAST attacks.  According to MS under this article, http://technet.microsoft.com/en-us/security/bulletin/ms12-006, and several other related KBs, patching or registry key changes should allow for disabling TLS 1.0 and forcing use of TLS 1.1 or higher.  Though, there are issues with TLS 1.1 and 1.2, which suggests various disadvantages with webpages not connecting/working.

Anyway, I tried using the patches provided, http://www.microsoft.com/en-us/download/search.aspx?q=kb2585542, but execution of the patch file states that the patch is incompatible with the corresponding server.  Even though I downloaded the Windows 2008 server patch and ran it on a Windows 2008 server, I was receiving the error.

I thought that if this key is set to a value of 2, it might prevent the use of the patch indicated above.  So I attempted to look for the schannel registry key, SendExtraRecord, but it does not exist.

Can someone shed some light on this issue?  I need another set of eyes or some advice on what to do in order to comply with the security measures suggested by the penetration scan/test.  Or can someone advise whether we should even comply with this particular suggestion from the scan?
0
Question by:SloanIT
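A read-only PowerShell audit of the Schannel registry settings this question is about (an added example, not code from the thread or from Microsoft). It assumes the SendExtraRecord value documented in KB2643584 and the per-protocol Server subkeys under SCHANNEL\Protocols used by MS12-006 guidance, and only reports what is configured, so it can be run on the Exchange server before deciding on any registry change:

```powershell
# Added example: report the Schannel settings relevant to the BEAST mitigation.
# Read-only; run in an elevated PowerShell on the server being scanned.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# SendExtraRecord (KB2643584): absent or 0 = split records except for known
# incompatible applications, 1 = always split, 2 = never split, which turns the
# MS12-006 mitigation off again.
$ser = Get-ItemProperty -Path $schannel -Name SendExtraRecord -ErrorAction SilentlyContinue
if ($null -eq $ser) {
    Write-Output 'SendExtraRecord: not present (default: record splitting enabled)'
} else {
    $meaning = switch ($ser.SendExtraRecord) {
        0       { 'default, split records for most applications' }
        1       { 'always split records' }
        2       { 'never split records; MS12-006 mitigation disabled' }
        default { 'unexpected value' }
    }
    Write-Output ('SendExtraRecord: {0} ({1})' -f $ser.SendExtraRecord, $meaning)
}

# Protocol enablement: each protocol may have a Server subkey with Enabled and
# DisabledByDefault DWORDs. A missing key means the OS default applies; on
# platforms that do not implement TLS 1.1/1.2 the key alone cannot enable them.
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $path = Join-Path $schannel "Protocols\$proto\Server"
    if (-not (Test-Path $path)) {
        Write-Output "$proto Server: key absent (OS default)"
        continue
    }
    $p = Get-ItemProperty -Path $path
    $enabled = if ($null -ne $p.Enabled) { $p.Enabled } else { 'unset' }
    $dbd     = if ($null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { 'unset' }
    Write-Output "$proto Server: Enabled=$enabled DisabledByDefault=$dbd"
}
```

Seeing SendExtraRecord absent or 0 alongside the MS12-006 patch installed is the expected mitigated state; a value of 2 is what the comments below warn about.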
5 Comments
 
LVL 63

Expert Comment

by:btan
ID: 38795762
Another means is to use MBSA to check, as advised in MS12-006; see under Detection and Deployment Tools and Guidance. It states the minimal 2008 baseline to apply the patch, e.g. 2008 SP2 or 2008 R2 or 2008 R2 SP1.

A subsequent release, KB2643584, was introduced to address the compatibility issues caused by the MS12-006 security patch. Disabling SendExtraRecord (setting it to 2) means the patch is applied on the server but the server is exposed to the vulnerability again.

http://blogs.msdn.com/b/kaushal/archive/2012/01/21/fixing-the-beast.aspx
0
 

Author Comment

by:SloanIT
ID: 38799942
I am not sure how this answers the question.  Maybe I am not reading clearly, but it looks as if the server versions that I am using are not TLS 1.1 or 1.2 compatible.
0
 
LVL 63

Expert Comment

by:btan
ID: 38799952
MBSA may help to do the check, and the link has the prerequisites if I recalled correctly. I will try to do any manual editing in the registry... maybe on a staging server first.
0
 

Accepted Solution

by:SloanIT (earned 0 total points)
ID: 38866747
Turns out that the articles are quite confusing.  The patches for this are already installed.  My two servers, 2003 and 2008 (non-R2), do not support anything higher than TLS 1.0.
0
 

Author Closing Comment

by:SloanIT
ID: 38879537
Called MS technical support, and that's what they said.
0