Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Failing SSL report at SSL Labs

Posted on 2013-12-05
5
Medium Priority
?
2,780 Views
Last Modified: 2013-12-23
Hi,

We’re getting an F: grade for our Webmail URL on  https://www.ssllabs.com/ssltest/analyze.html the reason being:

##############
This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F:
##############

The URL that’s failing is a link for OWA that’s goes our Firewall > TMG > Exchange 2010.  TMG and Exchange are both 2008 r2 SP1 x64 and fully MS patched.  I’ve done a bit of reading and found a tool that apparently should fix called "IIS Crypto"

https://www.nartac.com/Products/IISCrypto/

I’ve run on the TMG server and rebooted but it’s still failing. ):

What exactly should we be doing to fix this and on which server (e.g. TMG or Exchange)?


Cheers
0
Comment
Question by:kswan_expert
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 64

Accepted Solution

by:
btan earned 1500 total points
ID: 39700643
rightfully if the requests is to be consumed by the exchange server, TMG should be not part of the assessment. You may want to check if TMG on supporting secure ssl renegotiation
http://www.carbonwind.net/blog/post/Forefront-TMG-2010-now-supports-the-secure-TLS-renegotiation-extension.aspx

Good to take note of this as well
http://social.technet.microsoft.com/Forums/forefront/en-US/dae29c85-0714-48fb-873e-0e93936ff67d/tmg-vulnerable-to-beast-attack-qualys-ssl-lab-test?forum=Forefrontedgegeneral

Overall, I suggest you also check this EE - the MITM is covered under addressing item (2). Extracted one of the patches to address the vulnerabilities. See in the MS bulletion on "TLS/SSL Renegotiation Vulnerability - CVE-2009-3555"

http://www.experts-exchange.com/Security/Vulnerabilities/Q_28282855.html

b) CVE-2009-3555 which is SSL/TLS renegotiation vulnerability
http://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2009-3555
> Microsoft release security bulletin which you can drill into  Vulnerability Information (based on the CVE) and the affected version. The Microsoft Baseline Security Analyzer should be able to check if this bulletin is installed in the machine

@ http://technet.microsoft.com/en-us/security/bulletin/MS10-049
0
 

Author Comment

by:kswan_expert
ID: 39707023
Thanks, will have a look at the Exchanger server.  I'm a bit wary of running IIS crypto on our Prod Exchange VM so will see if i can find the reg changes to add manually. The URL mentioned in your link above for MITM is dead. ):
0
 
LVL 64

Expert Comment

by:btan
ID: 39707384
Sure keep us posted. Rather not introduce another lockdown tool unnecessarily
0
 

Author Comment

by:kswan_expert
ID: 39735073
Fixed!!

If interested -

On TMG server under ---  HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\

added

DisableRenegoOnServer      1
AllowInsecureRenegoClients       0


See article but needed to add
http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html


Thanks breadtan
0
 
LVL 64

Expert Comment

by:btan
ID: 39735894
thanks for sharing!
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have been asked to explain on many, many occasions the correct way to setup network cards and DNS settings on ISA Server 2004, 2006 and forefront Threat management gateway (FTMG) and have willing done so. I have also promised my self everytime tha…
SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question