Troubleshooting question

PCI Compliance - SBS 2008

Asked by Daniel Bertolone (United Kingdom)
Tags: SBS, Encryption, SSL / HTTPS
9 comments, 2 solutions, 1943 views
Evening All

A client of mine has recently failed his PCI compliance test in two areas:

1: SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
Resolution: Disable SSLv3.

2: Microsoft Exchange Client Access Server Information Disclosure
Resolution: There is no known fix at this time.

Originally he failed the test a few months back because of the standard certificate his server was using. We managed to rectify this by installing a verified SSL cert. We also had to disable SSLv2 on the server, as the test was also complaining about this.

Now, can anybody advise whether disabling SSLv3 is OK to do? I'm almost certain we need at least one variant of it running on the server.

As for the Exchange error, if there is no known fix, how can Security Metrics expect my client to pass the test?

Any help is greatly appreciated!
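The SSLv3 resolution the scan asks for is a SChannel registry change on Windows. The following PowerShell is an added example, not code from the question or from the accepted answer: it disables the server side of SSL 3.0 only and reads the protocol state back so the change can be verified before the rescan. The registry path and the `Enabled` / `DisabledByDefault` values are the documented SChannel settings; the function names are the example's own. It leaves the `Client` subkey (outbound TLS the server itself initiates) and the TLS 1.x keys untouched, and it must be run from an elevated prompt on the SBS 2008 box, followed by a reboot, because SChannel reads these keys at startup.

```powershell
# Added example: disable SSL 3.0 for incoming connections on Windows Server 2008 / SBS 2008
# and report the SChannel protocol state. Function names are illustrative; the registry
# locations are the standard SChannel protocol keys.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$sslv3Server = Join-Path $base 'SSL 3.0\Server'

function Disable-SslV3Server {
    # Create the 'SSL 3.0\Server' key if it is absent (it usually is, so the OS default applies).
    if (-not (Test-Path $sslv3Server)) {
        New-Item -Path $sslv3Server -Force | Out-Null
    }
    # Enabled = 0 switches the protocol off; DisabledByDefault = 1 keeps it off even when an
    # application asks for the system default protocol set.
    New-ItemProperty -Path $sslv3Server -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $sslv3Server -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-SChannelProtocolState {
    # One object per protocol and side. A missing key or value means the OS default is in
    # effect, which on Server 2008 includes SSL 3.0 unless it has been disabled explicitly.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $base "$proto\$side"
            $enabled = $null
            if (Test-Path $key) {
                $enabled = (Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
            }
            $state = 'not set (OS default)'
            if ($enabled -ne $null) { $state = $enabled }
            New-Object PSObject -Property @{
                Protocol = $proto
                Side     = $side
                Enabled  = $state
            }
        }
    }
}

# Usage (elevated PowerShell on the SBS 2008 server):
Disable-SslV3Server
Get-SChannelProtocolState | Sort-Object Protocol, Side | Format-Table Protocol, Side, Enabled -AutoSize
Write-Host 'SSL 3.0 (server side) disabled in the registry; reboot for SChannel to pick up the change.'
```

After the reboot, the scanner's own view can be reproduced from another machine with `openssl s_client -ssl3 -connect <server>:443`, which should now fail to negotiate; note that many current OpenSSL builds are compiled without SSLv3 support, in which case the `-ssl3` option itself is unavailable and the check has to come from a build that still includes it. TLS 1.0 and above are separate protocols under their own sibling keys, so this change does not remove all SSL/TLS from the server, only the SSLv3 version that POODLE targets.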
Asker certified solution: David Johnson, CD