[ExchangeList] Re: ISA - Exchange and PCI Compliance

  • From: "Naphade, Milind" <milind.naphade@xxxxxxxxx>
  • To: exchangelist@xxxxxxxxxxxxx
  • Date: Sat, 19 Jun 2010 15:03:09 +0530

SSL 2.0 is enabled on Windows server computers by default. You disable it 
through the registry. From my experience, even though you disable it, VA tools like 
Nessus do not recognize it on 64-bit machines. You can also suggest your vendor 
check if it falls under false -ve reports if they are using Nessus. Also, 
if you disable SSL 2.0 then clients not compatible with 3.0 will have trouble. 
Office 2003 and later work just fine.

Sent using my mobile device.

-original message-
Subject: [ExchangeList] ISA - Exchange and PCI Compliance
From: Bret Hanson <Bhanson@xxxxxxxxxx>
Date: 18/06/2010 9:04 pm

I also posted this to the ISA list. I have the info I need for ISA but looking for an answer to the Exchange side.

We are running ISA 2006 EE publishing Exchange 2007 OWA & Outlook Anywhere. Recently we had a vulnerability scan done by a 3rd party as required by the Pay Card Industry (PCI).

The report came back with two problems on the public IP of the mail server.

1. SSLv2 Supported
2. SSL Weak Encryption Algorithms

Researching a solution to this issue has made me even more confused. Some say this needs to be fixed on the ISA box and other say on both ISA and Exchange. Anyone else dealt with this – can ya help a guy out?
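The registry change the reply above refers to, written out as an added example (not code from either poster): it disables SSL 2.0 for inbound connections and the weak ciphers behind the second finding, then reads the values back so the state can be confirmed independently of the scanner. It assumes PowerShell 2.0 or later on the Windows host that terminates the client SSL session, must run elevated, and needs a reboot before SCHANNEL picks up the new settings.

```powershell
# Added example, not from the thread. Hardens SCHANNEL through the registry,
# as the reply describes. Run elevated; reboot afterwards for it to take effect.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelProtocol {
    param([string]$Protocol, [string]$Side, [bool]$Enabled)
    $path = "HKLM:\$schannel\Protocols\$Protocol\$Side"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord `
        -Value ([int](-not $Enabled)) -Force | Out-Null
}

function Disable-SchannelCipher {
    param([string]$Cipher)
    # Cipher key names contain "/" (e.g. "RC4 40/128"), which the HKLM: drive
    # provider treats as a path separator, so go through .NET instead.
    $root = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\Ciphers")
    $key = $root.CreateSubKey($Cipher)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $root.Close()
}

# Finding 1 (SSLv2 Supported): turn SSL 2.0 off on the server side.
Set-SchannelProtocol -Protocol 'SSL 2.0' -Side 'Server' -Enabled $false

# Finding 2 (weak algorithms): turn off NULL, single-DES and export-grade ciphers.
$weakCiphers = 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
               'RC4 40/128', 'RC4 56/128', 'RC4 64/128'
$weakCiphers | ForEach-Object { Disable-SchannelCipher $_ }

# Verification: read the registry back rather than relying on the scanner,
# since the reply notes scanners have misreported the state on 64-bit hosts.
function Get-SchannelState {
    $ssl2 = Get-ItemProperty "HKLM:\$schannel\Protocols\SSL 2.0\Server" `
        -ErrorAction SilentlyContinue
    $off = $weakCiphers | Where-Object {
        $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\Ciphers\$_")
        $k -and $k.GetValue('Enabled') -eq 0
    }
    [pscustomobject]@{
        'SSL 2.0 server Enabled' = $ssl2.Enabled   # expect 0
        'Ciphers disabled'       = ($off -join ', ')
    }
}
Get-SchannelState
```

Apply this on whichever host actually negotiates the client's SSL session; the rest of the thread's question, whether Exchange behind ISA also needs it, depends on whether clients ever reach Exchange directly.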