Good points also. Actually, our head IPS technical guy gets it, and I saw him the other day at lunch and stopped to speak to him. He understands but has his paperwork to fill out. Turns out others are challenging the results given from PCI testing. Again, when challenging the results, have hard evidence to refute (i.e. registry printouts, etc.).

Steve Comeau
Associate Director of IT
Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Saturday, June 19, 2010 2:37 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA - Exchange and PCI Compliance

Steve,

Very good advice. You have to realize that these compliance guys are morons and totally clueless. If you challenge them, they'll give in - they don't want to risk a lawsuit.

Tom

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau
Sent: Saturday, June 19, 2010 1:03 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA - Exchange and PCI Compliance

I did it on both; however, the error also came up on my other ISA boxes that weren't serving OWA (or any HTTP/S protocol) - so I did it on those ISA boxes just to shut up our Information Protection Department. I've also gotten bogus warnings (failures) about the version of PPTP I'm using for site-to-site VPN as well as user VPN - yet the scan doesn't report the error on both end IPs. PCI is maddening. They kept failing our website for non-compliance, yet I kept telling them that our website doesn't collect credit card information - we link to a URL at Barnes and Noble to buy gear... so, I simply took that IP out of their range to scan. Don't hesitate to challenge the results with good, hard evidence.

Steve Comeau
Associate Director of IT
Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bret Hanson
Sent: Saturday, June 19, 2010 12:35 PM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: ISA - Exchange and PCI Compliance

So is it safe to say SSLv2 and the weak ciphers need to be disabled on the ISA box only?

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Saturday, June 19, 2010 11:21 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA - Exchange and PCI Compliance

...and http://blogs.technet.com/b/isablog/archive/2010/03/24/meet-pci-compliance-with-hyperguard-solution-by-a-forefront-tmg-business-partner.aspx

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
Sent: Wednesday, June 16, 2010 8:31 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA - Exchange and PCI Compliance

Check out http://blogs.isaserver.org/pouseele/2007/05/19/require-128-bit-encryption-for-https-traffic-with-isa-server-2006-part3/

HTH,
Stefaan

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Bret Hanson
Sent: Wednesday, June 16, 2010 17:23
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] ISA - Exchange and PCI Compliance

We are running ISA 2006 EE publishing Exchange 2007 OWA & Outlook Anywhere. Recently we had a vulnerability scan done by a 3rd party as required by the Payment Card Industry (PCI). The report came back with two problems on the public IP of the mail server.

1. SSLv2 Supported
2. SSL Weak Encryption Algorithms

Researching a solution to this issue has made me even more confused. Some say this needs to be fixed on the ISA box and others say on both.
Anyone else dealt with this - can ya help a guy out?

Thanks!
Bret

*** This message contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Rutgers University - DIA 83 Rockafeller Road Piscataway, NJ 08854 www.scarletknights.com ***
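Steve's advice above is to bring registry printouts as hard evidence when a PCI scan flags SSLv2 or weak ciphers. The following is an added example, not code from any poster or from ISA Server: a PowerShell audit of the standard Schannel registry keys that control SSL 2.0 and the export-grade/NULL ciphers on the Windows host under ISA. It assumes PowerShell 2.0 or later in an elevated session on the ISA box, and treats a missing key or value as the Windows default (enabled), which is the case the scan would catch.

```powershell
# Added example (not from the thread): audit the Schannel registry keys that govern
# SSL 2.0 and weak ciphers on a Windows/ISA host and print their state as evidence.
# Assumes an elevated PowerShell 2.0+ session on the ISA box; key names are the
# standard SCHANNEL keys, and an absent "Enabled" value means the Windows default (on).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Items a PCI scan reports as "SSLv2 Supported" / "SSL Weak Encryption Algorithms":
# the SSL 2.0 server side and the NULL / export-grade ciphers. Each should read
# Enabled = 0 (REG_DWORD) after hardening.
$checks = @(
    @{ Name = 'SSL 2.0 (server)';  Path = "$base\Protocols\SSL 2.0\Server" },
    @{ Name = 'Cipher NULL';       Path = "$base\Ciphers\NULL" },
    @{ Name = 'Cipher DES 56/56';  Path = "$base\Ciphers\DES 56/56" },
    @{ Name = 'Cipher RC2 40/128'; Path = "$base\Ciphers\RC2 40/128" },
    @{ Name = 'Cipher RC2 56/128'; Path = "$base\Ciphers\RC2 56/128" },
    @{ Name = 'Cipher RC4 40/128'; Path = "$base\Ciphers\RC4 40/128" },
    @{ Name = 'Cipher RC4 56/128'; Path = "$base\Ciphers\RC4 56/128" },
    @{ Name = 'Cipher RC4 64/128'; Path = "$base\Ciphers\RC4 64/128" }
)

function Get-SchannelState {
    param([string]$Path)
    # A missing key or value means Windows falls back to its default, which for
    # these protocols and ciphers is "enabled", so absence is reported as a finding.
    if (-not (Test-Path $Path)) { return 'ENABLED (key absent, default applies)' }
    $v = (Get-ItemProperty -Path $Path -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $v) { return 'ENABLED (value absent, default applies)' }
    if ($v -eq 0)     { return 'disabled (Enabled=0)' }
    return "ENABLED (Enabled=$v)"
}

$report = foreach ($c in $checks) {
    New-Object PSObject -Property @{
        Item  = $c.Name
        Key   = $c.Path
        State = Get-SchannelState -Path $c.Path
    }
}

# Print the evidence table and a one-line verdict. The non-zero exit code lets the
# script double as a scheduled re-check after the reboot Schannel changes require.
"Schannel audit on $env:COMPUTERNAME at $(Get-Date -Format s)"
$report | Format-Table Item, State, Key -AutoSize
$open = @($report | Where-Object { $_.State -like 'ENABLED*' })
if ($open.Count -gt 0) { "FAIL: $($open.Count) item(s) still enabled"; exit 1 }
"PASS: SSL 2.0 and the listed weak ciphers are disabled in the registry"
```

The registry printout documents the host's configuration; the published IP should still be re-scanned after the reboot, since the scanner tests what Schannel actually negotiates on the wire.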