[isalist] Re: ISA - Exchange and PCI Compliance

  • From: Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 21 Jun 2010 09:45:19 -0400

Good points also.  Actually, our head IPS technical guy gets it, and I saw him 
the other day at lunch and stopped to speak to him.  He understands but has his 
paperwork to fill out.  Turns out others are challenging the results given from 
PCI testing.  Again, when challenging the results, have hard evidence to refute 
(i.e. registry printouts, etc.).

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com<http://www.scarletknights.com>


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Saturday, June 19, 2010 2:37 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA - Exchange and PCI Compliance

Steve,

Very good advice. You have to realize that these compliance guys are morons and 
totally clueless. If you challenge them, they'll give in - they don't want to 
risk a lawsuit.

Tom

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Saturday, June 19, 2010 1:03 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA - Exchange and PCI Compliance

I did it on both, however, the error also came up on my other ISA boxes that 
weren't serving OWA (or any HTTP/s protocol) - so I did it on those ISA boxes 
just to shut up our Information Protection Department.

I've also gotten bogus warnings (failures) about the version of PPTP I'm using 
for site-to-site VPN as well as user VPN - yet the scan doesn't report the 
error on both end IPs.  PCI is maddening.  They kept failing our website for 
non-compliancy, yet I kept telling them that our website doesn't collect credit 
card information - we link to a URL @ Barnes and Noble to buy gear... so, I 
simply took that IP out of their range to scan.  Don't hesitate to challenge 
the results with good, hard evidence.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com<http://www.scarletknights.com>


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Bret Hanson
Sent: Saturday, June 19, 2010 12:35 PM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: ISA - Exchange and PCI Compliance

So is it safe to say SSLv2 and the weak ciphers need to be disabled on the ISA 
box only?

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Saturday, June 19, 2010 11:21 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA - Exchange and PCI Compliance

..and 
http://blogs.technet.com/b/isablog/archive/2010/03/24/meet-pci-compliance-with-hyperguard-solution-by-a-forefront-tmg-business-partner.aspx

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Stefaan Pouseele
Sent: Wednesday, June 16, 2010 8:31 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA - Exchange and PCI Compliance

Check out 
http://blogs.isaserver.org/pouseele/2007/05/19/require-128-bit-encryption-for-https-traffic-with-isa-server-2006-part3/

HTH,
Stefaan

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Bret Hanson
Sent: Wednesday, 16 June 2010 17:23
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] ISA - Exchange and PCI Compliance

We are running ISA 2006 EE publishing Exchange 2007 OWA & Outlook Anywhere.  
Recently we had a vulnerability scan done by a 3rd party as required by the Pay 
Card Industry (PCI).

The report came back with two problems on the public IP of the mail server.

1. SSLv2 Supported
2. SSL Weak Encryption Algorithms

Researching a solution to this issue has made me even more confused.  Some say 
this needs to be fixed on the ISA box and other say on both.  Anyone else dealt 
with this - can ya help a guy out?


Thanks!

Bret



***  This message contains confidential information and is
intended only for the individual named. If you are not the
named addressee, you should not disseminate, distribute or
copy this e-mail. Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of
this message, which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
Rutgers University - DIA
83 Rockafeller Road
Piscataway, NJ 08854
www.scarletknights.com<http://www.scarletknights.com> ***
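The two scanner findings above (SSLv2 supported, weak SSL ciphers) map to SChannel registry settings on whichever Windows host terminates the HTTPS listener. The following script is an added example, not code from anyone in this thread: it audits those settings and, with -Fix, disables them, producing the kind of registry evidence Steve recommends keeping on hand. Which cipher keys count as "weak" is this example's assumption; the key names themselves are the documented SChannel ones.

```powershell
# Audit (and optionally remediate) SSLv2 and weak SChannel ciphers.
# Run elevated. SChannel reads these keys at boot, so a reboot follows any fix.
param([switch]$Fix)

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
# Subkeys whose 'Enabled' DWORD must be 0. The choice of "weak" ciphers is an
# assumption about what the PCI scanner flags; key names are SChannel's own.
$targets = @(
    'Protocols\SSL 2.0\Server',
    'Ciphers\NULL', 'Ciphers\DES 56/56',
    'Ciphers\RC2 40/128', 'Ciphers\RC2 56/128',
    'Ciphers\RC4 40/128', 'Ciphers\RC4 56/128'
)

# The PowerShell registry provider treats the '/' in names like "RC4 40/128"
# as a path separator, so the .NET registry API is used instead.
$hklm = [Microsoft.Win32.Registry]::LocalMachine
$findings = @()
foreach ($sub in $targets) {
    $path = "$base\$sub"
    $enabled = $null
    $key = $hklm.OpenSubKey($path, $false)
    if ($key -ne $null) { $enabled = $key.GetValue('Enabled'); $key.Close() }
    # A missing key or value means the OS default applies, which on
    # Windows Server 2003 leaves SSLv2 and these ciphers enabled.
    $compliant = ($enabled -ne $null) -and ([int]$enabled -eq 0)
    if ($Fix -and -not $compliant) {
        $key = $hklm.CreateSubKey($path)   # writable; creates the key if absent
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
        $enabled = 0; $compliant = $true
    }
    $findings += New-Object PSObject -Property @{
        Subkey = $sub; Enabled = $enabled; Compliant = $compliant }
}

# This table is the "registry printout" to keep as evidence for the auditors.
$findings | Format-Table Subkey, Enabled, Compliant -AutoSize
if ($Fix) { Write-Host 'Registry updated; reboot for SChannel to apply it.' }
```

Run it without -Fix first on each host the scanner targets, and re-run the external scan after the reboot to confirm the findings have cleared.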



