[isapros] Re: ISA Penetration Test - SSL Weak Cipher False Positive

  • From: "Jason Jones" <Jason.Jones@xxxxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 22 Mar 2007 08:35:09 -0000

Thanks Jim - so the ISA SSL listener is handed off to the OS and
Schannel.dll then? 

Surprised ISA doesn't have its own. What happens if there is a
vulnerability in this dll then, as I thought the OS was protected by the
ISA kernel mode driver?

Cheers for the feedback...

For those interested, the cipher restriction article is
http://support.microsoft.com/?kbid=245030 

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: 22 March 2007 01:28
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Penetration Test - SSL Weak Cipher False
Positive

ISA doesn't control this; Windows does.
The registry changes to limit SSL ciphers are the right answer.
The only choice you get with ISA is to require 128-bit SSL or not; the
only thing this affects about the choice of cipher suite is
(whodathunkit) the minimum cipher length.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Jones
Sent: Wednesday, March 21, 2007 5:30 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] ISA Penetration Test - SSL Weak Cipher False Positive

Hi All, 

After seeing a few ISA security or penetration tests a few times
recently, a common theme relating to weak SSL ciphers is appearing. The
first time this was reported by a customer, I contacted PSS who
explained that the issue was due to the fact that the operating system
would negotiate SSL at a low cipher strength irrespective of ISA and
that ISA would drop all weak cipher traffic if the "use 128 bit
encryption" option was enabled on the web listener. E.g. you *can*
negotiate a low cipher, but ISA will drop traffic that does not meet 128
bit. The 'SSL digger' tool is an example of how to generate the false
positive.

PSS provide a KB on how to configure the OS to only allow specific
ciphers, but this is pretty full on and includes some hardcore registry
changes. Not all customers have been keen to make these changes to pass
the tests.

Does anyone know if MS plans to create a KB to explain this false
positive when using ISA? If not, can someone suggest it is created to
provide customers with an explanation.

I am managing to convince most customers, but a few have asked for a
written response from Microsoft to confirm the issue is indeed a false
positive and not a legitimate issue.

Any help appreciated... 

JJ 
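For reference, the registry changes Jim and the KB 245030 article refer to can be scripted rather than typed in by hand. The script below is an added example, not code from the thread or from Microsoft: it disables the sub-128-bit and NULL cipher subkeys that KB 245030 documents under the SCHANNEL\Ciphers key and then reads the state back. The cipher subkey names, the Enabled value semantics (0 disables, 0xFFFFFFFF enables) and the key path are taken from that article; the function names and the choice of which ciphers to disable are this example's own.

```powershell
# Added example (not from the original thread): disable the sub-128-bit and
# NULL Schannel ciphers using the registry keys documented in KB 245030.
# Run as a local Administrator. Schannel reads these keys at start-up, so a
# reboot is needed before the change takes effect.

$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# Subkey names exactly as KB 245030 lists them. The names contain '/', which
# the PowerShell registry provider treats as a path separator, so the .NET
# RegistryKey API is used instead of New-Item / Set-ItemProperty.
$weakCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
                 'RC4 40/128', 'RC4 56/128', 'RC4 64/128')

# 'Triple DES 168/168' is the Windows Server 2003 name; later releases use
# 'Triple DES 168'. A name the local Schannel does not recognise is ignored,
# so writing both is harmless.
$strongCiphers = @('RC2 128/128', 'RC4 128/128', 'Triple DES 168/168', 'Triple DES 168')

function Set-SchannelCipher {
    param([string]$Name, [bool]$Enabled)
    # CreateSubKey opens the key writable if it exists and creates it otherwise.
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($ciphersPath)
    $key = $ciphers.CreateSubKey($Name)
    # KB 245030: Enabled = 0 disables the cipher, Enabled = 0xFFFFFFFF enables it.
    # -1 is stored as 0xFFFFFFFF in a REG_DWORD.
    $value = if ($Enabled) { -1 } else { 0 }
    $key.SetValue('Enabled', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    $ciphers.Close()
}

function Get-SchannelCipherState {
    # Report every cipher subkey present and how its Enabled value reads.
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath)
    foreach ($name in $ciphers.GetSubKeyNames()) {
        $key = $ciphers.OpenSubKey($name)
        $raw = $key.GetValue('Enabled')
        $state = if ($null -eq $raw) { 'default (enabled)' }
                 elseif ($raw -eq 0)  { 'disabled' }
                 else                 { 'enabled (0x{0:X8})' -f $raw }
        New-Object PSObject -Property @{ Cipher = $name; State = $state }
        $key.Close()
    }
    $ciphers.Close()
}

foreach ($c in $weakCiphers)   { Set-SchannelCipher -Name $c -Enabled $false }
foreach ($c in $strongCiphers) { Set-SchannelCipher -Name $c -Enabled $true }

Get-SchannelCipherState | Sort-Object Cipher | Format-Table -AutoSize
Write-Host 'Reboot required for Schannel to pick up the new cipher configuration.'
```

Two caveats worth stating to a customer before running this. First, the keys are machine-wide: they govern every Schannel consumer on the box (IIS, RDP, LDAPS, anything else using SSL/TLS on the host), not just the ISA web listener, so anything that still needs a 40- or 56-bit cipher will stop negotiating. Second, the ISA "Require 128-bit encryption" option and this change are complementary: the listener option drops traffic after a weak handshake has completed, while the registry change stops the weak handshake from completing at all, which is what tools like SSL Digger actually test for and therefore what makes the finding disappear from the report.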
