[isalist] Re: ISA - Exchange and PCI Compliance

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 19 Jun 2010 18:07:02 +0000

Not necessarily - it depends on where SSL is being used that is under the 
purview of PCI.
PCI itself doesn't impose this requirement, but your auditors may.
Something else to consider is that disabling SSLv2 will cause client 
compatibility issues.

Also, unless you're passing or processing PII or related data via your email 
(silly idea in the extreme), PCI doesn't have any governance there.

Jim

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Bret Hanson
Sent: Saturday, June 19, 2010 9:35 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: ISA - Exchange and PCI Compliance

So is it safe to say SSLv2 and the weak ciphers need to be disabled on the ISA 
box only?

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Saturday, June 19, 2010 11:21 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA - Exchange and PCI Compliance

...and 
http://blogs.technet.com/b/isablog/archive/2010/03/24/meet-pci-compliance-with-hyperguard-solution-by-a-forefront-tmg-business-partner.aspx

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Stefaan Pouseele
Sent: Wednesday, June 16, 2010 8:31 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA - Exchange and PCI Compliance

Check out 
http://blogs.isaserver.org/pouseele/2007/05/19/require-128-bit-encryption-for-https-traffic-with-isa-server-2006-part3/

HTH,
Stefaan

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Bret Hanson
Sent: Wednesday, June 16, 2010 17:23
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] ISA - Exchange and PCI Compliance

We are running ISA 2006 EE publishing Exchange 2007 OWA & Outlook Anywhere. 
Recently we had a vulnerability scan done by a 3rd party as required by the 
Payment Card Industry (PCI).

The report came back with two problems on the public IP of the mail server:

1. SSLv2 Supported
2. SSL Weak Encryption Algorithms

Researching a solution to this issue has made me even more confused. Some say 
this needs to be fixed on the ISA box and others say on both. Anyone else dealt 
with this - can ya help a guy out?

Thanks!

Bret
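As an added example (not code from any of the posters above), the following batch file makes the Schannel registry changes on the ISA box that address both scanner findings: it disables SSL 2.0 for inbound connections only and disables the export-strength, 56-bit and NULL ciphers. It assumes Windows Server 2003 with the Schannel key layout documented in Microsoft KB245030 and that no Group Policy overrides those keys; a reboot is required for the changes to take effect.

```batch
@echo off
rem Added example: harden Schannel on the Windows Server 2003 host running ISA 2006.
rem Finding 1 (SSLv2 Supported): disable SSL 2.0 on the Server side only. The
rem Client subkey is left alone, so ISA's own outbound SSL behaviour is unchanged;
rem the only clients affected are those that can speak nothing newer than SSLv2.
rem Finding 2 (SSL Weak Encryption Algorithms): disable ciphers below 128 bits
rem and NULL encryption. Key names follow KB245030 (assumption: no GPO overrides).
rem Run from an elevated/administrator command prompt, then reboot the server.

set SCH=HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

rem --- Finding 1: stop offering SSL 2.0 to connecting clients -----------------
reg add "%SCH%\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f

rem --- Finding 2: turn off export-grade, 56-bit and NULL ciphers -------------
for %%C in ("NULL" "DES 56/56" "RC2 40/128" "RC2 56/128" "RC4 40/128" "RC4 56/128" "RC4 64/128") do (
    reg add "%SCH%\Ciphers\%%~C" /v Enabled /t REG_DWORD /d 0 /f
)

rem --- Show what is now configured so it can be checked before the reboot ----
reg query "%SCH%\Protocols\SSL 2.0\Server" /v Enabled
reg query "%SCH%\Ciphers" /s

echo Schannel settings updated. Reboot the ISA server for them to take effect.
```

After the reboot, have the PCI scan re-run against the public IP so the two findings are confirmed closed rather than assumed fixed.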