[isalist] Re: ISA - Exchange and PCI Compliance

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 19 Jun 2010 13:36:58 -0500

Steve,

Very good advice. You have to realize that these compliance guys are
morons and totally clueless. If you challenge them, they'll give in -
they don't want to risk a lawsuit.

Tom

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steven Comeau
Sent: Saturday, June 19, 2010 1:03 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA - Exchange and PCI Compliance

I did it on both, however, the error also came up on my other ISA boxes
that weren't serving OWA (or any HTTP/s protocol) - so I did it on those
ISA boxes just to shut up our Information Protection Department.

I've also gotten bogus warnings (failures) about the version of PPTP I'm
using for site-to-site VPN as well as user VPN - yet the scan doesn't
report the error on both end IPs. PCI is maddening. They kept failing
our website for non-compliance, yet I kept telling them that our website
doesn't collect credit card information - we link to a URL at Barnes and
Noble to buy gear... so, I simply took that IP out of their range to
scan. Don't hesitate to challenge the results with good, hard evidence.

Steve Comeau

Associate Director of IT, Rutgers Athletics

83 Rockafeller Road

Piscataway, NJ  08854

732-445-7802

732-445-4623 (fax)

www.scarletknights.com

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Bret Hanson
Sent: Saturday, June 19, 2010 12:35 PM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: ISA - Exchange and PCI Compliance

So is it safe to say SSLv2 and the weak ciphers need to be disabled on
the ISA box only?

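As an added example (not from the thread, and not Microsoft's or the ISA team's code), here is the SChannel registry change that clears both scan findings on whichever Windows box terminates the published HTTPS, written as PowerShell. It assumes ISA is doing SSL bridging, so the external scanner is talking to ISA's own SChannel stack; the subkey names are the standard SChannel ones, and the same script can be run on the Exchange CAS if the internal hop should be clean as well.

```powershell
# Added example, not from the thread. Assumes the ISA box terminates the published
# HTTPS listener (SSL bridging), so the external scan exercises ISA's own SChannel.
# Run elevated; SChannel reads these keys at boot, so reboot afterwards.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Finding 1 (SSLv2 Supported) and finding 2 (weak algorithms) map to these subkeys.
$toDisable = @(
    'Protocols\SSL 2.0\Server',   # stop offering SSL 2.0 as a server
    'Ciphers\NULL',               # no encryption at all
    'Ciphers\DES 56/56',          # single DES
    'Ciphers\RC2 40/128', 'Ciphers\RC2 56/128',
    'Ciphers\RC4 40/128', 'Ciphers\RC4 56/128', 'Ciphers\RC4 64/128'
)

function Disable-SchannelSubKey {
    param([string]$SubKey)
    # The .NET registry API is used instead of New-Item/New-ItemProperty because
    # cipher key names such as "RC4 40/128" contain "/", which the PowerShell
    # registry provider would treat as a path separator and split into two keys.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\$SubKey")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Get-SchannelSubKeyState {
    param([string]$SubKey)
    # A missing key or value means "enabled": SChannel's default is to allow it.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\$SubKey")
    if ($key -eq $null) { return 'enabled (key absent)' }
    $value = $key.GetValue('Enabled', $null)
    $key.Close()
    if ($value -eq $null) { return 'enabled (value absent)' }
    if ([int]$value -eq 0) { return 'disabled' } else { return 'enabled' }
}

foreach ($subKey in $toDisable) { Disable-SchannelSubKey $subKey }

# Read back what was written; anything still "enabled" will be flagged again by the scan.
foreach ($subKey in $toDisable) {
    '{0,-28} {1}' -f $subKey, (Get-SchannelSubKeyState $subKey)
}
```

After the reboot, re-run the read-back loop alone to confirm nothing reverted, and only then ask the scanning vendor to rescan.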
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Saturday, June 19, 2010 11:21 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA - Exchange and PCI Compliance

...and
http://blogs.technet.com/b/isablog/archive/2010/03/24/meet-pci-compliance-with-hyperguard-solution-by-a-forefront-tmg-business-partner.aspx

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Stefaan Pouseele
Sent: Wednesday, June 16, 2010 8:31 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA - Exchange and PCI Compliance

Check out
http://blogs.isaserver.org/pouseele/2007/05/19/require-128-bit-encryption-for-https-traffic-with-isa-server-2006-part3/

HTH,

Stefaan

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Bret Hanson
Sent: Wednesday, June 16, 2010 17:23
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] ISA - Exchange and PCI Compliance

We are running ISA 2006 EE publishing Exchange 2007 OWA & Outlook
Anywhere. Recently we had a vulnerability scan done by a 3rd party as
required by the Payment Card Industry (PCI).

The report came back with two problems on the public IP of the mail
server.

1. SSLv2 Supported
2. SSL Weak Encryption Algorithms

Researching a solution to this issue has made me even more confused.
Some say this needs to be fixed on the ISA box and others say on both.
Anyone else dealt with this - can ya help a guy out?

Thanks!

Bret