[isapros] Re: ISA Cookie Encryption?
- From: Jim Harrison <Jim@xxxxxxxxxxxx>
- To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
- Date: Thu, 15 Nov 2007 06:16:48 -0800
Nope; that's strictly the purview of SChannel (the Windows component that
handles SSL/TLS).
http://support.microsoft.com/kb/245030
http://support.microsoft.com/kb/259122
http://support.microsoft.com/kb/216482
http://support.microsoft.com/kb/299520
-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason Jones
Sent: Thursday, November 15, 2007 12:01 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Cookie Encryption?
On a similar note, I got rid of a lot of ISA pen testing "noise" by upping the
minimum cipher strength standards supported by our ISA deployments...now the
testers are starting to say that SSL v2 is available and this represents a
risk...
Does the ISA "enforce 128bit" option also dictate SSLv3 or is this another reg
entry to add to my cipher strength reg file?
-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: 15 November 2007 02:46
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Cookie Encryption?
This is nothing less than security by obscurity.
1. The cookies set by ISA will not work outside of the TCP and HTTP sessions.
2. There is no ASPSessionState or anything else of value to anyone who may try
to persist these cookies elsewhere
Therefore, there is no gain to trying to obfuscate these cookies.
Whomever is making these suggestions is regurgistating; not thinking.
Jim
-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason Jones
Sent: Wednesday, November 14, 2007 3:46 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] ISA Cookie Encryption?
Is this possible to solve?
http://forums.isaserver.org/m_2002057159/mpage_1/key_/tm.htm#2002057159
________________________________
This email and any files transmitted with it are confidential and intended
solely for the use of the individual to whom it is addressed. If you have
received this email in error, or if you believe this email is unsolicited and
wish to be removed from any future mailings, please contact our Support Desk
immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx
If this email contains a quotation then unless otherwise stated it is valid for
7 days and offered subject to Silversands Professional Services Terms and
Conditions, a copy of which is available on request. Any pricing information,
design information or information concerning specific Silversands' staff
contained in this email is considered confidential or of commercial interest
and exempt from the Freedom of Information Act 2000.
Any view or opinions presented are solely those of the author and do not
necessarily represent those of Silversands
Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
Company Registration Number : 2141393.
This email and any files transmitted with it are confidential and intended
solely for the use of the individual to whom it is addressed. If you have
received this email in error, or if you believe this email is unsolicited and
wish to be removed from any future mailings, please contact our Support Desk
immediately on 01202 360360 or email helpdesk@xxxxxxxxxxxxxxxxx
If this email contains a quotation then unless otherwise stated it is valid for
7 days and offered subject to Silversands Professional Services Terms and
Conditions, a copy of which is available on request. Any pricing information,
design information or information concerning specific Silversands' staff
contained in this email is considered confidential or of commercial interest
and exempt from the Freedom of Information Act 2000.
Any view or opinions presented are solely those of the author and do not
necessarily represent those of Silversands
Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
Company Registration Number : 2141393.
Other related posts:
