OWA 2003 and SSL Security Vulnerability

ExchangeGuy

Hello--

I'm hoping you can provide some direction. We currently are running
Exchange 2003 Enterprise with an OWA server in the DMZ. Yes.. I know
best practices recommend routing this traffic through an ISA server.
There is a trusted SSL certificate on the server and we have many
mobile device users.

Anyway, on a recent scan, we received the following security notice.

SSLv2 Supported
This SSL service supports SSLv2 connections. SSLv2 has known
cryptographic weaknesses. Secure web applications should only enable
the SSLv3 or TLSv1 protocols. For PCI compliance validation scans,
note that either or both of the SSLv3 or TLSv1 protocols must be
enabled (i.e., SSLv2 can not be the only supported protocol version).

They provide the following resolution suggestion:

Disable the use of SSL 2.0 if possible. Note that some older client
software may not support the most recent protocol versions.

Refer to the following:

Microsoft Knowledge Base article to remove SSLv2 support from
Microsoft's Internet Information Server (IIS):
http://support.microsoft.com/kb/187498
http://support.microsoft.com/kb/245030

I've been scouring the boards trying to find out if:

1. Does OWA 2003 support SSL v3?
2. If I follow the suggestions and disable SSLv2, will it affect the
users of mobile devices running Windows Mobile 5/6?

I haven't been able to locate documentation regarding the supported
versions.

Any direction would be appreciated!
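The two KB articles cited above work by editing SCHANNEL registry keys. As an added example (not from the original poster, the thread, or Microsoft), the PowerShell below audits the server-side protocol keys and disables SSL 2.0 only, then confirms that SSL 3.0 or TLS 1.0 still remains enabled as the scan text requires. It assumes the key layout documented in KB 187498, an elevated session, and a reboot afterwards for SCHANNEL to reload its settings.

```powershell
# Added example: audit SCHANNEL protocol settings and disable SSL 2.0 server-side
# on an IIS host, following the registry layout documented in KB 187498.
# Run elevated; SCHANNEL only re-reads these keys after a reboot.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelServerState {
    param([string]$Protocol)
    # Returns 'enabled', 'disabled', or 'not set' for the <Protocol>\Server subkey.
    $key = Join-Path $base "$Protocol\Server"
    if (-not (Test-Path $key)) { return 'not set (OS default)' }
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $v) { return 'not set (OS default)' }
    if ($v -eq 0) { 'disabled' } else { 'enabled' }
}

# 1. Audit before changing anything.
foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0') {
    '{0,-8} server: {1}' -f $p, (Get-SchannelServerState $p)
}

# 2. Disable SSL 2.0 for the server role only; the Client subkey is left untouched
#    so outbound connections from this box are not affected.
$ssl2Server = Join-Path $base 'SSL 2.0\Server'
if (-not (Test-Path $ssl2Server)) { New-Item -Path $ssl2Server -Force | Out-Null }
Set-ItemProperty -Path $ssl2Server -Name Enabled -Value 0 -Type DWord

# 3. Re-read and warn if no usable protocol would remain: the scan text quoted
#    above requires SSLv3 or TLSv1 to stay enabled.
$remaining = 'SSL 3.0', 'TLS 1.0' | Where-Object { (Get-SchannelServerState $_) -ne 'disabled' }
if (-not $remaining) {
    Write-Warning 'SSL 3.0 and TLS 1.0 are both disabled; re-enable one before rebooting.'
}
'SSL 2.0 server: {0} (reboot required to take effect)' -f (Get-SchannelServerState 'SSL 2.0')
```

Re-run the scanner after the reboot to confirm the SSLv2 finding has cleared; whether older mobile clients still negotiate successfully has to be tested against those devices, which this script does not do.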
 
M

Milly Staples [MVP - Outlook]

Since OWA is a part of Exchange and not Outlook, you should probably post this "down the hall" in one of the Exchange groups.

--
Milly Staples [MVP - Outlook]

Post all replies to the group to keep the discussion intact.
How to ask a question:
http://support.microsoft.com/KB/555375

