Re: OWA 2003 and SSLv2 Security Vulnerability



On Fri, 8 Aug 2008 18:26:00 -0700 (PDT), ExchangeGuy
<GovExchangeAdmin@xxxxxxxxx> wrote:

Hello--

I'm hoping you can provide some direction. We currently are running
Exchange 2003 Enterprise with an OWA server in the DMZ. Yes.. I know
best practices recommend routing this traffic through an ISA server.
There is a trusted SSL certificate on the server and we have many
mobile device users.


Anyway, on a recent scan, we received the following security notice.


SSLv2 Supported
This SSL service supports SSLv2 connections. SSLv2 has known
cryptographic weaknesses. Secure web applications should only enable
the SSLv3 or TLSv1 protocols. For PCI compliance validation scans,
note that either or both of the SSLv3 or TLSv1 protocols must be
enabled (i.e., SSLv2 can not be the only supported protocol version).


They provide the following resolution suggestion:


Disable the use of SSL 2.0 if possible. Note that some older client
software may not support the most recent protocol versions.


Refer to the following:


Microsoft Knowledge Base article to remove SSLv2 support from
Microsoft's Internet Information Server (IIS):
http://support.microsoft.com/kb/187498
http://support.microsoft.com/kb/245030


I've been scouring the boards trying to find out if:


1. Does OWA 2003 support SSL v3?

TLS support is not an OWA issue per se.
IE7 (and most recent versions of all browsers) no longer support SSL
2.0, it's disabled by default.


2. If I follow the suggestions and disable SSLv2, will it affect the
users of mobile devices running Windows Mobile 5/6?


Nope.



I haven't been able to locate documentation regarding the supported
versions.


Any direction would be appreciated!
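
The scanner finding quoted in this thread can be re-checked before and after SSL 2.0 is disabled. The following is an added example, not part of the original posts: it sends a single SSLv2 CLIENT-HELLO and classifies the reply, and the function names and result labels are assumptions chosen for illustration.

```python
import os
import socket
import struct

# SSLv2 cipher kinds (3 bytes each) from the SSL 2.0 specification.
SSL2_CIPHERS = (
    b"\x01\x00\x80"  # SSL_CK_RC4_128_WITH_MD5
    b"\x02\x00\x80"  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80"  # SSL_CK_RC2_128_CBC_WITH_MD5
    b"\x06\x00\x40"  # SSL_CK_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0"  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
)

def build_client_hello(challenge=None):
    """SSLv2 CLIENT-HELLO that offers version 0x0002 only."""
    challenge = challenge or os.urandom(16)
    body = struct.pack(">BHHHH", 1, 0x0002, len(SSL2_CIPHERS), 0, len(challenge))
    body += SSL2_CIPHERS + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body  # 2-byte record header

def classify_response(data):
    """Interpret the first bytes the server sends back."""
    if not data or data[0] == 0x15:      # closed socket, or SSLv3/TLS alert record
        return "rejected"
    if len(data) < 3 or not data[0] & 0x80:
        return "unknown"
    if data[2] == 0:                     # SSLv2 ERROR message
        return "rejected"
    if data[2] != 4 or len(data) < 13:   # 4 = SERVER-HELLO
        return "unknown"
    _hit, _ctype, version, _cert, spec_len, _cid = struct.unpack(">BBHHHH", data[3:13])
    if version != 0x0002:
        return "unknown"
    # A server may still answer with an empty cipher list once SSLv2 ciphers are off.
    return "sslv2-enabled" if spec_len else "sslv2-no-ciphers"

def probe(host, port=443, timeout=5.0):
    """Send one CLIENT-HELLO to a server you administer and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except OSError:                  # reset or timeout: no SSLv2 answer
            return "rejected"

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

A result of "sslv2-enabled" matches the scanner notice; "rejected" is the expected result once SSL 2.0 has been disabled on the server.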