I have been given a task to disable all "weak" ciphers/protocols on our very old ISA server based on Windows Server 2003. I have disabled all protocols but TLS 1.0, and all ciphers but RC2/128, RC4/128 and Triple DES 168/168. But the Qualys SSL Labs test utility does not show me that I have 3DES encryption available on my ISA server. The only cipher suites listed are:

TLS_RSA_WITH_RC4_128_MD5 (0x4)  
TLS_RSA_WITH_RC4_128_SHA (0x5) 

This KB says that when the Triple DES 168 cipher is enabled, the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite is available. However, it is not. We need this cipher suite to allow a Windows 8.1 Phone to connect to ActiveSync published by this ISA. What could be the reason for 3DES encryption being unavailable in this configuration, and what should we do to allow the connection for a Windows 8.1 phone without being vulnerable to POODLE?

EDIT: There was apparently a server-side malfunction of some sort; a reboot fixed 3DES availability, although the same KB states that the registry change should have worked at once. I've got another server with the same problem, and got it fixed with the registry modification only, though.

Vesper
  • And I hope you're ready to decommission that thing. It goes out of support in a few months. – Michael Hampton Oct 22 '14 at 13:35
  • NO :D While the ISA server is about to get decommissioned indeed, the other server is about to last a few more years. – Vesper Oct 23 '14 at 04:57
  • 1
    You **should not** be planning to run Server 2003 for "a few more years"! – Michael Hampton Oct 23 '14 at 12:31
  • **ME**? No, my **BOSS** plans to. While I agree that it should be migrated away to more modern platforms, the actual decision hits a money wall. – Vesper Oct 24 '14 at 05:28
  • He's gonna have to pay a hell of a lot more money when you guys inevitably get hacked, sued, and/or your application breaks. I've attached a rough cost justification as to what may happen should your ISA server be compromised: https://origin.ih.constantcontact.com/fs195/1118397859495/img/18.gif – Michael Bailey Jul 09 '15 at 05:06
  • Basically what I'm saying is it may be in your best interest to cost justify. Show him the potential outcomes should you guys remain with '03. Infosec pains, IT guys won't even be trained in '03 two years from now is my guess. – Michael Bailey Jul 09 '15 at 05:07
  • Given that a lot of today's viruses depend on .NET, having a standalone W2000 server on obsolete hardware (just enough to carry the workload involved) can be a "security through obscurity" measure against most if not all undirected attacks. Directed attacks are not usually targeted against the front door, but rather target users by spear-phishing, or use a vulnerability on an exposed server of some kind (RDP, HTTP/S, etc). Anyway, I went away from that company already. – Vesper Jul 09 '15 at 06:39
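The registry configuration the question describes, written out as a script. This is an added example, not code from the post or from Microsoft: it assumes PowerShell is installed on the Server 2003 box, uses the Server 2003 spellings of the SChannel key names (e.g. "Triple DES 168/168"), and writes DisabledByDefault under Protocols only as an assumption for parity with 2008+, since Server 2003 honours the Enabled value alone.

```powershell
# Added example (not from the original post): SChannel settings matching the question's
# goal on Windows Server 2003: keep only TLS 1.0 with RC2/128, RC4/128 and Triple DES
# 168/168, and switch SSL 2.0/3.0 off server-side so POODLE is mitigated.
# The .NET registry API is used because the PowerShell registry provider treats the "/"
# in key names such as "Triple DES 168/168" as a path separator.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm = [Microsoft.Win32.Registry]::LocalMachine

function Set-SchannelKey([string]$SubPath, [hashtable]$Values) {
    # CreateSubKey opens the key writable, creating it if it does not exist.
    $key = $hklm.CreateSubKey("$schannel\$SubPath")
    try {
        foreach ($name in $Values.Keys) {
            # -1 stored as a DWORD becomes 0xFFFFFFFF, the "enabled" value SChannel expects.
            $key.SetValue($name, [int]$Values[$name], [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    } finally { $key.Close() }
}

# Protocols: Enabled=0 is what Server 2003 honours. DisabledByDefault is written as an
# assumption so the same script behaves the same on 2008+ (it is ignored on 2003).
foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    Set-SchannelKey "Protocols\$proto\Server" @{ Enabled = 0; DisabledByDefault = 1 }
}
Set-SchannelKey 'Protocols\TLS 1.0\Server' @{ Enabled = -1; DisabledByDefault = 0 }

# Ciphers: 0xFFFFFFFF enables, 0 disables. Everything except the three wanted ciphers is off.
$disabledCiphers = 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
                   'RC4 40/128', 'RC4 56/128', 'RC4 64/128'
foreach ($c in $disabledCiphers) { Set-SchannelKey "Ciphers\$c" @{ Enabled = 0 } }
foreach ($c in 'RC2 128/128', 'RC4 128/128', 'Triple DES 168/168') {
    Set-SchannelKey "Ciphers\$c" @{ Enabled = -1 }
}

# Read the values back so the state can be checked before and after the reboot the
# question reports was needed for 3DES to actually appear in the offered suites.
foreach ($c in 'Triple DES 168/168', 'RC4 128/128', 'DES 56/56') {
    $k = $hklm.OpenSubKey("$schannel\Ciphers\$c")
    '{0,-20} Enabled=0x{1:X8}' -f $c, $k.GetValue('Enabled')
    $k.Close()
}
```

After running it, confirm from the outside (for example with a fresh SSL Labs scan) that TLS_RSA_WITH_3DES_EDE_CBC_SHA is now offered and SSL 3.0 is not, since the registry alone does not prove what SChannel is serving.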

2 Answers

If your registry change didn't take effect immediately, then just restart your computer.

Michael Hampton
  • That'll be a good solution if that restart won't impact other users en masse. Still, a restart of any Windows system is likely to fix many problems. – Vesper Oct 23 '14 at 04:58
  • Still, a restart indeed fixed this stupid problem. – Vesper Jul 09 '15 at 06:40

Triple DES 168 worked for me and disabled the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher:

DisabledByDefault --> 1, Enabled --> 0

A'Jain