SSL ver2

Status
Not open for further replies.

joepc

MIS
Jul 26, 2002
647
US
I have a Windows 2003 server running Exchange 2003 SP2. We have OWA/EAS configured for SSL only. Should I disable SSL ver 2 via the registry for security reasons? I am running some security auditing tools and it is making note of it. Thanks!
 
Considering that SSL ver3 (and TLS) has superseded ver 2, and most browsers are equipped to handle the updated versions, I would say yes, you should disable SSL ver 2.
 
There are considerations you need to make before being so rash. The primary consideration is the OS and potential IE level of any clients that connect to your site... along with potential other browser types that may access the site (Firefox, Mozilla, etc.). If you are certain that all browser types and operating systems connecting to your site can utilize SSL 3, then it's probably safe to go forward, OR, if it is acceptable by business security rule that any browsers that cannot use SSL 3 should not be allowed to connect, then again, you're golden.
In my personal and professional opinion, I would not disable it to ensure full compatibility with all clients I may have (including older Windows Mobile 5 devices, for instance).

- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
 
I have looked at several browsers, and the most common browsers all support SSL v3.
 
That is very true, but my point was that you never know when you're gonna have some schmuck running Windows 98 out there in the world trying to get in... for instance... and a decision needs to be made whether that will be accepted or not (but it is applicable more to public-facing websites since build types can be a little more guaranteed internally).

- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
 
I understand what you are stating, and I can agree to a certain point. However, being a security professional, my goal is to have the most secure space I can.

If I remember correctly, 98 could run IE 6, which I believe was SSL v3 compliant, but I get your point. If they are still running 98, who says they update at all anyway...

I know, it is more a business decision.
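
What the auditing tools mentioned in the question test for, as an added example that is not part of the thread: a server accepts SSL 2.0 if it answers an SSL 2.0 CLIENT-HELLO with a SERVER-HELLO. The function names, result labels and sample replies below are assumptions made for illustration; the sample bytes are constructed, not captured.

```python
import socket
import struct

# SSL 2.0 cipher kinds (3 bytes each) offered in the probe, per the SSL 2.0 spec.
SSL2_CIPHERS = bytes.fromhex("010080 020080 030080 040080 060040 0700c0")


def build_ssl2_client_hello(challenge=b"\x00" * 16):
    """Build an SSL 2.0 CLIENT-HELLO record (2-byte header, high bit set)."""
    # msg type 1, version 0x0002, cipher-spec len, session-id len 0, challenge len
    body = struct.pack(">BHHHH", 1, 0x0002, len(SSL2_CIPHERS), 0, len(challenge))
    body += SSL2_CIPHERS + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_reply(data):
    """Return 'enabled', 'disabled' or 'unknown' for the first bytes of a reply."""
    if not data:
        return "disabled"  # server closed the connection without answering
    # SSL 2.0 SERVER-HELLO: 2-byte header, msg type 4, version at offset 5
    if len(data) >= 7 and data[0] & 0x80 and data[2] == 4:
        if struct.unpack(">H", data[5:7])[0] == 0x0002:
            return "enabled"
    # SSL 3.0 / TLS alert record: content type 0x15, major version 3
    if len(data) >= 2 and data[0] == 0x15 and data[1] == 0x03:
        return "disabled"
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Send the CLIENT-HELLO to a server you administer and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_ssl2_client_hello())
            return classify_reply(s.recv(4096))
    except ConnectionResetError:
        return "disabled"  # reset on an SSL 2.0 hello means it was refused
    except socket.timeout:
        return "unknown"


if __name__ == "__main__":
    # Constructed sample replies (not captured traffic).
    ssl2_hello = bytes.fromhex("800b0400010002000000000010")
    tls_alert = bytes.fromhex("15030000020228")
    print(classify_reply(ssl2_hello), classify_reply(tls_alert))
```

Running `probe()` against the OWA host before and after the change confirms whether the setting took effect; it does not show whether any existing clients still depend on SSL 2.0, which is the compatibility question raised above.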
 