In a little-known KB article there are instructions on how to get Windows to use only strong SSL cipher suites. SSL is a security technology, of course, but cipher strengths vary, and the cipher suite negotiated for a given connection is what governs the relative security of that SSL connection.
You might think that because there is a check box in the ISA firewall's configuration interface that requires 128-bit encryption, no other level of encryption can be negotiated. That isn't true. It is true that the ISA firewall will not pass traffic that isn't 128-bit encrypted once you enable this option, but the cipher is chosen by the Windows SSL stack (Schannel) during the handshake, before ISA's 128-bit policy check is applied. A weaker cipher can therefore still be negotiated and only then blocked, which is why a pen test of the firewall reports weak ciphers as "supported" even though nothing gets through: a false positive.
What's the solution? Disable support for the weaker cipher strengths in Windows itself, so they are never offered in the first place. Jason Jones does it again with a fantastic article on how to do this in his blog post at:
http://blog.msfirewall.org.uk/2008/10/hardening-ssl-cipher-strength-and-ssl.html
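To make the "disable the weaker cipher strengths" step concrete, here is an added example script. It is not code from this post or from Jason Jones's article; it shows the registry mechanism that Windows uses for this. It writes the Schannel Enabled values that turn off the sub-128-bit ciphers, explicitly keeps the 128-bit and stronger ones on, goes one step further by disabling SSL 2.0 on the server side as well, and then reads the settings back. The key and value names follow the Schannel registry layout documented in KB245030; the function names are mine.

```powershell
# Added example, not from the original post or from Jason Jones's article:
# disable Schannel cipher suites weaker than 128 bits (and SSL 2.0 server-side)
# by writing the Enabled value under the SCHANNEL registry keys, then read the
# result back. Key names follow the Schannel layout documented in KB245030.
# Run in an elevated PowerShell on the ISA server and REBOOT afterwards:
# Schannel reads these keys only at startup. Back up the key first with
#   reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL schannel-backup.reg

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Schannel convention: Enabled = 0 disables, Enabled = 0xffffffff enables.
# PowerShell parses 0xffffffff as the Int32 -1, which is stored as DWORD ffffffff.
$DISABLED = 0
$ENABLED  = 0xffffffff

# Below 128 bits: never offer these.
$weakCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
                 'RC4 40/128', 'RC4 56/128', 'RC4 64/128')
# 128 bits and up: enable explicitly so the box is never left with nothing to offer.
# Windows Server 2003 names the 3DES key 'Triple DES 168/168'; later builds use 'Triple DES 168'.
$strongCiphers = @('RC4 128/128', 'Triple DES 168', 'AES 128/128', 'AES 256/256')

function Set-SchannelEnabled {
    param([string]$RelativeKey, [int]$Value)
    # The '/' in names like 'RC4 40/128' is part of the key name. New-Item would
    # treat it as a path separator and create 'RC4 40\128', so use the .NET
    # registry API, which takes the name literally.
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $key  = $hklm.CreateSubKey("$schannel\$RelativeKey")   # opens the key if it already exists
    $key.SetValue('Enabled', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Get-SchannelEnabled {
    param([string]$RelativeKey)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\$RelativeKey")
    if ($null -eq $key) { return 'not set (Schannel default applies)' }
    $value = $key.GetValue('Enabled')
    $key.Close()
    if ($null -eq $value) { return 'not set (Schannel default applies)' }
    if ($value -eq 0) { 'disabled' } else { 'enabled' }
}

foreach ($c in $weakCiphers)   { Set-SchannelEnabled -RelativeKey "Ciphers\$c" -Value $DISABLED }
foreach ($c in $strongCiphers) { Set-SchannelEnabled -RelativeKey "Ciphers\$c" -Value $ENABLED }

# SSL 2.0 does not integrity-protect its handshake, so a client can be pushed down
# to the weakest suite both sides support. Turn it off on the listening side too.
Set-SchannelEnabled -RelativeKey 'Protocols\SSL 2.0\Server' -Value $DISABLED

# Read back what was written. These values take effect after the reboot, not now.
foreach ($c in $weakCiphers + $strongCiphers) {
    '{0,-16} {1}' -f $c, (Get-SchannelEnabled -RelativeKey "Ciphers\$c")
}
'{0,-16} {1}' -f 'SSL 2.0 server', (Get-SchannelEnabled -RelativeKey 'Protocols\SSL 2.0\Server')
```

Two caveats a practitioner will want before running this. The setting is machine-wide: it applies to every Schannel consumer on the box, so the ISA server's own outbound SSL connections to published servers, RDP, and any other service using Schannel will also refuse the weak suites, and a client that can only do 40- or 56-bit encryption will no longer connect at all. And verify after the reboot, not before: point the same scanner at the listener again and confirm that a handshake offering only weak suites now fails at the SSL layer, rather than completing and then being dropped by the ISA policy as it did before.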
HTH,
Tom
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING | Microsoft Forefront Security Specialist
MVP — Forefront Edge Security (ISA/TMG/IAG)