Hardening SSL Cipher Strength and SSL Protocol Support on ISA Servers

A little-known KB article gives instructions for restricting Windows to only the stronger SSL connections. SSL is a security technology by definition, but the cipher suite that gets negotiated for a connection is what actually governs how strong that connection is, and SSL will happily negotiate weak ones.

You might think that because there is a checkbox in the ISA firewall's configuration interface that requires 128-bit encryption, no other encryption level can be negotiated. That isn't true. It is true that the ISA firewall will not pass traffic that isn't 128-bit encrypted when you enable this option, but the SSL handshake is done by Windows (Schannel), not by ISA, and Windows will complete the handshake with a weaker cipher before ISA gets a chance to block the traffic. A scanner that tests which ciphers the server accepts sees that handshake succeed and reports the weak cipher as supported, which leads to false positives when pen testing the firewall.

What's the solution? Disable support for the lower cipher strengths (and the obsolete protocol versions) in Windows itself, so that Schannel never offers or accepts them in the first place. Jason Jones does it again with a fantastic article on how to do this in his blog post at:

http://blog.msfirewall.org.uk/2008/10/hardening-ssl-cipher-strength-and-ssl.html
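As an added example (not code from this post or from Jason Jones's article), the following PowerShell script does the Windows-side part of that fix through the Schannel registry layout Microsoft documents in KB 245030: it audits, and with -Apply disables, the sub-128-bit cipher entries and SSL 2.0. The selection of "weak" entries is my own choice for a 128-bit-minimum policy; the key names themselves are the documented Schannel ones. It assumes an elevated prompt on the ISA host, and Schannel only reads these keys at boot, so a reboot is needed afterwards.

```powershell
# Added example: disable weak Schannel cipher suites and SSL 2.0 on a Windows
# host (e.g. an ISA server) via the SCHANNEL registry keys (KB 245030).
# Audit only by default; -Apply writes the registry. Reboot for effect.
param([switch]$Apply)

$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Cipher key names under SCHANNEL\Ciphers that give less than 128 bits of
# encryption, or none at all. Selection is mine; names are as documented.
$WeakCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
                 'RC4 40/128', 'RC4 56/128', 'RC4 64/128')

# Protocol versions to turn off. ISA is also a TLS client (web publishing to
# back-end servers), so both the Server and the Client sub-key are set.
$DeadProtocols = @('SSL 2.0')

function Get-SchannelState {
    # Reads the Enabled value of a SCHANNEL sub-key without creating it.
    param([string]$SubKey)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelPath\$SubKey")
    if ($key -eq $null) { return 'not set (Windows default applies)' }
    try {
        $v = $key.GetValue('Enabled', $null)
        if ($v -eq $null)  { 'not set (Windows default applies)' }
        elseif ($v -eq 0)  { 'disabled' }
        else               { 'enabled' }
    } finally { $key.Close() }
}

function Set-SchannelState {
    # Creates the sub-key if needed and writes Enabled. Cipher names contain
    # "/", which the HKLM: provider treats as a path separator, so this goes
    # through the .NET RegistryKey API, where "/" is an ordinary character.
    param([string]$SubKey, [bool]$Enabled)
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelPath\$SubKey")
    try {
        # Schannel convention: 0 disables, 0xFFFFFFFF (DWORD -1) enables.
        $value = if ($Enabled) { -1 } else { 0 }
        $key.SetValue('Enabled', [int]$value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally { $key.Close() }
}

# Build the list of sub-keys to act on.
$targets = @($WeakCiphers | ForEach-Object { "Ciphers\$_" })
foreach ($p in $DeadProtocols) {
    $targets += "Protocols\$p\Server", "Protocols\$p\Client"
}

Write-Host 'Schannel state before:'
foreach ($t in $targets) { Write-Host ('  {0,-24} {1}' -f $t, (Get-SchannelState $t)) }

if ($Apply) {
    foreach ($t in $targets) { Set-SchannelState -SubKey $t -Enabled $false }
    Write-Host 'Schannel state after (takes effect on reboot):'
    foreach ($t in $targets) { Write-Host ('  {0,-24} {1}' -f $t, (Get-SchannelState $t)) }
} else {
    Write-Host 'Audit only. Re-run with -Apply from an elevated prompt to disable these entries.'
}
```

Back up the hive first (`reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL schannel-backup.reg`), because these keys are host-wide: every Schannel consumer on the box, including ISA's own outbound connections to published servers, loses the disabled suites, so make sure those back-end servers still share an enabled suite with ISA. After the reboot, re-run the cipher scan from outside: the handshake itself must now fail for the weak suites, rather than succeeding and having the traffic dropped afterwards, which is exactly the difference the pen-test result hinges on.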

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer

Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING | Microsoft Forefront Security Specialist
Email: [email protected]
MVP — Forefront Edge Security (ISA/TMG/IAG)
