Thanks!

Those docs will be revised soon as TLS 1.0 has also been cracked.  (My ancient 
server does not yet use TLS 1.1, which is currently still "secure".)

Now to deal with the TLS Renegotiation...

I found a Citrix patch (PSE450R06W2K3030).  Now this is where inheriting a 
Citrix system comes to bite.  That hot fix requires a previously released 
roll-up.  That roll-up requires a new version of license server (I seem to 
remember 11.something).  The page goes on to say the roll-up will work with 
older license server versions, but it will then make the hosted applications 
unavailable.  NICE!

From: Webster [mailto:webs...@carlwebster.com]
Sent: Tuesday, January 10, 2012 4:58 PM
To: NT System Admin Issues
Subject: RE: IIS 6.0 Security

The Citrix eDocs says if you are using SSL v3 you are not FIPS compliant.  You 
have to use TLS 1.0.

SSL/TLS and FIPS Compliance
When configured properly, deployments using TLS 1.0 can use FIPS 140-validated 
cryptographic modules in a manner that is compliant with FIPS 140-2; SSL 3.0 is 
not FIPS compliant. For more information, refer to the Guidelines for the 
Selection and Use of the Transport Layer Security (TLS) implementations at 
http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf.


Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, January 10, 2012 2:52 PM
To: NT System Admin Issues
Subject: RE: IIS 6.0 Security

Ain't just FIPS. Also NIST and PCI and... etc.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Webster [mailto:webs...@carlwebster.com]
Sent: Tuesday, January 10, 2012 3:11 PM
To: NT System Admin Issues
Subject: Re: IIS 6.0 Security

I am in the process of writing four books simultaneously (XA5/2003, XA5/2008, 
XA6.0 and XA6.5).  After this thread, I will make sure I add this SSL 
v3/TLS(FIPS) stuff.

Thanks



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: Richard McClary <richard.mccl...@aspca.org>
Reply-To: NT Issues <ntsysadmin@lyris.sunbelt-software.com>
Date: Tue, 10 Jan 2012 19:14:26 +0000
To: NT Issues <ntsysadmin@lyris.sunbelt-software.com>
Subject: RE: IIS 6.0 Security

Thanks!

Went to your web site, but 4.5 seems to be too old for anything there.

I think I have all but the "microsoft iis content location internal ip address 
leak" taken care of, and I have a bunch of tabs open concerning that.

I'll find out for sure what has been taken care of after this upcoming scan...
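The "Content Location internal IP address leak" item mentioned above is the one finding this message leaves open. The script below is an added example, not code from the thread or from Citrix or Microsoft: it reproduces the scanner's check (an HTTP/1.0 request with no Host header, which is the case in which IIS 6.0 fills Content-Location from the server's own address) and prints the documented fix, the `w3svc/UseHostName` metabase setting from Microsoft KB 218180. The server name and port are placeholders; `Get-ContentLocationHeader`, `Test-InternalAddress` and the RFC 1918 pattern are this example's own.

```powershell
# Added example, not from the thread: detect the IIS 6.0 "Content-Location internal IP"
# finding and print the documented fix. Server name and port are placeholders.
# PowerShell 2.0-compatible; raw sockets are used because the leak is triggered by an
# HTTP/1.0 request that carries no Host header, which HttpWebRequest will not send.
param(
    [string]$Server = 'citrix.example.com',   # placeholder: the public (MIP) name or address
    [int]$Port = 80
)

function Get-ContentLocationHeader {
    param([string]$Server, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        # HTTP/1.0 without Host: IIS 6.0 then builds Content-Location for the default
        # document from the server's own IP address unless w3svc/UseHostName is set.
        $writer.WriteLine('GET / HTTP/1.0')
        $writer.WriteLine('')
        $writer.Flush()
        $reader = New-Object System.IO.StreamReader($stream)
        # Read only the response headers (up to the first blank line).
        while (($line = $reader.ReadLine()) -ne $null) {
            if ($line -eq '') { break }
            if ($line -match '^Content-Location:\s*(.+)$') { return $matches[1].Trim() }
        }
        return $null
    } finally {
        $client.Close()
    }
}

function Test-InternalAddress {
    param([string]$Value)
    # True when the value contains an RFC 1918 address, i.e. the internal address
    # behind the NAT rather than the public name the clients use.
    $rfc1918 = '(^|[^0-9])(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})([^0-9]|$)'
    return [bool]($Value -match $rfc1918)
}

$header = Get-ContentLocationHeader -Server $Server -Port $Port
if ($header -eq $null) {
    Write-Host "No Content-Location header returned by ${Server}:${Port}; the finding does not reproduce."
} elseif (Test-InternalAddress $header) {
    Write-Host "Content-Location exposes an internal address: $header"
    Write-Host 'Fix on the IIS server (KB 218180), then restart IIS:'
    Write-Host "  cscript $env:SystemDrive\Inetpub\AdminScripts\adsutil.vbs set w3svc/UseHostName true"
    Write-Host '  iisreset'
} else {
    Write-Host "Content-Location present but does not expose an internal address: $header"
}
```

Run it from outside the NAT so the request arrives the way the scanner's does. For the HTTPS listener, wrap `$stream` in a `System.Net.Security.SslStream` and authenticate it before writing the request; the header check is the same. After applying `UseHostName`, re-run the check before the next scan rather than assuming the metabase change took effect.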

From: Webster [mailto:webs...@carlwebster.com]
Sent: Tuesday, January 10, 2012 11:38 AM
To: NT System Admin Issues
Subject: Re: IIS 6.0 Security

I am checking.  Please hold for the next available Citrix support person.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: Michael Smith <mich...@smithcons.com>
Reply-To: NT Issues <ntsysadmin@lyris.sunbelt-software.com>
Date: Tue, 10 Jan 2012 16:49:40 +0000
To: NT Issues <ntsysadmin@lyris.sunbelt-software.com>
Subject: RE: IIS 6.0 Security

Just gotta know the right search string.

http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx
http://geekswithblogs.net/dchristiansen/archive/2009/03/24/pcidss-disablessl2andweakciphersoniis6.aspx

Now: Citrix/XenApp support for SSL 3.0 - I don't know anything about that. Carl 
Webster needs to speak to that! :)

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Richard McClary [mailto:richard.mccl...@aspca.org]
Sent: Tuesday, January 10, 2012 10:06 AM
To: NT System Admin Issues
Subject: IIS 6.0 Security

Hopefully, the subject line is not a complete oxymoron...

Yes, I am continuing to search Google as well as the MS TechNet pages (that 
Google returns) concerning IIS 6.0.

We failed a PCI compliance audit on our Citrix server (Presentation Server 4.5, 
and yes, a new Citrix system is in the works, but this one needs to pass a scan 
test.)

The system does have a VeriSign SSL certificate.
--
Here are the issues found by the scan:

Disable TLS Renegotiation

Fix Microsoft IIS Content Location Internal IP Address Leak (Note - the server 
is accessed via web through a MIP's IP address)

Upgrade to the latest version of OpenSSL

Disable SSL support for weak ciphers

Disable SSL v2 protocol support
--
Anyway, we need assistance in dealing with those security issues without hosing 
the Citrix services (which our clients are paying for).

Thank you; back to Google and Technet...
-
richard
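Three of the five findings in this post (SSL v2, weak ciphers, and, from the FIPS discussion later in the thread, keeping TLS 1.0 as the accepted protocol) are all SChannel registry settings on Windows Server 2003. The script below is an added example, not code from the thread, from Citrix or from Microsoft: it applies the key layout documented in Microsoft KB 245030 and reports what changed. The `$Desired` table and the helper function names are this example's own; the SSL 3.0 line follows the Citrix eDocs quote in the thread and is the one to verify against the ICA and Web Interface clients in use before rolling out.

```powershell
# Added example, not from the thread: SChannel hardening for IIS 6.0 / Windows Server 2003
# covering the scan's "disable SSL v2" and "disable weak ciphers" findings, with TLS 1.0
# kept enabled as the FIPS-acceptable protocol. Registry layout per Microsoft KB 245030.
# Run elevated; SChannel reads these keys at service start, so reboot afterwards.
# PowerShell 2.0 syntax; the .NET registry API is used because cipher key names such as
# "RC4 40/128" contain a slash that the HKLM: drive provider would treat as a separator.

$Schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$Hklm     = [Microsoft.Win32.Registry]::LocalMachine
$Enabled  = -1   # written as DWORD 0xFFFFFFFF, the "enabled" value SChannel expects
$Disabled = 0

# Desired state. SSL 3.0 is disabled here because the Citrix eDocs quoted in the thread
# say it is not FIPS compliant; confirm the ICA/Web Interface clients in use can
# negotiate TLS 1.0 before applying that line.
$Desired = @{
    'Protocols\SSL 2.0\Server' = $Disabled
    'Protocols\SSL 3.0\Server' = $Disabled
    'Protocols\TLS 1.0\Server' = $Enabled
    'Ciphers\NULL'             = $Disabled
    'Ciphers\DES 56/56'        = $Disabled
    'Ciphers\RC2 40/128'       = $Disabled
    'Ciphers\RC2 56/128'       = $Disabled
    'Ciphers\RC4 40/128'       = $Disabled
    'Ciphers\RC4 56/128'       = $Disabled
    'Ciphers\RC4 64/128'       = $Disabled
}

function Get-SchannelEnabled {
    param([string]$SubKey)
    # Returns $null when the key or value is absent (the OS default then applies).
    $key = $Hklm.OpenSubKey("$Schannel\$SubKey")
    if ($key -eq $null) { return $null }
    try { return $key.GetValue('Enabled') } finally { $key.Close() }
}

function Set-SchannelEnabled {
    param([string]$SubKey, [int]$Value)
    # CreateSubKey opens the key writable, creating it and its parents if needed.
    $key = $Hklm.CreateSubKey("$Schannel\$SubKey")
    try {
        $key.SetValue('Enabled', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally { $key.Close() }
}

function Describe-State {
    param($Value)
    if ($Value -eq $null) { return 'not set (OS default)' }
    if ($Value -eq 0)     { return 'disabled' }
    return 'enabled'
}

foreach ($entry in $Desired.GetEnumerator()) {
    $before = Get-SchannelEnabled $entry.Key
    if ($before -ne $entry.Value) {
        Set-SchannelEnabled $entry.Key $entry.Value
        Write-Host ("{0,-28} {1} -> {2}" -f $entry.Key, (Describe-State $before), (Describe-State $entry.Value))
    } else {
        Write-Host ("{0,-28} already {1}" -f $entry.Key, (Describe-State $before))
    }
}
Write-Host 'Reboot the server for SChannel to pick up the changes, then re-run the scan.'
```

Two caveats that matter on this particular platform: Windows Server 2003 does not offer TLS 1.1 or 1.2 at all (as noted at the top of the thread), so TLS 1.0 is the only protocol left once SSL 2.0 and 3.0 are off; and the Citrix Web Interface and ICA clients on the other end of those sessions must be able to negotiate it, otherwise the hosted applications become unreachable in exactly the way the roll-up warning describes. Run the script once to see the current state before letting it write anything, and keep the TLS renegotiation item separate: it is a Citrix hotfix, not an SChannel registry setting.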

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



The information contained in this e-mail, and any attachments hereto, is from 
The American Society for the Prevention of Cruelty to Animals® (ASPCA®) and 
is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended 
recipient of this e-mail, you are hereby notified that any dissemination, 
distribution, copying or use of the contents of this e-mail, and any 
attachments hereto, is strictly prohibited. If you have received this e-mail in 
error, please immediately notify me by reply email and permanently delete the 
original and any copy of this e-mail and any printout thereof.



