Lync 2010 - POODLE vulnerability?

Answers

  • In the "Protocols Enabled" box you just need to uncheck SSL 3.0. You should also uncheck SSL 2.0, if it is enabled.

    On Windows 2008 and 2008 R2 systems, TLS 1.1 and TLS 1.2 are not enabled. You should enable those too, since TLS 1.2 is the latest. I believe 2012 and 2012 R2 systems already have those enabled.

    You should not need to change anything else.


    Ed

    • Marked as answer by totalnet32 Thursday, October 23, 2014 11:01 PM
    Saturday, October 18, 2014 9:59 PM
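The accepted answer's changes, as an added PowerShell example that is not from this thread or from IIS Crypto: it writes the Schannel registry values that KB 187498 describes (disable SSL 2.0 and SSL 3.0, enable TLS 1.1 and TLS 1.2) and reads the server-side state back so the result can be verified. It assumes an elevated prompt and that a reboot will follow, since Schannel reads these keys at startup.

```powershell
# Added example (not the thread's or IIS Crypto's own code).
# Schannel protocol settings live under this key on Windows Server 2008/2008 R2 and later.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'SSL 3.0', 'TLS 1.2'
        [Parameter(Mandatory)][bool]$Enabled
    )
    # Both the Server and Client subkeys are set, matching what the IIS Crypto checkbox does.
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $base $Protocol) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the protocol off; DisabledByDefault=1 stops Schannel offering it
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# The answer's recipe: uncheck SSL 2.0 and SSL 3.0, enable TLS 1.1 and TLS 1.2.
'SSL 2.0', 'SSL 3.0' | ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enabled $false }
'TLS 1.1', 'TLS 1.2' | ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enabled $true }

function Get-SchannelProtocolState {
    # Reads the Server-side values back; 'default' means no key exists and the OS default applies.
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = Join-Path (Join-Path $base $p) 'Server'
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $p
            Enabled           = if ($null -eq $v) { 'default' } else { $v.Enabled }
            DisabledByDefault = if ($null -eq $v) { 'default' } else { $v.DisabledByDefault }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

After the reboot, SSL 3.0 should show Enabled = 0 and DisabledByDefault = 1 while TLS 1.1 and TLS 1.2 show the reverse; TLS 1.0 is left untouched, as the answer says nothing else needs changing.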

All replies

  • POODLE affects SSLv3 or version 3 of the Secure Sockets Layer protocol, which is used to encrypt traffic between a browser and a web site or between a user’s email client and mail server.

    The Edge server doesn't provide any Web services, so it's not the Edge server.

    The Lync FE caters to http\https traffic.

    This is a man-in-the-middle kind of attack; not sure what the hacker will gain by presenting you a Lync Meeting page or a Lync dial-in page.


    As a server [administrator], you probably don’t need to panic if your customers are coming in over home connections. Only if they’re coming in over [something like] a Starbucks Wi-Fi

    POODLE targets the clients.


    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer" Regards Edwin Anthony Joseph

    Friday, October 17, 2014 2:50 AM
  • Hi totalnet32,

    The POODLE attack (which stands for Padding Oracle On Downgraded Legacy Encryption) is an exploit which takes advantage of web browsers' fallback to SSL 3.0.

    You would not worry about the Lync servers.

    Best regards,

    Eric

    Friday, October 17, 2014 7:29 AM
  • Not IIS on the front end server?

    Friday, October 17, 2014 1:28 PM
    It's a client-side attack, so user education is a must.

    Regards Edwin Anthony Joseph

    Friday, October 17, 2014 3:41 PM
  • You should disable SSL 3.0 (and 2.0) on all of your IIS servers (especially Internet facing). If you're using a reverse proxy, like TMG, you should also disable it there.

    You can find more information on how to do that in this article:

    http://support.microsoft.com/kb/187498

    I prefer to use IIS Crypto to do this:

    https://www.nartac.com/Products/IISCrypto/

    I'm still investigating whether this affects Lync Edge.


    Ed

    Friday, October 17, 2014 6:10 PM
  • I was looking at using iiscrypto.exe.

    Did you just select SSL 3.0 and uncheck everything else, including the SSL cipher suite order?

    Saturday, October 18, 2014 7:55 PM
  • Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability.

    Here are some guidelines on TechNet around it:

    https://technet.microsoft.com/en-us/library/security/3009008.aspx


    Regards Edwin Anthony Joseph

    Tuesday, October 21, 2014 4:56 AM