FAQ: Best practices to secure product related websites


This article applies to:

  • Trustwave MailMarshal (SEG)
  • Trustwave ECM/MailMarshal Exchange
  • SEG Service Provider Edition/MailMarshal SPE
  • Marshal Reporting Console
  • All web sites created by the products


  • What are the recommended practices for secure (HTTPS) access to product websites?


Trustwave recommends disabling SSLv2 and SSLv3 on all web servers that provide service for the named products (such as SQM/End user spam and quarantine management, remote consoles, and reporting consoles) when the sites are secured with HTTPS. These older protocol versions have known vulnerabilities. For example, CVE-2014-3566 ("Poodle") is a vulnerability in the SSLv3 protocol that potentially allows an attacker to view the plain text of encrypted material.

  • Some regulatory frameworks and companies recommend, and in some cases require, that TLSv1.0 and TLSv1.1 be disabled as well.


For technical details of how to disable SSLv2 and SSLv3 on Windows servers, refer to Microsoft documentation.

  • See Microsoft Knowledge Base article 245030.
  • A more detailed explanation can be found in this TechNet blog post.
  • A free third-party tool that might simplify the process, for any version of TLS/SSL, is IISCrypto from Nartac Software.
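
The registry change that the Microsoft documentation describes can also be audited and applied from an elevated PowerShell prompt. The script below is an added example, not a Trustwave or Microsoft script; the `-Disable` and `-Apply` parameters and the function names are this example's own, and the keys are the standard Schannel protocol keys under `HKLM`.

```powershell
# Added example: audit and disable legacy Schannel *server-side* protocols.
# Run elevated on the web server that hosts the product sites.
param(
    # Protocols to disable. The default follows the article's recommendation;
    # add 'TLS 1.0','TLS 1.1' where a regulatory framework requires it.
    [string[]]$Disable = @('SSL 2.0', 'SSL 3.0'),
    # Without -Apply the script only reports the current state.
    [switch]$Apply
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-ServerProtocolState([string]$Protocol) {
    $key   = Join-Path $base "$Protocol\Server"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # A missing key or value means Windows applies its built-in default,
    # which on older releases can still leave the protocol enabled.
    if ($null -eq $props -or $null -eq $props.Enabled) {
        return 'OS default (no explicit setting)'
    }
    if ($props.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-ServerProtocol([string]$Protocol) {
    $key = Join-Path $base "$Protocol\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=0 refuses the protocol; DisabledByDefault=1 stops it being offered.
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Report the state of every protocol version before changing anything.
foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    '{0,-8} before: {1}' -f $p, (Get-ServerProtocolState $p)
}

if ($Apply) {
    foreach ($p in $Disable) {
        Disable-ServerProtocol $p
        '{0,-8} after:  {1}' -f $p, (Get-ServerProtocolState $p)
    }
    'Restart the server for the Schannel changes to take effect.'
}
```

Run it once without `-Apply` to record the current state, then again with `-Apply`. After the restart, confirm from a client that the product sites still load over HTTPS.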

