Best practices to secure product related websites


This article applies to:

  • Trustwave MailMarshal (SEG)
  • Trustwave ECM/MailMarshal Exchange
  • SEG Service Provider Edition/MailMarshal SPE
  • Marshal Reporting Console
  • All web sites created by the products

Question:

  • What are the recommended practices for secure (HTTPS) access to product websites?

Information:

Trustwave recommends disabling SSLv2 and SSLv3 on all web servers that provide service for the named products (such as SQM/end user spam and quarantine management, remote consoles, and reporting consoles) when those sites are secured with HTTPS. These protocol versions are old and have known vulnerabilities. For example, CVE-2014-3566 ("POODLE") is a vulnerability in the SSLv3 protocol that potentially allows an attacker to view the plain text of encrypted material.

  • Some regulatory frameworks and companies are recommending and even requiring that TLSv1.0 and TLSv1.1 be disabled as well.

Notes:

For technical details of how to disable SSLv2 and SSLv3 on Windows servers, refer to Microsoft documentation.

  • See Microsoft Knowledge Base article 245030.
  • A more detailed explanation can be found in this TechNet blog post.
  • A free third-party tool that may help simplify the process, for any version of TLS/SSL, is IISCrypto from Nartac Software.
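As an added example (not from this article, Microsoft, or Nartac), the following PowerShell script applies the server-side SChannel registry settings that Microsoft KB 245030 describes, disabling SSLv2 and SSLv3 (and optionally TLSv1.0 and TLSv1.1) while keeping TLS 1.2 enabled, then reports the resulting state of each protocol. The registry path and the `Enabled`/`DisabledByDefault` value names are the documented SChannel ones; the function names and the `$DisableTls10And11` switch are this example's own.

```powershell
# Added example: disable legacy SChannel protocols for the HTTPS server side.
# Registry layout follows Microsoft KB 245030. Run in an elevated PowerShell
# session and reboot afterwards, because SChannel reads these keys at start-up.
# Set -DisableTls10And11 $true only after confirming every client that reaches
# the site (browsers, remote consoles, reporting consoles) supports TLS 1.2.
param([bool]$DisableTls10And11 = $false)

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy = @('SSL 2.0', 'SSL 3.0')
if ($DisableTls10And11) { $legacy += @('TLS 1.0', 'TLS 1.1') }

function Set-SchannelServerProtocol {
    param([string]$Protocol, [bool]$Enabled)
    # Only the Server subkey is touched: it governs connections the server
    # accepts. The Client subkey affects outbound connections and is left alone.
    $key = Join-Path (Join-Path $base $Protocol) 'Server'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it off for
    # applications that do not explicitly request a protocol list.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
        -Value ([int](-not $Enabled)) -Force | Out-Null
}

function Get-SchannelServerProtocolState {
    param([string]$Protocol)
    $key = Join-Path (Join-Path $base $Protocol) 'Server'
    if (-not (Test-Path $key)) { return 'not configured (OS default applies)' }
    $p = Get-ItemProperty -Path $key
    if ($p.Enabled -eq 0) { return 'disabled' }
    return 'enabled'
}

foreach ($proto in $legacy) { Set-SchannelServerProtocol -Protocol $proto -Enabled $false }
# TLS 1.2 must stay available so the HTTPS sites keep working after the reboot.
Set-SchannelServerProtocol -Protocol 'TLS 1.2' -Enabled $true

# Report the state of every protocol version so the change can be verified
# before rebooting and again afterwards.
foreach ($proto in @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')) {
    '{0,-8} server: {1}' -f $proto, (Get-SchannelServerProtocolState -Protocol $proto)
}
```

After the reboot, confirm from a separate host that an SSLv3-only handshake to the product site is refused while a TLS 1.2 handshake succeeds.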


Last Modified 2/28/2023.
https://support.trustwave.com/kb/KnowledgebaseArticle19998.aspx