Version: 2.2.1

Environment vulnerability

In Microsoft environments, there are some obsolete protocols and settings, which SoftExpert Suite does not use, and which, for security reasons, Microsoft itself recommends disabling. SoftExpert is not responsible for the administration of the server and does not apply these settings. The customer must contact Microsoft's support to configure the server. Please note that these changes affect the server as a whole; if there are other applications hosted, they will be subject to these rules, and it is up to the customer to check that their applications will not be negatively impacted. Enabling or disabling such settings does not affect the functioning of our application, except for customer-specific customizations applied by SoftExpert. Therefore, it is not a requirement for its operation.

For communication to occur between a browser and a secure HTTPS website, there must be a standard Internet authentication protocol, such as SSL/TLS. These protocols can be classified as strong and weak, and comprise types of encryption, key exchange algorithms, and hash functions.

Protocols

The standard Internet authentication protocols that are already deprecated, and kept only to support legacy systems when no other option is available, are PCT v.1.0, SSL v.2, SSL v.3, and TLS v.1.0.

Currently, these weak protocols can be disabled through Microsoft's Secure Channel (Schannel) settings.

▪ If possible, keep the PCT v.1.0 protocol disabled.

▪ If possible, keep the SSL v.2.0 protocol disabled.

▪ If possible, keep the SSL v.3.0 protocol disabled.

▪ If possible, keep the TLS v.1.0 protocol disabled.

Cipher suites

Not all weak cipher suites are disabled by default in all Windows versions; check if it is possible to disable cipher suites based on:

▪ RC4

▪ RC2

▪ DES

▪ Null

Substitution cipher

One of the key exchange algorithms used when the parties establish communication has proved to be weak and more easily breakable, and it can be disabled on the server.

▪ If possible, keep the Diffie Hellman (DH, or DHE for key exchange) algorithm disabled.
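The following PowerShell script is an added example, not SoftExpert code, showing how the protocol, cipher and key exchange settings listed on this page are applied and checked through the Schannel registry keys. It assumes a Windows Server host, an elevated session, and that a reboot follows so Schannel reloads the values; the `Set-SchannelDword` and `Get-SchannelDword` helper names are the example's own.

```powershell
# Added example: disable the Schannel protocols, ciphers and key exchange
# algorithm this page lists, then read the values back. Run elevated and
# reboot afterwards. Only the server side of each protocol is changed here.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# The .NET registry API is used because cipher key names contain "/",
# which the PowerShell registry provider would treat as a path separator.
function Set-SchannelDword {
    param([string]$SubKey, [hashtable]$Values)
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$SubKey")
    foreach ($name in $Values.Keys) {
        $key.SetValue($name, [int]$Values[$name], [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    $key.Close()
}

function Get-SchannelDword {
    param([string]$SubKey, [string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return $null }   # key absent: the Windows default applies
    $value = $key.GetValue($Name)
    $key.Close()
    return $value
}

# Protocols: Enabled=0 plus DisabledByDefault=1 disables them for the server role
$protocols = 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0'
foreach ($proto in $protocols) {
    Set-SchannelDword "Protocols\$proto\Server" @{ Enabled = 0; DisabledByDefault = 1 }
}

# Cipher suites based on RC4, RC2, DES and NULL (key names as Schannel expects them)
$ciphers = 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128',
           'RC2 128/128', 'RC2 56/128', 'RC2 40/128', 'DES 56/56', 'NULL'
foreach ($cipher in $ciphers) {
    Set-SchannelDword "Ciphers\$cipher" @{ Enabled = 0 }
}

# Diffie-Hellman key exchange (DHE suites); ECDH is a separate key and is left enabled
Set-SchannelDword 'KeyExchangeAlgorithms\Diffie-Hellman' @{ Enabled = 0 }

# Read back what was written so the change can be verified before rebooting
foreach ($proto in $protocols) {
    $path = "Protocols\$proto\Server"
    '{0,-8} Enabled={1} DisabledByDefault={2}' -f $proto, (Get-SchannelDword $path 'Enabled'), (Get-SchannelDword $path 'DisabledByDefault')
}
foreach ($cipher in $ciphers) {
    '{0,-12} Enabled={1}' -f $cipher, (Get-SchannelDword "Ciphers\$cipher" 'Enabled')
}
'Diffie-Hellman Enabled={0}' -f (Get-SchannelDword 'KeyExchangeAlgorithms\Diffie-Hellman' 'Enabled')
```

Run the read-back part alone first to record the current state, since other applications on the same server share these settings.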