Hello!
One of our clients has reported the following two issues, flagged by their network security scanner tool. Based on the R&D I have done so far, these errors are not related to SharePoint; instead they just seem to be security loopholes in the security policies that the client has applied to all of their servers.
Identified Vulnerabilities

| No | Vulnerability | Rating | Description | Solution | Host/Application | IP Address: Port |
|---|---|---|---|---|---|---|
| 1 | SSL Certificate with wrong Host Name Cannot Be Trusted | Medium | The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. | Purchase or generate a proper certificate for this service. | SharePoint-WFE-1; SharePoint-WFE-2; SharePoint-APP-1; SharePoint-APP-2; SharePoint-SQL | xx.xxx.x.151:3389; xx.xxx.x.152:3389; xx.xxx.x.153:3389; xx.xxx.x.154:3389; xx.xxx.x.155:1433,3389 |
| 2 | SSL Certificate Chain Contains RSA Keys Less Than 2048 bits | Low | At least one of the X.509 certificates sent by the remote host has a key that is shorter than 2048 bits. According to industry standards set by the Certification Authority/Browser (CA/B) Forum, certificates issued after January 1, 2014 must be at least 2048 bits. | Replace the certificate in the chain with the RSA key less than 2048 bits in length with a longer key, and reissue any certificates signed by the old certificate. | SharePoint-SQL | xx.xxx.x.155:1433 |
Issue 1:
Based on my findings, I think this issue is directly related to port 3389, used by RDP. I believe that if RDP-Tcp is configured on port 443 with a trusted CA-signed certificate, the issue should be resolved.
The client and my colleagues in the Network team think differently and say that this issue is most probably caused by services that operate over HTTPS. I have checked all the SharePoint and SQL server(s) and could not find any web application or service that uses HTTPS (SSL).
The only web services I could find that have HTTPS bindings in IIS are the ones created by SharePoint (e.g. Secure Store Service). But these services use port 3384, not 3389.
Issue 2:
From the R&D I have done so far on this issue, it seems that it can be fixed by identifying certificates that are using an RSA key of less than 1024 bits and increasing their minimum length to 2048.
I found the solution in this TechNet article.
I would really appreciate it if someone could shed further light on these issues.
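As an added example (not part of the original post), the following PowerShell inventory, run elevated on each listed server, shows which certificate the RDP-Tcp listener is bound to and checks every machine-store certificate for the two scanner findings: an untrusted chain or a subject/SAN that does not match the server FQDN, and an RSA key shorter than 2048 bits. It assumes PowerShell 5.1 on Windows Server and the listener name `RDP-Tcp`.

```powershell
# Added example, not code from the original post. Run elevated on each server.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Thumbprint of the certificate the RDP listener presents on 3389 (Terminal Services WMI)
$rdp = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
           -Filter "TerminalName='RDP-Tcp'"
$rdpThumb = $rdp.SSLCertificateSHA1Hash

function Test-ServerCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Store
    )
    # Collect the names the certificate is valid for: CN plus any DNS entries in subjectAltName
    $names = @($Cert.GetNameInfo('SimpleName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',') | ForEach-Object { ($_ -split '=')[-1].Trim() }
    }
    $bits = $Cert.PublicKey.Key.KeySize
    [pscustomobject]@{
        Store        = $Store
        Thumbprint   = $Cert.Thumbprint
        Subject      = $Cert.Subject
        Issuer       = $Cert.Issuer
        KeyBits      = $bits
        KeyTooShort  = ($bits -lt 2048)               # finding 2: RSA key under 2048 bits
        ChainTrusted = $Cert.Verify()                 # finding 1: chain not signed by a trusted CA
        NameMatches  = ($names -contains $fqdn)       # finding 1: wrong host name
        UsedByRdp    = ($Cert.Thumbprint -eq $rdpThumb)
        NotAfter     = $Cert.NotAfter
    }
}

# The default self-signed RDP certificate lives in the "Remote Desktop" store, CA-issued ones in "My"
$results = foreach ($store in 'My', 'Remote Desktop') {
    Get-ChildItem "Cert:\LocalMachine\$store" | ForEach-Object { Test-ServerCert -Cert $_ -Store $store }
}
$results | Sort-Object UsedByRdp -Descending | Format-Table -AutoSize
```

Any row with `UsedByRdp = True` and `ChainTrusted = False` or `NameMatches = False` explains finding 1 on 3389 without any HTTPS site being involved. If no certificate in either store is the one SQL Server uses on 1433, the instance is falling back to its own auto-generated self-signed certificate, which this store inventory cannot see and which must be replaced through SQL Server Configuration Manager.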