Disabling 3DES for the Endpoint Protection Manager
Article ID: 165185
Updated On:
Products
Endpoint Protection
Issue/Introduction
Vulnerability testing performed on a server running the Symantec Endpoint Protection Manager (SEPM) may throw an alert for use of a weak 64-bit block cipher (3DES). To address this alert, and to mitigate against possible exploitation attacks against the weak cipher (such as SWEET32), it becomes necessary to disable the use of 3DES on the SEPM server.
Cause
3DES allows for legacy operating systems (XP and 2003) to communicate with a SEPM over TLS, however it is a vulnerable cipher and one which may need to be disabled by some organizations to comply with vulnerability scanning requirements.
Resolution
To disable 3DES for client communications and SEPM Reporting functions, please make the following changes:
1.) Create backups first, then edit the ssl.conf and sslForClients.conf files within the following path:
\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl
2.) Locate the following lines - the same lines will be found in both files:
####APACHE_DIRECTIVE_OVERRIDE for_12.1.2.2
SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNUL
3.) Make the following change, inserting a "bang" (!) before 3DES to disable that cipher - the same change will be made in both files:
####APACHE_DIRECTIVE_OVERRIDE for_12.1.2.2
SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNUL
4.) Save the changes made to each file.
5.) Reboot the SEPM server, or restart the Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager Webserver services.
6.) Re-run any vulnerability scans as needed to confirm that vulnerabilities relating to 64-bit block cipher are now resolved. (By default tests would be run against ports 443 for secure client communications, and port 8445 for SEPM Reporting.)
Note: Disabling 3DES in sslForClients.conf will prevent Windows XP and 2003 systems from communicating, even if these clients have had TLS enabled per TECH231025. If there are still managed XP and 2003 clients which need to maintain communication with the SEPM, it will be necessary to leave 3DES enabled in sslForClients.conf.
6.) Re-run any vulnerability scans as needed to confirm that vulnerabilities relating to 64-bit block cipher are now resolved. (By default tests would be run against ports 443 for secure client communications, and port 8445 for SEPM Reporting.)
Note: Disabling 3DES in sslForClients.conf will prevent Windows XP and 2003 systems from communicating, even if these clients have had TLS enabled per TECH231025. If there are still managed XP and 2003 clients which need to maintain communication with the SEPM, it will be necessary to leave 3DES enabled in sslForClients.conf.
To disable 3DES for internal SEPM server communications and web services:
- Create a backup of the following files
- .../tomcat/conf/server.xml
- .../tomcat/instances/sepm-api/conf/server.xml
- Edit .../tomcat/conf/server.xml
- Search for instances of "3DES" containd within strings that being with "SSLCipherSuite" (example below)
- SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:3DES:!RC4
- Add an exclamation point (!) before the "3DES" to disable that cipher (example below)
- SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4
- Save the file
- Search for instances of "3DES" containd within strings that being with "SSLCipherSuite" (example below)
- Repeat Step 2 for the file .../tomcat/instances/sepm-api/conf/server.xml
- Restart the following SEPM Services
- Symantec Endpoint Protection Manager
- Symantec Endpoint Protection Manager API Service
- Symantec Endpoint Protection Manager Webserver
Feedback
Yes
No
Powered by
