I STRONGLY recommend you back up your entire server before you begin, and back up or export any files or registry keys that you change while following these instructions.
Audit issue 1: SSL Weak Cipher Suites Supported
Description from Audit:
The remote service supports the use of weak SSL ciphers.
The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
Workaround:
Click Start|Run, type regedit, and click OK.
Navigate to the following Key: HKLM\SYSTEM\CurrentControl
For each of the following subkeys: RC2 40/128, RC4 40/128, and RC4 56/128, do the following:
Right-click to create a DWORD value called "Enabled" and leave it at the default value of 0.
Audit issue 2: SSL Version 2 (v2) Protocol Detection
Description from Audit:
The remote service encrypts traffic using a protocol with known weaknesses.
The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
Workaround:
Click Start|Run, type regedit, and click OK.
Navigate to the following Key: HKLM\SYSTEM\CurrentControl
Right-click to create a DWORD value called "Enabled" and leave it at the default value of 0.
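Both registry workarounds above (the three weak-cipher subkeys from issue 1 and SSL 2.0 from issue 2) can be checked, and optionally applied, from PowerShell instead of regedit. This is an added example, not part of the original post; it assumes the standard SCHANNEL registry location (the post abbreviates the key path) and that the SSL 2.0 server-side setting lives under the Protocols\SSL 2.0\Server subkey.

```powershell
# Added example, not from the original post: audits (and with -Apply, creates) the
# "Enabled"=0 DWORD values that the two registry workarounds above describe.
# Assumption: the standard SCHANNEL location under
# HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL.
# The .NET registry API is used instead of New-Item/Test-Path because the
# PowerShell registry provider treats the "/" in "RC4 40/128" as a path separator.
param([switch]$Apply)

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$targets = @(
    "$schannel\Ciphers\RC2 40/128",
    "$schannel\Ciphers\RC4 40/128",
    "$schannel\Ciphers\RC4 56/128",
    "$schannel\Protocols\SSL 2.0\Server"   # assumed: server-side SSL 2.0 switch
)

$hklm = [Microsoft.Win32.Registry]::LocalMachine
foreach ($path in $targets) {
    $enabled = $null
    $key = $hklm.OpenSubKey($path, $false)
    if ($key) {
        $enabled = $key.GetValue('Enabled')   # $null when the value is absent
        $key.Close()
    }
    # A missing key or value means the Windows default applies, i.e. still on.
    $state = if ($enabled -eq 0) { 'disabled' } else { 'ENABLED (default)' }
    Write-Host ("{0,-82} {1}" -f "HKLM\$path", $state)

    if ($Apply -and $enabled -ne 0) {
        # CreateSubKey creates missing parents and returns the key writable.
        $key = $hklm.CreateSubKey($path)
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
        Write-Host '    -> Enabled set to 0 (SCHANNEL reads this at boot; reboot to apply)'
    }
}
```

Run it without -Apply first to see which items the scanner will still flag; run it from an elevated prompt with -Apply to create the values, then reboot as the post says.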
Audit issue 3: Microsoft Outlook Web Access (OWA) owalogon.asp Redirection Account Enumeration
Description from Audit:
The remote web server is affected by a URL injection vulnerability.
The remote host is running Microsoft Outlook Web Access 2003. Due to a lack of sanitization of the user input, the remote version of this software is vulnerable to URL injection that can be exploited to redirect a user to a different, unauthorized web server after authenticating to OWA. This unauthorized site could be used to capture sensitive information by appearing to be part of the web application.
Workaround:
Open a command prompt (Start|Run, type "cmd").
Type the following two commands (substituting your own OWA address):
CD C:\Inetpub\AdminScripts
cscript.exe adsutil.vbs set w3svc/1/SetHostName mail.mydomain.com
Audit issue 4: This web server leaks a private IP address through its HTTP headers.
Description from Audit:
This web server leaks a private IP address through its HTTP headers.
This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. There is a known issue with Microsoft IIS 4.0 doing this in its default configuration. This may also affect other web servers, web applications, web proxies, load balancers and through a variety of misconfigurations related to redirection.
Workaround:
Open C:\Program Files\Exchsrvr\exchweb\bin
Find: redirectPath = Request.QueryString("url")
Change to: redirectPath = "https://mail.yourdomain.c
To test, use a computer from outside the network to connect to:
https://mail.yourdomain.co
Replace mail.yourdomain.com with your Outlook Web Access address.
Without the workaround, your browser will be redirected to Google.com
With the workaround, you will just see your OWA logon page
If everything went smoothly, OWA still works after the server reboots, and you will pass the PCI audit (Nessus) scan.
JTG