Passing PCI Compliance Scan with SBS 2003

If you manage a Small Business Server 2003 and it is scanned for PCI compliance, there are several changes you must make before it will pass. I can take no credit for discovering any of these fixes or workarounds, but there is no single place that collects all of the information you need, so I have put it together in this article. Complete all of the steps, then reboot the server; the SCHANNEL registry changes below do not take effect until a restart. (You can restart IIS after each step, but I recommend simply doing all of them and then rebooting.) If you are comfortable with the tools, you can run your own scan to verify the changes: Nessus (http://www.nessus.org) is free to download and use for 14 days.

I STRONGLY recommend that you back up your entire server before you begin, and back up or export any files and registry keys that you change while following these instructions.

Audit issue 1: SSL Weak Cipher Suites Supported

Description from Audit:
The remote service supports the use of weak SSL ciphers.
The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.


Click Start|Run, type regedit, and click OK.
Navigate to the following key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
For each of the following subkeys: RC2 40/128, RC4 40/128, and RC4 56/128, do the following:
Right-click in the right-hand pane, create a DWORD value named "Enabled", and leave it at the default value of 0. It must be a DWORD (REG_DWORD), not a string value: 0 disables the suite, a non-zero value enables it.

The audit description also covers suites with no encryption at all. If the scanner still reports this item after the reboot, set the same Enabled value to 0 under the NULL subkey (no encryption) and the DES 56/56 subkey (the same 56-bit strength as RC4 56/128), which live in the same Ciphers key. Note that this key governs the server's own outbound SSL/TLS connections as well, so it will refuse these suites as a client too.

Audit issue 2: SSL Version 2 (v2) Protocol Detection

Description from Audit:
The remote service encrypts traffic using a protocol with known weaknesses.
The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit
these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.


Click Start|Run, type regedit, and click OK.
Navigate to the following key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server (create the SSL 2.0 and Server subkeys if they are not already there).
Right-click in the right-hand pane, create a DWORD value named "Enabled", and leave it at the default value of 0.
This turns off only the server side of SSL 2.0, which is all the scan checks; the matching SSL 2.0\Client key controls the server's outbound connections and can be left alone. Only clients that can speak nothing newer than SSL 2.0 are affected.

Audit issue 3: Microsoft Outlook Web Access (OWA) owalogon.asp Redirection Account Enumeration

Description from Audit:
The remote web server is affected by a URL injection vulnerability.
The remote host is running Microsoft Outlook Web Access 2003. Due to a lack of sanitization of the user input, the remote version of this software is vulnerable to URL injection that can be exploited to redirect a user to a different, unauthorized web server after authenticating to OWA. This unauthorized site could be used to capture sensitive information by appearing to be part of the web application.


The OWA logon page reads the post-logon destination from the url query string parameter and redirects to it without checking it, so an attacker can send a user a logon link that lands them on a look-alike site after they type their password. The workaround replaces the attacker-controlled value with a fixed destination.

Open C:\Program Files\Exchsrvr\exchweb\bin\auth\usa\logon.asp in Notepad. Go to line 54.
Find:              redirectPath = Request.QueryString("url")
Change to:    redirectPath = "https://mail.yourdomain.com/exchange"
Substitute mail.yourdomain.com with your Outlook Web Access address, and note the closing quotation mark. Exchange service packs and updates can replace logon.asp, so re-check this line after patching.
To test, use a computer from outside the network to connect to:
(substitute mail.yourdomain.com in the test address with your Outlook Web Access address)
Without the workaround, your browser will be redirected to Google.com
With the workaround, you will just see your OWA logon page

Audit issue 4: This web server leaks a private IP address through its HTTP headers.

Description from Audit:
This web server leaks a private IP address through its HTTP headers.
This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. There is a known issue with Microsoft IIS 4.0 doing this in its default configuration. This may also affect other web servers, web applications, web proxies, load balancers and through a variety of misconfigurations related to redirection.


Unless it has been told which host name to use, IIS builds the Content-Location header it returns with a default document from the server's own IP address, which on an SBS box is the internal one. Setting a host name on the web site makes IIS use that name instead.

Open a command prompt (Start|Run "cmd")
Type the following two commands (substituting your correct OWA address). w3svc/1 is the Default Web Site, which is where OWA runs on SBS 2003.
CD  C:\Inetpub\AdminScripts
cscript.exe adsutil.vbs set w3svc/1/SetHostName mail.mydomain.com
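The registry and IIS parts of the procedure (audit issues 1, 2 and 4) as one batch file, added here as an example; it is not from the original article. It uses only reg.exe and adsutil.vbs, which ship with Windows Server 2003, takes the registry backup recommended at the top before changing anything, and reads the values back at the end. The backup file name and the mail.yourdomain.com placeholder are assumptions; the logon.asp change in audit issue 3 is a file edit and is not scripted here.

```batch
@echo off
REM Added example, not from the original article: scripts audit issues 1, 2
REM and 4 with reg.exe and adsutil.vbs.  The logon.asp edit for issue 3 is
REM still done by hand.  Run from an administrator cmd prompt, then reboot.

setlocal
set SCHANNEL=HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
set BACKUP=%SystemDrive%\schannel-before-pci.reg
set OWAHOST=mail.yourdomain.com

REM --- Back up the whole SCHANNEL key first (file name is an assumption).
REM     Revert later with:  reg import %BACKUP%
if exist "%BACKUP%" del "%BACKUP%"
reg export "%SCHANNEL%" "%BACKUP%"
if errorlevel 1 (
    echo Could not back up %SCHANNEL%, stopping.
    exit /b 1
)

REM --- Audit issue 1: disable the weak cipher suites.  Enabled=0 as a
REM     REG_DWORD switches a suite off; /f overwrites an existing value.
for %%C in ("RC2 40/128" "RC4 40/128" "RC4 56/128") do (
    reg add "%SCHANNEL%\Ciphers\%%~C" /v Enabled /t REG_DWORD /d 0 /f
)

REM --- Audit issue 2: refuse SSL 2.0 on the server side only.
reg add "%SCHANNEL%\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f

REM --- Audit issue 4: give the Default Web Site (w3svc/1) a host name so
REM     IIS stops putting its internal IP into Content-Location headers.
pushd C:\Inetpub\AdminScripts
cscript.exe //nologo adsutil.vbs set w3svc/1/SetHostName %OWAHOST%

REM --- Read everything back.  Each Enabled line should show 0x0 and the
REM     last line should show the host name you set.
for %%C in ("RC2 40/128" "RC4 40/128" "RC4 56/128") do (
    reg query "%SCHANNEL%\Ciphers\%%~C" /v Enabled
)
reg query "%SCHANNEL%\Protocols\SSL 2.0\Server" /v Enabled
cscript.exe //nologo adsutil.vbs get w3svc/1/SetHostName
popd
endlocal
```

Save it as a .cmd file, replace mail.yourdomain.com with your OWA address, run it from an administrator command prompt, and then reboot so the SCHANNEL changes take effect before you re-run the scan.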

If everything went smoothly, OWA will still work after the server reboots and the PCI audit (Nessus) scan will come back clean on all four items. If an item still appears, check that the Enabled values are REG_DWORD rather than string values and that the server really was restarted, since the SCHANNEL changes do not take effect until it is.