PCI compliance SBS 2003 DMZ

I have a site which requires to be PCI compliant.
It contains an SBS 2003 server providing DC / Exchange OWA / File and Print. There is no DMZ.

Due to OWA it looks like it needs to be located in a DMZ; I would be grateful if anyone with experience of the above could assist.

Does that sound right? Are there issues with placing an SBS 2003 server in a DMZ? Does SBS 2003 break the one-function-per-server rule for PCI compliance?

Many thanks

Michael Worsham (Staff Infrastructure Architect) commented:
PCI compliance is required for credit card payments. The SBS platform really wasn't designed for PCI compliance nor Sarbanes-Oxley (sox) either. However, there is a blog/thread that explains what needs to be done for allowing an SBS server to be PCI compliant.

Disabling SSL 2.0 for PCI compliance
dbhsupport (Author) commented:
Thanks, the vulnerability scan we ran highlighted the SSL 2 issue.
Do you know if applying that fix means:

the SBS 2003 box (due to its web-facing app OWA) does not have to go into the DMZ?

Any info on whether the SBS is permitted at all under the only-one-function-per-server rule?

Michael Worsham (Staff Infrastructure Architect) commented:
If you add the SBS to your DMZ, you are pretty much allowing every open port on the server to be exposed, which will be against the PCI compliance rules. The server needs to be heavily firewalled (only certain ports available externally) and audited to be seen as PCI compliant.

I need to ask you one question... Does that server process, transmit or store credit card information?  
If not then it is considered to be not in scope. If you have data on it then it will simply need to be encrypted and you will need a policy that states several things about why the data is there. If it is there then again it will need to be encrypted and you will need a hardening policy for your server. You will also need all kinds of controls for remote users (like RSA) and have IDS/IPS external on your DMZ interface.

Please ask away as I am VERY confident that I can pretty much tell you what YOU will need to do to become PCI compliant. Boxes are usually not the problem when it comes to PCI compliance. It is all just risk assessment and policy. PCI is just a way to mitigate liability.

We really just need to see if that server is in scope.  The fact that it is SBS2003 does not matter at all as long as there are security hardening standards that are being met (like the Center for Internet Security standards).

Please let me know as I will be more than happy to help.  I am an up and coming QSA/CISM.  

dbhsupport (Author) commented:
Thanks for your help.

The SBS server should hold no credit card data, but it is on the same network as servers which have an application that does hold and store credit card data.

The only remote users on the SBS server are OWA users.

Ok, no problem then.  How many other systems are in the card data environment (CDE)?

What you do is make a scope of systems that need to be protected or set to DMZ and then other systems that are 'Out of Scope' like DC's, app servers, and workstations.

I am running a network, and I have scoped out 4 servers that are to be segmented in the CDE DMZ.  I have them on another FW segment with a different IP scope.  They are set with hardening standards from the Center for Internet Security.  I have them on a 'dumb' switch off of that FW segment so I do not have to harden it to PCI standards.  Every device at the store level is also in this same CDE DMZ.  All of the servers have encrypted data.  All of the non-console access is SSHv2 or SSL.  These are just the basics of the flow.

You need to scope off that entire network that Transmits, Processes, and stores CC data.  You mentioned that it is on the same network as the servers and devices that do this...well you sure as heck don't want to enforce 262 rules onto your entire network right?  Again, PCI compliance is just a liability standard.  It doesn't mean that you aren't going to get breached, it just means that if you do then you will have the VISA required level of safeguards to protect and not be subject to punitive fines.

Unless you are a level 1 merchant or a level 1 or 2 service provider then you can self-assess and then just turn in the Self Assessment Questionnaire, and the results of the external scans of the IN SCOPE networks (stores included). If your stores (if you are a merchant) take CCs and then just send the information straight to VeriFone or something and then just report back to the POS that the transaction was fine then you should be good to go on the store level. However, if they process that CC data across your WAN over VPN then you have to get external scans for ALL of your stores and the IN SCOPE area of your segmented systems. If you have a web facing server that S, T, P credit card data (like your web site or something) then you will need an application firewall in between it and the internet. And most importantly, the systems in the CDE DMZ cannot be accessible via the internet. If they are then there has to be an application firewall in between them and the internet and they are expensive!

This is all just trivial.  I don't know your entire situation and I would only assume that you are a level 4 merchant since level 1-3 as of this year had to be fully compliant according to VISA.  Level 4's are dictated by their banks and you are subject to their rule as VISA only states that it is 'strongly recommended' that we are PCI compliant.  

You can read more at www.pcisecuritystandards.org and http://usa.visa.com/merchants/risk_management/cisp.html?ep=v_sym_cisp

Please, I am an open book here.  Please ask as many questions as you have.
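The scoping exercise described in the post above (CDE systems, the "out of scope" remainder, and the rule that nothing in the CDE may be reachable from the internet) can be checked mechanically against a firewall policy. The script below is an added example, not code from this thread or from any PCI tool: the hosts, segments and rules are constructed, the policy is modelled as an ordered first-match list with default deny, and it applies the PCI DSS scoping rule that a system which can connect into the CDE is itself in scope (a "connected-to" system), which is the reason the original poster's DC ends up in scope even though it holds no card data.

```python
"""Constructed PCI DSS scoping check: classify hosts as CDE, connected-to
(in scope through connectivity) or out of scope, and flag CDE hosts that the
firewall policy exposes to the internet. All hosts and rules are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    segment: str
    handles_card_data: bool   # stores, processes or transmits cardholder data


@dataclass(frozen=True)
class Rule:
    src: str                  # source CIDR; 0.0.0.0/0 means "anyone, internet included"
    dst: str                  # destination CIDR
    port: Optional[int]       # None means any port
    action: str               # "allow" or "deny"


# Constructed inventory modelled on the thread: a CDE segment holding the card
# application, and an office segment with the SBS box (DC/OWA), PCs and a printer.
HOSTS = [
    Host("pos-app", "10.20.0.10", "cde", True),
    Host("pos-db", "10.20.0.11", "cde", True),
    Host("sbs2003", "10.10.0.5", "office", False),
    Host("pc1", "10.10.0.50", "office", False),
    Host("printer", "10.10.0.200", "office", False),
]

# Constructed ordered firewall policy (first match wins, default deny).
RULES = [
    Rule("0.0.0.0/0", "10.10.0.5/32", 443, "allow"),       # OWA published to the internet
    Rule("10.10.0.200/32", "10.20.0.0/24", None, "deny"),  # printer may never talk to the CDE
    Rule("10.10.0.0/24", "10.20.0.10/32", 8443, "allow"),  # office PCs use the card application
    Rule("0.0.0.0/0", "10.20.0.11/32", 3389, "allow"),     # vendor support RDP straight from the internet
]

# RFC 5737 documentation address standing in for "some host on the internet".
INTERNET_PROBE = "203.0.113.7"


def first_match(rules, src_ip, dst_ip, port):
    """Evaluate the policy for one flow; True if an allow rule matches first."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and (r.port is None or r.port == port):
            return r.action == "allow"
    return False  # default deny


def allowed_ports_to(rules, dst_ip):
    """Ports named by allow rules whose destination covers dst_ip (None = any)."""
    d = ip_address(dst_ip)
    return {r.port for r in rules if r.action == "allow" and d in ip_network(r.dst)}


def connected_to_cde(hosts, rules):
    """Non-CDE hosts that the policy lets initiate a connection into the CDE."""
    cde = [h for h in hosts if h.handles_card_data]
    connected = set()
    for h in hosts:
        if h.handles_card_data:
            continue
        for c in cde:
            if any(first_match(rules, h.ip, c.ip, p) for p in allowed_ports_to(rules, c.ip)):
                connected.add(h.name)
                break
    return sorted(connected)


def internet_exposed_cde(hosts, rules):
    """(host, port) pairs where a CDE system is reachable from the internet."""
    findings = []
    for c in hosts:
        if not c.handles_card_data:
            continue
        for p in sorted(allowed_ports_to(rules, c.ip), key=lambda x: -1 if x is None else x):
            if first_match(rules, INTERNET_PROBE, c.ip, p):
                findings.append((c.name, p))
    return findings


def scope_report(hosts, rules):
    """Full scoping summary for an inventory and policy."""
    cde = sorted(h.name for h in hosts if h.handles_card_data)
    connected = connected_to_cde(hosts, rules)
    out = sorted(h.name for h in hosts if h.name not in cde and h.name not in connected)
    return {
        "cde": cde,
        "connected_to": connected,
        "out_of_scope": out,
        "internet_exposed_cde": internet_exposed_cde(hosts, rules),
    }


if __name__ == "__main__":
    for key, value in scope_report(HOSTS, RULES).items():
        print(f"{key}: {value}")
```

On the constructed data the SBS box and the PC land in scope as connected-to systems because the office segment may reach the card application on 8443, the printer stays out of scope because its deny rule sits above that allow, and the vendor RDP rule is reported as an internet-exposed CDE host, the exact condition the post says is not permitted without an application firewall in front of it. The same evaluation applied to a real exported ruleset is a quick way to confirm that a segmentation design actually keeps the CDE off the internet before an external scan does it for you.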

dbhsupport (Author) commented:
Thanks for this, you are correct we are level 4, self assessment questionnaire type D.

Sadly the SBS 2003 server is the DC which provides the logins for the PCs which access the CCD servers.

My understanding is they are in scope then; it is not a large network, 7 PCs. There is no user WAN access to the CCD system. Some remote support of the credit card storing application is required.

Here's where I think I am:

I have to harden the SBS 2003 to a required standard (Centre for Internet Security).
Move the SBS 2003 to a DMZ to allow the OWA component to be used. Is there any technical issue with the DC being in the DMZ?

Grateful for your thoughts.

Michael Worsham (Staff Infrastructure Architect) commented:
Since there are limitations to the SBS environment, you might be better looking at the Transition Pack:

Windows Small Business Server 2003 R2 Transition Pack
Hi there, sorry I haven't responded in a while.  I have been crazy busy.  

You will not have to put anything into a DMZ.  Outlook Web Access is web facing email on a server that does not store, process, or transmit CC data, therefore out of scope.  

The only thing that you should have to do is identify the applications that the users are using and see how the CC data is accessed. If the users go right over the internet and just grab some info from a website, and that service provider is PCI compliant then you are PCI compliant as your environment doesn't STP CC data! Just because those PCs go out to an internet application and do something with the business doesn't mean that everything that they touch is in scope. As a matter of fact, it doesn't really sound like you will have to do anything to your server.

Now, if the business is something where the data is stored or processed through the server then you would have to implement 2 factor authentication. You can go to www.rsa.com for information on this. In order for users to access CC data in a Card Data Environment, the data has to be encrypted, their session has to be encrypted, the server cannot be directly connected to the internet and they (really only remote administrators) will require 2 factor authentication.

Doesn't sound like you have this.

What is your business flow like?  Are you at liberty to describe it here? Did I touch it all?

Thanks, and sorry for the slow response.  I don't know what my week will be like, but I will be around on Friday and next week at night.  But continue to post.
From your post I am imagining something like this to this:

dbhsupport (Author) commented:
Thanks for the info - still digesting, I will get back.

I hate to throw all of this out at you, but there are simply NO cut and dry answers to PCI compliance as it is simply risk assessment compliance. Whatever you interpret the rules to be then that's what they are. Now the bank may have another idea and this is where QSAs, CISAs, and CISMs come into play. They can interpret the steps, and then give out detailed steps and what we call remediation roadmaps for full compliance. Just remember that all you have to submit to the bank are the external scans of your networks (in scope), and the self assessment questionnaire. Now you could just answer yes to absolutely everything and just pray that you don't suffer a breach, but if you do then your company will not only be subject to punitive fines, but also a PR nightmare.

Just post again if you need some more assistance.  

I would be happy to make some suggestions for QSAs in your area that could assess your network and flow.
