Solved

PCI compliance SBS 2003 DMZ

Posted on 2008-11-19
Last Modified: 2012-05-05
I have a site which requires to be PCI compliant.
It contains an SBS 2003 server providing DC / Exchange OWA / File and Print. There is no DMZ.

Due to OWA it looks like it requires to be located in a DMZ; I would be grateful if anyone with experience of the above could assist.

Does that sound right? Are there issues with placing an SBS 2003 server in a DMZ? Does SBS 2003 blow the one-function-per-server rule for PCI compliance?

Many thanks
Question by: dbhsupport

12 Comments

Expert Comment by: Michael Worsham
ID: 23000397
PCI compliance is required for credit card payments. The SBS platform really wasn't designed for PCI compliance nor Sarbanes-Oxley (sox) either. However, there is a blog/thread that explains what needs to be done for allowing an SBS server to be PCI compliant.

Disabling SSL 2.0 for PCI compliance
http://msmvps.com/blogs/bradley/archive/2007/07/01/disabling-ssl-2-0-for-pci-compliance.aspx

Author Comment by: dbhsupport
ID: 23002156
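Added example, not from the thread or the linked blog post: a PowerShell script that audits the Schannel protocol registry keys for SSL 2.0 and, when run with -Fix, sets Enabled to 0 on the server and client side so that a later vulnerability scan no longer reports the protocol. It assumes the standard Schannel key path under HKLM shown in the script, that it is run from an elevated session, and that the box is rebooted afterwards, since Schannel reads these keys at startup. Key names other than "Enabled" are deliberately left alone because their availability varies by Windows version.

```powershell
# Added example: audit (and optionally disable) SSL 2.0 in Schannel.
# Assumes the standard Schannel protocol key path; run elevated, reboot after -Fix.
param([switch]$Fix)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# Add 'SSL 3.0' here if a scan flags it as well; same key layout applies.
$protocols = @('SSL 2.0')

foreach ($proto in $protocols) {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$proto\$side"
        $enabled = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($props -ne $null) { $enabled = $props.Enabled }
        }

        # A missing key or missing value means the protocol is still on by default.
        if ($enabled -eq 0) { $state = 'disabled' } else { $state = 'ENABLED' }
        Write-Output ("{0,-8} {1,-6} {2}" -f $proto, $side, $state)

        if ($Fix -and ($enabled -ne 0)) {
            # Create the key chain if absent, then force Enabled to DWORD 0.
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
            Write-Output ("  -> Enabled=0 written under {0} (reboot required)" -f $key)
        }
    }
}
```

Run it once without -Fix to record the current state for the audit trail, then with -Fix and a reboot, then re-run the external scan to confirm the finding is gone rather than relying on the registry alone.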
Thanks, the vulnerability scan we ran highlighted the SSL 2 issue.
Do you know if applying that fix means the SBS 2003 box (due to its web-facing app OWA) does not have to go into the DMZ?

Any info on whether the SBS is permitted at all with the only-one-function-per-server rule?

Expert Comment by: Michael Worsham
ID: 23004768
If you add the SBS to your DMZ, you are pretty much allowing every open port on the server to be exposed, thus will be against the PCI compliance rules. The server needs to be heavily firewalled (only certain ports available externally) and audited to be seen as PCI compliant.

Expert Comment by: MightySW
ID: 23019846
I need to ask you one question... Does that server process, transmit or store credit card information?
If not then it is considered to be not in scope. If you have data on it then it will simply need to be encrypted and you will need a policy that states several things about why the data is there. If it is there then again it will need to be encrypted and you will need a hardening policy for your server. You will also need all kinds of controls for remote users (like RSA) and have IDS/IPS external on your DMZ interface.

Please ask away as I am VERY confident that I can pretty much tell you what YOU will need to do to become PCI compliant. Boxes are usually not the problem when it comes to PCI compliance. It is all just risk assessment and policy. PCI is just a way to mitigate liability.

We really just need to see if that server is in scope. The fact that it is SBS 2003 does not matter at all as long as there are security hardening standards that are being met (like the Center for Internet Security standards).

Please let me know as I will be more than happy to help. I am an up and coming QSA/CISM.

Thanks

Author Comment by: dbhsupport
ID: 23027273
Thanks for your help.

The SBS server should hold no credit card data, but it is on the same network as servers which have an application that does hold and store credit card data.

The only remote users on the SBS server are OWA users.

Expert Comment by: MightySW
ID: 23028872
Ok, no problem then. How many other systems are in the card data environment (CDE)?

What you do is make a scope of systems that need to be protected or set to DMZ and then other systems that are 'Out of Scope' like DCs, app servers, and workstations.

I am running a network, and I have scoped out 4 servers that are to be segmented in the CDE DMZ. I have them on another FW segment with a different IP scope. They are set with hardening standards from the Center for Internet Security. I have them on a 'dumb' switch off of that FW segment so I do not have to harden it to PCI standards. Every device at the store level is also in this same CDE DMZ. All of the servers have encrypted data. All of the non-console access is SSHv2 or SSL. These are just the basics of the flow.

You need to scope off that entire network that transmits, processes, and stores CC data. You mentioned that it is on the same network as the servers and devices that do this... well you sure as heck don't want to enforce 262 rules onto your entire network, right? Again, PCI compliance is just a liability standard. It doesn't mean that you aren't going to get breached, it just means that if you do then you will have the VISA required level of safeguards to protect and not be subject to punitive fines.

Unless you are a level 1 merchant or a level 1 or 2 service provider then you can self assess and then just turn in the Self Assessment Questionnaire, and the results of the external scans of the IN SCOPE networks (stores included). If your stores (if you are a merchant) take CCs and then just send the information straight to Verifone or something and then just report back to the POS that the transaction was fine then you should be good to go on the store level. However, if they process that CC data across your WAN over VPN then you have to get external scans for ALL of your stores and the IN SCOPE area of your segmented systems. If you have a web facing server that S, T, P credit card data (like your web site or something) then you will need an application firewall in between it and the internet. And most importantly, the systems in the CDE DMZ cannot be accessible via the internet. If they are then there has to be an application firewall in between them and the internet, and they are expensive!

This is all just trivial. I don't know your entire situation and I would only assume that you are a level 4 merchant since levels 1-3 as of this year had to be fully compliant according to VISA. Level 4s are dictated by their banks and you are subject to their rule as VISA only states that it is 'strongly recommended' that we are PCI compliant.

You can read more at www.pcisecuritystandards.org and http://usa.visa.com/merchants/risk_management/cisp.html?ep=v_sym_cisp

Please, I am an open book here. Please ask as many questions as you have.

HTH

Author Comment by: dbhsupport
ID: 23036281
Thanks for this. You are correct, we are level 4, Self Assessment Questionnaire type D.

Sadly the SBS 2003 server is the DC which provides the logins for the PCs which access the CCD servers.

My understanding is they are in scope then. It is not a large network, 7 PCs. There is no user WAN access to the CCD system. Some remote support of the credit card storing application is required.

Here's where I think I am:

I have to harden the SBS 2003 to a required standard (Center for Internet Security).
Move the SBS 2003 to a DMZ to allow the OWA component to be used. Is there any technical issue with the DC being in the DMZ?

Grateful for your thoughts.
 
LVL 29

Expert Comment

by:Michael Worsham
ID: 23038729
Since there are limitations to the SBS environment, you might be better looking at the Transition Pack:

Windows Small Business Server 2003 R2 Transition Pack
http://www.microsoft.com/windowsserver2003/sbs/techinfo/planning/transition.mspx

Expert Comment by: MightySW
ID: 23047018
Hi there, sorry I haven't responded in a while. I have been crazy busy.

You will not have to put anything into a DMZ. Outlook Web Access is web facing email on a server that does not store, process, or transmit CC data, therefore out of scope.

The only thing that you should have to do is identify the applications that the users are using and see how the CC data is accessed. If the users go right over the internet and just grab some info from a website, and that service provider is PCI compliant, then you are PCI compliant as your environment doesn't STP CC data! Just because those PCs go out to an internet application and do something with the business doesn't mean that everything that they touch is in scope. As a matter of fact, it doesn't really sound like you will have to do anything to your server.

Now, if the business is something where the data is stored or processed through the server then you would have to implement 2 factor authentication. You can go to www.rsa.com for information on this. In order for users to access CC data in a Card Data Environment, the data has to be encrypted, their session has to be encrypted, the server cannot be directly connected to the internet and they (really only remote administrators) will require 2 factor authentication.

Doesn't sound like you have this.

What is your business flow like? Are you at liberty to describe it here? Did I touch it all?

Thanks, and sorry for the slow response. I don't know what my week will be like, but I will be around on Friday and next week at night. But continue to post.

Expert Comment by: MightySW
ID: 23047108
From your post I am imagining something like this:

[attachment: Drawing1.jpg]

Author Comment by: dbhsupport
ID: 23075938
Thanks for the info - still digesting, I will get back.

Accepted Solution by: MightySW (earned 2000 total points)
ID: 23078036
I hate to throw all of this out at you, but there are simply NO cut and dry answers to PCI compliance as it is simply risk assessment compliance. Whatever you interpret the rules to be then that's what they are. Now the bank may have another idea and this is where QSAs, CISAs, and CISMs come into play. They can interpret the steps, and then give out detailed steps and what we call remediation roadmaps for full compliance. Just remember that all you have to submit to the bank are the external scans of your networks (in scope), and the self assessment questionnaire. Now you could just answer yes to absolutely everything and just pray that you don't suffer a breach, but if you do then your company will not only be subject to punitive fines, but also a PR nightmare.

Just post again if you need some more assistance.

I would be happy to make some suggestions for QSAs in your area that could assess your network and flow.

HTH