Improve company productivity with a Business Account.Sign Up

x
?
Solved

Security Metrics PCI Scan Failure

Posted on 2010-09-20
7
Medium Priority
?
2,028 Views
Last Modified: 2012-05-10
We have had Security Metrics passing tests for the last four quarters.  The last passing quarterly compliance test was in June.  This time, September, we failed.  I am running four Server 2003 Standard SP2 servers, one of which is the Domain Controller, one is a Terminal Service server, on is a file/print server, and the fourth is a POS server  There have been no changes or any other disturbance in the force since the last test...
 
Here is the full content of each of the two SecurityMetrics fail messages:
Failure one:
Protocol  Port   Program    Risk Summary
  TCP       443     https              5
Synopsis : The remote web server is affected by an information disclosure vulnerability. Description : The remote host appears to be running a version of IIS which allows remote users to determine which authentication schemes are required for confidential web pages. That is, by requesting valid web pages with purposely invalid credentials, you can ascertain whether or not the authentication scheme is in use. This can be used for brute-force attacks against known USerIDs. See also : http://marc.info/?l=bugtraq m=101535399100534 w=2 Solution: If the application allows, disable any authentication methods that are not used in the IIS Properties interface. Risk Factor: Medium  / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSS Temporal Score : 5.0 (CVSS2#E:H/RL:U/RC:ND) CVE : CVE-2002-0419 BID : 4235 Other references : OSVDB:13426 -------------

Failure 2:
Protocol  Port   Program    Risk Summary
  TCP       80        http              5
Synopsis : The remote web server is affected by an information disclosure vulnerability. Description : The remote host appears to be running a version of IIS which allows remote users to determine which authentication schemes are required for confidential web pages. That is, by requesting valid web pages with purposely invalid credentials, you can ascertain whether or not the authentication scheme is in use. This can be used for brute-force attacks against known USerIDs. See also : http://marc.info/?l=bugtraq m=101535399100534 w=2 Solution: If the application allows, disable any authentication methods that are not used in the IIS Properties interface. Risk Factor: Medium  / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSS Temporal Score : 5.0 (CVSS2#E:H/RL:U/RC:ND) CVE : CVE-2002-0419 BID : 4235 Other references : OSVDB:13426
---------
I beat these guys back a year ago from a failing score of 90.  I have no idea where to start this time as I am current in all MS patches and everything else as I monitored it all through the year
0
Comment
Question by:NILLC
7 Comments
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33721494
Hi,
You solution is on the nist list. You usually this one is tied to internal IP disclosure or basic authentication.
 
http://marc.info/?l=bugtraq&m=101535399100534&w=2
Fix Information
***************
If the server is intended for public use then it may be possible to
simply disable both Basic and Integrated Windows authentication. Sites
that use forms based logins, for example when users are authenticated
against a database, and track logged in users with cookies will be able
to disable these authentication methods. Doing this will prevent such
attacks.

If Basic or Integrated Windows authentication are required then it is
possible to mitigate the risk.

Setting account lockout will help minimize the risk of successful brute
force attacks. Using the "passprop" utility it is possible to enable
account lockout for the default "administrator" account.

One should also seriously consider renaming this administrator account
if this has not already been done.

To prevent internal IP address disclosure take the following steps.

Open a command prompt and change the current directory to

c:\inetpub\adminscripts or to where the adminscripts can be found.

Run the commands
adsutil set w3svc/UseHostName True
net stop iisadmin /y
net start w3svc

This will cause the IIS server to use the machine's host name rather
than its IP address.


-Hades666
 
0
 
LVL 10

Expert Comment

by:yasserd
ID: 33734211
This vulnerability is associated only with IIS 4, 5, and 5.1. If you are using a newer version, then this would be a false positive and you should just ignore it.
0
 

Author Comment

by:NILLC
ID: 33736315
Unfortunately I cant ignore it as this has thrown me out of PCI compliance and I face possible monthly fines from the credit card issuers.  I have IIS 6.0 on one server.
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
LVL 10

Accepted Solution

by:
yasserd earned 1000 total points
ID: 33739349
I know about the fines, but, this issue is with IIS versions prior to 6.0. So, you have no vulnerability. It's a false positive and its like saying you have to install Windows XP SP3 on a machine running Windows 2003!
You need to contact Security Metrics for them to solve this problem with their scan as it is their engine that is providing the false report and for you to be confident about what you're doing.
0
 

Assisted Solution

by:sksaathoff
sksaathoff earned 1000 total points
ID: 33748216
I received a similar report/failure.  I just spoke with a "scanning tech" at Security Metrics and he confirmed that it was a scan issue.  They have modified their scan scripts to eliminate that error.  Log on to your account and re-run the test and it should come back clean.
0
 

Author Closing Comment

by:NILLC
ID: 33748513
I hope this is an equitable payout of points.  Thank you for your trouble..
0
 

Author Comment

by:NILLC
ID: 33748536
We passed a subsequent scan.  Security Metrics was not so willing to admit their engine was flawed at the beginning of last week...thanks for the community support
0

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

There's never been a better time to become a computer scientist. Employment growth in the field is expected to reach 22% overall by 2020, and if you want to get in on the action, it’s a good idea to think about at least minoring in computer science …
A question that many companies need to answer until May 25th of 2018... Is your company ready for GDPR?
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

606 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question