Solved

Security Metrics PCI Scan Failure

Posted on 2010-09-20
Last Modified: 2012-05-10
We have had Security Metrics passing tests for the last four quarters. The last passing quarterly compliance test was in June. This time, September, we failed. I am running four Server 2003 Standard SP2 servers, one of which is the Domain Controller, one is a Terminal Service server, one is a file/print server, and the fourth is a POS server. There have been no changes or any other disturbance in the force since the last test...
 
Here is the full content of each of the two SecurityMetrics fail messages:
Failure one:
Protocol  Port  Program  Risk Summary
TCP       443   https    5
Synopsis : The remote web server is affected by an information disclosure vulnerability.
Description : The remote host appears to be running a version of IIS which allows remote users to determine which authentication schemes are required for confidential web pages. That is, by requesting valid web pages with purposely invalid credentials, you can ascertain whether or not the authentication scheme is in use. This can be used for brute-force attacks against known UserIDs.
See also : http://marc.info/?l=bugtraq&m=101535399100534&w=2
Solution: If the application allows, disable any authentication methods that are not used in the IIS Properties interface.
Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 5.0 (CVSS2#E:H/RL:U/RC:ND)
CVE : CVE-2002-0419
BID : 4235
Other references : OSVDB:13426
-------------

Failure 2:
Protocol  Port  Program  Risk Summary
TCP       80    http     5
Synopsis : The remote web server is affected by an information disclosure vulnerability.
Description : The remote host appears to be running a version of IIS which allows remote users to determine which authentication schemes are required for confidential web pages. That is, by requesting valid web pages with purposely invalid credentials, you can ascertain whether or not the authentication scheme is in use. This can be used for brute-force attacks against known UserIDs.
See also : http://marc.info/?l=bugtraq&m=101535399100534&w=2
Solution: If the application allows, disable any authentication methods that are not used in the IIS Properties interface.
Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 5.0 (CVSS2#E:H/RL:U/RC:ND)
CVE : CVE-2002-0419
BID : 4235
Other references : OSVDB:13426
---------
I beat these guys back a year ago from a failing score of 90. I have no idea where to start this time, as I am current on all MS patches and everything else, as I monitored it all through the year.
Question by:NILLC
7 Comments
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33721494
Hi,
Your solution is on the NIST list. Usually this one is tied to internal IP disclosure or basic authentication.
 
http://marc.info/?l=bugtraq&m=101535399100534&w=2
Fix Information
***************
If the server is intended for public use then it may be possible to
simply disable both Basic and Integrated Windows authentication. Sites
that use forms based logins, for example when users are authenticated
against a database, and track logged in users with cookies will be able
to disable these authentication methods. Doing this will prevent such
attacks.

If Basic or Integrated Windows authentication are required then it is
possible to mitigate the risk.

Setting account lockout will help minimize the risk of successful brute
force attacks. Using the "passprop" utility it is possible to enable
account lockout for the default "administrator" account.

One should also seriously consider renaming this administrator account
if this has not already been done.

To prevent internal IP address disclosure take the following steps.

Open a command prompt and change the current directory to

c:\inetpub\adminscripts or to where the adminscripts can be found.

Run the commands
adsutil set w3svc/UseHostName True
net stop iisadmin /y
net start w3svc

This will cause the IIS server to use the machine's host name rather
than its IP address.


-Hades666
 
 
LVL 10

Expert Comment

by:yasserd
ID: 33734211
This vulnerability is associated only with IIS 4, 5, and 5.1. If you are using a newer version, then this would be a false positive and you should just ignore it.
 

Author Comment

by:NILLC
ID: 33736315
Unfortunately I can't ignore it, as this has thrown me out of PCI compliance and I face possible monthly fines from the credit card issuers. I have IIS 6.0 on one server.

 
LVL 10

Accepted Solution

by:
yasserd earned 250 total points
ID: 33739349
I know about the fines, but this issue is with IIS versions prior to 6.0. So, you have no vulnerability. It's a false positive, and it's like saying you have to install Windows XP SP3 on a machine running Windows 2003!
You need to contact Security Metrics for them to solve this problem with their scan as it is their engine that is providing the false report and for you to be confident about what you're doing.
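A triage helper for this finding, added here as an example rather than anything posted in the thread: it reads your own server's response headers, pulls the IIS version from the Server header, lists the Basic/Integrated Windows challenges the page advertises (what the scanner keys on and what Brad Howe's fix text says to disable if unused), and applies yasserd's stated rule that only IIS before 6.0 is affected. The header list format, the `probe` helper and the sample headers are assumptions constructed for the example; the Server header is self-reported, so treat the version as a hint, not proof.

```python
"""Triage the CVE-2002-0419 scan finding against your own IIS host (added example)."""
import re
from http.client import HTTPConnection

# Assumed rule from the accepted answer: IIS 4, 5 and 5.1 affected, 6.0 and later not.
AFFECTED_BELOW = (6, 0)
# Schemes the finding concerns: Basic and Integrated Windows (NTLM / Negotiate).
CHALLENGE_SCHEMES = {"basic", "ntlm", "negotiate"}

# Constructed sample: what an IIS 6.0 page with all three methods enabled might return.
SAMPLE_HEADERS = [
    ("Server", "Microsoft-IIS/6.0"),
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="pos.example.invalid"'),
]

def iis_version(headers):
    """Return (major, minor) from 'Server: Microsoft-IIS/x.y', or None if absent."""
    for name, value in headers:
        if name.lower() == "server":
            m = re.match(r"Microsoft-IIS/(\d+)\.(\d+)", value)
            if m:
                return int(m.group(1)), int(m.group(2))
    return None

def advertised_schemes(headers):
    """Scheme names from every WWW-Authenticate header (one per header or comma-joined)."""
    schemes = set()
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        for challenge in value.split(","):
            token = challenge.strip().split(" ", 1)[0]
            if token and "=" not in token:      # skip auth-params such as realm="..."
                schemes.add(token.lower())
    return schemes

def triage(headers):
    """'not-applicable' (no challenge auth), 'false-positive' (IIS >= 6.0) or 'review'."""
    enabled = advertised_schemes(headers) & CHALLENGE_SCHEMES
    if not enabled:
        return "not-applicable"
    version = iis_version(headers)
    if version is not None and version >= AFFECTED_BELOW:
        return "false-positive"     # dispute with the scanning vendor, as the thread did
    return "review"                 # old or unknown IIS version with challenge auth enabled

def probe(host, path="/", port=80):
    """Unauthenticated HEAD against your own server; returns (status, headers, verdict)."""
    conn = HTTPConnection(host, port, timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    headers = resp.getheaders()
    return resp.status, headers, triage(headers)

if __name__ == "__main__":
    print(advertised_schemes(SAMPLE_HEADERS), triage(SAMPLE_HEADERS))
```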
 

Assisted Solution

by:sksaathoff
sksaathoff earned 250 total points
ID: 33748216
I received a similar report/failure.  I just spoke with a "scanning tech" at Security Metrics and he confirmed that it was a scan issue.  They have modified their scan scripts to eliminate that error.  Log on to your account and re-run the test and it should come back clean.
 

Author Closing Comment

by:NILLC
ID: 33748513
I hope this is an equitable payout of points. Thank you for your trouble.
 

Author Comment

by:NILLC
ID: 33748536
We passed a subsequent scan. Security Metrics was not so willing to admit their engine was flawed at the beginning of last week... thanks for the community support.
