Security Metrics PCI Scan Failure

Posted on 2010-09-20
2,005 Views
Last Modified: 2012-05-10
We have had Security Metrics passing tests for the last four quarters.  The last passing quarterly compliance test was in June.  This time, September, we failed.  I am running four Server 2003 Standard SP2 servers, one of which is the Domain Controller, one is a Terminal Service server, one is a file/print server, and the fourth is a POS server.  There have been no changes or any other disturbance in the force since the last test...
 
Here is the full content of each of the two SecurityMetrics fail messages:
Failure one:
Protocol  Port   Program    Risk Summary
  TCP       443     https              5
Synopsis : The remote web server is affected by an information disclosure vulnerability.
Description : The remote host appears to be running a version of IIS which allows remote users to determine which authentication schemes are required for confidential web pages. That is, by requesting valid web pages with purposely invalid credentials, you can ascertain whether or not the authentication scheme is in use. This can be used for brute-force attacks against known UserIDs.
See also : http://marc.info/?l=bugtraq&m=101535399100534&w=2
Solution : If the application allows, disable any authentication methods that are not used in the IIS Properties interface.
Risk Factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 5.0 (CVSS2#E:H/RL:U/RC:ND)
CVE : CVE-2002-0419
BID : 4235
Other references : OSVDB:13426
-------------

Failure 2:
Protocol  Port   Program    Risk Summary
  TCP       80        http              5
Synopsis : The remote web server is affected by an information disclosure vulnerability.
Description : The remote host appears to be running a version of IIS which allows remote users to determine which authentication schemes are required for confidential web pages. That is, by requesting valid web pages with purposely invalid credentials, you can ascertain whether or not the authentication scheme is in use. This can be used for brute-force attacks against known UserIDs.
See also : http://marc.info/?l=bugtraq&m=101535399100534&w=2
Solution : If the application allows, disable any authentication methods that are not used in the IIS Properties interface.
Risk Factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 5.0 (CVSS2#E:H/RL:U/RC:ND)
CVE : CVE-2002-0419
BID : 4235
Other references : OSVDB:13426
---------
I beat these guys back a year ago from a failing score of 90.  I have no idea where to start this time, as I am current on all MS patches and everything else, as I monitored it all through the year.
Question by:NILLC
7 Comments
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33721494
Hi,
Your solution is on the NIST list. Usually this one is tied to internal IP disclosure or Basic authentication.
 
http://marc.info/?l=bugtraq&m=101535399100534&w=2
Fix Information
***************
If the server is intended for public use then it may be possible to
simply disable both Basic and Integrated Windows authentication. Sites
that use forms based logins, for example when users are authenticated
against a database, and track logged in users with cookies will be able
to disable these authentication methods. Doing this will prevent such
attacks.

If Basic or Integrated Windows authentication are required then it is
possible to mitigate the risk.

Setting account lockout will help minimize the risk of successful brute
force attacks. Using the "passprop" utility it is possible to enable
account lockout for the default "administrator" account.

One should also seriously consider renaming this administrator account
if this has not already been done.

To prevent internal IP address disclosure take the following steps.

Open a command prompt and change the current directory to

c:\inetpub\adminscripts or to where the adminscripts can be found.

Run the commands
adsutil set w3svc/UseHostName True
net stop iisadmin /y
net start w3svc

This will cause the IIS server to use the machine's host name rather
than its IP address.


-Hades666
 
 
LVL 10

Expert Comment

by:yasserd
ID: 33734211
This vulnerability is associated only with IIS 4, 5, and 5.1. If you are using a newer version, then this would be a false positive and you should just ignore it.
 

Author Comment

by:NILLC
ID: 33736315
Unfortunately I can't ignore it, as this has thrown me out of PCI compliance and I face possible monthly fines from the credit card issuers.  I have IIS 6.0 on one server.
 
LVL 10

Accepted Solution

by:
yasserd earned 1000 total points
ID: 33739349
I know about the fines, but this issue is with IIS versions prior to 6.0. So, you have no vulnerability. It's a false positive, and it's like saying you have to install Windows XP SP3 on a machine running Windows 2003!
You need to contact Security Metrics for them to solve this problem with their scan as it is their engine that is providing the false report and for you to be confident about what you're doing.
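A small triage helper, added here as an example (it is not part of the thread and not SecurityMetrics' tooling): it parses the scanner's finding text, using a constructed sample cut from the two failures quoted in the question, and flags a finding as a likely false positive when the server's IIS version is outside the versions yasserd's answer says the CVE applies to. The affected-version table and the field names are assumptions taken from the answers above.

```python
import re

# Constructed sample: the two SecurityMetrics findings quoted in the question,
# trimmed to the fields the triage needs, in the scanner's own text layout.
SAMPLE_FINDINGS = """\
Protocol  Port   Program    Risk Summary
  TCP       443     https              5
Synopsis : The remote web server is affected by an information disclosure vulnerability. Description : The remote host appears to be running a version of IIS which allows remote users to determine which authentication schemes are required for confidential web pages. Risk Factor: Medium  / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSS Temporal Score : 5.0 (CVSS2#E:H/RL:U/RC:ND) CVE : CVE-2002-0419 BID : 4235 Other references : OSVDB:13426
-------------
Protocol  Port   Program    Risk Summary
  TCP       80        http              5
Synopsis : The remote web server is affected by an information disclosure vulnerability. Risk Factor: Medium  / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) CVE : CVE-2002-0419 BID : 4235
"""

# Assumption: affected IIS versions as stated in yasserd's answer (IIS 4, 5 and 5.1);
# extend this table from the vendor advisory before relying on it.
AFFECTED_IIS = {"CVE-2002-0419": ("4.0", "5.0", "5.1")}

def parse_findings(text):
    """Split the report on its dashed separators and pull port, CVE and CVSS out of each block."""
    findings = []
    for block in re.split(r"^-+\s*$", text, flags=re.M):
        svc = re.search(r"^\s*(TCP|UDP)\s+(\d+)\s+(\S+)\s+(\d+)\s*$", block, re.M)
        if not svc:
            continue  # no "TCP 443 https 5" line, so not a finding block
        cve = re.search(r"CVE\s*:\s*(CVE-\d{4}-\d+)", block)
        cvss = re.search(r"CVSS Base Score\s*:\s*([\d.]+)\s*\((CVSS2#[^)]+)\)", block)
        findings.append({
            "proto": svc.group(1), "port": int(svc.group(2)),
            "service": svc.group(3), "risk": int(svc.group(4)),
            "cve": cve.group(1) if cve else None,
            "cvss": float(cvss.group(1)) if cvss else None,
            "vector": cvss.group(2) if cvss else None,
        })
    return findings

def triage(finding, iis_version):
    """Classify one finding against the IIS version actually running on the host."""
    affected = AFFECTED_IIS.get(finding["cve"])
    if affected is None:
        return "review"  # CVE not in our table: needs a human look
    return "confirm" if iis_version in affected else "likely-false-positive"

if __name__ == "__main__":
    for f in parse_findings(SAMPLE_FINDINGS):
        print(f["port"], f["service"], f["cve"], f["cvss"], triage(f, "6.0"))
```

A "likely-false-positive" result is the evidence to take to the scanning vendor, as sksaathoff did; it is not a reason to skip the dispute.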
 

Assisted Solution

by:sksaathoff
sksaathoff earned 1000 total points
ID: 33748216
I received a similar report/failure.  I just spoke with a "scanning tech" at Security Metrics and he confirmed that it was a scan issue.  They have modified their scan scripts to eliminate that error.  Log on to your account and re-run the test and it should come back clean.
 

Author Closing Comment

by:NILLC
ID: 33748513
I hope this is an equitable payout of points.  Thank you for your trouble.
 

Author Comment

by:NILLC
ID: 33748536
We passed a subsequent scan.  Security Metrics was not so willing to admit their engine was flawed at the beginning of last week...thanks for the community support