Solved

Security Metrics PCI Scan Failure

Posted on 2010-09-20
Last Modified: 2012-05-10
We have had Security Metrics passing tests for the last four quarters. The last passing quarterly compliance test was in June. This time, September, we failed. I am running four Server 2003 Standard SP2 servers, one of which is the Domain Controller, one is a Terminal Service server, one is a file/print server, and the fourth is a POS server. There have been no changes or any other disturbance in the force since the last test...
 
Here is the full content of each of the two SecurityMetrics fail messages:
Failure one:
Protocol  Port   Program    Risk Summary
  TCP       443     https              5
Synopsis : The remote web server is affected by an information disclosure vulnerability.
Description : The remote host appears to be running a version of IIS which allows remote users to determine which authentication schemes are required for confidential web pages. That is, by requesting valid web pages with purposely invalid credentials, you can ascertain whether or not the authentication scheme is in use. This can be used for brute-force attacks against known UserIDs.
See also : http://marc.info/?l=bugtraq&m=101535399100534&w=2
Solution : If the application allows, disable any authentication methods that are not used in the IIS Properties interface.
Risk Factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 5.0 (CVSS2#E:H/RL:U/RC:ND)
CVE : CVE-2002-0419
BID : 4235
Other references : OSVDB:13426
-------------

Failure 2:
Protocol  Port   Program    Risk Summary
  TCP       80        http              5
Synopsis : The remote web server is affected by an information disclosure vulnerability.
Description : The remote host appears to be running a version of IIS which allows remote users to determine which authentication schemes are required for confidential web pages. That is, by requesting valid web pages with purposely invalid credentials, you can ascertain whether or not the authentication scheme is in use. This can be used for brute-force attacks against known UserIDs.
See also : http://marc.info/?l=bugtraq&m=101535399100534&w=2
Solution : If the application allows, disable any authentication methods that are not used in the IIS Properties interface.
Risk Factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 5.0 (CVSS2#E:H/RL:U/RC:ND)
CVE : CVE-2002-0419
BID : 4235
Other references : OSVDB:13426
---------
I beat these guys back a year ago from a failing score of 90. I have no idea where to start this time, as I am current on all MS patches and everything else, as I monitored it all through the year.
0
Question by:NILLC
7 Comments
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33721494
Hi,
Your solution is in the NIST list. Usually this one is tied to internal IP disclosure or Basic authentication.
 
http://marc.info/?l=bugtraq&m=101535399100534&w=2
Fix Information
***************
If the server is intended for public use then it may be possible to
simply disable both Basic and Integrated Windows authentication. Sites
that use forms based logins, for example when users are authenticated
against a database, and track logged in users with cookies will be able
to disable these authentication methods. Doing this will prevent such
attacks.

If Basic or Integrated Windows authentication are required then it is
possible to mitigate the risk.

Setting account lockout will help minimize the risk of successful brute
force attacks. Using the "passprop" utility it is possible to enable
account lockout for the default "administrator" account.

One should also seriously consider renaming this administrator account
if this has not already been done.

To prevent internal IP address disclosure take the following steps.

Open a command prompt and change the current directory to

c:\inetpub\adminscripts or to where the adminscripts can be found.

Run the commands
adsutil set w3svc/UseHostName True
net stop iisadmin /y
net start w3svc

This will cause the IIS server to use the machine's host name rather
than its IP address.


-Hades666
 
0
 
LVL 10

Expert Comment

by:yasserd
ID: 33734211
This vulnerability is associated only with IIS 4, 5, and 5.1. If you are using a newer version, then this would be a false positive and you should just ignore it.
0
 

Author Comment

by:NILLC
ID: 33736315
Unfortunately I can't ignore it, as this has thrown me out of PCI compliance and I face possible monthly fines from the credit card issuers. I have IIS 6.0 on one server.
0
 
LVL 10

Accepted Solution

by:
yasserd earned 250 total points
ID: 33739349
I know about the fines, but this issue is with IIS versions prior to 6.0. So you have no vulnerability. It's a false positive, and it's like saying you have to install Windows XP SP3 on a machine running Windows 2003!
You need to contact Security Metrics for them to solve this problem with their scan as it is their engine that is providing the false report and for you to be confident about what you're doing.
0
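A small triage helper for this finding, added here as an example and not code from the thread or from Security Metrics. It works offline on captured HTTP responses (constructed below) rather than connecting to a server: it reads the IIS version from the Server header, lists the authentication schemes the server advertises in WWW-Authenticate, and flags the finding as applicable only for the IIS 4.0/5.0/5.1 versions the accepted answer names, so an IIS 6.0 server with the same headers is reported as a false positive. The response samples and the version set are assumptions based on the thread, not scanner output.

```python
"""Offline triage for the IIS authentication-scheme finding (CVE-2002-0419)."""
import re

# Versions the thread says the finding applies to (IIS 4, 5 and 5.1).
AFFECTED_IIS = {"4.0", "5.0", "5.1"}


def parse_response(raw):
    """Split a raw HTTP response into (status_code, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def auth_schemes(headers):
    """Schemes advertised via WWW-Authenticate (Basic, NTLM, Negotiate, ...)."""
    return sorted({v.split(" ", 1)[0].split(",")[0]
                   for n, v in headers if n == "www-authenticate"})


def iis_version(headers):
    """Version from 'Server: Microsoft-IIS/x.y', or None if not IIS."""
    for n, v in headers:
        if n == "server":
            m = re.match(r"Microsoft-IIS/(\d+\.\d+)", v)
            if m:
                return m.group(1)
    return None


def triage(raw):
    """Return what was observed plus whether the scanner finding applies."""
    status, headers = parse_response(raw)
    ver = iis_version(headers)
    schemes = auth_schemes(headers)
    applicable = status == 401 and ver in AFFECTED_IIS and bool(schemes)
    return {"status": status, "iis": ver, "schemes": schemes,
            "applicable": applicable}


# Constructed sample responses (not captured from any real host).
IIS6_RESPONSE = ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/6.0\r\n"
                 "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n"
                 "Content-Length: 0\r\n\r\n")
IIS5_RESPONSE = ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/5.0\r\n"
                 "WWW-Authenticate: Basic realm=\"intranet\"\r\n\r\n")

if __name__ == "__main__":
    print(triage(IIS6_RESPONSE))  # applicable: False (false positive on 6.0)
    print(triage(IIS5_RESPONSE))  # applicable: True
```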
 

Assisted Solution

by:sksaathoff
sksaathoff earned 250 total points
ID: 33748216
I received a similar report/failure.  I just spoke with a "scanning tech" at Security Metrics and he confirmed that it was a scan issue.  They have modified their scan scripts to eliminate that error.  Log on to your account and re-run the test and it should come back clean.
0
 

Author Closing Comment

by:NILLC
ID: 33748513
I hope this is an equitable payout of points. Thank you for your trouble.
0
 

Author Comment

by:NILLC
ID: 33748536
We passed a subsequent scan. Security Metrics was not so willing to admit their engine was flawed at the beginning of last week... thanks for the community support.
0
