Solved

Security Metrics PCI Scan Failure

Posted on 2010-09-20
7
1,960 Views
Last Modified: 2012-05-10
We have had Security Metrics passing tests for the last four quarters.  The last passing quarterly compliance test was in June.  This time, September, we failed.  I am running four Server 2003 Standard SP2 servers, one of which is the Domain Controller, one is a Terminal Service server, on is a file/print server, and the fourth is a POS server  There have been no changes or any other disturbance in the force since the last test...
 
Here is the full content of each of the two SecurityMetrics fail messages:
Failure one:
Protocol  Port   Program    Risk Summary
  TCP       443     https              5
Synopsis : The remote web server is affected by an information disclosure vulnerability. Description : The remote host appears to be running a version of IIS which allows remote users to determine which authentication schemes are required for confidential web pages. That is, by requesting valid web pages with purposely invalid credentials, you can ascertain whether or not the authentication scheme is in use. This can be used for brute-force attacks against known USerIDs. See also : http://marc.info/?l=bugtraq m=101535399100534 w=2 Solution: If the application allows, disable any authentication methods that are not used in the IIS Properties interface. Risk Factor: Medium  / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSS Temporal Score : 5.0 (CVSS2#E:H/RL:U/RC:ND) CVE : CVE-2002-0419 BID : 4235 Other references : OSVDB:13426 -------------

Failure 2:
Protocol  Port   Program    Risk Summary
  TCP       80        http              5
Synopsis : The remote web server is affected by an information disclosure vulnerability. Description : The remote host appears to be running a version of IIS which allows remote users to determine which authentication schemes are required for confidential web pages. That is, by requesting valid web pages with purposely invalid credentials, you can ascertain whether or not the authentication scheme is in use. This can be used for brute-force attacks against known USerIDs. See also : http://marc.info/?l=bugtraq m=101535399100534 w=2 Solution: If the application allows, disable any authentication methods that are not used in the IIS Properties interface. Risk Factor: Medium  / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSS Temporal Score : 5.0 (CVSS2#E:H/RL:U/RC:ND) CVE : CVE-2002-0419 BID : 4235 Other references : OSVDB:13426
---------
I beat these guys back a year ago from a failing score of 90.  I have no idea where to start this time as I am current in all MS patches and everything else as I monitored it all through the year
0
Comment
Question by:NILLC
7 Comments
 
LVL 30

Expert Comment

by:Brad Howe
Comment Utility
Hi,
You solution is on the nist list. You usually this one is tied to internal IP disclosure or basic authentication.
 
http://marc.info/?l=bugtraq&m=101535399100534&w=2
Fix Information
***************
If the server is intended for public use then it may be possible to
simply disable both Basic and Integrated Windows authentication. Sites
that use forms based logins, for example when users are authenticated
against a database, and track logged in users with cookies will be able
to disable these authentication methods. Doing this will prevent such
attacks.

If Basic or Integrated Windows authentication are required then it is
possible to mitigate the risk.

Setting account lockout will help minimize the risk of successful brute
force attacks. Using the "passprop" utility it is possible to enable
account lockout for the default "administrator" account.

One should also seriously consider renaming this administrator account
if this has not already been done.

To prevent internal IP address disclosure take the following steps.

Open a command prompt and change the current directory to

c:\inetpub\adminscripts or to where the adminscripts can be found.

Run the commands
adsutil set w3svc/UseHostName True
net stop iisadmin /y
net start w3svc

This will cause the IIS server to use the machine's host name rather
than its IP address.


-Hades666
 
0
 
LVL 10

Expert Comment

by:yasserd
Comment Utility
This vulnerability is associated only with IIS 4, 5, and 5.1. If you are using a newer version, then this would be a false positive and you should just ignore it.
0
 

Author Comment

by:NILLC
Comment Utility
Unfortunately I cant ignore it as this has thrown me out of PCI compliance and I face possible monthly fines from the credit card issuers.  I have IIS 6.0 on one server.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 10

Accepted Solution

by:
yasserd earned 250 total points
Comment Utility
I know about the fines, but, this issue is with IIS versions prior to 6.0. So, you have no vulnerability. It's a false positive and its like saying you have to install Windows XP SP3 on a machine running Windows 2003!
You need to contact Security Metrics for them to solve this problem with their scan as it is their engine that is providing the false report and for you to be confident about what you're doing.
0
 

Assisted Solution

by:sksaathoff
sksaathoff earned 250 total points
Comment Utility
I received a similar report/failure.  I just spoke with a "scanning tech" at Security Metrics and he confirmed that it was a scan issue.  They have modified their scan scripts to eliminate that error.  Log on to your account and re-run the test and it should come back clean.
0
 

Author Closing Comment

by:NILLC
Comment Utility
I hope this is an equitable payout of points.  Thank you for your trouble..
0
 

Author Comment

by:NILLC
Comment Utility
We passed a subsequent scan.  Security Metrics was not so willing to admit their engine was flawed at the beginning of last week...thanks for the community support
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now