davidfrank asked:
PCI Compliance failure "web server leaks a private IP address through its HTTP headers."

Hi
I am just sorting out the PCI compliance for our organisation.
We have failed due to the "web server leaks a private IP address through its HTTP headers. Description : This may expose internal IP addresses that are usually hidden or masked behind a Network Address"

The PCI compliance scan is reporting this leak on ports 443 and 80.

We are running SBS2008, IIS7 (IIS6 is installed just for FTP but this is disabled)

I found a possible solution at  http://blogs.iis.net/rakkimk/archive/2008/06/07/iis7-prevent-the-server-sending-its-private-ip-address-for-a-request-made-by-http-1-0-clients-with-no-host-header.aspx

which instructs you to run the following
appcmd.exe set config  -section:system.webServer/serverRuntime /alternateHostName:"2008SBSServerName"  /commit:apphost

I tried the above with no luck.

Any other ideas to solve this issue?
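The scanner's finding comes from the request the linked IIS blog post describes: an HTTP/1.0 request with no Host header, to which IIS answers a redirect whose Location or Content-Location header carries the server's own private address. The following is an added example (not from this thread or from Microsoft) that reproduces that check locally so a fix can be verified in seconds rather than waiting for a 3-hour scan; the target address and ports are assumptions and the sample response in the test is constructed.

```python
import ipaddress
import re
import socket
import ssl

# Anything that looks like a dotted-quad IPv4 address.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# RFC 1918 ranges, which is what the PCI scanner means by "private IP address".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def private_ips_in_headers(raw_response: bytes) -> list[str]:
    """Return the RFC 1918 addresses found in the header block (status line
    plus headers, up to the first blank line) of a raw HTTP response."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    found = []
    for candidate in IPV4_RE.findall(head):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 matched the regex but is not an address
        if any(addr in net for net in RFC1918) and candidate not in found:
            found.append(candidate)
    return found


def fetch_http10_no_host(host: str, port: int = 80, use_tls: bool = False, timeout: float = 5.0) -> bytes:
    """Send the same request the scanner sends (HTTP/1.0, no Host header)
    and return the raw response bytes."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False  # we connect to our own server by IP; the cert name is irrelevant here
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(b"GET / HTTP/1.0\r\nConnection: close\r\n\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    finally:
        sock.close()
    return b"".join(chunks)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder: pass your own server's address
    for port, tls in ((80, False), (443, True)):
        leaked = private_ips_in_headers(fetch_http10_no_host(target, port, tls))
        print(f"port {port}: {'LEAK ' + ', '.join(leaked) if leaked else 'clean'}")
```

Run it against the public address of the server after each change; an empty result on both ports is what the scanner needs to see.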
Cris Hanna

ASKER CERTIFIED SOLUTION
Shreedhar Ette (this solution is only available to Experts Exchange members)
davidfrank (asker):
@ChrisHanna Yes I have read the post, but the main issue is that no credit card details are stored on this 2008SBS server, but it sits as the domain controller on a network with another server which does store credit card details. Therefore, as far as the PCI guys are concerned all ports have to be screwed down to their perceived level of acceptability no matter how draconian they are.

The only issue stopping us from becoming compliant is this last issue.

@Shreedhar Just trying the solutions recommended on the links you gave me, just waiting for the PCI results. The scan takes roughly 3 hours.


PCI scan results are "web server leaks a private IP address through its HTTP headers" on ports 443 and 80.

This is with IIS7 and after I have tried the fixes in the links from Shreedhar.

Any other suggestions? The router is a Draytek 2820, which is a good router with the latest firmware on it.

Port 80 should not be open anyway...if you're doing PCI it should be over SSL port 443.
Is port 80 closed on the router?
It is open and directed to the SBS server.
The SBS server then redirects the user to port 443, for OWA, etc.
The redirect is to save me the hassle of people informing me they can not login because they forgot the s after http.

Port 80 being open is not the problem as I would still have the issue of port 443 leaking the internal IP address of the server.
Yes, that was an issue with the PCI compliance last week.
I used the above to help close SSL 2 and force SSL3 and TLS.
SOLUTION (only available to Experts Exchange members)
Just passed the test! Hopefully will pass on the next scheduled scan too.

On the thought that this issue may have to go to the "SBS Diva", my personal SBS poster girl, I was hopeful this was not working.

Anyway, I returned again to the solutions suggested by both experts and slowly walked through the whole exercise again.
I do not know what I missed or which solution cured the problem as running a 3 hour port scan in-between each recommendation was just not practicable.

Thanks!