SBS 2008 PCI Compliance

PCI compliance scan is failing because of this. I'm aware of adjustments that need to be made for 2003, but this is on a SBS 2008. Anybody have any ideas for a fix? RWW must be enabled, users need it, so that is not an option.

Description: Microsoft IIS Authentication Method Disclosed
Host: remote.mbros.com (67.139.88.218), Windows Server 2008
Date: Feb 22 14:46:38 2011, status: new
Severity: Area of Concern
CVE: CVE-2002-0419 5.02738new11
Impact: An attacker could determine which authentication scheme is required for confidential web pages. This can be used for brute force attacks against known User IDs.
Background: Microsoft IIS web servers support Basic and NTLM authentication. Determination of which authentication is used by a server may help with further intelligent attacks against the server or brute force password attacks.
Resolution: Use fix information in [94.html], Considerations for IIS authentication.
Vulnerability Details:
Service: https
Sent: GET / HTTP/1.1
      Host:
      Authorization: Negotiate TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAA=
Received: 401 Unauthorized returned, indicating NTLM Authentication
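The "Sent" line in that scanner report is an NTLM Type 1 (NEGOTIATE) message. The following Python is an added example, not code from the original thread or from any scanner or Microsoft product: it rebuilds that probe byte for byte, and shows what an unauthenticated client can read out of the 401 that IIS returns: the list of schemes in WWW-Authenticate (the scheme disclosure the finding is about) and, when IIS answers a raw NTLMSSP Type 1 with a raw Type 2 challenge, the target name and the AV_PAIR target info (NetBIOS and DNS names of host and domain). The two 401 responses, the hostnames, the server challenge bytes and the flag word in the sample challenge are all constructed for this example.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"

# Flags carried by the scanner's probe: bytes 07 82 00 a0, read little-endian
# (UNICODE | OEM | REQUEST_TARGET | NTLM | ALWAYS_SIGN | EXTENDED_SESSIONSECURITY | 128 | 56).
PROBE_FLAGS = 0xA0008207

# AV_PAIR ids found in the Type 2 TargetInfo block.
AV_NAMES = {1: "netbios_computer", 2: "netbios_domain", 3: "dns_computer",
            4: "dns_domain", 5: "dns_tree", 7: "timestamp"}


def build_type1(flags=PROBE_FLAGS):
    """Minimal 32-byte NTLM NEGOTIATE (Type 1): no domain, no workstation, no version."""
    msg = NTLMSSP + struct.pack("<II", 1, flags)
    msg += struct.pack("<HHI", 0, 0, 0)   # DomainName security buffer, empty
    msg += struct.pack("<HHI", 0, 0, 0)   # Workstation security buffer, empty
    return base64.b64encode(msg).decode("ascii")


def parse_type2(b64):
    """Decode an NTLM CHALLENGE (Type 2) and return the fields it discloses."""
    raw = base64.b64decode(b64)
    if len(raw) < 48 or raw[:8] != NTLMSSP or struct.unpack_from("<I", raw, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    tn_len, _, tn_off = struct.unpack_from("<HHI", raw, 12)   # TargetName buffer
    flags = struct.unpack_from("<I", raw, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", raw, 40)   # TargetInfo buffer
    info = {"flags": flags, "challenge": raw[24:32].hex(),
            "target_name": raw[tn_off:tn_off + tn_len].decode("utf-16-le")}
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:                  # walk AV_PAIRs: u16 id, u16 len, value
        av_id, av_len = struct.unpack_from("<HH", raw, pos)
        pos += 4
        if av_id == 0:                     # MsvAvEOL terminates the list
            break
        value = raw[pos:pos + av_len]
        pos += av_len
        if av_id == 7:
            info["timestamp"] = struct.unpack("<Q", value)[0]
        elif av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = value.decode("utf-16-le")
    return info


def audit_401(response_text):
    """Summarise what an unauthenticated client learns from a 401 response."""
    lines = response_text.partition("\r\n\r\n")[0].split("\r\n")
    result = {"status": lines[0], "schemes": [], "challenge": None}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        scheme, _, token = value.strip().partition(" ")
        result["schemes"].append(scheme)
        if scheme.lower() in ("ntlm", "negotiate") and token:
            try:
                result["challenge"] = parse_type2(token.strip())
            except ValueError:
                pass   # SPNEGO/Kerberos blob rather than raw NTLMSSP: nothing to decode here
    return result


def _u16(s):
    return s.encode("utf-16-le")


def build_sample_type2():
    """Constructed Type 2, shaped like one a domain-joined IIS host returns to the probe.
    Names, challenge bytes and the flag word are made up for this example."""
    target = _u16("CORP")
    pairs = b""
    for av_id, value in ((2, "CORP"), (1, "SBS01"), (4, "corp.example"), (3, "sbs01.corp.example")):
        pairs += struct.pack("<HH", av_id, len(_u16(value))) + _u16(value)
    pairs += struct.pack("<HH", 0, 0)                          # MsvAvEOL
    hdr = 48                                                   # fixed part, no Version field
    msg = NTLMSSP + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target), len(target), hdr)
    msg += struct.pack("<I", 0xA0898205)                       # assumed flags, incl. UNICODE and TARGET_INFO
    msg += bytes.fromhex("0123456789abcdef")                   # constructed server challenge
    msg += b"\x00" * 8                                         # Reserved
    msg += struct.pack("<HHI", len(pairs), len(pairs), hdr + len(target))
    return base64.b64encode(msg + target + pairs).decode("ascii")


# Constructed responses: the first to a plain GET, the second to a GET carrying
# "Authorization: Negotiate <Type 1>" exactly as the scanner sent it.
SAMPLE_BARE_401 = ("HTTP/1.1 401 Unauthorized\r\n"
                   "Server: Microsoft-IIS/7.0\r\n"
                   "WWW-Authenticate: Negotiate\r\n"
                   "WWW-Authenticate: NTLM\r\n"
                   "Content-Length: 0\r\n\r\n")
SAMPLE_CHALLENGE_401 = ("HTTP/1.1 401 Unauthorized\r\n"
                        "Server: Microsoft-IIS/7.0\r\n"
                        "WWW-Authenticate: Negotiate " + build_sample_type2() + "\r\n"
                        "Content-Length: 0\r\n\r\n")
```

Running `audit_401` over the two samples shows the two different things a scanner can learn: the bare 401 only lists the schemes (which is all this finding actually keys on), while a Type 2 reply to the probe additionally hands out the NetBIOS and DNS names of the server and its domain without any credentials. Against a live host you would send `build_type1()` in an `Authorization: Negotiate` header and feed the raw response into `audit_401`; the parser only handles raw NTLMSSP and deliberately skips SPNEGO-wrapped tokens.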
VAA-C Commented:
I run SBS 2003. To fix the problem I performed the following.

Set the UseHostName property
To set the UseHostName property, follow these steps:

   1. Click Start, click Run, type cmd, and then click OK to open a command prompt.
   2. Change to the folder where the Adsutil.vbs tool is located. By default, this folder is the following:
   3. Type the following command, where x is your site identifier:
      cscript adsutil.vbs set w3svc/x/UseHostName true

Here is the Microsoft KB link

Cris Hanna Commented:
Susan Bradley, "SBS DIVA", has posted a number of blog entries on PCI compliance for SBS 2008 and 2003, found here

The key is usually disabling SSL 2.0

The reality is that the SBS server shouldn't be hosting websites for e-commerce or processing online credit card transactions
Expetec-Roseville (Author) Commented:
The server isn't processing any cards or payments, but because we have a network and server we are required to pass PCI compliance. It's a scam put in place by credit card companies, but there's no choice, it must be done.

Cris Hanna Commented:
Yup.. I hear this a lot... Hopefully the information in Susan's blogs will get you squared away
Expetec-Roseville (Author) Commented:
The info really didn't help with this issue, does anyone else have any ideas?
Expetec-Roseville (Author) Commented:
The solution did not work for us but this is the correct solution to the problem.  We have fixed our problem on our end but it required a bit more in depth configuration.