Solved

SBS 2008 Pci Compliance

Posted on 2011-02-22
6
912 Views
Last Modified: 2012-05-11
PCI compliance scan is failing because of this, I'm aware of adjustements that need to be made for 2003, but this is on a SBS 2008. Anybody have any ideas for a fix? RWW must be enable, users need it so that is not an option.


Description: Microsoft IIS Authentication Method Disclosed remote.mbros.com67.139.88.218Windows Server 2008Feb 22 14:46:38 2011newSeverity: Area of Concern CVE: CVE-2002-0419 5.02738new11Impact: An attacker could determine which authentication scheme is required for confidential web pages. This can be used for
brute force attacks against known User IDs. Background: Microsoft IIS web servers support Basic and NTLM authentication. Determination of which authentication is used by a server may help with further intelligent attacks against the server or brute force password attacks. Resolution Use Fix information in [http://seclists.org/bugtraq/2002/Mar/00 94.html] Considerations for IIS authentication. Vulnerability Details: Service: https Sent: GET  / HTTP/1.1 Host: remote.mbros.com Authorization: Negotiate TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAA AA= Received: 401 Unauthorized returned indicating NTLM Authentication [More]
[Hide]
0
Comment
Question by:Expetec-Roseville
  • 3
  • 2
6 Comments
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 34961792
Susan Bradley "SBS DIVA" has posted a number of blog entries for PCI Compliance on SBS 2008 and 2003  found here http://msmvps.com/blogs/bradley/search.aspx?q=PCI+Compliance&o=Relevance

The key is usually disabling SSL 2.0

The reality is that the SBS server shouldn't be hosting websites for ecommerce or processing online credit card transactions
0
 
LVL 1

Author Comment

by:Expetec-Roseville
ID: 34961838
The server isn't processing any cards or payments but because we have a network and server we are required to pass PCI compliance.  Its a scam put in place by credit card company's but there's no choice, it must be done.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 34961856
Yup..I hear this a lot...Hopefully the information in Susan's blogs will get you squared away
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 1

Author Comment

by:Expetec-Roseville
ID: 34983470
The info really didn't help with this issue, does anyone else have any ideas?
0
 
LVL 1

Accepted Solution

by:
VAA-C earned 500 total points
ID: 35165933
I run sbs 2003. To fix the problem i performed the following.

Set the UseHostName property
To set the UseHostName property, follow these steps:

   1. Click Start, click Run, type cmd, and then click OK to open a command prompt.
   2. Change to the folder where the Adsutil.vbs tool is located. By default, this folder is the following:
      %SYSTEMROOT%\Inetpub\AdminScripts
   3. Type the following command, where x is your site identifier:
      cscript adsutil.vbs set w3svc/x/UseHostName true

Here is the microsoft kb link

http://support.microsoft.com/kb/834141

0
 
LVL 1

Author Closing Comment

by:Expetec-Roseville
ID: 35165958
The solution did not work for us but this is the correct solution to the problem.  We have fixed our problem on our end but it required a bit more in depth configuration.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Many admins will agree: WSUS is is a nice invention but using it on the client side when updating a newly installed computer is still time consuming as you have to do several reboots and furthermore, the procedure of installing updates, rebooting an…
Online collaboration is quickly becoming embedded in the workplace, and its benefits are tangible. See what the current landscape looks like and what the future holds for collaboration tools and the future of work.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now