How to lock down a hosted 2008 R2 web server

I have a hosted 2008 R2 web server that I need to make PCI compliant. This server will process credit card transactions so I am running the external vulnerability scans against it. Below are the results from the most recent scan. Below you will also see the remaining enabled firewall rules.

In response to the scan results below, I disabled all core networking and networking rules in the firewall. I am not sure how much this may or may not have taken care of yet because a new scan takes 24-72 hours to get done.

I need to make sure I have removed all of these vulnerabilities and would like some advice on how to go about doing that. I think I am close, I just need a little more help.

Thanks,

Justin



[Attachments: firewall rules; PCI scan results]
JustinGSEIWIAsked:
c0sCommented:
If you do not have a hardware firewall, lock those ports down with the Windows firewall and only allow traffic for the protocols that you need to have in use. Also you might want to look at the CIS benchmarks for Windows 2008 so you can lock down and harden your system a little bit.
0

JustinGSEIWIAuthor Commented:
We don't have a hardware firewall. This is a server hosted by a 3rd party and this machine is available to the internet. I will need to lock everything down using Windows firewall. I have blocked several ports already but the issue is I am not sure what else I can block without causing an issue. The server only has two web forms on it that collect user information and place it in a MySQL database and then also place it in an e-mail and send it to a staff member. That is all that this server is used for.

I need to know what else I can safely block without breaking that functionality.

Thanks,

Justin
0
c0sCommented:
Allow traffic for those ports only from the specific IPs that it needs access from/to.
0

JustinGSEIWIAuthor Commented:
I will do that for the services that are accessed by my web admin and myself. However, I would like to correct the outlined issues above first and then restrict by IP address.

Thanks,

Justin
0
c0sCommented:
Do you need to have this server enabled as a DNS server? From your requirements it doesn't look like it, so stop and disable the DNS Server service. In case you need it, disable recursive queries.

Make sure your MailEnable application is up to date; from your scan it doesn't look like it is.

Upgrade your MySQL.

That should solve most of them. Do a scan after this and send us an update.
0
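One way to carry out the DNS part of this reply, and at the same time see which process actually owns each port the scan flagged, as an added example that is not part of the thread or either participant's own work. It uses only what PowerShell 2.0 on 2008 R2 ships with (WMI and netstat); the port list is assumed from the scan results mentioned above, and it must be run from an elevated prompt on the server itself.

```powershell
# Added example, not from the thread: audit whether this 2008 R2 host is
# really offering DNS, and map the ports the scan flagged (53 and 3306)
# to the processes that own them. PowerShell 2.0 / WMI / netstat only.
# The port list is an assumption drawn from the thread.
$portsOfInterest = 53, 3306

# 1. Service check. Without the DNS Server role only the 'Dnscache' client
#    service exists, and it never answers queries from the network. If the
#    'DNS' server service is present, stop it and keep it from starting again.
$dnsServer = Get-WmiObject Win32_Service -Filter "Name='DNS'"
if ($dnsServer) {
    "DNS Server service found: state={0} startmode={1}" -f $dnsServer.State, $dnsServer.StartMode
    Stop-Service -Name DNS -Force
    Set-Service -Name DNS -StartupType Disabled
} else {
    "No DNS Server service on this host (only the Dnscache client is expected)."
}

# 2. Listener inventory: parse 'netstat -ano' for LISTENING TCP sockets and
#    every bound UDP socket, and resolve each owning PID to a process name.
function Get-ListeningPorts {
    $rows = @()
    foreach ($line in (netstat -ano)) {
        $parts = ($line -replace '^\s+', '') -split '\s+'
        if ($parts.Length -lt 4) { continue }          # headers, blank lines
        $proto = $parts[0]
        if ($proto -ne 'TCP' -and $proto -ne 'UDP') { continue }
        if ($proto -eq 'TCP' -and $parts[3] -ne 'LISTENING') { continue }
        $local    = $parts[1]                           # e.g. 0.0.0.0:80 or [::]:80
        $port     = [int]$local.Substring($local.LastIndexOf(':') + 1)
        $ownerPid = [int]$parts[-1]                     # last column is the PID
        $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $rows += New-Object PSObject -Property @{
            Protocol = $proto
            Port     = $port
            Local    = $local
            OwnerPid = $ownerPid
            Process  = $(if ($proc) { $proc.ProcessName } else { '(unknown)' })
        }
    }
    $rows
}

$listening = Get-ListeningPorts
"Listeners on the flagged ports:"
$listening | Where-Object { $portsOfInterest -contains $_.Port } |
    Sort-Object Protocol, Port | Format-Table Protocol, Port, Local, OwnerPid, Process -AutoSize
"All listeners (useful for the 'what else can I safely block' question):"
$listening | Sort-Object Protocol, Port | Format-Table Protocol, Port, Local, OwnerPid, Process -AutoSize
```

If nothing on the host listens on 53 but an external scan still reports it, the finding is not coming from this machine's services, which is worth raising with the hosting provider or the scan vendor rather than chasing further on the box.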
JustinGSEIWIAuthor Commented:
I wasn't sure how to disable recursive DNS. So to do that, I just need to stop and disable the DNS service? I thought it would be taken care of if I blocked DNS in the firewall but I guess not.

I disputed the MailEnable one because it is already up to date.

I want to update mysql but I don't want to cause any issues with the current database. Can I just download MySQL and update it in place without trouble? Basically, I don't want to risk a problem with this.

Thanks,

Justin
0
c0sCommented:
You can either remove the DNS service or disable the service under Administrative Tools -> Services.

Make a backup of the current mysql database and then upgrade it and do a restore.

You should take a snapshot or a backup of the machine before you start doing anything so you can get back to a previous state if needed.
0
JustinGSEIWIAuthor Commented:
I checked DNS and there is just a DNS Client service and it is set to manual and is stopped. I don't think that takes care of the recursive issue?

I don't think I can make an image of the machine. It is hosted and I don't think that option is available.
0
c0sCommented:
In server manager under roles, remove the dns server role.
0
JustinGSEIWIAuthor Commented:
I checked, that role is not enabled. The only role enabled is IIS.
0
c0sCommented:
Then I'm not sure why that error is there about DNS... can you try to telnet to port 53 on that server and nslookup using that server?
0
JustinGSEIWIAuthor Commented:
Maybe it is a false positive? Telnet is blocked and not enabled on the remote server. I did an nslookup and appeared to receive good results.
0
c0sCommented:
You're checking it wrong :)

Open a command prompt on another machine that has telnet installed and type:
telnet ip 53

To check DNS with nslookup, open a command prompt and type:
nslookup
>server ip
>google.com
0
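The two checks this reply describes, done from another Windows machine without needing the Telnet client, as an added example that is neither participant's own code. A TCP connect attempt distinguishes a port that is dropped by a firewall (timeout) from one that is actively refused, and the non-interactive form of nslookup covers UDP/53, which a TCP probe cannot see. The target address is a placeholder, and the ports are the ones the thread mentions plus 80 for the web forms.

```powershell
# Added example, not from the thread: probe the hosted server from the
# outside the way the reply above describes (telnet ip 53, then nslookup
# with 'server ip' / 'google.com'). $target is a placeholder public IP.
$target = '203.0.113.10'            # placeholder (RFC 5737 documentation range)
$ports  = 53, 3306, 80              # from the thread; 80 assumed for the web forms

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        # No answer within the timeout: packets are being dropped, which is
        # what a firewall 'block' looks like from the outside.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'filtered' }
        $client.EndConnect($async)   # throws if the host actively refused (RST)
        return 'open'
    } catch {
        return 'closed'
    } finally {
        $client.Close()
    }
}

foreach ($p in $ports) {
    "{0}:{1} -> {2}" -f $target, $p, (Test-TcpPort -Computer $target -Port $p)
}

# Recursion check: ask the server to resolve a name it is not authoritative
# for. A host that is not running a DNS server at all should time out.
$out = & nslookup google.com $target 2>&1 | Out-String
if ($out -match 'timed out|No response from server') {
    "No DNS answer from $target (not listening, or UDP/53 is blocked)."
} elseif ($out -match 'Non-authoritative answer') {
    "$target answered a recursive query: it resolves names for anyone who can reach UDP/53."
} else {
    "Unexpected nslookup output, inspect it:"
    $out
}
```

Run this from a machine outside the hosting network; from the server itself (or from a host on the same subnet) the results say nothing about what the internet can reach, which is the point made later in the thread about internal versus external scans.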
JustinGSEIWIAuthor Commented:
I tried to telnet and I get nothing. I am assuming that is good. I did nslookup and received a proper response for server and address.

However, I just found out that disabling the firewall rule in Windows 2008 R2 server is not the same as enabling the rule and then blocking the protocol. I enabled all the rules for the protocols outlined in the scan results and then I blocked all of them. I am doing a rescan now and I'll report back when I know if this corrected my issue or not.

Thanks,

Justin
0
JustinGSEIWIAuthor Commented:
I blocked all the protocols in the firewall that were listed in the report above and did another scan last night. It only removed two of the port 3306 issues. The rest of them remain. Since all the ports are blocked, I'm not sure what I am missing here.
0
c0sCommented:
Can you try using another product to scan it? Like Nessus maybe? Or Nmap?
0
JustinGSEIWIAuthor Commented:
I suppose I could try but those are internal scans and what I need are external scans. Are you thinking they would provide me with different information? I do have another company that did a separate external scan but the information they provided was not much better.

Thanks,

Justin
0
JustinGSEIWIAuthor Commented:
I noticed that there are several inbound rules that are disabled but the action is set to allow. Do I need to enable all of these rules and set them to block to lock everything down? This is what it is looking like.

Thanks,

Justin
0
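This question and the earlier reply about allowing the admin ports only from specific IPs both come down to the same firewall configuration, so here is one added example (not from the thread or either participant) of building it with netsh advfirewall, the native tool on 2008 R2. Whether a disabled allow rule needs replacing with a block rule depends on the profile's default inbound action: with the default set to block, a disabled allow rule is simply a rule that never matches and the packet is dropped. Assumed here: the web forms are the only service the internet needs, MySQL is used only by the forms on the same box, and administrative access is RDP from the placeholder addresses below.

```powershell
# Added example, not from the thread: a Windows Firewall baseline for the
# server described here, built with netsh advfirewall (the NetSecurity
# cmdlets such as New-NetFirewallRule only exist from 2012 onward).
# Assumptions: only HTTP/HTTPS must be reachable from anywhere, MySQL is
# used only by the forms on the same host, and RDP comes from $adminIps.
# Run from an elevated prompt on the server.
$adminIps = '198.51.100.20,198.51.100.21'   # placeholder admin addresses (RFC 5737 range)

# 1. Add the allow rules BEFORE tightening the default policy: on a hosted
#    box with no console, a default of 'block inbound' and no RDP rule
#    means locking yourself out.
netsh advfirewall firewall add rule name=Web-HTTP  dir=in action=allow protocol=TCP localport=80  remoteip=any
netsh advfirewall firewall add rule name=Web-HTTPS dir=in action=allow protocol=TCP localport=443 remoteip=any
# Scoped rule: the admin port is reachable only from the listed addresses.
netsh advfirewall firewall add rule name=RDP-admins-only dir=in action=allow protocol=TCP localport=3389 "remoteip=$adminIps"
# MySQL (3306): no inbound rule at all. Loopback traffic from the web
# forms on the same host is not filtered, so the database keeps working.

# 2. Default inbound action = block, on every profile. From now on a
#    disabled 'allow' rule is just a rule that never matches, and any
#    inbound packet that matches no enabled allow rule is dropped, so the
#    stock rules do not need to be re-enabled and flipped to 'block'.
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"
netsh advfirewall set allprofiles state on
# Log drops so the next external scan can be compared with what the host saw
# (default log: %systemroot%\system32\LogFiles\Firewall\pfirewall.log).
netsh advfirewall set allprofiles logging droppedconnections enable

# 3. Review what is actually enabled inbound now.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern '^(Rule Name|Enabled|Direction|Action|Protocol|LocalPort|RemoteIP)'
```

Outbound stays allowed, so the forms can still hand mail to MailEnable and MailEnable can still deliver it; if the mail server must also receive mail from the internet, that needs its own scoped inbound rule on port 25, which this baseline deliberately does not add.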
c0sCommented:
Oh, if you do an internal scan those are always going to show up because they are wide open to the local system; you need to do an external scan to check if the firewall is actually working.
0
c0sCommented:
you could award some points you know... :)
0
JustinGSEIWIAuthor Commented:
I was not sure if I could give partial points or not. I can give you some points for your first answer. It wasn't exactly what I was looking for but it is pointing in the correct direction.
0
c0sCommented:
Well, we're all here to help, so whatever you feel is best.
0
JustinGSEIWIAuthor Commented:
I gave a B grade because the solution was generic and didn't fully provide instruction on how to obtain the results needed. It was correct though.

Thanks for all the help!
0