Solved

PCI Compliance on SBS 2003 Server

Posted on 2011-10-20
Medium Priority
1,707 Views
Last Modified: 2012-05-12
We have to pass PCI compliance on our Windows Small Business Server 2003. There are 3 failures that I cannot seem to overcome. I wonder if anyone might be able to advise on how to solve them.

I have tried all the patches mentioned in the failure descriptions. Points 1 and 3 were not on the original scans that I did but only appeared later. I think it may be a setting in IIS but I am not sure what.

The failures are listed below:

1. Protocol: TCP Port: 443 Program: HTTPS Risk: 10

Description: Possible Microsoft IIS ASP Remote Code Execution vulnerability
Severity: Potential Problem
CVE: CVE-2008-0075
Impact: An attacker could send a specially constructed request which crashes the server or executes arbitrary code with the privileges of the web server.
Background: Microsoft IIS web servers accept requests for a number of different types of files. The most common methods of requesting a file are GET and POST. In addition to the request itself, the web browser sends the IIS server additional information called headers which are not seen by the user. Information in the header can include browser type, content type, content length, and other information. Some of the file types for which IIS may accept requests are .HTR files (for remote administration of passwords), .IDC files (Internet Database Connectors), .STM files (server side include files), .PRINTER files (printers), .IDA files (Internet Data Administration), .IDQ files (Internet Data Query), and .ASP files (Active Server Pages). Whenever any file of one of these types is requested by a client, a corresponding DLL file is executed on the server, regardless of whether or not the requested file actually exists on the server. IIS supports redirection, which allows a user to specify that requests for a particular URL on the server should be redirected such that the user's browser loads a file from another directory, a network share, or a URL on another web server.
Resolution: Install the patches referenced in Microsoft Security Bulletins [http://www.microsoft.com/technet/security/bulletin/ms03-018.mspx] 03-018, [http://www.microsoft.com/technet/security/bulletin/ms06-034.mspx] 06-034 (for Windows 2000), [http://www.microsoft.com/technet/security/bulletin/ms08-062.mspx] 08-062, and [http://technet.microsoft.com/en-us/security/bulletin/MS10-065] 10-065. For IIS 5.1, also install the patches referenced in [http://www.microsoft.com/technet/security/bulletin/ms07-041.mspx] 07-041. Note that the patch referenced in [http://www.microsoft.com/technet/security/bulletin/ms02-050.mspx] Microsoft Security Bulletin 02-050 must also be installed if client side certificates are to function. IIS 4.0 users should also install the patch referenced in [http://www.microsoft.com/technet/security/bulletin/ms04-021.mspx] Microsoft Security Bulletin 04-021 or disable the permanent redirection option under the Home Directory tab in the web site properties.
Vulnerability Details: Service: https IIS 6 detected and cannot check for patch (credentials required)

2. Protocol: TCP Port: 25 Program: SMTP Risk: 9

Description: Microsoft Exchange TNEF PidTagRtfCompressed integer underflow
Severity: Critical Problem
CVE: CVE-2009-0098
Impact: A remote attacker could crash the mail service or execute arbitrary code.
Background: Microsoft Exchange is an e-mail server for Microsoft Windows operating systems. Exchange 5.5 includes an Internet Mail Connector (IMC) service which acts as a Mail Transfer Agent (MTA) for sending, receiving, or routing e-mail across a network. The IMC implements the Extended Simple Mail Transfer Protocol (ESMTP). Exchange 2000 and 2003 use the native Windows ESMTP service. An ESMTP session typically begins with the client sending an EHLO command to the server to indicate that it supports ESMTP. The Exchange server replies with the fully qualified domain name of both itself and the client. The client's name is determined by a reverse DNS lookup. Exchange servers use ESMTP extensions known as extended verbs to communicate certain information specific to the Exchange environment.
Resolution:
Vulnerability Details: Service: smtp Received:+OK Microsoft Exchange Server 2003 POP3 server version 6.5.7638.1 (crafters-server.Crafters.local) ready.

3. Protocol: TCP Port: 443 Program: HTTPS Risk: 6

Description: Possible Microsoft IIS ASP Upload Command Execution vulnerability
Severity: Potential Problem
CVE: CVE-2006-0026
Impact: An attacker could send a specially constructed request which crashes the server or executes arbitrary code with the privileges of the web server.
Background: Microsoft IIS web servers accept requests for a number of different types of files. The most common methods of requesting a file are GET and POST. In addition to the request itself, the web browser sends the IIS server additional information called headers which are not seen by the user. Information in the header can include browser type, content type, content length, and other information. Some of the file types for which IIS may accept requests are .HTR files (for remote administration of passwords), .IDC files (Internet Database Connectors), .STM files (server side include files), .PRINTER files (printers), .IDA files (Internet Data Administration), .IDQ files (Internet Data Query), and .ASP files (Active Server Pages). Whenever any file of one of these types is requested by a client, a corresponding DLL file is executed on the server, regardless of whether or not the requested file actually exists on the server. IIS supports redirection, which allows a user to specify that requests for a particular URL on the server should be redirected such that the user's browser loads a file from another directory, a network share, or a URL on another web server.
Resolution: Install the patches referenced in Microsoft Security Bulletins [http://www.microsoft.com/technet/security/bulletin/ms03-018.mspx] 03-018, [http://www.microsoft.com/technet/security/bulletin/ms06-034.mspx] 06-034 (for Windows 2000), [http://www.microsoft.com/technet/security/bulletin/ms08-062.mspx] 08-062, and [http://technet.microsoft.com/en-us/security/bulletin/MS10-065] 10-065. For IIS 5.1, also install the patches referenced in [http://www.microsoft.com/technet/security/bulletin/ms07-041.mspx] 07-041. Note that the patch referenced in [http://www.microsoft.com/technet/security/bulletin/ms02-050.mspx] Microsoft Security Bulletin 02-050 must also be installed if client side certificates are to function. IIS 4.0 users should also install the patch referenced in [http://www.microsoft.com/technet/security/bulletin/ms04-021.mspx] Microsoft Security Bulletin 04-021 or disable the permanent redirection option under the Home Directory tab in the web site properties.
Vulnerability Details: Service: https IIS 6 detected and cannot check for patch (credentials required)
Question by: abotech
2 Comments
Accepted Solution by: Comsyco (LVL 5, earned 1500 total points)
ID: 37000373
I had a similar problem for one of our clients. These PCI scans are brutal. 443 basically means disable webmail access (or the port forwarding), and port 25 ideally needs to be locked down to an external spam filter so you only accept port 25 connections from their servers.

Not the best situation to be in, but if you wanted to cheat slightly you could use a 2nd internet connection for web mail?
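Added example, not code from the thread or from either poster: a small Python triage helper that parses findings in the scanner layout quoted in the question and maps each one to the control Comsyco's accepted answer describes (port 25 accepted only from the spam filter's servers; port 443 findings, which the scanner raised from the IIS banner alone with "cannot check for patch (credentials required)", marked for credentialed verification and reduced external exposure). The sample report text is an abridged, constructed copy of the question's format; the spam-filter addresses passed in by the caller are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the scan report quoted in the question (text abridged).
SAMPLE_REPORT = """1. Protocol: TCP Port: 443 Program: HTTPS Risk: 10
Description: Possible Microsoft IIS ASP Remote Code Execution vulnerability \
Severity: Potential Problem CVE: CVE-2008-0075 Impact: (abridged) \
Vulnerability Details: Service: https IIS 6 detected and cannot check for patch (credentials required)
2. Protocol: TCP Port: 25 Program: SMTP Risk: 9
Description: Microsoft Exchange TNEF PidTagRtfCompressed integer underflow \
Severity: Critical Problem CVE: CVE-2009-0098 Impact: (abridged) \
Vulnerability Details: Service: smtp Received:+OK Microsoft Exchange Server 2003 POP3 server version 6.5.7638.1 ready.
"""

@dataclass
class Finding:
    port: int
    risk: int
    cve: str
    severity: str
    details: str

HEADER = re.compile(r"^\d+\.\s+Protocol:\s*\w+\s+Port:\s*(\d+)\s+Program:\s*\w+\s+Risk:\s*(\d+)", re.M)

def parse_findings(report: str) -> list:
    """Split the report at each numbered 'Protocol/Port/Program/Risk' header and pull the triage fields."""
    heads = list(HEADER.finditer(report))
    out = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(report)
        body = report[m.end():end]
        cve = re.search(r"CVE:\s*(CVE-\d{4}-\d+)", body)
        sev = re.search(r"Severity:\s*(.+?)\s+CVE:", body)
        det = re.search(r"Vulnerability Details:\s*(.+)", body, re.S)
        out.append(Finding(int(m.group(1)), int(m.group(2)), cve.group(1) if cve else "",
                           sev.group(1) if sev else "", det.group(1).strip() if det else ""))
    return out

def is_banner_only(f: Finding) -> bool:
    """An unauthenticated scan infers these from the service banner, not from a verified patch state."""
    return "cannot check for patch" in f.details or "Received:" in f.details

def triage(f: Finding, relay_sources: list) -> str:
    """Map a finding to the compensating control from the accepted answer; relay_sources = spam filter IPs (caller-supplied placeholders)."""
    if f.port == 25:
        return f"{f.cve}: restrict inbound TCP/25 to the spam filter only ({', '.join(relay_sources)})"
    if f.port == 443:
        how = "confirm patch level with a credentialed scan" if is_banner_only(f) else "apply the listed patches"
        return f"{f.cve}: {how}; remove or limit external webmail exposure on 443"
    return f"{f.cve}: manual review"
```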
Expert Comment by: Cliff Galiher (LVL 60)
ID: 37001562
SBS is not PCI compliant, nor can it be made to be. Short answer is you should not be storing credit card info on SBS, and if you aren't then PCI-DSS has no bearing.

If, however, for some reason you feel the need to put that green check mark on your resume, you CAN make an SBS network PCI compliant by disabling access to some SBS services. A good wiki page covers that here:

http://social.technet.microsoft.com/wiki/contents/articles/adjustments-needed-for-a-small-business-server-to-pass-a-pci-dss-scan.aspx

-Cliff