Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2726
  • Last Modified:

SecurityMetrics to validate annual PCI Compliance requirement

We are receiving a failed “Compliance from Security metrics for which we have always pasted for the last 3 years. Nothing has changed that we are arware of and they have listed

Details are:
ISP: Comcast - WashingtonDC.hfc.comcastbusiness.net
OS: SBS 2011 – Fully patched and up to date
Network: Single Static IP and Single-site Domain
Router was provided by their VOIP group:
Edgewater Networks
The test was initiated from a Workstation running Win-7 Pro with Symantec Endpoint running.

I’m not sure if they are failing up because HTTPS is enabled or if I’m just reading the results wrong.

Has anyone seen this and does anyone know of a solution that will not affect the SBS 2011 functions pertaining to the phones and remote access.


PCI Compliance: Fail

Scan Target: -Our-Static Ip Address - WashingtonDC.hfc.comcastbusiness.net

 Scan ID: 4310329

 Start: 2012-09-07 13:45:53

 Finish: 2012-09-07 17:02:15

 Maximum score: 4.3

 Scan Length: 3:16:22

 Scan Expiration: 2012-12-11

 TCP/IP Fingerprint OS Estimate: Microsoft Windows Server 2008 Beta 3

Description: SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability Synoposis: It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services. Impact: A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected. This script tries to establish an SSL/TLS remote connection using an affected SSL version and cipher suite, and then solicits return data. If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable. OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is initialized. Microsoft implemented one-byte fragments as a countermeasure, and the setting can be controlled via the registry key H KEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders \\SCHANNEL\\SendExtraRecord. Therefore, if multiple applications use the same SSL/TLS implementation, some may be vulnerable while others may not, depending on whether or not a countermeasure has been enabled. Note that this script detects the vulnerability in the SSLv3/TLSv1 protocol implemented in the server. It does not detect the BEAST attack where it exploits the vulnerability at HTTPS client-side (i.e., Internet browser). The detection at server-side does not necessarily mean your server is vulnerable to the BEAST attack because the attack exploits the vulnerability at client-side, and both SSL/TLS clients and servers can independently employ the split record countermeasure. See also : http://www.openssl.org/~bodo/tls-cbc.txt http://vnhacker.blogspot.com/2011/09/beast.html http://technet.microsoft.com/en-us/security/bulletin/ms12-006 http://support.microsoft.com/kb/2643584 http://blogs.msdn.com/b/kaushal/archive/2012/01/21/fixing-the-beast.aspx Data Received: Negotiated cipher suite: AES128-SHA|TLSv1|Kx=RSA|Au=RSA|Enc=AES(128)|Mac=SHA1

 Resolution: Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available. Note that additional configuration may be required after the installation of the MS12-006 security update in order to enable the split-record countermeasure. See http://support.microsoft.com/kb/2643584 for details. Risk Factor: Medium/ CVSS2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) CVE: CVE-2011-3389\


Thank you!
1 Solution
The PCI compliance audit scan was changed this year to "fail" any use of TLS 1.0 and/or SSL 2.0 (Google BEAST attack for more information - although its all hypothetical narrative).

You will need to change your server to only allow connections using TLS 1.2 and/or SSL 3.0 and most importantly only allow strong ciphers.

The details below relate to a Microsoft O/S environment:

How to configure Microsoft OS to not accept SSLv2 connections:

You will need to modify the system’s registry.

Merge the following keys to the Windows registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]

Open in new window

Restart the system and ensure that the server is functional

How to configure Microsoft OS to not accept weak SSL ciphers:

Again you will need to modify the system’s registry.

Merge the following keys to the Windows registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]

Open in new window

Restart the system and ensure that the server is functional.
Magothytech1Author Commented:
Awesome – This worked as design and was exactly what we needed – Thank you!

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now