SecurityMetrics to validate annual PCI Compliance requirement
We are receiving a failed “Compliance from Security metrics for which we have always pasted for the last 3 years. Nothing has changed that we are arware of and they have listed
Details are:
ISP: Comcast - WashingtonDC.hfc.comcastbu
OS: SBS 2011 – Fully patched and up to date
Network: Single Static IP and Single-site Domain
Router was provided by their VOIP group:
Edgewater Networks
The test was initiated from a Workstation running Win-7 Pro with Symantec Endpoint running.
I’m not sure if they are failing up because HTTPS is enabled or if I’m just reading the results wrong.
Has anyone seen this and does anyone know of a solution that will not affect the SBS 2011 functions pertaining to the phones and remote access.
THE RESULTS THAT THEY LISTED ARE:
PCI Compliance: Fail
Scan Target: -Our-Static Ip Address - WashingtonDC.hfc.comcastbu
Scan ID: 4310329
Start: 2012-09-07 13:45:53
Finish: 2012-09-07 17:02:15
Maximum score: 4.3
Scan Length: 3:16:22
Scan Expiration: 2012-12-11
TCP/IP Fingerprint OS Estimate: Microsoft Windows Server 2008 Beta 3
Description: SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability Synoposis: It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services. Impact: A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected. This script tries to establish an SSL/TLS remote connection using an affected SSL version and cipher suite, and then solicits return data. If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable. OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_
Resolution: Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available. Note that additional configuration may be required after the installation of the MS12-006 security update in order to enable the split-record countermeasure. See http://support.microsoft.com/kb/2643584 for details. Risk Factor: Medium/ CVSS2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
Thank you!
Details are:
ISP: Comcast - WashingtonDC.hfc.comcastbu
OS: SBS 2011 – Fully patched and up to date
Network: Single Static IP and Single-site Domain
Router was provided by their VOIP group:
Edgewater Networks
The test was initiated from a Workstation running Win-7 Pro with Symantec Endpoint running.
I’m not sure if they are failing up because HTTPS is enabled or if I’m just reading the results wrong.
Has anyone seen this and does anyone know of a solution that will not affect the SBS 2011 functions pertaining to the phones and remote access.
THE RESULTS THAT THEY LISTED ARE:
PCI Compliance: Fail
Scan Target: -Our-Static Ip Address - WashingtonDC.hfc.comcastbu
Scan ID: 4310329
Start: 2012-09-07 13:45:53
Finish: 2012-09-07 17:02:15
Maximum score: 4.3
Scan Length: 3:16:22
Scan Expiration: 2012-12-11
TCP/IP Fingerprint OS Estimate: Microsoft Windows Server 2008 Beta 3
Description: SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability Synoposis: It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services. Impact: A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected. This script tries to establish an SSL/TLS remote connection using an affected SSL version and cipher suite, and then solicits return data. If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable. OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_
Resolution: Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available. Note that additional configuration may be required after the installation of the MS12-006 security update in order to enable the split-record countermeasure. See http://support.microsoft.com/kb/2643584 for details. Risk Factor: Medium/ CVSS2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389
Thank you!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER