PCI scan fails Security Metrics

Posted on 2012-09-11
Last Modified: 2012-09-28
Hi,

I have been researching this for a week now and have tried everything, even the advice from a similar question here on EE.  I am running a website on a Windows 2008 R2 Standard server running IIS7.  My PCI scan fails because these block ciphers need to be disabled:
> Cipher_Strength: HIGH
>       Proto   Cipher       Encryption
>       -------------------------------
>       TLSv1 : AES256-SHA : 256
>       TLSv1 : AES128-SHA : 128
>       TLSv1 : DES-CBC3-SHA : 168
>       SSLv3 : DES-CBC3-SHA : 168
Sounds simple enough, but I can't seem to find a definite answer on this.  Any help is greatly appreciated.

Thanks,
Question by: W2Market

Accepted Solution by Tony J (ID: 38389845, earned 1000 total points)
 
Assisted Solution by lesterpenguinne (ID: 38399644, earned 1000 total points)

You are not alone. Actually, I have contacted Microsoft on this same issue, and Security Metrics keeps pointing to MS10-049, which has been superseded by MS10-085 and then again by MS12-006 (I did send this to Security Metrics as well). By the way, if you do disable the ciphers there is a good chance that RDP will no longer work.

Here is what Microsoft said

I did some research on this and came across a few blog posts related to the identified ciphers.  Please review them at your convenience and let me know if you have additional questions.  Keep in mind, these blog posts are nearing a year old (although they have been updated to reflect MS12-006), so it is curious why your vendor would just now point them out.  From what I have read, it looks like as long as you have installed MS12-006 and MS11-099 you should have little exposure to this vulnerability.  However, we do recommend using TLS 1.1 and 1.2 if possible, and if the vendor requires you to disable the ciphers to be PCI compliant, you may need to do so. Regardless, the vendor should update their scan to more clearly identify the vulnerability rather than simply pointing you to MS10-049.  Thanks.

http://technet.microsoft.com/en-us/security/bulletin/ms12-006 (Review the FAQ)
http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx
http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx

Author Closing Comment by W2Market (ID: 38405654)

Both of you were really helpful but it was Tony1044's link to
http://www.nartac.com/Products/IISCrypto/Default.aspx

which really solved the issue.  Not only did I have to disable the ciphers in the registry, I also had to eliminate them from the priority list as well.  As long as they were available in that list, Security Metrics was seeing them as available.

The IIS Crypto program made it really easy to apply these registry changes.

Thanks!
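The two changes the closing comment describes (disable the cipher under SCHANNEL\Ciphers, and remove its suites from the cipher suite priority list), scripted as an added example for this thread. This is not code from the original page and not IIS Crypto's code. It assumes Windows Server 2008 R2 with the Schannel registry locations Microsoft documents for that release, the OpenSSL-to-Schannel suite name mapping in `$FlaggedSuites` (the scanner reports OpenSSL names; Schannel uses the IANA names), and that the SSLv3 line in the scan is cleared by turning SSL 3.0 off rather than by cipher changes. It also enables TLS 1.1/1.2 server-side, as the Microsoft reply quoted above recommends, and ends with a read-back check of the active suite order so you can see what the scanner will be offered before rebooting.

```powershell
# Added example (not from the thread or IIS Crypto). Assumes Windows Server
# 2008 R2, an elevated PowerShell, and a reboot afterwards: Schannel reads
# these keys at boot. The RDP warning from the assisted solution applies,
# since RDP with the TLS security layer uses the same Schannel settings, so
# run this on a host you can reach another way.

$Schannel     = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$PolicyOrder  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$DefaultOrder = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Configuration\Local\SSL\00010002'

# OpenSSL names as printed by the scanner -> Schannel suite names (assumed mapping).
$FlaggedSuites = @{
    'AES256-SHA'   = 'TLS_RSA_WITH_AES_256_CBC_SHA'
    'AES128-SHA'   = 'TLS_RSA_WITH_AES_128_CBC_SHA'
    'DES-CBC3-SHA' = 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
}

function Set-SchannelProtocol {
    # Protocols\<name>\Server controls what the server side offers.
    # 2008 R2 ships with SSL 3.0 on and TLS 1.1/1.2 off.
    param([string]$Name, [bool]$Enabled)
    $key = "HKLM:\$Schannel\Protocols\$Name\Server"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
}

function Set-SchannelCipher {
    # Cipher key names such as "AES 128/128" contain '/', which the PowerShell
    # registry provider treats as a path separator, so use the .NET API instead.
    # Enabled = 0 disables the algorithm for every protocol version at once.
    param([string]$Name, [bool]$Enabled)
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$Schannel\Ciphers")
    $key = $ciphers.CreateSubKey($Name)
    $value = if ($Enabled) { -1 } else { 0 }   # -1 is stored as 0xFFFFFFFF
    $key.SetValue('Enabled', [int]$value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $ciphers.Close()
}

function Get-CipherSuiteOrder {
    # The policy value (REG_SZ, comma separated) overrides the built-in default
    # (REG_MULTI_SZ). Whichever is active is the list the scanner is offered.
    $policy = (Get-ItemProperty -Path $PolicyOrder -Name Functions -ErrorAction SilentlyContinue).Functions
    if ($policy) { return $policy -split ',' }
    return (Get-ItemProperty -Path $DefaultOrder -Name Functions).Functions
}

function Remove-CipherSuitesFromOrder {
    param([string[]]$Suites)
    $kept = Get-CipherSuiteOrder | Where-Object { $Suites -notcontains $_ }
    $joined = $kept -join ','
    # 2008 R2 ignores anything past 1,023 characters in this value.
    if ($joined.Length -gt 1023) { throw "Cipher suite list too long ($($joined.Length) chars)" }
    New-Item -Path $PolicyOrder -Force | Out-Null
    New-ItemProperty -Path $PolicyOrder -Name Functions -PropertyType String -Value $joined -Force | Out-Null
}

function Test-CipherSuiteOrder {
    # Read-back check: which of the flagged suites are still in the active list?
    param([string[]]$Suites)
    $active = Get-CipherSuiteOrder
    foreach ($s in $Suites) {
        [pscustomobject]@{ Suite = $s; StillOffered = ($active -contains $s) }
    }
}

# --- apply ---
Set-SchannelProtocol -Name 'SSL 3.0' -Enabled $false   # clears the SSLv3 line in the scan
Set-SchannelProtocol -Name 'TLS 1.1' -Enabled $true    # what the Microsoft reply recommends
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true
Set-SchannelCipher   -Name 'Triple DES 168' -Enabled $false
# Disabling 'AES 128/128' and 'AES 256/256' the same way would also remove AES
# from TLS 1.1/1.2, so the suite order is the finer tool for the AES entries.
Remove-CipherSuitesFromOrder -Suites @($FlaggedSuites.Values)
Test-CipherSuiteOrder -Suites @($FlaggedSuites.Values) | Format-Table -AutoSize
```

After the reboot, confirm from outside the box rather than trusting the registry: `openssl s_client -connect host:443 -tls1 -cipher AES128-SHA` should now fail the handshake for each of the three names the scanner listed, and the SSLv3 probe should be refused outright. Two caveats worth knowing before the rescan: the scanner only listed the RSA key-exchange suites, so if it next reports ECDHE-RSA-AES128-SHA or ECDHE-RSA-AES256-SHA, those are the TLS_ECDHE_RSA_WITH_AES_*_CBC_SHA suites and can be added to the same table; and removing every CBC suite from a 2008 R2 server leaves clients that only speak TLS 1.0 negotiating RC4, which is why the Microsoft reply pushes TLS 1.1/1.2 rather than cipher removal alone.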
Expert Comment by Tony J (ID: 38405749)

Glad to have helped. These things can be a pain sometimes.

Tony.