Solved

Upgrading Security on Server

Posted on 2013-01-22
Last Modified: 2013-02-06
One of my machines is causing me to not be PCI compliant and I am not quite sure how to fix it.
One of my issues is with Remote Desktop.  I have a Win 2k3 server and it is failing because Terminal Services Doesn't Use Network Level Authentication (NLA).
How do I enable NLA on a 2003 server?
Additionally the scan flagged FTP at port 21 because FTP Supports Clear Text Authentication.  I know that I had FTP enabled before on another server and it was never flagged, so is there any way to continue to use port 21?
Question by:aclaus225
LVL 27

Expert Comment

by:Tolomir
ID: 38807292
NLA see for details: http://blogs.msdn.com/b/rextang/archive/2007/03/28/remote-desktop-6-0-network-level-authentication-not-work-on-os-prior-vista.aspx

... if you only RDP using Vista machines, you can set the third setting to turn on NLA, which should be more safe on handling your connections...

---
for ftp you should use FTPS, see for more details:

http://en.wikipedia.org/wiki/FTPS

(client and server software also listed)
LVL 27

Expert Comment

by:Tolomir
ID: 38807311
For FTP, if you need a free version, use the open source http://filezilla-project.org/index.php
Client and Server available.

It might be useful to change the service port for RDP to e.g. 19999 and FTPS to 49999 to make the duration of port scans longer. There are many malware scripts on the internet probing the usual ports, like http / https / ftp / rdp
LVL 8

Accepted Solution

by:
ee_reach earned 500 total points
ID: 38807763
As of June 1st 2011, plain old FTP invalidates PCI.

For PCI, I doubt that changing the port number will be sufficient since it would still use plain text.

You can use ftps or sftp instead of ftp.  On Win2k3 you cannot do this natively in Windows.  You will need a third party app.

To avoid confusion, I mention the difference between sftp and ftps, which are two incompatible protocols.

SFTP (Secure File Transfer Protocol) uses SSH to allow you to establish a secure connection before initiating FTP or SCP processes on the server. You can read more about SFTP here: http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol.  

FTPS is an extension of FTP that allows security via encryption using TLS / SSL. You will also have to choose between implicit and explicit, etc.   You can read more about FTPS here: http://en.wikipedia.org/wiki/FTPS

On Win2k3, either protocol will require a third-party product.

For SFTP, we use WinSSHD by bitvise.  We have found it to be an excellent product, reasonably priced, with superb support.  You can try it for free for 30 days: http://www.bitvise.com/winsshd.html

For FTPS, you will need an SSL cert along with server software.  Commonly used freeware is server zilla, downloadable here: http://filezilla-project.org/download.php?type=server 
They mention that they support XP, Vista, and Win7.  No mention as to whether they still support Win2003 and since I no longer have a Win2k3 server, I cannot validate that for you.

Before you settle on a solution, you may want to check whether either or both third-party products are PCI compliant, etc.

Hope this helps.
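
The scan finding discussed in this thread ("FTP Supports Clear Text Authentication") can be re-checked on your own server after switching to FTPS. The Python below is an added example, not code from any poster in the thread: it classifies a server from its replies to `FEAT` and to a `USER` command sent before any TLS negotiation. The function names, the `pci-probe` user name and the sample transcript are assumptions constructed for illustration.

```python
import socket

def read_reply(lines):
    """Read one FTP reply (RFC 959) from an iterator of lines -> (code, [text])."""
    first = next(lines).rstrip("\r\n")
    code, body = first[:3], [first[4:]]
    if first[3:4] == "-":                  # multi-line reply ends at "<code> ..."
        for line in lines:
            line = line.rstrip("\r\n")
            if line.startswith(code + " "):
                body.append(line[4:])
                break
            body.append(line.strip())
    return code, body

def verdict(feat, user):
    """Classify from the replies to FEAT and to a USER sent before any TLS."""
    tls = feat[0] == "211" and any(l.upper().startswith("AUTH ") for l in feat[1])
    cleartext = user[0] in ("331", "230")  # server went on with a plain-text login
    if cleartext:
        return "tls-optional" if tls else "cleartext-only"
    return "tls-required" if tls else "unknown"

def probe(host, port=21, timeout=5.0):
    """Run the check against your own server; no password is ever sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rw", encoding="latin-1", newline="")
        read_reply(f)                      # greeting banner (may be multi-line)
        replies = []
        for cmd in ("FEAT", "USER pci-probe"):  # hypothetical user name
            f.write(cmd + "\r\n")
            f.flush()
            replies.append(read_reply(f))
        f.write("QUIT\r\n")
        f.flush()
    return verdict(*replies)

# Constructed sample: a server that offers TLS but still accepts a plain USER.
SAMPLE = ["211-Features:\r\n", " AUTH TLS\r\n", " PBSZ\r\n", "211 End\r\n",
          "331 Password required\r\n"]

if __name__ == "__main__":
    it = iter(SAMPLE)
    print(verdict(read_reply(it), read_reply(it)))
```

Both `cleartext-only` and `tls-optional` mean credentials can still cross the wire unencrypted; only `tls-required` shows the server refusing a login before TLS is negotiated.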