Solved

Upgrading Security on Server

Posted on 2013-01-22
356 Views
Last Modified: 2013-02-06
One of my machines is causing me to not be PCI compliant and I am not quite sure how to fix it.
One of my issues is with Remote Desktop. I have a Win 2k3 server and it is failing because Terminal Services Doesn't Use Network Level Authentication (NLA).
How do I enable NLA on a 2003 server?
Additionally, the scan flagged FTP at port 21 because FTP Supports Clear Text Authentication. I know that I had FTP enabled before on another server and it was never flagged, so is there any way to continue to use port 21?
Question by:aclaus225
3 Comments
 
Expert Comment by: Tolomir (LVL 27)
ID: 38807292
NLA see for details: http://blogs.msdn.com/b/rextang/archive/2007/03/28/remote-desktop-6-0-network-level-authentication-not-work-on-os-prior-vista.aspx

... if you only RDP using Vista machines, you can set the third setting to turn on NLA, which should be more safe on handling your connections...

---
for ftp you should use FTPS, see for more details:

http://en.wikipedia.org/wiki/FTPS

(client and server software also listed)
 
Expert Comment by: Tolomir (LVL 27)
ID: 38807311
For FTP, if you need a free version, use the open-source http://filezilla-project.org/index.php
Client and Server available.

It might be useful to change the service port for RDP to e.g. 19999 and FTPS to 49999 to make port scans take longer. There are many malware scripts on the internet probing the usual ports, like HTTP / HTTPS / FTP / RDP.
 
Accepted Solution by: ee_reach (LVL 8, earned 500 total points)
ID: 38807763
As of June 1st 2011, plain old FTP invalidates PCI.

For PCI, I doubt that changing the port number will be sufficient since it would still use plain text.

You can use FTPS or SFTP instead of FTP. On Win2k3 you cannot do this natively in Windows. You will need a third-party app.

To avoid confusion, I mention the difference between sftp and ftps, which are two incompatible protocols.

SFTP (Secure File Transfer Protocol) uses SSH to allow you to establish a secure connection before initiating FTP or SCP processes on the server. You can read more about SFTP here: http://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol

FTPS is an extension of FTP that allows security via encryption using TLS / SSL. You will also have to choose between implicit and explicit, etc. You can read more about FTPS here: http://en.wikipedia.org/wiki/FTPS

On Win2k3, either protocol will require a third-party product.

For SFTP, we use WinSSHD by Bitvise. We have found it to be an excellent product, reasonably priced, with superb support. You can try it for free for 30 days: http://www.bitvise.com/winsshd.html

For FTPS, you will need an SSL cert along with server software. Commonly used freeware is FileZilla Server, downloadable here: http://filezilla-project.org/download.php?type=server
They mention that they support XP, Vista, and Win7.  No mention as to whether they still support Win2003 and since I no longer have a Win2k3 server, I cannot validate that for you.

Before you settle on a solution, you may want to check whether either or both third-party products are PCI compliant, etc.

Hope this helps.
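The scanner's finding ("FTP Supports Clear Text Authentication") comes down to one question: does the server still accept USER/PASS on an unencrypted control channel? The check below is an added example (not from the thread or any of the products named in it) that a practitioner can run against their own server after switching to explicit FTPS, to confirm the fix actually closed the finding rather than just adding TLS as an option. The sample replies in `SAMPLES` are constructed; real servers word them differently.

```python
import socket

# Verdicts for the FTP control channel, from the scanner's point of view.
PLAINTEXT_ONLY = "plaintext-only"   # no AUTH TLS at all: what the PCI scan flags
TLS_OPTIONAL = "tls-optional"       # AUTH TLS works, but clear-text login still accepted: still flagged
TLS_REQUIRED = "tls-required"       # clear-text login refused until TLS is negotiated: finding closed
INDETERMINATE = "indeterminate"


def classify_ftp_responses(auth_tls_reply: str, plain_user_reply: str) -> str:
    """Classify a server from two replies: to 'AUTH TLS' and to a 'USER' sent without TLS."""
    tls_offered = auth_tls_reply.startswith("234")          # 234 = proceed with TLS negotiation
    clear_auth_allowed = plain_user_reply[:3] in ("331", "230")  # 331 = send password, 230 = logged in
    if tls_offered and not clear_auth_allowed:
        return TLS_REQUIRED
    if tls_offered and clear_auth_allowed:
        return TLS_OPTIONAL
    if not tls_offered and clear_auth_allowed:
        return PLAINTEXT_ONLY
    return INDETERMINATE


def _read_reply(f) -> str:
    """Read one FTP reply, collapsing a multi-line '220-...' reply to its final line."""
    line = f.readline().decode(errors="replace")
    code = line[:3]
    if line[3:4] == "-":
        while not (line.startswith(code) and line[3:4] == " "):
            line = f.readline().decode(errors="replace")
    return line.strip()


def probe_ftp(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Probe a server you administer. Each command goes on a fresh connection so the
    plain USER test is not influenced by an earlier AUTH TLS on the same session."""
    def exchange(cmd: str) -> str:
        with socket.create_connection((host, port), timeout=timeout) as s:
            f = s.makefile("rb")
            _read_reply(f)                       # discard the 220 banner
            s.sendall(cmd.encode("ascii") + b"\r\n")
            return _read_reply(f)
    return classify_ftp_responses(exchange("AUTH TLS"), exchange("USER pciprobe"))


# Constructed sample transcripts (wording is illustrative, not any specific product's).
SAMPLES = {
    "old-server":   ("502 Command not implemented", "331 Password required for pciprobe"),
    "tls-added":    ("234 Using authentication type TLS", "331 Password required for pciprobe"),
    "tls-enforced": ("234 Using authentication type TLS", "550 TLS required on the control channel"),
}
```

`classify_ftp_responses` is pure and works on captured replies, so it can also be fed transcripts from a packet capture of the scanner's own probe.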
