SidFishes (Canada)

asked on

PCI BEAST Mitigation on IIS6 server2003

I've recently failed a trustkeeper PCI scan due to a newly added BEAST scan parameter.

I've had a look at the IISCrypto tool for fixing the issues and currently show

SSL 3.0
TLS 1.0, 1.1 & 1.2

RC4 128/128
Triple DES 168/168
AES 128/128
AES 256/256

MD5
SHA

Diffie-Hellman
PKCS

My server is fully patched afaik, including the mitigation supplied in MS12-006. I assume the presence of the AES ciphers means the patch is applied. From what I've read, the failure is due to the cipher suite order, which isn't changeable in 2003.

My real solution is a migration to Server 2012, but that's about 3 months away. In the meantime, are there any additional protocols or ciphers that can/should be disabled?

Anything else I can do?

Anyone successfully disputed the failure and if so, what were your grounds?


(btw, in case anyone else is tempted to use the IISCrypto tool and play around with the various templates, the FIPS 140-2 template breaks RDP...)
SOLUTION
ArneLovius (United Kingdom)
ASKER CERTIFIED SOLUTION
SidFishes (ASKER)

Thanks for the links.

For future reference the answer is as follows.

For PCI compliance (for Trustkeeper/Trustwave at least) on Server 2003, the ONLY solution to BEAST mitigation is to disable all ciphers except RC4 128.

Based on the information at https://community.qualys.com/blogs/securitylabs/2012/07/17/how-good-is-client-side-support-for-rc4, the risk of breaking clients is small to non-existent, as all modern browsers support RC4.

HOWEVER, if you need to be PCI compliant AND FIPS or HIPAA compliant, you are in a world of bad. Neither FIPS nor HIPAA support RC4, and PCI doesn't support 3DES or AES, which are the only protocols supported by FIPS & HIPAA.

Your only option in that case is a server upgrade, and then use the cipher order fix using IISCrypto or Group Policy as outlined in numerous posts linked above and elsewhere.

For me, I'm in Canada and don't have those US compliance needs so my scan just ran clean and I'm a happy guy again.

Now to build that new server....
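The two settings discussed in this thread, written out as registry changes rather than IISCrypto clicks. This is an added example, not code from the thread or from the IISCrypto tool: the SCHANNEL cipher keys it touches (`RC4 128/128`, `Triple DES 168/168`, `AES 128/128`, `AES 256/256`) are the ones the asker's IISCrypto screen lists, and the `Functions` cipher-suite-order value is the one Group Policy writes on Server 2008 R2 and later. The function names and the suite list in `Set-SchannelCipherOrder` are assumptions for illustration; it assumes PowerShell 2.0 is installed on the Server 2003 host, an elevated session, and a reboot afterwards for SCHANNEL to pick up the change.

```powershell
# Added example (not from the thread). Run elevated; SCHANNEL reads these
# values at boot, so reboot after changing them.
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Set-SchannelCipher {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][bool]$Enabled
    )
    # Cipher key names contain '/', which the HKLM: provider treats as a path
    # separator (New-Item would create nested keys), so use the .NET registry API.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath, $true)
    if ($null -eq $root) {
        $root = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($ciphersPath)
    }
    $key = $root.CreateSubKey($Name)
    # SCHANNEL expects REG_DWORD 'Enabled': 0xFFFFFFFF = on, 0 = off.
    # -1 is the signed Int32 form of 0xFFFFFFFF that SetValue accepts.
    $value = if ($Enabled) { -1 } else { 0 }
    $key.SetValue('Enabled', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $root.Close()
}

function Get-SchannelCipherState {
    # Read back what is configured so the change can be verified before rebooting.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath)
    if ($null -eq $root) { return @() }
    foreach ($name in $root.GetSubKeyNames()) {
        $k = $root.OpenSubKey($name)
        New-Object PSObject -Property @{ Cipher = $name; Enabled = $k.GetValue('Enabled') }
        $k.Close()
    }
    $root.Close()
}

function Set-Server2003BeastMitigation {
    # Server 2003 has no cipher-suite ordering, so the only way to keep a TLS 1.0
    # client off a CBC suite is to leave RC4 as the sole enabled cipher (the
    # outcome the asker reports). RC4 stays on: the asker notes the FIPS template,
    # which turns it off, broke RDP on this host.
    Set-SchannelCipher -Name 'RC4 128/128'        -Enabled $true
    Set-SchannelCipher -Name 'Triple DES 168/168' -Enabled $false
    Set-SchannelCipher -Name 'AES 128/128'        -Enabled $false
    Set-SchannelCipher -Name 'AES 256/256'        -Enabled $false
}

function Set-SchannelCipherOrder {
    # Server 2008 R2 / 2012 alternative: keep the CBC suites available for
    # TLS 1.1/1.2 clients but list RC4 first, so a TLS 1.0 client that follows
    # server preference negotiates a stream cipher. Same value the
    # "SSL Cipher Suite Order" Group Policy writes: one REG_SZ, comma-separated.
    param([string[]]$Suites = @(
        'TLS_RSA_WITH_RC4_128_SHA',
        'TLS_RSA_WITH_AES_128_CBC_SHA',
        'TLS_RSA_WITH_AES_256_CBC_SHA',
        'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
    ))
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
    Set-ItemProperty -Path $policyPath -Name 'Functions' -Value ($Suites -join ',') -Type String
}

# Usage on the 2003 host, then confirm before rebooting:
# Set-Server2003BeastMitigation
# Get-SchannelCipherState | Format-Table Cipher, Enabled -AutoSize
```

`Get-SchannelCipherState` shows the DWORD as it is stored (`-1` for enabled, `0` for disabled), which is the quickest way to spot a key that landed under the wrong name because of the slash problem. The order-based fix in `Set-SchannelCipherOrder` only applies to Server 2008 R2 and later, which is why the thread's answer for 2003 is the all-but-RC4 approach and the upgrade.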
btan

Thanks for sharing...good chance to upgrade ;)