SBS 2011 Trustwave security updates

Posted on 2014-02-21
1,817 Views
Last Modified: 2014-03-28
Hello,

We have recently received the report from Trustwave, which is the organisation that performs security checks for the credit card PDQ machine.

Below is the report, which fails on IIS 7.5. It gives links to the Microsoft website to download the appropriate patches, but unfortunately I am unable to apply any of the updates on the Small Business Server 2011 as it states 'The update is not applicable to your computer'.

I have tried Windows 2008 x64, i386, Windows 2008 R2 x64, i386, which all return the same error.

The server is fully patched and up to date via Windows Updates and MSBPA.

Any ideas as to how to apply patches manually or patch the vulnerabilities?



Report:
Port: tcp/443
Several security updates have been released to address security
vulnerabilities in this version of IIS. Although this installation was
detected as version 7.5, the presence or absence of several
specific updates could not be determined.
This finding is based on version information which may not have
been updated by previously installed patches (e.g., Red Hat "back
ports"). Please submit a "Patched Service" dispute in TrustKeeper
if this vulnerability has already been patched.
CVE: CVE-2010-1256, CVE-2010-1899, CVE-2010-2730,
CVE-2010-2731
NVD: CVE-2010-1256, CVE-2010-1899, CVE-2010-2730,
CVE-2010-2731
CVSSv2: AV:N/AC:M/Au:N/C:C/I:C/A:C
Service: http
Reference:
http://technet.microsoft.com/en-us/security/Bulletin/MS10-040
http://technet.microsoft.com/en-us/security/Bulletin/MS10-065
Evidence:
Match: equals '7.5'
Remediation:
Ensure that all security updates available for this version of IIS
Question by:suresh187
17 Comments
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39878699
Are you processing or storing credit card information on your SBS 2011 computer?
0
 
LVL 65

Expert Comment

by:btan
ID: 39878845
Windows SBS 2011 Standard is built on Windows Server® 2008 R2 Standard; you may want to try running MBSA 2.3 @ http://technet.microsoft.com/en-us/security/cc184924

There is a slight error to note, below, from the MBSA FAQ:

When scanning a Windows Small Business Server I see a red icon for a "SBS Backup User" in the IE Zones check; Is this expected?

Yes, this is a known issue in the Windows Small Business Server products. This may appear if the SBS Backup User has been used by the backup task at least one time, and will continue until that same user account has been logged into at the console interactively at least one time.

The update on the website did not include SBS 2011, and the packaged patch tends not to "see" this platform as applicable. Then most of the time you have to go manual. In each bulletin:

For bulletin MS10-040

a) CVE-2010-1256 - (mitigating) Without the installation of KB973917 on the platform, systems will not have the Extended Protection for Authentication feature and will not be vulnerable. Extended Protection for Authentication is not enabled by default on any affected platform, even when a system has installed KB973917. Systems are only affected when this feature is enabled.

For MS10-065

The steps are mostly disabling, as stated in the mitigation of the bulletin. Do assess with your application team whether that is viable; it is good to disable and not have those unnecessary services running where possible. However, (d) is more of an internal code issue, and patching, if not an overall IIS lockdown, is preferred.

b) CVE-2010-1899 - Change the status for ASP from ALLOWED to PROHIBITED in the IIS manager. You can see more steps in the mitigation of the bulletin

c) CVE-2010-2730 - Disable FastCGI or Install the URL Rewrite module

d) CVE-2010-2731 - Sites that are not using authentication are not vulnerable to this

If possible, go for an upgrade to 2008 R2 or above and patch instead. I suspect the scanner will either be checking for the latest patch or also testing through those vulnerable services. It may not be foolproof for a manual patch, and possibly going to the latest platform version is better long-term planning.

Otherwise, another means is to scope the data processing out of this server for the time being, so that it does not handle any of the card PII, etc.
0
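A read-only PowerShell check of the four items above, added here as an example (it is not code from the thread or from btan). It assumes IIS 7.5 on SBS 2011 with the WebAdministration module, uses the standard applicationHost.config section paths, and only reports each mitigation's state; it does not change anything.

```powershell
# Added example, not from the thread. Assumes IIS 7.5 / SBS 2011 with the WebAdministration
# module. Section paths are standard IIS 7.x applicationHost.config sections; reading
# .allowed / .tokenChecking / .fullPath / .enabled off the returned elements as plain
# attribute values is an assumption. KB and CVE numbers come from the thread.
Import-Module WebAdministration -ErrorAction Stop
$findings = @()

# (a) MS10-040 / CVE-2010-1256: only relevant when KB973917 (Extended Protection for
#     Authentication) is installed AND a site has it enabled; it is off by default.
if (-not (Get-HotFix -Id 'KB973917' -ErrorAction SilentlyContinue)) {
    $findings += 'KB973917 not installed: Extended Protection absent, CVE-2010-1256 does not apply'
} else {
    foreach ($site in Get-Website) {
        $ep = Get-WebConfiguration -PSPath "IIS:\Sites\$($site.Name)" `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
        if ($ep -and "$($ep.tokenChecking)" -ne 'None') {
            $findings += "Site '$($site.Name)': Extended Protection tokenChecking=$($ep.tokenChecking) (CVE-2010-1256 relevant)"
        }
    }
}

# (b) MS10-065 / CVE-2010-1899: mitigation is ASP set to Not Allowed under ISAPI and CGI Restrictions.
$asp = @(Get-WebConfiguration -PSPath 'IIS:\' -Filter 'system.webServer/security/isapiCgiRestriction/add' |
    Where-Object { $_.path -like '*\asp.dll' })
if ($asp.Count -eq 0) { $findings += 'asp.dll not registered: ASP is not installed' }
elseif (@($asp | Where-Object { $_.allowed }).Count -gt 0) {
    $findings += 'ASP ISAPI extension is ALLOWED (CVE-2010-1899 mitigation not applied)'
}

# (c) MS10-065 / CVE-2010-2730: mitigation is disabling FastCGI or installing URL Rewrite.
$fcgi = @(Get-WebConfiguration -PSPath 'IIS:\' -Filter 'system.webServer/fastCgi/application')
if ($fcgi.Count -gt 0) {
    $findings += "FastCGI applications registered: $(($fcgi | ForEach-Object { $_.fullPath }) -join ', ') (CVE-2010-2730)"
}

# (d) MS10-065 / CVE-2010-2731: only sites that use authentication are affected.
foreach ($site in Get-Website) {
    $win = Get-WebConfiguration -PSPath "IIS:\Sites\$($site.Name)" `
        -Filter 'system.webServer/security/authentication/windowsAuthentication'
    if ($win -and $win.enabled) { $findings += "Site '$($site.Name)' uses Windows authentication (CVE-2010-2731 in scope)" }
}

if ($findings.Count -eq 0) { 'No findings: the listed mitigations are in place or not applicable.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it in an elevated PowerShell on the SBS box; it complements, rather than replaces, the external scanner, since it only tells you which of the manual mitigations still apply locally.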
 

Author Comment

by:suresh187
ID: 39881970
Thank you for your comments.
Unfortunately we are unable to PROHIBIT ASP.
I agree the MS patches are unable to recognize SBS 2011 as the Windows 2008 R2 operating system.

We are unable to upgrade as all components are part of SBS 2011, which is our sole server.

I  will try to contact Trustwave as the server is fully patched and may be mis-reported.

Thanks
0
 
LVL 65

Expert Comment

by:btan
ID: 39882211
Noted, it is well received. That is part of the risk assessment; also remember that complying with a security baseline does not necessarily mean the overall security controls are in place and the systems are secure either. We at times also need layered process and governance to checkpoint those potential gaps, given that a total overhaul takes time for a refresh and to maintain business continuity (esp. for legacy apps and services).
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39882655
But you really haven't answered the key question here...are you processing and storing credit card information on the SBS server?
0
 

Author Comment

by:suresh187
ID: 39882828
Sorry, we are not storing or processing any credit card information on the SBS server.
The check is performed on our static IP addresses by Trustwave regardless of whether any information is being stored.
I have heard the same from others.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39882884
Well that just doesn't make any sense.  But you might want to have a look at this blog by Microsoft MVP Susan Bradley.  Susan is known as the SBS Diva and recently changed from SBS MVP to Enterprise Security MVP...Hope this helps

http://msmvps.com/blogs/bradley/archive/2013/03/26/server-flagged-as-failing-iis-beast-vulnerability.aspx
0
 
LVL 65

Expert Comment

by:btan
ID: 39884352
Strange, though, as mentioned by the expert too.

It is probably for full enterprise compliance to standardise hardening across the board, but why a specific static IP address? Will that be a testing IP that thereafter "returns" back to the original production IP addresses? Sometimes I guess it is to have only a specific destination IP due to a firewall rule created to allow only that destination IP.

Nonetheless, specific to PCI DSS compliance, if the server under assessment excludes processing, storing and transiting of customer credit card info and related data, it should be out of scope for compliance. It may be good to ascertain the need for the assessment in the first place, as this may help in prioritising overall patching of this server and others. It may be better to just isolate this server from the internet to internal access only and establish safeguards for the enclave by allowing only specific clients or endpoints to access it.
0
 

Author Comment

by:suresh187
ID: 39892646
Thank you for all your comments.
I raised an exception and Trustwave have accepted and acknowledged it as a false positive.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39892931
Excellent!   Always good to challenge things like this
0
 
LVL 65

Expert Comment

by:btan
ID: 39893591
Thanks for sharing
0
 

Author Comment

by:suresh187
ID: 39953486
I've requested that this question be closed as follows:

Accepted answer: 0 points for suresh187's comment #a39892646

for the following reason:

Resolved with Trustwave
0
 
LVL 35

Assisted Solution

by:Cris Hanna
Cris Hanna earned 1000 total points
ID: 39953488
If it hadn't been for the responses that breadtan and I provided, the author would not have raised the exception with Trustwave and would not have been able to resolve this.
0
 
LVL 65

Accepted Solution

by:btan
btan earned 1000 total points
ID: 39954913
I had hoped the author had taken both experts' advice and formed the action plan. Likewise, we did go into the details of the CVEs to further explain means to address his question, as below:

Any ideas as to how to apply patches manually or patch the vulnerabilities?
0
 
LVL 65

Expert Comment

by:btan
ID: 39961714
thanks for sharing.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39961863
appreciate the assistance
0