SBS 2011 Trustwave security updates

Posted on 2014-02-21
Last Modified: 2014-03-28
Hello,

We have recently received the report from Trustwave, which is the organisation that performs security checks for the Credit card PDQ machine.

The below is the report which fails on IIS 7.5. It gives links to the Microsoft website to download the appropriate patches, but unfortunately I am unable to apply any of the updates on the Small Business Server 2011, as it states 'The update is not applicable to your computer'.

I have tried Windows 2008 x64, i386, Windows 2008 R2 x64, i386, which all return the same error.

The server is fully patched and up to date via Windows Updates and MSBPA.

Any ideas as to how to apply patches manually or patch the vulnerabilities?



Report:
Port: tcp/443
Several security updates have been released to address security
vulnerabilities in this version of IIS. Although this installation was
detected as version 7.5, the presence or absence of several
specific updates could not be determined.
This finding is based on version information which may not have
been updated by previously installed patches (e.g., Red Hat "back
ports"). Please submit a "Patched Service" dispute in TrustKeeper
if this vulnerability has already been patched.
CVE: CVE-2010-1256, CVE-2010-1899, CVE-2010-2730,
CVE-2010-2731
NVD: CVE-2010-1256, CVE-2010-1899, CVE-2010-2730,
CVE-2010-2731
CVSSv2: AV:N/AC:M/Au:N/C:C/I:C/A:C
Service: http
Reference:
http://technet.microsoft.com/en-us/security/Bulletin/MS10-040
http://technet.microsoft.com/en-us/security/Bulletin/MS10-065
Evidence:
Match: equals '7.5'
Remediation:
Ensure that all security updates available for this version of IIS
Question by:suresh187

Expert Comment

by:Cris Hanna
ID: 39878699
Are you processing or storing credit card information on your SBS 2011 computer?

Expert Comment

by:btan
ID: 39878845
Windows SBS 2011 Standard is built on Windows Server® 2008 R2 Standard; you may want to try running MBSA 2.3 @ http://technet.microsoft.com/en-us/security/cc184924

There is a slight error to note, from the MBSA FAQ:

When scanning a Windows Small Business Server I see a red icon for a "SBS Backup User" in the IE Zones check; Is this expected?

Yes, this is a known issue in the Windows Small Business Server products. This may appear if the SBS Backup User has been used by the backup task at least one time, and will continue until that same user account has been logged into at the console interactively at least one time.

The update on the website does not list SBS 2011, and the packaged patch tends not to "see" this platform as applicable. Then most of the time you have to go manual. In each bulletin:

For bulletin MS10-040

a) CVE-2010-1256 - (mitigating) Without the installation of KB973917 on the platform, systems will not have the Extended Protection for Authentication feature and will not be vulnerable. Extended Protection for Authentication is not enabled by default on any affected platform, even when a system has installed KB973917. Systems are only affected when this feature is enabled.

For MS10-065

The steps are mostly disabling, as stated in the mitigations of the bulletin. Do assess with your application team whether that is viable; it is good to disable and not have those unnecessary services running where possible. However, (d) is more of an internal code matter, and patching, if not an overall IIS lockdown, is preferred.

b) CVE-2010-1899 - Change the status for ASP from ALLOWED to PROHIBITED in IIS Manager. You can see more steps in the mitigation of the bulletin.

c) CVE-2010-2730 - Disable FastCGI or install the URL Rewrite module.

d) CVE-2010-2731 - Sites that are not using authentication are not vulnerable to this.

If possible, go for an upgrade to 2008 R2 or above and patch instead. I suspect the scanner will be either checking for the latest patch or also testing through those vulnerable services. It may not be foolproof for a manual patch, and possibly going to the latest platform version is more of a long-term plan ahead.

Otherwise, another means is to scope the data processing out of this server for the time being, such that it does not handle any of the card PII, etc.
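The comment above lists the evidence that decides each finding: whether the bulletin packages are present, whether ASP and FastCGI are installed and allowed, whether Extended Protection is switched on, and which sites require authentication. The script below, an added example and not code from the thread, collects exactly that from the SBS box so it can be attached to a TrustKeeper "Patched Service" dispute instead of being argued from memory. It assumes the ServerManager and WebAdministration modules that ship with Server 2008 R2 are present. KB973917 is the only package number the thread names; the list is otherwise an assumption and must be filled in from the "Windows Server 2008 R2" rows of MS10-040 and MS10-065.

```powershell
# Added example (not from the original thread): gather local evidence for the
# MS10-040 / MS10-065 findings on SBS 2011 (Server 2008 R2, IIS 7.5).
# Run in an elevated PowerShell on the server.
Import-Module ServerManager
Import-Module WebAdministration

# ASSUMPTION: only KB973917 is named in the thread; add the package numbers
# listed for Windows Server 2008 R2 in MS10-040 and MS10-065 before running.
$KbNumbers = @('KB973917')

Write-Output '== 1. Installed packages (same data Windows Update / MBSA reports) =='
foreach ($kb in $KbNumbers) {
    $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hf) { '{0}: installed on {1}' -f $kb, $hf.InstalledOn }
    else     { '{0}: NOT found'         -f $kb }
}

Write-Output '== 2. IIS role services that the MS10-065 mitigations talk about =='
# Web-ASP = Classic ASP, Web-CGI = CGI/FastCGI, Web-Windows-Auth = Windows Authentication.
Get-WindowsFeature Web-ASP, Web-CGI, Web-Windows-Auth |
    Select-Object Name, Installed |
    Format-Table -AutoSize

Write-Output '== 3. ISAPI and CGI Restrictions (the Allowed/Prohibited switch for ASP) =='
Get-WebConfiguration -Filter 'system.webServer/security/isapiCgiRestriction/add' `
                     -PSPath 'MACHINE/WEBROOT/APPHOST' |
    Select-Object path, allowed |
    Format-Table -AutoSize

Write-Output '== 4. Extended Protection (CVE-2010-1256 applies only when it is enabled) =='
$ep = Get-WebConfigurationProperty `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name tokenChecking -PSPath 'MACHINE/WEBROOT/APPHOST'
'Server-level tokenChecking = {0}' -f $ep.Value    # None means the feature is off

Write-Output '== 5. Per-site authentication (CVE-2010-2731 needs a site that authenticates) =='
foreach ($site in Get-Website) {
    $anon = Get-WebConfigurationProperty `
              -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
              -Name enabled -PSPath "IIS:\Sites\$($site.Name)"
    $win  = Get-WebConfigurationProperty `
              -Filter 'system.webServer/security/authentication/windowsAuthentication' `
              -Name enabled -PSPath "IIS:\Sites\$($site.Name)"
    '{0}: anonymous={1} windows={2}' -f $site.Name, $anon.Value, $win.Value
}
```

Redirect the output to a file and attach it to the dispute; a scanner that matches only on the "7.5" banner (see the Evidence line in the report) has no way to see any of this, which is why the thread ends with Trustwave accepting it as a false positive.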

Author Comment

by:suresh187
ID: 39881970
Thank you for your comments.
Unfortunately we are unable to PROHIBIT ASP.
I agree the MS patches are unable to recognize SBS 2011 as the Windows 2008 R2 operating system.

We are unable to upgrade as all components are part of SBS 2011, which is our sole server.

I  will try to contact Trustwave as the server is fully patched and may be mis-reported.

Thanks

Expert Comment

by:btan
ID: 39882211
Noted, it is well received. That is part of the risk assessment; also do remember that having to comply with a security baseline does not necessarily mean the overall security controls are in place and the systems are secure either. We at times also need layered process and governance to checkpoint those potential gaps, in view that a total overhaul takes time for refresh and to maintain business continuity (esp. for legacy apps and services).

Expert Comment

by:Cris Hanna
ID: 39882655
But you really haven't answered the key question here...are you processing and storing credit card information on the SBS server?

Author Comment

by:suresh187
ID: 39882828
Sorry, we are not storing or processing any credit card information on the SBS server.
The check is performed on our static IP addresses by Trustwave regardless of whether any information is being stored.
I have heard the same from others.

Expert Comment

by:Cris Hanna
ID: 39882884
Well, that just doesn't make any sense. But you might want to have a look at this blog by Microsoft MVP Susan Bradley. Susan is known as the SBS Diva and recently changed from SBS MVP to Enterprise Security MVP... Hope this helps.

http://msmvps.com/blogs/bradley/archive/2013/03/26/server-flagged-as-failing-iis-beast-vulnerability.aspx

Expert Comment

by:btan
ID: 39884352
Strange though, as mentioned by the other expert too.

It is probably for full enterprise compliance to standardise hardening across the board, but why a specific static IP address? Will that be a testing IP that thereafter "returns" back to the original production IP addresses? Sometimes I guess it is to have only a specific destination IP, due to a firewall rule created to allow only that destination IP.

Nonetheless, specific to PCI DSS compliance, if the server under assessment excludes processing, storing and transmitting of customer credit card info and related data, it should be out of scope for compliance. It may be good to ascertain the assessment need in the first place, as this may help in prioritising overall patching of this server and others. It may be better to just isolate this server from the internet to internal access and establish safeguards of the enclaves by allowing only specific clients or endpoints access to it.

Author Comment

by:suresh187
ID: 39892646
Thank you for all your comments.
I raised an exception and Trustwave have accepted and acknowledged it as a false positive.

Expert Comment

by:Cris Hanna
ID: 39892931
Excellent! Always good to challenge things like this.

Expert Comment

by:btan
ID: 39893591
Thanks for sharing

Author Comment

by:suresh187
ID: 39953486
I've requested that this question be closed as follows:

Accepted answer: 0 points for suresh187's comment #a39892646

for the following reason:

Resolved with trustwave

Assisted Solution

by:Cris Hanna
Cris Hanna earned 250 total points
ID: 39953488
If it hadn't been for the responses that breadtan and I provided, the author would not have raised the exception with Trustwave and would not have been able to resolve this.

Accepted Solution

by:btan
btan earned 250 total points
ID: 39954913
Had hoped the author has taken both experts' advice and formed the action plan. Likewise, we did go into the details of the CVEs to further explain means to address his question, as below:

Any ideas as to how to apply patches manually or patch the vulnerabilities?

Expert Comment

by:btan
ID: 39961714
Thanks for sharing.

Expert Comment

by:Cris Hanna
ID: 39961863
Appreciate the assistance.