Solved

Sbs 2011 Trustwave security updates

Posted on 2014-02-21
Last Modified: 2014-03-28
Hello,

We have recently received the report from Trustwave, which is the organisation that performs security checks for the Credit card PDQ machine.

Below is the report, which fails on IIS 7.5. It gives links to the Microsoft website to download the appropriate patches, but unfortunately I am unable to apply any of the updates on the Small Business Server 2011, as it states 'The update is not applicable to your computer'.

I have tried Windows 2008 x64, i386, Windows 2008 R2 x64, i386, which all return the same error.

The server is fully patched and up to date via Windows Updates and MSBPA.

Any ideas as to how to apply patches manually or patch the vulnerabilities?



Report:
Port: tcp/443
Several security updates have been released to address security
vulnerabilities in this version of IIS. Although this installation was
detected as version 7.5, the presence or absence of several
specific updates could not be determined.
This finding is based on version information which may not have
been updated by previously installed patches (e.g., Red Hat "back
ports"). Please submit a "Patched Service" dispute in TrustKeeper
if this vulnerability has already been patched.
CVE: CVE-2010-1256, CVE-2010-1899, CVE-2010-2730,
CVE-2010-2731
NVD: CVE-2010-1256, CVE-2010-1899, CVE-2010-2730,
CVE-2010-2731
CVSSv2: AV:N/AC:M/Au:N/C:C/I:C/A:C
Service: http
Reference:
http://technet.microsoft.com/en-us/security/Bulletin/MS10-040
http://technet.microsoft.com/en-us/security/Bulletin/MS10-065
Evidence:
Match: equals '7.5'
Remediation:
Ensure that all security updates available for this version of IIS
Question by:suresh187
LVL 35

Expert Comment

by:Cris Hanna
ID: 39878699
Are you processing or storing credit card information on your SBS 2011 computer?
LVL 62

Expert Comment

by:btan
ID: 39878845
Windows SBS 2011 Standard is built on Windows Server® 2008 R2 Standard; you may want to try running MBSA 2.3 @ http://technet.microsoft.com/en-us/security/cc184924

There is a slight error to note, from the MBSA FAQ:

When scanning a Windows Small Business Server I see a red icon for a "SBS Backup User" in the IE Zones check; Is this expected?

Yes, this is a known issue in the Windows Small Business Server products. This may appear if the SBS Backup User has been used by the backup task at least one time, and will continue until that same user account has been logged into at the console interactively at least one time.

The updates on the website do not list SBS 2011, so the packaged patch tends not to "see" this platform as applicable. Most of the time you then have to go manual. In each bulletin:

For bulletin MS10-040

a) CVE-2010-1256 - (mitigating) Without the installation of KB973917 on the platform, systems will not have the Extended Protection for Authentication feature and will not be vulnerable. Extended Protection for Authentication is not enabled by default on any affected platform, even when a system has installed KB973917. Systems are only affected when this feature is enabled.

For MS10-065

The steps are mostly disabling, as stated in the mitigation section of the bulletin. Do assess with your application team whether that is viable; it is good to disable and not have those unnecessary services running where possible. However, (d) is more of an internal code issue, and patching, if not an overall IIS lockdown, is preferred.

b) CVE-2010-1899 - Change the status for ASP from ALLOWED to PROHIBITED in the IIS manager. You can see more steps in the mitigation of the bulletin

c) CVE-2010-2730 - Disable FastCGI or Install the URL Rewrite module

d) CVE-2010-2731 - Sites that are not using authentication are not vulnerable to this

If possible, upgrade to 2008 R2 or above and patch instead. I suspect the scanner is either checking for the latest patch or also testing those vulnerable services. It may not be foolproof for manual patching, and possibly going to the latest platform version is better long-term planning.

Otherwise, another means is to scope the data processing out of this server for the time being, so that it does not handle any of the card PII, etc.
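An added audit example, not part of btan's comment or the thread: a PowerShell script (assumed to run elevated on the SBS 2011 server with IIS 7.5 and the WebAdministration module) that records whether each mitigating condition named above for MS10-040 and MS10-065 actually holds, so the output can back a "Patched Service" dispute with evidence instead of the scanner's version string.

```powershell
# Added audit example, not from the thread. Assumes IIS 7.5 on SBS 2011 with the
# WebAdministration module, run from an elevated PowerShell session on the server.
Import-Module WebAdministration
$appHost = 'MACHINE/WEBROOT/APPHOST'

# MS10-040 / CVE-2010-1256: exposure requires KB973917 AND Extended Protection enabled.
$kb973917 = [bool](Get-HotFix -Id 'KB973917' -ErrorAction SilentlyContinue)
$ep = Get-WebConfiguration -PSPath $appHost `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$epOn = ($ep -ne $null) -and ("$($ep.tokenChecking)" -ne 'None')

# MS10-065 / CVE-2010-1899: mitigated when the ASP ISAPI restriction entry is PROHIBITED.
$aspAllowed = @(Get-WebConfiguration -PSPath $appHost -Filter 'system.webServer/security/isapiCgiRestriction/add' |
    Where-Object { $_.path -like '*\asp.dll' -and $_.allowed }).Count

# MS10-065 / CVE-2010-2730: mitigated when no handler uses FastCGI, or URL Rewrite is installed.
$fastCgi = @(Get-WebConfiguration -PSPath $appHost -Filter 'system.webServer/handlers/add' |
    Where-Object { $_.modules -eq 'FastCgiModule' }).Count
$rewrite = [bool](Get-WebGlobalModule -Name 'RewriteModule' -ErrorAction SilentlyContinue)

# MS10-065 / CVE-2010-2731: only sites that use authentication are affected.
$authSites = @(foreach ($site in Get-Website) {
    $sitePath = "IIS:\Sites\$($site.Name)"
    foreach ($m in 'windowsAuthentication', 'basicAuthentication', 'digestAuthentication') {
        $cfg = Get-WebConfiguration -PSPath $sitePath -Filter "system.webServer/security/authentication/$m"
        if ($cfg -and $cfg.enabled) { "$($site.Name):$m" }
    }
})

# One row per CVE from the scan finding; Exposed = $true means the mitigation is NOT in place.
$report = @(
    New-Object PSObject -Property @{ CVE = 'CVE-2010-1256'; Exposed = ($kb973917 -and $epOn)
        Detail = "KB973917=$kb973917; extendedProtection.tokenChecking=$($ep.tokenChecking)" }
    New-Object PSObject -Property @{ CVE = 'CVE-2010-1899'; Exposed = ($aspAllowed -gt 0)
        Detail = "ASP ISAPI entries still ALLOWED: $aspAllowed" }
    New-Object PSObject -Property @{ CVE = 'CVE-2010-2730'; Exposed = ($fastCgi -gt 0 -and -not $rewrite)
        Detail = "FastCGI handlers=$fastCgi; URL Rewrite installed=$rewrite" }
    New-Object PSObject -Property @{ CVE = 'CVE-2010-2731'; Exposed = ($authSites.Count -gt 0)
        Detail = "Sites with authentication enabled: $($authSites -join ', ')" }
)
$report | Format-Table CVE, Exposed, Detail -AutoSize
```

Keep the table together with the Windows Update history when filing the TrustKeeper dispute; the scanner only matched the version string '7.5', so the configuration state is what shows the finding does not apply.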
Author Comment

by:suresh187
ID: 39881970
Thank you for your comments.
Unfortunately we are unable to PROHIBIT ASP.
I agree the MS patches are unable to recognize SBS 2011 as the Windows 2008 R2 operating system.

We are unable to upgrade as all components are part of SBS 2011, which is our sole server.

I  will try to contact Trustwave as the server is fully patched and may be mis-reported.

Thanks
LVL 62

Expert Comment

by:btan
ID: 39882211
Noted, it is well received. That is part of the risk assessment. Also remember that complying with a security baseline does not necessarily mean the overall security controls are in place and the systems are secure. At times we also need layered process and governance to checkpoint those potential gaps, given that a total overhaul takes time to refresh and to maintain business continuity (especially for legacy apps and services).
LVL 35

Expert Comment

by:Cris Hanna
ID: 39882655
But you really haven't answered the key question here...are you processing and storing credit card information on the SBS server?

Author Comment

by:suresh187
ID: 39882828
Sorry, we are not storing or processing any credit card information on the SBS server.
The check is performed on our static IP addresses by Trustwave regardless of whether any information is being stored.
I have heard the same from others.
LVL 35

Expert Comment

by:Cris Hanna
ID: 39882884
Well, that just doesn't make any sense. But you might want to have a look at this blog by Microsoft MVP Susan Bradley. Susan is known as the SBS Diva and recently changed from SBS MVP to Enterprise Security MVP. Hope this helps.

http://msmvps.com/blogs/bradley/archive/2013/03/26/server-flagged-as-failing-iis-beast-vulnerability.aspx
LVL 62

Expert Comment

by:btan
ID: 39884352
Strange, though, as mentioned by the other expert too.

It is probably for full enterprise compliance, to standardise hardening across the board, but why a specific static IP address? Will that be a testing IP that thereafter "returns" to the original production IP addresses? Sometimes, I guess, it is to have only a specific destination IP because a firewall rule was created to allow only that destination IP.

Nonetheless, specific to PCI DSS compliance, if the server under assessment excludes processing, storing and transmitting customer credit card info and related data, it should be out of scope for compliance. It may be good to ascertain the assessment need in the first place, as this may help in prioritising overall patching of this server and others. It may be better to just isolate this server from the internet to internal access only, and establish safeguards for the enclave by allowing only specific clients or endpoints to access it.
Author Comment

by:suresh187
ID: 39892646
Thank you for all your comments.
I raised an exception, and Trustwave have accepted and acknowledged it as a false positive.
LVL 35

Expert Comment

by:Cris Hanna
ID: 39892931
Excellent! Always good to challenge things like this.
LVL 62

Expert Comment

by:btan
ID: 39893591
Thanks for sharing
Author Comment

by:suresh187
ID: 39953486
I've requested that this question be closed as follows:

Accepted answer: 0 points for suresh187's comment #a39892646

for the following reason:

Resolved with trustwave
LVL 35

Assisted Solution

by:Cris Hanna
Cris Hanna earned 250 total points
ID: 39953488
If it hadn't been for the responses that breadtan and I provided, the author would not have raised the exception with Trustwave and would not have been able to resolve this.
LVL 62

Accepted Solution

by:btan
btan earned 250 total points
ID: 39954913
Had hoped the author had taken both experts' advice and formed the action plan. Likewise, we did go into the details of the CVEs to further explain means to address his question, as below:

Any ideas as to how to apply patches manually or patch the vulnerabilities?
LVL 62

Expert Comment

by:btan
ID: 39961714
Thanks for sharing.
LVL 35

Expert Comment

by:Cris Hanna
ID: 39961863
Appreciate the assistance.