set-perfectFSecutity.ps1.txt

<div>
Hi Cris<br />
<br />
I just confirmed with my client and he does not store credit card info on his server, he takes card payments via his website that is hosted externally to his company. In this case should the security metrics test be pointing at the location of where his website is hosted &amp;&nbsp;not at his on premise server.
</div>


<div>
That would be correct, almost. &nbsp;I suspect that some third party is actually doing the credit card transactions for the website, so then the question becomes is cc information being stored on the web server, or by the 3rd party?
</div>


<div>
Thanks Cris, <br />
<br />
The cc information is being held by a 3rd party (ekm powershop), i have just spoken with security metrics who run the PCI compliance test and they have advised that my clients server must still be be compliant. They advised that ssl 3.0 is disabled and to use TLS 1.0 as a minimum. <br />
<br />
Now my question is that in the below registry key i only have a ssl 2.0 folder.<br />
HKey_Local_Machine\System\<wbr />CurrentCon<wbr />trolSet\Co<wbr />ntrol\Secu<wbr />rityProvid<wbr />ers\SCHANN<wbr />EL\Protoco<wbr />ls<br />
<br />
To disable ssl3.0 and enable tls 1.0 i have read online that i can create an ssl3.0 folder and enter the necessary dword value?
</div>


<div>
use the powershell script I provided
</div>


<div>
Thanks David, i have just run the script and made the IIS adjustments, i will let you know how the test goes!
</div>


<div>
Test results came back as a pass, thanks for your prompt &amp;&nbsp;accurate assistance, it's aporeciated!<br />
<br />
Cris - thanks for your input on the issue!
</div>


<div>
PCI has posted that SSL v3 is no longer acceptable. <br />
<a href="http://training.pcisecuritystandards.org/pci-ssc-bulletin-on-impending-revisions-to-pci-dss-pa-dss-assessor" rel="ugc">http://training.pcisecuritystandards.org/pci-ssc-bulletin-on-impending-revisions-to-pci-dss-pa-dss-assessor</a>
</div>


<div>
<div class="content wysiwyg-content">
Evening All<br />
<br />
A client of mine has recently failed his PCI compliance test on two areas:<br />
<br />
1: SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) <br />
Resolution: Disable SSLv3.<br />
<br />
2: Microsoft Exchange Client Access Server Information Disclosure<br />
Resolution: There is no known fix at this time.<br />
<br />
Originally he failed the test a few months back because of the standard certificate his server was using, we managed to rectify this by installing a verified SSL cert. We also had to disable SSLv2 on the server as the test was also complaining about this.<br />
<br />
Now can anybody advise if disabling SSLv3 is ok to do as I'm almost certain we need at least one variant of it running on the server.<br />
<br />
As for the exchange error, if there is no known fix how can security metrics expect my client to pass the test?<br />
<br />
Any help is greatly appreciated!
</div>
</div>


Evening All

A client of mine has recently failed his PCI compliance test on two areas:

1: SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) 
Resolution: Disable SSLv3.

2: Microsoft Exchange Client Access Server Information Disclosure
Resolution: There is no known fix at this time.

Originally he failed the test a few months back because of the standard certificate his server was using, we managed to rectify this by installing a verified SSL cert. We also had to disable SSLv2 on the server as the test was also complaining about this.

Now can anybody advise if disabling SSLv3 is ok to do as I'm almost certain we need at least one variant of it running on the server.

As for the exchange error, if there is no known fix how can security metrics expect my client to pass the test?

Any help is greatly appreciated!

PCI Compliance - SBS 2008

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.

SSL / HTTPS

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. In an encryption scheme, the intended communication information or message, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients, but not to unauthorized interceptors.

Encryption

Small Business Server (SBS) is a line of server operating systems targeted at small businesses by bundling the operating system with a number of other Microsoft products that would normally need to be purchased or licensed separately. The most notable inclusions are Exchange, SQL Server, SharePoint and ISA/TMG (Microsoft's firewall and proxy server).