Daniel Bertolone

PCI Compliance - SBS 2008

Evening All

A client of mine has recently failed his PCI compliance test on two areas:

1: SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
Resolution: Disable SSLv3.

2: Microsoft Exchange Client Access Server Information Disclosure
Resolution: There is no known fix at this time.

Originally he failed the test a few months back because of the standard certificate his server was using; we managed to rectify this by installing a verified SSL cert. We also had to disable SSLv2 on the server, as the test was also complaining about this.

Now, can anybody advise if disabling SSLv3 is OK to do, as I'm almost certain we need at least one variant of it running on the server?

As for the Exchange error, if there is no known fix, how can SecurityMetrics expect my client to pass the test?

Any help is greatly appreciated!
Tags: SSL / HTTPS, Encryption, SBS

Last comment: Steph_M, 8/22/2022 (Mon)
ASKER CERTIFIED SOLUTION
David Johnson, CD
SOLUTION
Cris Hanna
Daniel Bertolone

ASKER
Hi Cris

I just confirmed with my client and he does not store credit card info on his server; he takes card payments via his website, which is hosted externally to his company. In this case, should the SecurityMetrics test be pointing at the location where his website is hosted and not at his on-premise server?
Cris Hanna

That would be correct, almost. I suspect that some third party is actually doing the credit card transactions for the website, so then the question becomes: is CC information being stored on the web server, or by the 3rd party?
Daniel Bertolone

ASKER
Thanks Cris,

The CC information is being held by a 3rd party (EKM Powershop). I have just spoken with SecurityMetrics, who run the PCI compliance test, and they have advised that my client's server must still be compliant. They advised that SSL 3.0 is disabled and to use TLS 1.0 as a minimum.

Now my question is that in the below registry key I only have an SSL 2.0 folder.
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To disable SSL 3.0 and enable TLS 1.0, I have read online that I can create an SSL 3.0 folder and enter the necessary DWORD value?
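For the registry change asked about here, the following is an added PowerShell example (not the script David Johnson posted in his hidden answer) that creates the missing protocol keys under the SCHANNEL\Protocols path quoted above and sets the Enabled and DisabledByDefault values for both the Server and Client sides; it generalises to any SCHANNEL protocol name, not just SSL 3.0 and TLS 1.0. It assumes it is run elevated on the SBS 2008 box and that the server is rebooted afterwards; note that a present-day PCI scan expects TLS 1.2 or later rather than the TLS 1.0 minimum quoted in this 2015-era thread.

```powershell
# Added example: drive SCHANNEL protocol state via the registry on Windows Server 2008 / SBS 2008.
# Assumes an elevated session; SCHANNEL reads these keys at boot, so reboot after running.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,   # e.g. 'SSL 3.0', 'TLS 1.0'
        [Parameter(Mandatory=$true)][bool]$Enabled
    )
    # Each protocol has a Server (inbound) and a Client (outbound) subkey; set both so the
    # box neither offers nor negotiates the protocol. The folders do not exist by default.
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $base $Protocol) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the protocol off outright; DisabledByDefault=1 keeps it off
        # unless an application explicitly asks for it. Enabling does the inverse.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# POODLE fix from the scan report: SSL 2.0 and SSL 3.0 off, TLS 1.0 on (the 2015 minimum;
# raise this to TLS 1.2 for a current PCI scan).
Set-SchannelProtocol -Protocol 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $true

# Read back every Server/Client key so the result can be checked before rebooting.
Get-ChildItem -Path $base -Recurse |
    Where-Object { 'Server', 'Client' -contains $_.PSChildName } |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        '{0,-20} Enabled={1} DisabledByDefault={2}' -f ($_.Name -replace '^.*Protocols\\', ''),
            $p.Enabled, $p.DisabledByDefault
    }
```

After the reboot, confirm from another machine that an SSLv3-only handshake is refused while TLS succeeds; the registry read-back alone does not prove SCHANNEL has picked up the change.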
David Johnson, CD

Use the PowerShell script I provided.
Daniel Bertolone

ASKER
Thanks David, I have just run the script and made the IIS adjustments; I will let you know how the test goes!
Daniel Bertolone

ASKER
Test results came back as a pass. Thanks for your prompt & accurate assistance, it's appreciated!

Cris - thanks for your input on the issue!