Solved

PCI Compliance - SBS 2008

Posted on 2014-11-07
9
1,781 Views
Last Modified: 2015-02-22
Evening All

A client of mine has recently failed his PCI compliance test on two areas:

1: SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
Resolution: Disable SSLv3.

2: Microsoft Exchange Client Access Server Information Disclosure
Resolution: There is no known fix at this time.

Originally he failed the test a few months back because of the standard certificate his server was using, we managed to rectify this by installing a verified SSL cert. We also had to disable SSLv2 on the server as the test was also complaining about this.

Now can anybody advise if disabling SSLv3 is ok to do as I'm almost certain we need at least one variant of it running on the server.

As for the exchange error, if there is no known fix how can security metrics expect my client to pass the test?

Any help is greatly appreciated!
0
Comment
Question by:Daniel Bertolone
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
9 Comments
 
LVL 82

Accepted Solution

by:
David Johnson, CD, MVP earned 250 total points
ID: 40429543
Use this script to set your security suites

There is a workaround for the information disclosure and it means editing all of the basic authentication and changing the realm to your fqdn and not leaving it blank
http://blog.kurtiskent.com/2014/09/workaround-for-iis-multiple-internal-ip.html
set-perfectFSecutity.ps1.txt
0
 
LVL 35

Assisted Solution

by:Cris Hanna
Cris Hanna earned 250 total points
ID: 40430252
Yes there is a vulnerability in SSL v3, so it does need to be disabled, v2 should be ok.  Is you customer actually storing credit card information on their server?
0
 

Author Comment

by:Daniel Bertolone
ID: 40432414
Hi Cris

I just confirmed with my client and he does not store credit card info on his server, he takes card payments via his website that is hosted externally to his company. In this case should the security metrics test be pointing at the location of where his website is hosted & not at his on premise server.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 35

Expert Comment

by:Cris Hanna
ID: 40432481
That would be correct, almost.  I suspect that some third party is actually doing the credit card transactions for the website, so then the question becomes is cc information being stored on the web server, or by the 3rd party?
0
 

Author Comment

by:Daniel Bertolone
ID: 40433595
Thanks Cris,

The cc information is being held by a 3rd party (ekm powershop), i have just spoken with security metrics who run the PCI compliance test and they have advised that my clients server must still be be compliant. They advised that ssl 3.0 is disabled and to use TLS 1.0 as a minimum.

Now my question is that in the below registry key i only have a ssl 2.0 folder.
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To disable ssl3.0 and enable tls 1.0 i have read online that i can create an ssl3.0 folder and enter the necessary dword value?
0
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40433626
use the powershell script I provided
0
 

Author Comment

by:Daniel Bertolone
ID: 40433646
Thanks David, i have just run the script and made the IIS adjustments, i will let you know how the test goes!
0
 

Author Comment

by:Daniel Bertolone
ID: 40433956
Test results came back as a pass, thanks for your prompt & accurate assistance, it's aporeciated!

Cris - thanks for your input on the issue!
0
 

Expert Comment

by:Steph_M
ID: 40624235
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Encryption for Business Encryption (https://en.wikipedia.org/wiki/Encryption) ensures the safety of our data when sending emails. In most cases, to read an encrypted email you must enter a secret key that will enable you to decrypt the email. T…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question