Solved

PCI Compliant - Custom Error Pages - Default web site - won't work!

Posted on 2014-12-02
Last Modified: 2015-01-08
Hi All.

We have a client who is failing port 80 - PCI compliance checks.

Navigating to an unknown directory gives away too much information for PCI - See below.

404 Error we don't want
We have tried a few solutions but to no avail. I have re-configured the web.config file as per - http://msdn.microsoft.com/en-us/library/994a1482(v=vs.100).aspx

Also added a custom error page in the Inetpub folders for the 'Default Web Site' but the above page is still shown.

Does anyone have a solution to this please, as my customer needs to become compliant?

Thank you
Regards
Andy

Question by:AndyKeen
17 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 250 total points
ID: 40475683
Do they need port 80 open on their firewall?

As you have SBS in the tags - unless they are hosting a website on port 80 - the port isn't needed for SBS to function properly, so close the port and pass the test.

If you need a website hosted - move it to external hosting somewhere and close the port.

Alan
0
 
LVL 1

Author Comment

by:AndyKeen
ID: 40475692
Hi Alan.

Thanks for the reply.

In answer to your question, I am not sure - but I don't think they do.

They heavily use RRW which is on port 443 and email is picked up on iPhone, which I believe is SSL secured so port 443 again - and I am not sure how to close port 80 from within SBS 2011.

I can test this so if I can close port 80 and test that would be great - Can you advise how to do this?

Thank you
Andy
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40475698
The port will be open on your firewall / router.  If you stop port forwarding port 80 to the server the problem should go away.

Port 80 on SBS is only used for website traffic and if you don't have any sites hosted on the server (other than the default one), then it won't cause you any pain.

Alan
0

 
LVL 1

Author Comment

by:AndyKeen
ID: 40475754
Thank you Alan.

Let me check this out and I will come back to you.

Regards
Andy
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40475757
No problems - here if you get stuck or have any further questions.
0
 
LVL 1

Author Comment

by:AndyKeen
ID: 40475863
Hi Alan.

Ok I have closed port 80 on the SBS Firewall.

What I have found is that if I port check, port 80 is closed if I query it by IP address, but it's still open if I query it via the URL.

Closing port 80 on the SBS Windows Firewall did not help.

The client has Microsoft TMG installed - can I close port 80 on here and if so - do you know how?

Thank you.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40475866
Ah - that's a very different ball-game!

Been a long time since I've looked at TMG.
0
 
LVL 1

Author Comment

by:AndyKeen
ID: 40475870
Join that awful club Alan......
0
 
LVL 1

Author Comment

by:AndyKeen
ID: 40476130
Can I move back to my original request - that is to configure the custom error pages for IIS / SBS2011.

Can anyone assist with this please - see my question at the top.

Thank you
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 40478380
It's not clear from the question which version of SBS your client is running.
How many active NICs in the server and what are they connected to?
0
 
LVL 1

Author Comment

by:AndyKeen
ID: 40478993
Hi Cris.

Thank you for your help - sorry for the delay in replying.

The client has a bit of a strange setup - we're talking SBS2011 with one NIC going to a Microsoft TMG box which in turn has 2 NICs - one facing in, one facing out, going to.... a Safe@Office firewall box - this in turn has two BB connections - one fibre and one ADSL copper.

Thank you
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 40479042
You need to disable port 80 forwarding on both the firewall and the TMG box.
0
 
LVL 1

Author Comment

by:AndyKeen
ID: 40479053
Thanks Cris.

I have done this on the Windows Firewall without success; I am not sure how to do this on TMG.

Do you know this software please and if so - how to do it?

Thank you.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 40479068
Let me see what I can find for you...do you know what version of TMG?
0
 
LVL 35

Assisted Solution

by:Cris Hanna
Cris Hanna earned 250 total points
ID: 40480082
Do you know how to access and modify the rules in TMG?  If so, you need to find the rule that passes HTTP or Port 80 to the server.

But ideally you would stop it at the Safe@Office box...then you don't have to worry about TMG configuration.
Find the port forwarding rule for port 80 in the Safe@Office box and disable/uncheck it.
BTW, Check Point is discontinuing those devices at the end of this year.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 40480084
The other thing I would mention here is that you have two boxes capable of doing the same thing: TMG and the Safe@Office device. So you have a bit of an out of the box configuration.

TMG is also discontinued by Microsoft.   I'd get rid of that.

Is your customer storing credit card information on their LAN somewhere (which is a very bad practice)?
Most of us don't recommend screwing with the IIS Default Web Site as it's likely to wind up breaking OWA or RWA.
0
 
LVL 1

Author Closing Comment

by:AndyKeen
ID: 40537742
There were two solutions to this issue - firstly the 404 error was being generated by the TMG box NOT SBS - this was my error (Someone had enabled IIS on TMG) - once I stopped IIS on the TMG server the 404 error went away, however Security Metrics PCI then came back with another port 80 issue - so as per the comment and support above I closed Port 80 on the checkpoint firewall after having created rules to allow 443 traffic through first - worked a treat.

For this reason I felt both experts above gave good advice and split the points between them.

Thank you Both
(Sorry for the delay in accepting a solution)
0
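A check for the situation resolved above (port 80 closed when queried by IP but open by name, and a 404 served by a different box than expected), as an added example that is not part of the original thread. It tests port 80 on every address the site name resolves to and reports what the answering server discloses on a missing path; the indicator list and the probe path are constructed for illustration.

```python
import http.client
import re
import socket
import sys

# Constructed indicator list: strings that name the answering product or version.
LEAKS = {
    "server-version": r"Microsoft-IIS/[\d.]+",
    "x-powered-by": r"^X-Powered-By:",
    "aspnet-version": r"^X-AspNet-Version:",
    "iis-detailed-error": r"Physical Path|Internet Information Services",
}

def port_open(addr, port, timeout=3.0):  # True if a TCP connection is accepted
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def find_leaks(headers, body):
    """Labels of the indicators present in an error response."""
    text = "\n".join(f"{k}: {v}" for k, v in headers) + "\n\n" + body
    return sorted(k for k, p in LEAKS.items() if re.search(p, text, re.I | re.M))

def probe_missing_path(addr, host, port=80, timeout=5.0):
    """GET a path that should not exist from addr, sending host as the Host header."""
    conn = http.client.HTTPConnection(addr, port, timeout=timeout)
    try:
        conn.request("GET", "/pci-check-no-such-dir/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheaders(), resp.read(65536).decode("utf-8", "replace")
    finally:
        conn.close()

def audit(hostname, extra_addrs=()):
    """Per address: 'closed', or (status, leak labels) from whichever box answered."""
    infos = socket.getaddrinfo(hostname, 80, type=socket.SOCK_STREAM)
    report = {}
    for addr in sorted({i[4][0] for i in infos} | set(extra_addrs)):
        if port_open(addr, 80):
            status, headers, body = probe_missing_path(addr, hostname)
            report[addr] = (status, find_leaks(headers, body))
        else:
            report[addr] = "closed"
    return report

if __name__ == "__main__":  # usage: script.py <site name> [extra IP ...]
    print(audit(sys.argv[1], sys.argv[2:]))
```

Run it from outside the network with the public site name plus any literal IPs the scan report lists; an address that still answers on port 80 shows which device is forwarding or serving the request.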
