?
Solved

PCI Compliance

Posted on 2016-10-03
9
Medium Priority
?
250 Views
Last Modified: 2016-10-28
We have a customer who keeps failing PCI Vulnerability scan from security metrics.
The errors we receive say no resolution and Security metrics support does not know how to resolve. Here are the errors.
I attached the 2 errors i cannot resolve.
Capture.PNG
Capture2.PNG
0
Comment
Question by:BBrayton
9 Comments
 
LVL 20

Assisted Solution

by:Russ Suter
Russ Suter earned 500 total points (awarded by participants)
ID: 41826794
Need more information about the environment being scanned. What is the OS version? What firewall is being used and what are the rules (open ports)? What IIS version is in use? The screenshot in capture2.png makes reference to IIS 4.0. I certainly hope that isn't being used. The customer should be using at least IIS 7.0.

Both errors indicate a failure to mask internal IP addresses. This tends to make me think there's something wrong with the NAT rules on the firewall but without more info all I can do is guess.
0
 
LVL 66

Assisted Solution

by:btan
btan earned 1000 total points (awarded by participants)
ID: 41827273
Looks like very out dated Web server version is used and the Configuration of CAS is not hardened.

For CAS, according to the article (http://foofus.net/?p=758), the disclosed information is the mail server's internal IP address. Review the patch latest version and also block any HTTP access as it should not be allow at the first place. Noted the scan is via port 443 and the leak can be prevented if we can mask the IP address out. See suggested mitigations to replace FQDN to Realm Field instead.
http://blog.kurtiskent.com/2014/09/workaround-for-iis-multiple-internal-ip.html

 Likewise for the IIS leak, see also this as bith disclosure is pertaining to probably HTTP 1.0 which should not be allowed.
https://support.microsoft.com/en-sg/kb/967342
0
 

Author Comment

by:BBrayton
ID: 41828426
Thanks btan. I found that article yesterday and it did work.

now the only issue i have is "This web server leaks a private IP address through its HTTP headers."

Its A sbs2011 Standard OS.
IIS 7.5
We have a juniper router but I dont think that is the issue.
0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

 

Author Comment

by:BBrayton
ID: 41828445
This is the article that security metrics sent me to resolve issue with the headers.
Let me know what you think.
https://www.iis.net/configreference/system.webserver/httpprotocol/customheaders
0
 
LVL 66

Assisted Solution

by:btan
btan earned 1000 total points (awarded by participants)
ID: 41828994
If you did not see any internal IP or ip of proxy or router them I agree it is non applicable. Otherwise look at this

https://support.microsoft.com/en-us/kb/967342

Another way to address the IP leak is to use URL Rewrite module and block all HTTP 1.0 requests, e.g.
https://blogs.msdn.microsoft.com/jaskis/2008/12/09/iis-7-ip-address-revealed-on-redirection-requests-on-http1-0-protocol/

For custom header, I am not certain how it address the concern raised as it is just adding another header field. The HTTP headers are still return so issue may not be addressed if it is pertaining to the existing HTTP header issues.
0
 

Author Comment

by:BBrayton
ID: 41829945
the hotfix is only for windows Vista.
and for iis7.0.
we have iis 7.5. might now work.
0
 
LVL 66

Assisted Solution

by:btan
btan earned 1000 total points (awarded by participants)
ID: 41830241
I am thinking of the below to set UseHostName or SetHostName property in the metabase to stop the server sending the private IP address.
this MS blog page details how to resolve the issues in IIS 7+.


appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"serverName" /commit:apphost

appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"serverName" /commit:apphost
Where "serverName" is what you wish to show in place of the I.P. address.

As it is less than ideal to run a command that patches a vulnerability, without understanding exactly what it is doing, I verified the applicationHost.config, which sits under the %Windows%\System32\inetsrv\config\ folder,

As expected  the following was added to the applicationHost.config file.


<serverRuntime alternateHostName="serverName" />

<serverRuntime alternateHostName="serverName" />
http://blog.catalystlogic.com.au/?p=168

e.g. appcmd.exe set config  -section:system.webServer/serverRuntime /alternateHostName:"YourServerName"  /commit:apphost

Otherwise the deploying StripHeaders and remove specific header
The StripHeaders Native-Code module has been created to allow an easy to deploy method of removing unnecessary headers in IIS 7.0 and above. By default, it removes the "Server", "X-Aspnet-Version" and any "X-Powered-By" headers and additional headers to remove can be easily configured.

In an effort to make the module as easy to use as possible, it is provided as an MSI installer, which can be installed directly on web servers, or deployed through group policy to all required servers in an organisation.

https://www.dionach.com/blog/easily-remove-unwanted-http-headers-in-iis-70-to-85
0
 
LVL 27

Accepted Solution

by:
skullnobrains earned 500 total points (awarded by participants)
ID: 41836052
you can hide this information in a variety of ways. adding a reverse proxy would likely be the easiest choice and would add other helpful security features. but then leaking a private IP is not really that bad. honestly, it denotes some bad practice in the software but in itself, i see little to no reason to bother. if your exchange server faces the internet, you probably have other things to think about.
0
 
LVL 66

Expert Comment

by:btan
ID: 41863593
As suggested on options.
0

Featured Post

Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This blog will spread awareness about Dropbox. We have given the statements based upon our experience. Along with this, there is a section of some new plans that should be added in Dropbox this year. This will make the storage service enhanced from …
A question that many companies need to answer until May 25th of 2018... Is your company ready for GDPR?
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

588 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question