Solved

PCI Compliance

Posted on 2016-10-03
9
82 Views
Last Modified: 2016-10-28
We have a customer who keeps failing PCI Vulnerability scan from security metrics.
The errors we receive say no resolution and Security metrics support does not know how to resolve. Here are the errors.
I attached the 2 errors i cannot resolve.
Capture.PNG
Capture2.PNG
0
Comment
Question by:BBrayton
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 20

Assisted Solution

by:Russ Suter
Russ Suter earned 125 total points (awarded by participants)
ID: 41826794
Need more information about the environment being scanned. What is the OS version? What firewall is being used and what are the rules (open ports)? What IIS version is in use? The screenshot in capture2.png makes reference to IIS 4.0. I certainly hope that isn't being used. The customer should be using at least IIS 7.0.

Both errors indicate a failure to mask internal IP addresses. This tends to make me think there's something wrong with the NAT rules on the firewall but without more info all I can do is guess.
0
 
LVL 63

Assisted Solution

by:btan
btan earned 250 total points (awarded by participants)
ID: 41827273
Looks like very out dated Web server version is used and the Configuration of CAS is not hardened.

For CAS, according to the article (http://foofus.net/?p=758), the disclosed information is the mail server's internal IP address. Review the patch latest version and also block any HTTP access as it should not be allow at the first place. Noted the scan is via port 443 and the leak can be prevented if we can mask the IP address out. See suggested mitigations to replace FQDN to Realm Field instead.
http://blog.kurtiskent.com/2014/09/workaround-for-iis-multiple-internal-ip.html

 Likewise for the IIS leak, see also this as bith disclosure is pertaining to probably HTTP 1.0 which should not be allowed.
https://support.microsoft.com/en-sg/kb/967342
0
 

Author Comment

by:BBrayton
ID: 41828426
Thanks btan. I found that article yesterday and it did work.

now the only issue i have is "This web server leaks a private IP address through its HTTP headers."

Its A sbs2011 Standard OS.
IIS 7.5
We have a juniper router but I dont think that is the issue.
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 

Author Comment

by:BBrayton
ID: 41828445
This is the article that security metrics sent me to resolve issue with the headers.
Let me know what you think.
https://www.iis.net/configreference/system.webserver/httpprotocol/customheaders
0
 
LVL 63

Assisted Solution

by:btan
btan earned 250 total points (awarded by participants)
ID: 41828994
If you did not see any internal IP or ip of proxy or router them I agree it is non applicable. Otherwise look at this

https://support.microsoft.com/en-us/kb/967342

Another way to address the IP leak is to use URL Rewrite module and block all HTTP 1.0 requests, e.g.
https://blogs.msdn.microsoft.com/jaskis/2008/12/09/iis-7-ip-address-revealed-on-redirection-requests-on-http1-0-protocol/

For custom header, I am not certain how it address the concern raised as it is just adding another header field. The HTTP headers are still return so issue may not be addressed if it is pertaining to the existing HTTP header issues.
0
 

Author Comment

by:BBrayton
ID: 41829945
the hotfix is only for windows Vista.
and for iis7.0.
we have iis 7.5. might now work.
0
 
LVL 63

Assisted Solution

by:btan
btan earned 250 total points (awarded by participants)
ID: 41830241
I am thinking of the below to set UseHostName or SetHostName property in the metabase to stop the server sending the private IP address.
this MS blog page details how to resolve the issues in IIS 7+.


appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"serverName" /commit:apphost

appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"serverName" /commit:apphost
Where "serverName" is what you wish to show in place of the I.P. address.

As it is less than ideal to run a command that patches a vulnerability, without understanding exactly what it is doing, I verified the applicationHost.config, which sits under the %Windows%\System32\inetsrv\config\ folder,

As expected  the following was added to the applicationHost.config file.


<serverRuntime alternateHostName="serverName" />

<serverRuntime alternateHostName="serverName" />
http://blog.catalystlogic.com.au/?p=168

e.g. appcmd.exe set config  -section:system.webServer/serverRuntime /alternateHostName:"YourServerName"  /commit:apphost

Otherwise the deploying StripHeaders and remove specific header
The StripHeaders Native-Code module has been created to allow an easy to deploy method of removing unnecessary headers in IIS 7.0 and above. By default, it removes the "Server", "X-Aspnet-Version" and any "X-Powered-By" headers and additional headers to remove can be easily configured.

In an effort to make the module as easy to use as possible, it is provided as an MSI installer, which can be installed directly on web servers, or deployed through group policy to all required servers in an organisation.

https://www.dionach.com/blog/easily-remove-unwanted-http-headers-in-iis-70-to-85
0
 
LVL 27

Accepted Solution

by:
skullnobrains earned 125 total points (awarded by participants)
ID: 41836052
you can hide this information in a variety of ways. adding a reverse proxy would likely be the easiest choice and would add other helpful security features. but then leaking a private IP is not really that bad. honestly, it denotes some bad practice in the software but in itself, i see little to no reason to bother. if your exchange server faces the internet, you probably have other things to think about.
0
 
LVL 63

Expert Comment

by:btan
ID: 41863593
As suggested on options.
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows 10 GUEST Account 10 71
What is the goal of SOC2 compliance? 4 50
Windows 10 Errors 11 114
Having private conversations... 3 24
Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
Ransomware continues to grow in reach and sophistication, putting data everywhere at risk. Learn how to avoid being caught in its sinister clutches with these 11 key tips.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question