PCI Compliance

We have a customer who keeps failing PCI Vulnerability scan from security metrics.
The errors we receive say no resolution and Security metrics support does not know how to resolve. Here are the errors.
I attached the 2 errors i cannot resolve.
Capture.PNG
Capture2.PNG
BBraytonAsked:
Who is Participating?
 
skullnobrainsCommented:
you can hide this information in a variety of ways. adding a reverse proxy would likely be the easiest choice and would add other helpful security features. but then leaking a private IP is not really that bad. honestly, it denotes some bad practice in the software but in itself, i see little to no reason to bother. if your exchange server faces the internet, you probably have other things to think about.
0
 
Russ SuterCommented:
Need more information about the environment being scanned. What is the OS version? What firewall is being used and what are the rules (open ports)? What IIS version is in use? The screenshot in capture2.png makes reference to IIS 4.0. I certainly hope that isn't being used. The customer should be using at least IIS 7.0.

Both errors indicate a failure to mask internal IP addresses. This tends to make me think there's something wrong with the NAT rules on the firewall but without more info all I can do is guess.
0
 
btanExec ConsultantCommented:
Looks like very out dated Web server version is used and the Configuration of CAS is not hardened.

For CAS, according to the article (http://foofus.net/?p=758), the disclosed information is the mail server's internal IP address. Review the patch latest version and also block any HTTP access as it should not be allow at the first place. Noted the scan is via port 443 and the leak can be prevented if we can mask the IP address out. See suggested mitigations to replace FQDN to Realm Field instead.
http://blog.kurtiskent.com/2014/09/workaround-for-iis-multiple-internal-ip.html

 Likewise for the IIS leak, see also this as bith disclosure is pertaining to probably HTTP 1.0 which should not be allowed.
https://support.microsoft.com/en-sg/kb/967342
0
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

 
BBraytonAuthor Commented:
Thanks btan. I found that article yesterday and it did work.

now the only issue i have is "This web server leaks a private IP address through its HTTP headers."

Its A sbs2011 Standard OS.
IIS 7.5
We have a juniper router but I dont think that is the issue.
0
 
BBraytonAuthor Commented:
This is the article that security metrics sent me to resolve issue with the headers.
Let me know what you think.
https://www.iis.net/configreference/system.webserver/httpprotocol/customheaders
0
 
btanExec ConsultantCommented:
If you did not see any internal IP or ip of proxy or router them I agree it is non applicable. Otherwise look at this

https://support.microsoft.com/en-us/kb/967342

Another way to address the IP leak is to use URL Rewrite module and block all HTTP 1.0 requests, e.g.
https://blogs.msdn.microsoft.com/jaskis/2008/12/09/iis-7-ip-address-revealed-on-redirection-requests-on-http1-0-protocol/

For custom header, I am not certain how it address the concern raised as it is just adding another header field. The HTTP headers are still return so issue may not be addressed if it is pertaining to the existing HTTP header issues.
0
 
BBraytonAuthor Commented:
the hotfix is only for windows Vista.
and for iis7.0.
we have iis 7.5. might now work.
0
 
btanExec ConsultantCommented:
I am thinking of the below to set UseHostName or SetHostName property in the metabase to stop the server sending the private IP address.
this MS blog page details how to resolve the issues in IIS 7+.


appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"serverName" /commit:apphost

appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"serverName" /commit:apphost
Where "serverName" is what you wish to show in place of the I.P. address.

As it is less than ideal to run a command that patches a vulnerability, without understanding exactly what it is doing, I verified the applicationHost.config, which sits under the %Windows%\System32\inetsrv\config\ folder,

As expected  the following was added to the applicationHost.config file.


<serverRuntime alternateHostName="serverName" />

<serverRuntime alternateHostName="serverName" />
http://blog.catalystlogic.com.au/?p=168

e.g. appcmd.exe set config  -section:system.webServer/serverRuntime /alternateHostName:"YourServerName"  /commit:apphost

Otherwise the deploying StripHeaders and remove specific header
The StripHeaders Native-Code module has been created to allow an easy to deploy method of removing unnecessary headers in IIS 7.0 and above. By default, it removes the "Server", "X-Aspnet-Version" and any "X-Powered-By" headers and additional headers to remove can be easily configured.

In an effort to make the module as easy to use as possible, it is provided as an MSI installer, which can be installed directly on web servers, or deployed through group policy to all required servers in an organisation.

https://www.dionach.com/blog/easily-remove-unwanted-http-headers-in-iis-70-to-85
0
 
btanExec ConsultantCommented:
As suggested on options.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.