Solved

PCI Compliance

Posted on 2016-10-03
9
104 Views
Last Modified: 2016-10-28
We have a customer who keeps failing PCI Vulnerability scan from security metrics.
The errors we receive say no resolution and Security metrics support does not know how to resolve. Here are the errors.
I attached the 2 errors i cannot resolve.
Capture.PNG
Capture2.PNG
0
Comment
Question by:BBrayton
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 20

Assisted Solution

by:Russ Suter
Russ Suter earned 125 total points (awarded by participants)
ID: 41826794
Need more information about the environment being scanned. What is the OS version? What firewall is being used and what are the rules (open ports)? What IIS version is in use? The screenshot in capture2.png makes reference to IIS 4.0. I certainly hope that isn't being used. The customer should be using at least IIS 7.0.

Both errors indicate a failure to mask internal IP addresses. This tends to make me think there's something wrong with the NAT rules on the firewall but without more info all I can do is guess.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 250 total points (awarded by participants)
ID: 41827273
Looks like very out dated Web server version is used and the Configuration of CAS is not hardened.

For CAS, according to the article (http://foofus.net/?p=758), the disclosed information is the mail server's internal IP address. Review the patch latest version and also block any HTTP access as it should not be allow at the first place. Noted the scan is via port 443 and the leak can be prevented if we can mask the IP address out. See suggested mitigations to replace FQDN to Realm Field instead.
http://blog.kurtiskent.com/2014/09/workaround-for-iis-multiple-internal-ip.html

 Likewise for the IIS leak, see also this as bith disclosure is pertaining to probably HTTP 1.0 which should not be allowed.
https://support.microsoft.com/en-sg/kb/967342
0
 

Author Comment

by:BBrayton
ID: 41828426
Thanks btan. I found that article yesterday and it did work.

now the only issue i have is "This web server leaks a private IP address through its HTTP headers."

Its A sbs2011 Standard OS.
IIS 7.5
We have a juniper router but I dont think that is the issue.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:BBrayton
ID: 41828445
This is the article that security metrics sent me to resolve issue with the headers.
Let me know what you think.
https://www.iis.net/configreference/system.webserver/httpprotocol/customheaders
0
 
LVL 64

Assisted Solution

by:btan
btan earned 250 total points (awarded by participants)
ID: 41828994
If you did not see any internal IP or ip of proxy or router them I agree it is non applicable. Otherwise look at this

https://support.microsoft.com/en-us/kb/967342

Another way to address the IP leak is to use URL Rewrite module and block all HTTP 1.0 requests, e.g.
https://blogs.msdn.microsoft.com/jaskis/2008/12/09/iis-7-ip-address-revealed-on-redirection-requests-on-http1-0-protocol/

For custom header, I am not certain how it address the concern raised as it is just adding another header field. The HTTP headers are still return so issue may not be addressed if it is pertaining to the existing HTTP header issues.
0
 

Author Comment

by:BBrayton
ID: 41829945
the hotfix is only for windows Vista.
and for iis7.0.
we have iis 7.5. might now work.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 250 total points (awarded by participants)
ID: 41830241
I am thinking of the below to set UseHostName or SetHostName property in the metabase to stop the server sending the private IP address.
this MS blog page details how to resolve the issues in IIS 7+.


appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"serverName" /commit:apphost

appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"serverName" /commit:apphost
Where "serverName" is what you wish to show in place of the I.P. address.

As it is less than ideal to run a command that patches a vulnerability, without understanding exactly what it is doing, I verified the applicationHost.config, which sits under the %Windows%\System32\inetsrv\config\ folder,

As expected  the following was added to the applicationHost.config file.


<serverRuntime alternateHostName="serverName" />

<serverRuntime alternateHostName="serverName" />
http://blog.catalystlogic.com.au/?p=168

e.g. appcmd.exe set config  -section:system.webServer/serverRuntime /alternateHostName:"YourServerName"  /commit:apphost

Otherwise the deploying StripHeaders and remove specific header
The StripHeaders Native-Code module has been created to allow an easy to deploy method of removing unnecessary headers in IIS 7.0 and above. By default, it removes the "Server", "X-Aspnet-Version" and any "X-Powered-By" headers and additional headers to remove can be easily configured.

In an effort to make the module as easy to use as possible, it is provided as an MSI installer, which can be installed directly on web servers, or deployed through group policy to all required servers in an organisation.

https://www.dionach.com/blog/easily-remove-unwanted-http-headers-in-iis-70-to-85
0
 
LVL 27

Accepted Solution

by:
skullnobrains earned 125 total points (awarded by participants)
ID: 41836052
you can hide this information in a variety of ways. adding a reverse proxy would likely be the easiest choice and would add other helpful security features. but then leaking a private IP is not really that bad. honestly, it denotes some bad practice in the software but in itself, i see little to no reason to bother. if your exchange server faces the internet, you probably have other things to think about.
0
 
LVL 64

Expert Comment

by:btan
ID: 41863593
As suggested on options.
0

Featured Post

Raise the IQ of Your IT Alerts

From IT major incidents to manufacturing line slowdowns, every business process generates insights that need to reach the people required to take action. You need a platform that integrates with your business tools to create fully enabled DevOps toolchains.

You need xMatters.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
There is a lot to be said for protecting yourself and your accounts with 2 factor authentication.  I found to my own chagrin, that there is a big downside as well.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question