Solved

PCI Compliance

Posted on 2016-10-03
9
55 Views
Last Modified: 2016-10-28
We have a customer who keeps failing PCI Vulnerability scan from security metrics.
The errors we receive say no resolution and Security metrics support does not know how to resolve. Here are the errors.
I attached the 2 errors i cannot resolve.
Capture.PNG
Capture2.PNG
0
Comment
Question by:BBrayton
9 Comments
 
LVL 20

Assisted Solution

by:Russ Suter
Russ Suter earned 125 total points (awarded by participants)
ID: 41826794
Need more information about the environment being scanned. What is the OS version? What firewall is being used and what are the rules (open ports)? What IIS version is in use? The screenshot in capture2.png makes reference to IIS 4.0. I certainly hope that isn't being used. The customer should be using at least IIS 7.0.

Both errors indicate a failure to mask internal IP addresses. This tends to make me think there's something wrong with the NAT rules on the firewall but without more info all I can do is guess.
0
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points (awarded by participants)
ID: 41827273
Looks like very out dated Web server version is used and the Configuration of CAS is not hardened.

For CAS, according to the article (http://foofus.net/?p=758), the disclosed information is the mail server's internal IP address. Review the patch latest version and also block any HTTP access as it should not be allow at the first place. Noted the scan is via port 443 and the leak can be prevented if we can mask the IP address out. See suggested mitigations to replace FQDN to Realm Field instead.
http://blog.kurtiskent.com/2014/09/workaround-for-iis-multiple-internal-ip.html

 Likewise for the IIS leak, see also this as bith disclosure is pertaining to probably HTTP 1.0 which should not be allowed.
https://support.microsoft.com/en-sg/kb/967342
0
 

Author Comment

by:BBrayton
ID: 41828426
Thanks btan. I found that article yesterday and it did work.

now the only issue i have is "This web server leaks a private IP address through its HTTP headers."

Its A sbs2011 Standard OS.
IIS 7.5
We have a juniper router but I dont think that is the issue.
0
 

Author Comment

by:BBrayton
ID: 41828445
This is the article that security metrics sent me to resolve issue with the headers.
Let me know what you think.
https://www.iis.net/configreference/system.webserver/httpprotocol/customheaders
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points (awarded by participants)
ID: 41828994
If you did not see any internal IP or ip of proxy or router them I agree it is non applicable. Otherwise look at this

https://support.microsoft.com/en-us/kb/967342

Another way to address the IP leak is to use URL Rewrite module and block all HTTP 1.0 requests, e.g.
https://blogs.msdn.microsoft.com/jaskis/2008/12/09/iis-7-ip-address-revealed-on-redirection-requests-on-http1-0-protocol/

For custom header, I am not certain how it address the concern raised as it is just adding another header field. The HTTP headers are still return so issue may not be addressed if it is pertaining to the existing HTTP header issues.
0
 

Author Comment

by:BBrayton
ID: 41829945
the hotfix is only for windows Vista.
and for iis7.0.
we have iis 7.5. might now work.
0
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points (awarded by participants)
ID: 41830241
I am thinking of the below to set UseHostName or SetHostName property in the metabase to stop the server sending the private IP address.
this MS blog page details how to resolve the issues in IIS 7+.


appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"serverName" /commit:apphost

appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"serverName" /commit:apphost
Where "serverName" is what you wish to show in place of the I.P. address.

As it is less than ideal to run a command that patches a vulnerability, without understanding exactly what it is doing, I verified the applicationHost.config, which sits under the %Windows%\System32\inetsrv\config\ folder,

As expected  the following was added to the applicationHost.config file.


<serverRuntime alternateHostName="serverName" />

<serverRuntime alternateHostName="serverName" />
http://blog.catalystlogic.com.au/?p=168

e.g. appcmd.exe set config  -section:system.webServer/serverRuntime /alternateHostName:"YourServerName"  /commit:apphost

Otherwise the deploying StripHeaders and remove specific header
The StripHeaders Native-Code module has been created to allow an easy to deploy method of removing unnecessary headers in IIS 7.0 and above. By default, it removes the "Server", "X-Aspnet-Version" and any "X-Powered-By" headers and additional headers to remove can be easily configured.

In an effort to make the module as easy to use as possible, it is provided as an MSI installer, which can be installed directly on web servers, or deployed through group policy to all required servers in an organisation.

https://www.dionach.com/blog/easily-remove-unwanted-http-headers-in-iis-70-to-85
0
 
LVL 26

Accepted Solution

by:
skullnobrains earned 125 total points (awarded by participants)
ID: 41836052
you can hide this information in a variety of ways. adding a reverse proxy would likely be the easiest choice and would add other helpful security features. but then leaking a private IP is not really that bad. honestly, it denotes some bad practice in the software but in itself, i see little to no reason to bother. if your exchange server faces the internet, you probably have other things to think about.
0
 
LVL 62

Expert Comment

by:btan
ID: 41863593
As suggested on options.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
You may have a outside contractor who comes in once a week or seasonal to do some work in your office but you only want to give him access to the programs and files he needs and keep privet all other documents and programs, can you do this on a loca…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now