?
Solved

PCI DSS Compliance is Failing

Posted on 2016-11-28
2
Medium Priority
?
147 Views
Last Modified: 2017-02-02
Greetings to you.  As a business that accepts credit cards we have to get scanned by Control Scan for our PCI DSS compliance.  

We are currently failing compliance, but I am not sure how to resolve the problem.  My Remote Desktop is the only service running on the IP address and it is on a Windows 2012 server.  Most of my errors seem to be generated for systems I do not have, so I am wondering what the problem is.  I am running a pfSense router and a Cisco 2900 series router in addition to the W2k12 Remote instance if that helps solve the problem in anyway.  As far as I know my computer is fully updated.

Failure areas:
Buffer overflow in RegAPI.DLL
used by Windows NT 4.0
Terminal Server allows remote
attackers to execute arbitrary
commands via a long
username, aka the "Terminal
Server Login Buffer Overflow"
vulnerability.
CVE-2000-1149

Remote Data Protocol (RDP)
version 5.0 in Microsoft
Windows 2000 and RDP 5.1 in
Windows XP does not encrypt
the checksums of plaintext
session data, which could allow
a remote attacker to determine
the contents of encrypted
sessions via sniffing, aka
"Weak Encryption in RDP
Protocol."
CVE-2002-0863 (When I looked, the version that I am at is 6.3.9600.17415).  

The RC4 algorithm, as used in
the TLS protocol and SSL
protocol, does not properly
combine state data with key
data during the initialization
phase, which makes it easier
for remote attackers to conduct
plaintext-recovery attacks
against the initial bytes of a
stream by sniffing network
traffic that occasionally relies
on keys affected by the
Invariance Weakness, and
then using a brute-force
approach involving LSB values,
aka the "Bar Mitzvah" issue.
CVE-2015-2808

The RC4 algorithm, as used in
the TLS protocol and SSL
protocol, has many single-byte
biases, which makes it easier
for remote attackers to conduct
plaintext-recovery attacks via
statistical analysis of ciphertext
in a large number of sessions
that use the same plaintext.
CVE-2013-2566
0
Comment
Question by:aclaus225
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 41905589
The scanning report should flagged the affected device pertaining to those findings. Note it can be other unknown asset discovered as the scanning spawn across the segment and also note of virtual instance running with same host may also be one specific to the system finding. Need to trace the asset of concern in the report, the vendor should advice.

If it is pertaining to the Windows 2012 or other server, those CVE can be addressed through hardening configuration (need to restart machine). Especially for the RC4 issue and RDP they are related as RDP will use RC4. Microsoft strongly encourages customers to evaluate, test and implement the options for disabling RC4 below to increase the security of clients, servers and applications. Microsoft recommends enabling TLS1.2 and AES-GCM.

See MS advisory on disabling RC4 patch and the specific registry. Note RC4 is not turned off by default for all applications. However, you need to make sure this does not affect your RDP so do test in staged server before going production. See "Note" below
- https://support.microsoft.com/en-us/kb/2868725

Note - there are more insight and implication on effectively turning off RC4, there is need to have some manual setting
I would only disable TLS 1.0 on a per element basis.  Disabling RC4 with the suggested registry settings does not seem to work, as a service can still use the cipher.  

RDP will continue to use RC4 until it's settings are changed. To fix this run tsconfig.msc.  Double click on RDP-Tcp.  Change the Encryption Level to FIPS Compliant.  This should disable RC4-MD5 and RC4-SHA over RDP, which will probably clear the warnings you are receiving.

Additionally where tsconfig is no longer available you can set:

\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MinEncryptionLevel to 4 which should produce the same results.
https://social.technet.microsoft.com/Forums/en-US/3f6f7cb7-b7f4-4f5e-90c3-a52f819e6ad0/remote-desktop-mssql-and-tls-10-and-rc4-ciphers?forum=winserverTS

but I fear this may break your appl or operations. There is one good to check out - IISCrypto which has template for PCI compliance to set the appropriate cipher
https://www.nartac.com/Products/IISCrypto/Default.aspx
0
 

Author Closing Comment

by:aclaus225
ID: 41906076
Thank you very much for your assistance.  What you said was very easy for me to follow and I did install IISCrypt.
0

Featured Post

Get proactive database performance tuning online

At Percona’s web store you can order full Percona Database Performance Audit in minutes. Find out the health of your database, and how to improve it. Pay online with a credit card. Improve your database performance now!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to security, close monitoring is a must. According to WhiteHat Security annual report, a substantial number of all web applications are vulnerable always. Monitis offers a new product - fully-featured Website security monitoring and pr…
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question