Solved

PCI DSS Compliance is Failing

Posted on 2016-11-28
2
12 Views
Last Modified: 2016-11-29
Greetings to you.  As a business that accepts credit cards we have to get scanned by Control Scan for our PCI DSS compliance.  

We are currently failing compliance, but I am not sure how to resolve the problem.  My Remote Desktop is the only service running on the IP address and it is on a Windows 2012 server.  Most of my errors seem to be generated for systems I do not have, so I am wondering what the problem is.  I am running a pfSense router and a Cisco 2900 series router in addition to the W2k12 Remote instance if that helps solve the problem in anyway.  As far as I know my computer is fully updated.

Failure areas:
Buffer overflow in RegAPI.DLL
used by Windows NT 4.0
Terminal Server allows remote
attackers to execute arbitrary
commands via a long
username, aka the "Terminal
Server Login Buffer Overflow"
vulnerability.
CVE-2000-1149

Remote Data Protocol (RDP)
version 5.0 in Microsoft
Windows 2000 and RDP 5.1 in
Windows XP does not encrypt
the checksums of plaintext
session data, which could allow
a remote attacker to determine
the contents of encrypted
sessions via sniffing, aka
"Weak Encryption in RDP
Protocol."
CVE-2002-0863 (When I looked, the version that I am at is 6.3.9600.17415).  

The RC4 algorithm, as used in
the TLS protocol and SSL
protocol, does not properly
combine state data with key
data during the initialization
phase, which makes it easier
for remote attackers to conduct
plaintext-recovery attacks
against the initial bytes of a
stream by sniffing network
traffic that occasionally relies
on keys affected by the
Invariance Weakness, and
then using a brute-force
approach involving LSB values,
aka the "Bar Mitzvah" issue.
CVE-2015-2808

The RC4 algorithm, as used in
the TLS protocol and SSL
protocol, has many single-byte
biases, which makes it easier
for remote attackers to conduct
plaintext-recovery attacks via
statistical analysis of ciphertext
in a large number of sessions
that use the same plaintext.
CVE-2013-2566
0
Comment
Question by:aclaus225
2 Comments
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
Comment Utility
The scanning report should flagged the affected device pertaining to those findings. Note it can be other unknown asset discovered as the scanning spawn across the segment and also note of virtual instance running with same host may also be one specific to the system finding. Need to trace the asset of concern in the report, the vendor should advice.

If it is pertaining to the Windows 2012 or other server, those CVE can be addressed through hardening configuration (need to restart machine). Especially for the RC4 issue and RDP they are related as RDP will use RC4. Microsoft strongly encourages customers to evaluate, test and implement the options for disabling RC4 below to increase the security of clients, servers and applications. Microsoft recommends enabling TLS1.2 and AES-GCM.

See MS advisory on disabling RC4 patch and the specific registry. Note RC4 is not turned off by default for all applications. However, you need to make sure this does not affect your RDP so do test in staged server before going production. See "Note" below
- https://support.microsoft.com/en-us/kb/2868725

Note - there are more insight and implication on effectively turning off RC4, there is need to have some manual setting
I would only disable TLS 1.0 on a per element basis.  Disabling RC4 with the suggested registry settings does not seem to work, as a service can still use the cipher.  

RDP will continue to use RC4 until it's settings are changed. To fix this run tsconfig.msc.  Double click on RDP-Tcp.  Change the Encryption Level to FIPS Compliant.  This should disable RC4-MD5 and RC4-SHA over RDP, which will probably clear the warnings you are receiving.

Additionally where tsconfig is no longer available you can set:

\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MinEncryptionLevel to 4 which should produce the same results.
https://social.technet.microsoft.com/Forums/en-US/3f6f7cb7-b7f4-4f5e-90c3-a52f819e6ad0/remote-desktop-mssql-and-tls-10-and-rc4-ciphers?forum=winserverTS

but I fear this may break your appl or operations. There is one good to check out - IISCrypto which has template for PCI compliance to set the appropriate cipher
https://www.nartac.com/Products/IISCrypto/Default.aspx
0
 

Author Closing Comment

by:aclaus225
Comment Utility
Thank you very much for your assistance.  What you said was very easy for me to follow and I did install IISCrypt.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

So, a cyberiminal’s ultimate goal and motivation has to involve financial gain, right?—not necessarily. There are at least five other motivations behind cybercriminal activities.
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now