Solved

PCI DSS Compliance is Failing

Posted on 2016-11-28
Last Modified: 2017-02-02
Greetings to you. As a business that accepts credit cards we have to get scanned by Control Scan for our PCI DSS compliance.

We are currently failing compliance, but I am not sure how to resolve the problem. My Remote Desktop is the only service running on the IP address and it is on a Windows 2012 server. Most of my errors seem to be generated for systems I do not have, so I am wondering what the problem is. I am running a pfSense router and a Cisco 2900 series router in addition to the W2k12 Remote instance, if that helps solve the problem in any way. As far as I know my computer is fully updated.

Failure areas:

Buffer overflow in RegAPI.DLL used by Windows NT 4.0 Terminal Server allows remote attackers to execute arbitrary commands via a long username, aka the "Terminal Server Login Buffer Overflow" vulnerability.
CVE-2000-1149

Remote Data Protocol (RDP) version 5.0 in Microsoft Windows 2000 and RDP 5.1 in Windows XP does not encrypt the checksums of plaintext session data, which could allow a remote attacker to determine the contents of encrypted sessions via sniffing, aka "Weak Encryption in RDP Protocol."
CVE-2002-0863 (When I looked, the version that I am at is 6.3.9600.17415).

The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
CVE-2015-2808

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
CVE-2013-2566
Question by:aclaus225
Accepted Solution

by: btan (earned 2000 total points)
ID: 41905589
The scanning report should flag the affected device pertaining to those findings. Note that it can be another unknown asset discovered as the scanning spans across the segment, and also note that a virtual instance running on the same host may also be the one specific to the system finding. You need to trace the asset of concern in the report; the vendor should advise.

If it is pertaining to the Windows 2012 or another server, those CVEs can be addressed through hardening configuration (the machine needs a restart). Especially the RC4 issue and RDP are related, as RDP will use RC4. Microsoft strongly encourages customers to evaluate, test and implement the options for disabling RC4 below to increase the security of clients, servers and applications. Microsoft recommends enabling TLS 1.2 and AES-GCM.

See the MS advisory on the patch for disabling RC4 and the specific registry settings. Note that RC4 is not turned off by default for all applications. However, you need to make sure this does not affect your RDP, so do test on a staged server before going to production. See "Note" below
- https://support.microsoft.com/en-us/kb/2868725

Note - there is more insight and implication on effectively turning off RC4; there is a need for some manual settings
I would only disable TLS 1.0 on a per element basis. Disabling RC4 with the suggested registry settings does not seem to work, as a service can still use the cipher.

RDP will continue to use RC4 until its settings are changed. To fix this run tsconfig.msc. Double click on RDP-Tcp. Change the Encryption Level to FIPS Compliant. This should disable RC4-MD5 and RC4-SHA over RDP, which will probably clear the warnings you are receiving.

Additionally where tsconfig is no longer available you can set:

\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MinEncryptionLevel to 4 which should produce the same results.
https://social.technet.microsoft.com/Forums/en-US/3f6f7cb7-b7f4-4f5e-90c3-a52f819e6ad0/remote-desktop-mssql-and-tls-10-and-rc4-ciphers?forum=winserverTS

But I fear this may break your application or operations. There is one good tool to check out - IISCrypto, which has a template for PCI compliance to set the appropriate ciphers
https://www.nartac.com/Products/IISCrypto/Default.aspx
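As an added example that is not part of btan's answer or of any Microsoft or Nartac tool, the script below audits the two settings the answer points at on the Windows 2012 host itself, so you can see which of the scanner's RC4/RDP findings actually apply before touching anything: the RDP-Tcp MinEncryptionLevel (4 = FIPS Compliant, the tsconfig.msc setting) and the Schannel RC4 cipher keys from KB2868725. It reads the SecurityLayer and UserAuthentication values from the same RDP-Tcp key too (standard registry values, not mentioned in the thread) because Schannel cipher settings only govern RDP when the security layer is TLS; with native RDP security it is MinEncryptionLevel that matters. Nothing is written unless you pass -Apply, and the function and parameter names are my own.

```powershell
<#
  Audit, and optionally set, RDP encryption level and Schannel RC4 state.
  Run in an elevated PowerShell on the server being scanned.
  Audit only by default; -Apply writes the values, after which the
  server must be rebooted and re-scanned. Test on a staged server first.
#>
param([switch]$Apply)

$rdpPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# The Ciphers key names contain "/", which the PowerShell registry provider
# treats as a path separator, so the .NET Registry API is used for them.
$cipherBase = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$rc4Ciphers = @('RC4 128/128', 'RC4 56/128', 'RC4 40/128')   # names from KB2868725

function Get-RdpEncryptionState {
    $p = Get-ItemProperty -Path $rdpPath
    [pscustomobject]@{
        MinEncryptionLevel = $p.MinEncryptionLevel   # 1 Low, 2 Client Compatible, 3 High, 4 FIPS Compliant
        SecurityLayer      = $p.SecurityLayer        # 0 RDP security, 1 Negotiate, 2 TLS (SSL)
        UserAuthentication = $p.UserAuthentication   # 1 = Network Level Authentication required
        FipsCompliant      = ($p.MinEncryptionLevel -eq 4)
    }
}

function Get-Rc4State {
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    foreach ($name in $rc4Ciphers) {
        $sub = $hklm.OpenSubKey("$cipherBase\$name")
        # A missing key or missing Enabled value means the OS default, which leaves RC4 on.
        $enabled = if ($sub) { $sub.GetValue('Enabled') } else { $null }
        if ($sub) { $sub.Close() }
        [pscustomobject]@{
            Cipher   = $name
            Enabled  = $enabled
            Disabled = ($enabled -eq 0)
        }
    }
}

function Set-RdpFipsEncryption {
    # Same effect as tsconfig.msc -> RDP-Tcp -> Encryption Level: FIPS Compliant
    Set-ItemProperty -Path $rdpPath -Name MinEncryptionLevel -Value 4 -Type DWord
}

function Disable-Rc4Ciphers {
    # KB2868725: create each RC4 cipher key with a DWORD Enabled = 0
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    foreach ($name in $rc4Ciphers) {
        $sub = $hklm.CreateSubKey("$cipherBase\$name")
        $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $sub.Close()
    }
}

Write-Host 'RDP-Tcp encryption settings:'
Get-RdpEncryptionState | Format-List

Write-Host 'Schannel RC4 cipher state (Disabled = True is the KB2868725 end state):'
Get-Rc4State | Format-Table -AutoSize

if ($Apply) {
    Set-RdpFipsEncryption
    Disable-Rc4Ciphers
    Write-Host 'Values written. Reboot the server, confirm RDP clients still connect, then re-run the scan.'
}
```

If the audit shows the RDP-Tcp key already at MinEncryptionLevel 4 and all three RC4 keys disabled and the scanner still reports these CVEs, the finding is almost certainly against a different asset on the scanned range, which is the first point btan makes above.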
 

Author Closing Comment

by:aclaus225
ID: 41906076
Thank you very much for your assistance. What you said was very easy for me to follow and I did install IISCrypto.
