Solved

PCI DSS Compliance is Failing

Posted on 2016-11-28
2
93 Views
Last Modified: 2017-02-02
Greetings to you.  As a business that accepts credit cards we have to get scanned by Control Scan for our PCI DSS compliance.  

We are currently failing compliance, but I am not sure how to resolve the problem.  My Remote Desktop is the only service running on the IP address and it is on a Windows 2012 server.  Most of my errors seem to be generated for systems I do not have, so I am wondering what the problem is.  I am running a pfSense router and a Cisco 2900 series router in addition to the W2k12 Remote instance if that helps solve the problem in anyway.  As far as I know my computer is fully updated.

Failure areas:
Buffer overflow in RegAPI.DLL
used by Windows NT 4.0
Terminal Server allows remote
attackers to execute arbitrary
commands via a long
username, aka the "Terminal
Server Login Buffer Overflow"
vulnerability.
CVE-2000-1149

Remote Data Protocol (RDP)
version 5.0 in Microsoft
Windows 2000 and RDP 5.1 in
Windows XP does not encrypt
the checksums of plaintext
session data, which could allow
a remote attacker to determine
the contents of encrypted
sessions via sniffing, aka
"Weak Encryption in RDP
Protocol."
CVE-2002-0863 (When I looked, the version that I am at is 6.3.9600.17415).  

The RC4 algorithm, as used in
the TLS protocol and SSL
protocol, does not properly
combine state data with key
data during the initialization
phase, which makes it easier
for remote attackers to conduct
plaintext-recovery attacks
against the initial bytes of a
stream by sniffing network
traffic that occasionally relies
on keys affected by the
Invariance Weakness, and
then using a brute-force
approach involving LSB values,
aka the "Bar Mitzvah" issue.
CVE-2015-2808

The RC4 algorithm, as used in
the TLS protocol and SSL
protocol, has many single-byte
biases, which makes it easier
for remote attackers to conduct
plaintext-recovery attacks via
statistical analysis of ciphertext
in a large number of sessions
that use the same plaintext.
CVE-2013-2566
0
Comment
Question by:aclaus225
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 41905589
The scanning report should flagged the affected device pertaining to those findings. Note it can be other unknown asset discovered as the scanning spawn across the segment and also note of virtual instance running with same host may also be one specific to the system finding. Need to trace the asset of concern in the report, the vendor should advice.

If it is pertaining to the Windows 2012 or other server, those CVE can be addressed through hardening configuration (need to restart machine). Especially for the RC4 issue and RDP they are related as RDP will use RC4. Microsoft strongly encourages customers to evaluate, test and implement the options for disabling RC4 below to increase the security of clients, servers and applications. Microsoft recommends enabling TLS1.2 and AES-GCM.

See MS advisory on disabling RC4 patch and the specific registry. Note RC4 is not turned off by default for all applications. However, you need to make sure this does not affect your RDP so do test in staged server before going production. See "Note" below
- https://support.microsoft.com/en-us/kb/2868725

Note - there are more insight and implication on effectively turning off RC4, there is need to have some manual setting
I would only disable TLS 1.0 on a per element basis.  Disabling RC4 with the suggested registry settings does not seem to work, as a service can still use the cipher.  

RDP will continue to use RC4 until it's settings are changed. To fix this run tsconfig.msc.  Double click on RDP-Tcp.  Change the Encryption Level to FIPS Compliant.  This should disable RC4-MD5 and RC4-SHA over RDP, which will probably clear the warnings you are receiving.

Additionally where tsconfig is no longer available you can set:

\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MinEncryptionLevel to 4 which should produce the same results.
https://social.technet.microsoft.com/Forums/en-US/3f6f7cb7-b7f4-4f5e-90c3-a52f819e6ad0/remote-desktop-mssql-and-tls-10-and-rc4-ciphers?forum=winserverTS

but I fear this may break your appl or operations. There is one good to check out - IISCrypto which has template for PCI compliance to set the appropriate cipher
https://www.nartac.com/Products/IISCrypto/Default.aspx
0
 

Author Closing Comment

by:aclaus225
ID: 41906076
Thank you very much for your assistance.  What you said was very easy for me to follow and I did install IISCrypt.
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
A customer recently asked me about anti-malware and the different deployment options available for his business. Daily news about cyberattacks, zero-day vulnerabilities, and companies that suffered a security breach made him wonder if the endpoint a…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question