PCI DSS Compliance is Failing

Greetings to you.  As a business that accepts credit cards we have to get scanned by Control Scan for our PCI DSS compliance.  

We are currently failing compliance, but I am not sure how to resolve the problem.  My Remote Desktop is the only service running on the IP address and it is on a Windows 2012 server.  Most of my errors seem to be generated for systems I do not have, so I am wondering what the problem is.  I am running a pfSense router and a Cisco 2900 series router in addition to the W2k12 Remote instance if that helps solve the problem in anyway.  As far as I know my computer is fully updated.

Failure areas:
Buffer overflow in RegAPI.DLL
used by Windows NT 4.0
Terminal Server allows remote
attackers to execute arbitrary
commands via a long
username, aka the "Terminal
Server Login Buffer Overflow"
vulnerability.
CVE-2000-1149

Remote Data Protocol (RDP)
version 5.0 in Microsoft
Windows 2000 and RDP 5.1 in
Windows XP does not encrypt
the checksums of plaintext
session data, which could allow
a remote attacker to determine
the contents of encrypted
sessions via sniffing, aka
"Weak Encryption in RDP
Protocol."
CVE-2002-0863 (When I looked, the version that I am at is 6.3.9600.17415).  

The RC4 algorithm, as used in
the TLS protocol and SSL
protocol, does not properly
combine state data with key
data during the initialization
phase, which makes it easier
for remote attackers to conduct
plaintext-recovery attacks
against the initial bytes of a
stream by sniffing network
traffic that occasionally relies
on keys affected by the
Invariance Weakness, and
then using a brute-force
approach involving LSB values,
aka the "Bar Mitzvah" issue.
CVE-2015-2808

The RC4 algorithm, as used in
the TLS protocol and SSL
protocol, has many single-byte
biases, which makes it easier
for remote attackers to conduct
plaintext-recovery attacks via
statistical analysis of ciphertext
in a large number of sessions
that use the same plaintext.
CVE-2013-2566
aclaus225Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
btanConnect With a Mentor Exec ConsultantCommented:
The scanning report should flagged the affected device pertaining to those findings. Note it can be other unknown asset discovered as the scanning spawn across the segment and also note of virtual instance running with same host may also be one specific to the system finding. Need to trace the asset of concern in the report, the vendor should advice.

If it is pertaining to the Windows 2012 or other server, those CVE can be addressed through hardening configuration (need to restart machine). Especially for the RC4 issue and RDP they are related as RDP will use RC4. Microsoft strongly encourages customers to evaluate, test and implement the options for disabling RC4 below to increase the security of clients, servers and applications. Microsoft recommends enabling TLS1.2 and AES-GCM.

See MS advisory on disabling RC4 patch and the specific registry. Note RC4 is not turned off by default for all applications. However, you need to make sure this does not affect your RDP so do test in staged server before going production. See "Note" below
- https://support.microsoft.com/en-us/kb/2868725

Note - there are more insight and implication on effectively turning off RC4, there is need to have some manual setting
I would only disable TLS 1.0 on a per element basis.  Disabling RC4 with the suggested registry settings does not seem to work, as a service can still use the cipher.  

RDP will continue to use RC4 until it's settings are changed. To fix this run tsconfig.msc.  Double click on RDP-Tcp.  Change the Encryption Level to FIPS Compliant.  This should disable RC4-MD5 and RC4-SHA over RDP, which will probably clear the warnings you are receiving.

Additionally where tsconfig is no longer available you can set:

\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MinEncryptionLevel to 4 which should produce the same results.
https://social.technet.microsoft.com/Forums/en-US/3f6f7cb7-b7f4-4f5e-90c3-a52f819e6ad0/remote-desktop-mssql-and-tls-10-and-rc4-ciphers?forum=winserverTS

but I fear this may break your appl or operations. There is one good to check out - IISCrypto which has template for PCI compliance to set the appropriate cipher
https://www.nartac.com/Products/IISCrypto/Default.aspx
0
 
aclaus225Author Commented:
Thank you very much for your assistance.  What you said was very easy for me to follow and I did install IISCrypt.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.