Shawn Janes asked:

PCI Compliance Issues - A couple of questions

Hi:

I am a web developer, not a server administrator. Due to unfortunate circumstances at my office, we no longer have staff that manages our servers, and I have been asked to get our server PCI compliant. Good times. The server is running Windows 2008 R2 64 Bit. There were 9 issues and I have resolved 7 of them. I am having a hard time with the last two. I have been reading for the last two days and I am still unclear how to resolve the issues. Hopefully someone here has the missing pieces I am looking for.

The two issues are:

1. SSL/TLS Weak Encryption Algorithms
2. Reflected Cross-Site Scripting Vulnerability

I don't want to oversimplify the solution, but if there's anyone out there who can help me resolve these two items I'd appreciate it. I've included a screenshot of IIS Crypto 2.0 below.

http://awesomescreenshot.com/0046ess867

Thanks for any guidance.
Aaron Tomosky:

Looks like IIS Crypto recommends removing all the RC* ciphers and some other things, sounds like a good idea to me. Here is a screenshot right from their website
https://www.nartac.com/images/IISCrypto/Screenshot1.png
Shawn Janes (asker):

Right, but that screenshot shows adding Triple DES 168 back which would make me out of compliance again. How do I know which ones to remove and which ones to leave if that image shows adding things that causes a PCI compliance issue?
Asker certified solution (Aaron Tomosky); full text members-only.

PCI Compliance... sigh... I just went through this recently with a client.

The real issue is what service you use which certifies your compliance.

You can bring your system into what you think is compliance + use 20 different compliance testers + you'll get various passes + fails.

So if you're really going for PCI Compliance, start with the service you'll be using to certify your compliance.

Then run their scanner, which normally requires SSH access to perform all tests.

Then fix whatever errors are reported + you'll be in PCI Compliance, for that service.

This does not mean any other PCI Compliance service tester will pass 100%. It only means you can pass the service which reported the diagnostics you fixed.

PCI Compliance tends to be a mess.

Apparently the company I work for has been using the same PCI compliance scanner for the last 15 years. It's provided by the bank they have their merchant account with. So I am using that scanner solely to tell me when we are compliant.

I will need to read the articles Aaron posted before disabling all those settings, I don't want to turn something off and lose access to the server. Not sure I will, but I like to kind of know what I'm doing. :-)

Excellent! If you already have your Scanner service running, you should be good.

Looking at your two reported issues...

1. SSL/TLS Weak Encryption Algorithms
2. Reflected Cross-Site Scripting Vulnerability

The image you posted doesn't show anything related to the 2nd issue.

Only the 1st issue of SSL ciphers.

You can disable any SSL cipher you like which is flagged as weak, as these should be turned off.

Most recent versions of OpenSSL have completely dropped support for broken/weak/hackable ciphers, so you may be running an older version of OpenSSL or the Windows equivalent.
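For the cipher part of the discussion above, this is an added example (not code from the thread or from IIS Crypto) that audits and, with -WhatIf removed, disables the Schannel cipher entries under the same registry keys IIS Crypto edits. It assumes the $weak list mirrors what the scanner flagged (the RC* ciphers and Triple DES 168 named in the thread; tune it to your own report), that it runs in an elevated PowerShell session on the 2008 R2 box, and that you reboot afterwards, since Schannel reads these keys at startup.

```powershell
# Added example, not code from the thread. Audits and (optionally) disables
# Schannel cipher entries under the registry keys IIS Crypto edits.
# Assumption: $weak mirrors the scanner's report; adjust it before applying.
$cipherRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# Subkey names exactly as Schannel spells them; the '/' is part of the name.
$weak = @('RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'Triple DES 168')
$keep = @('AES 128/128', 'AES 256/256')

function Get-CipherState {
    param([string]$Name)
    # The .NET registry API is used because the PowerShell registry provider
    # treats the '/' in a name like 'RC4 128/128' as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$cipherRoot\$Name")
    if ($null -eq $key) { return 'default (no key; Schannel built-in default applies)' }
    try {
        $v = $key.GetValue('Enabled')
        if ($null -eq $v) { return 'default (key present, no Enabled value)' }
        if ($v -eq 0) { return 'disabled' } else { return 'enabled' }
    } finally { $key.Close() }
}

function Disable-Cipher {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Name)
    if ($PSCmdlet.ShouldProcess("HKLM\$cipherRoot\$Name", 'Set Enabled = 0')) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$cipherRoot\$Name")
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
}

# 1. Audit first so you know the starting state (and what to put back if needed).
'--- before ---'
foreach ($c in $weak + $keep) { '{0,-16} {1}' -f $c, (Get-CipherState -Name $c) }

# 2. Preview the change with -WhatIf; remove -WhatIf to apply it.
foreach ($c in $weak) { Disable-Cipher -Name $c -WhatIf }

# 3. The $keep (AES) entries are never written, so they stay as they were.
'--- after ---'
foreach ($c in $weak + $keep) { '{0,-16} {1}' -f $c, (Get-CipherState -Name $c) }
```

Run the audit section alone before making any change, and keep a copy of its output so the change can be reversed by setting the same Enabled values back.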
So, does that mean turn everything off in the second column of that screenshot except the bottom two (AES)? If so, will that make me lose RDP connection to the server or anything? This is an AWS server and no physical access. Any idea? Sorry for the elementary questions, I am kind of at a loss when it comes to this issue.