PCI compliance --

PCI compliance failed.

Hi there experts,

A customer asked me to look at why their pci scan failed. The failing row shows TLS v.1.0, the public IP address, and 3389 port.  Evidently it failed because of TLSv1 but I can't find the source of it. At first I thought port forwarding was enable on the router but it was not the case, then i checked to see if the server we added months ago had rdp enabled, it didn't. I then ran an nmap scan and  and 3389 is not open on any host.  My hypothesis is that a host (may be a laptop) with rdp enabled was connected to the network at the time of the scan but they told me that was not the case. I scheduled another scan  but it won't run until tomorrow...

Has anyone dealt with something like this before? can the scan show that's a tls v1 on a port that's not enabled?
LVL 7
jorge diazSEAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jose Gabriel Ortega CastroCEOCommented:
It can.

What version of windows OS are you running?

They are usually used on web servers from 2008 R2, by default 2012 R2 takes (tls 1.2) but tls 1.0 needs to be disabled to comply (PCI).

Here's a script that after running it you will get disabled the TLS1.0 and another PCI-compliance setting called SWEET32.

https://gallery.technet.microsoft.com/scriptcenter/Solve-SWEET32-Birthday-d2df9cf1
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
masnrockCommented:
Well, since there are port scans, a bit more detail might help. But I would ask three questions to you:
1) Can the firewall be managed remotely?
2) What is RDP in use for? RDP would fail for PCI compliance. Require that users connect to the VPN first, then RDP in. That way, you can close port 3389 open on your firewall.
3) Have you checked the registry on the Windows server? Scroll to the appropriate TLS version in this MS article: https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Powershell

From novice to tech pro — start learning today.