New Exchange 2013 install failing PCI compliancy testing
I have a new install of Exchange 2013 - single server environment, with a small business. I am failing the following PCI compliancy items. Does anyone have any information on how to fix these issues? Do I need to look at something like a Forefront TMG product to pass? Does Microsoft even make a Forefront TMG product anymore?


Host:port     Finding                                      CVE            Severity  CVSS  Result  Note
x.x.x.x:443   osCommerce allows cross-site scripting       CVE-2003-1219  medium    4.3   FAIL    SQL/XSS/SSL vulnerabilities are not PCI compliant
x.x.x.x:443   SSL/TLS server supports RC4 ciphers          CVE-2013-2566  medium    4.3   FAIL
x.x.x.x:443   SSL/TLS server supports RC4 ciphers          CVE-2015-2808  medium    4.3   FAIL
x.x.x.x:443   server is susceptible to BEAST attack        CVE-2011-3389  medium    4.3   FAIL
x.x.x.x:443   server is susceptible to SSL POODLE attack   CVE-2014-3566  medium    4.3   FAIL

June 12th, 2015 9:23pm

TMG is no longer available.
June 13th, 2015 2:46am

These items can all be resolved by applying the correct configurations to your webserver/web-applications.
(you're probably using the out-of-the-box defaults, which leave a lot of these items enabled...)

In the case of the first item, talk to the folks at osCommerce and get their product fixed.

If you don't already have some kind of firewall appliance or product, there are plenty to choose from.

June 13th, 2015 6:38am

It is an out-of-the-box install of Exchange 2013 on Server 2012 R2. Besides an antivirus product, nothing else is installed on this machine. It all sits behind a SonicWall firewall.

June 13th, 2015 4:15pm

Take a stroll through here, or ask questions there if you need to; there's a lot of related Q&A there for your items:
https://social.technet.microsoft.com/Forums/en-US/home?forum=winserversecurity
June 13th, 2015 7:02pm

Hi ,

Thank you for your question.

Did you install Exchange Server 2013 on a DC?

What role do you want to install on this server? If this is an Exchange 2013 Edge server, we could refer to the following link:

https://technet.microsoft.com/en-us/library/dn635117(v=exchg.150).aspx

What about cross-site scripting?

We could uninstall the anti-virus product on this server, then re-run the prerequisites on this server via the following link to check if the issue persists:

https://technet.microsoft.com/en-us/library/bb691354(v=exchg.150).aspx

If it is successful, we could install the anti-virus product later.

In addition, we could check if there are any errors in the application log, then send them to ibsexc@microsoft.com for our troubleshooting.

If there are any questions regarding this issue, please feel free to let me know.

Best Regards,

Jim

June 17th, 2015 10:36pm

This is a 2012 R2 server with Exchange 2013. Nothing else. It does not have the Edge role installed. I changed the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server "Enabled" registry key to a value of 0, and I still show as vulnerable to the POODLE and BEAST vulnerabilities.
June 28th, 2015 1:09pm

Hi RD,

We could deploy Exchange 2013 step by step through the following link:

https://technet.microsoft.com/en-us/library/aa998636%28v=exchg.150%29.aspx

We should make sure we have installed all requirements.

If not, you could post the snapshot of error for our troubleshooting.

If there are any questions regarding this issue, please feel free to let me know.

Best Regards,

Jim

June 29th, 2015 3:42am

There is no error. Exchange functions perfectly, other than it is failing an external PCI compliancy test.
June 29th, 2015 1:38pm

What about disabling the RC4 reg keys? And after you made the change to the reg keys for the POODLE and BEAST vulnerabilities, did you restart the server to apply the changes?

June 29th, 2015 4:13pm

Hi RD,

If Exchange works, the problem may be with PCI; we suggest you ask a third party for help.

If there are any questions regarding this issue, please feel free to let me know.

Best Regards,

Jim

June 29th, 2015 9:57pm

To B0ndoo7, yes I did disable the RC4 keys. I got a passing test today for both POODLE and BEAST. It's odd, because the other online test I was using was still indicating a failure.

The only failure I still have is the osCommerce allows cross-site scripting one, which is odd, because osCommerce is not installed on this machine.

CVE-2003-1219

June 29th, 2015 11:42pm
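The registry changes the thread converged on (SSL 3.0 disabled server-side, the RC4 cipher keys disabled, then a reboot), as an added PowerShell audit/apply script that is not part of the thread or of any Microsoft guidance. The Schannel cipher sub-key names are the standard ones; the function name Test-SchannelHardening is my own.

```powershell
# Added example: audit (and optionally apply) the Schannel settings discussed in
# the thread on Windows Server 2012 R2. Run elevated. Schannel reads these keys
# at startup, so a reboot is still required after -Apply, as noted in the thread.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'

# Sub-keys (relative to $schannel) that must carry DWORD Enabled = 0.
# The RC4 key names contain a forward slash, which the HKLM: drive provider
# treats as a path separator, so the .NET registry API is used instead of
# New-Item / Set-ItemProperty (which would silently create "RC4 128" + "128").
$targets = @(
    'Protocols\SSL 3.0\Server',
    'Ciphers\RC4 128/128',
    'Ciphers\RC4 56/128',
    'Ciphers\RC4 40/128'
)

function Test-SchannelHardening {
    param([switch]$Apply)   # without -Apply this only reports
    $results = foreach ($rel in $targets) {
        $path = "$schannel\$rel"
        $key  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path, $Apply.IsPresent)
        if ($null -eq $key -and $Apply) {
            # CreateSubKey creates any missing intermediate keys as well.
            $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($path)
        }
        $value = if ($key) { $key.GetValue('Enabled', $null) } else { $null }
        # A missing key or value means the Schannel default, i.e. still enabled.
        $disabled = ($value -is [int]) -and ($value -eq 0)
        if ($Apply -and -not $disabled) {
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            $disabled = $true
        }
        if ($key) { $key.Close() }
        [pscustomobject]@{ Key = $rel; Enabled = $value; Disabled = $disabled }
    }
    return $results
}

Test-SchannelHardening | Format-Table -AutoSize   # audit only
# Test-SchannelHardening -Apply; Restart-Computer  # apply, then reboot
```

Re-run the audit after the reboot and then the external scan; as the thread shows, different online scanners may lag behind each other in reporting the result.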

Very strange if you're not using their products. Can you search for a file named "html_output.php"? See the following article: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1219 This vulnerability is old too, originally recorded in 2003.
June 30th, 2015 8:52am

Not finding an html_output.php file on that machine.
June 30th, 2015 10:20am

According to this site:

http://forums.oscommerce.com/topic/390308-pci-compliance-scan-failures-oscommerce-or-my-host-provider/

That osCommerce failure (CVE-2003-1219) is a false positive. You said it yourself, "osCommerce is not installed on this machine." I'd go back to the vendor doing the PCI scan and inform them of this, if you haven't already. I've been involved in several PCI scans for clients and there are some things that can't be resolved, or are false positives. For those items, sometimes the PCI vendor will grant a waiver (exception) and give you a passing compliance scan.

June 30th, 2015 1:18pm
