One of the companys I work with take Credit Card payments and therefore want to be PCI compliant, and use security metrics to scan the network for compliance.
Lately they’ve been failing their online scan for a few reasons.
- Windows 2003 has been detected and that now unsupport
- TLS version 1.0 is still enabled
- SSL RC4 is still enabled.
Security Metrics PCI Compliance Site Certification Failed…
Microsoft Windows Server 2003 Unsupported Installation Detection
Firstly let me tell you they do not have a Windows Server 2003 on site, or indeed at all. I’ve been pullling my hair out trying to find out how this is being reported.
We have 3 ports open on the firewall, all for the exchange server : 25, 80 and 443 and the Exchange server is running Windows Server 2012 R2 with Exchange 2013.
After a site wide search, both physical looking and network scanning, we could not find anything that could be resulting in this detection, and anyway as I mention the only 3 ports open were all pointing at a Windows Server 2012 R2.
Anyway we contacted Security Metrics who said it may be a false report and to send them a screenshot. We email them a screenshot of the Windows Server 2012 R2 system properties and they have overridden this scan failure.
TLS Version 1.0 Protocol Detection
We are unable to disable this protocol as Exchange 2013 needs TLS 1.0. We are running all Exchange services on 1 server, so it may be different for you – only certain elements of Exchange 2013 need TLS 1.0.
Again we explained this to Security Metrics and verified we have have prioritised other protocols and ciphers first by default. Security Metrics were happy with this and have again overridden the fail.
SSL RC4 Cipher Suite Supported
We have disable RC4 from being support by running IISCrypto which you can get from :
This allowed us to select which Protocols and Ciphers we want and has a option to run as PCI complient or A Best Practice option. You will need to reboot the server after you run this for it to take effect.
I hope this helps, and maybe saves you time by contacting Security Metrics instead of spending time trying to lock down a server when it can’t be done.
Have you had similar problems ? Please let me know in the comments.