SBS 2003 and Exchange 2003 PCI Compliance
Posted by Russ Richards on 27 July 2012 10:41 AM
Audit issue 1: SSL Weak Cipher Suites Supported

Description from Audit: 
The remote service supports the use of weak SSL ciphers.
The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.

Workaround:

Click Start | Run, type regedit, and click OK.
Navigate to the following key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
Under each of the following subkeys: RC2 40/128, RC4 40/128, and RC4 56/128:
Right-click to create a DWORD value called "Enabled" and leave it at the default value of 0.

Audit issue 2: SSL Version 2 (v2) Protocol Detection

Description from Audit: 
The remote service encrypts traffic using a protocol with known weaknesses.
The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

Workaround:

Click Start | Run, type regedit, and click OK.
Navigate to the following key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
Right-click to create a DWORD value called "Enabled" and leave it at the default value of 0.
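Added example (not part of the original article): after applying the workarounds for audit issues 1 and 2, a quick way to confirm the result, or to check a fleet of servers, is to run `reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL schannel.reg` and inspect the export offline. The Python script below parses that export format and reports, for each subkey the article names, whether "Enabled" is 0 (disabled), non-zero (enabled), or absent. The absent case matters: with no "Enabled" value, SCHANNEL keeps its default, which for these ciphers and for SSL 2.0 is enabled, so a missing subkey is not a pass. The export text embedded in the script is constructed for the example.

```python
"""Check SCHANNEL weak-cipher and SSL 2.0 hardening from a `reg export` dump."""
import re

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

# Subkeys the article's workarounds expect to carry Enabled=0.
REQUIRED_DISABLED = [
    SCHANNEL + r"\Ciphers\RC2 40/128",
    SCHANNEL + r"\Ciphers\RC4 40/128",
    SCHANNEL + r"\Ciphers\RC4 56/128",
    SCHANNEL + r"\Protocols\SSL 2.0\Server",
]

# Constructed export for the example: RC2 40/128 correctly disabled,
# RC4 40/128 explicitly enabled, RC4 56/128 missing, SSL 2.0 disabled.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}} from .reg text.

    Key paths and value names are lower-cased because the registry is
    case-insensitive.  A real export written by reg.exe is UTF-16 with a
    BOM, so read the file with open(path, encoding="utf-16") first.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = re.fullmatch(r"\[(.+)\]", line)
        if key_match:
            current = key_match.group(1).lower()
            keys[current] = {}
            continue
        value_match = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if value_match and current is not None:
            keys[current][value_match.group(1).lower()] = value_match.group(2)
    return keys


def enabled_state(keys, key_path):
    """Map one subkey to 'disabled', 'enabled' or 'missing'."""
    values = keys.get(key_path.lower())
    if values is None or "enabled" not in values:
        return "missing"          # no value -> SCHANNEL default applies (enabled)
    dword = re.fullmatch(r"dword:([0-9a-fA-F]{8})", values["enabled"])
    if dword and int(dword.group(1), 16) == 0:
        return "disabled"
    return "enabled"              # any non-zero DWORD (0xffffffff is common) keeps it on


def audit(export_text):
    """Return {subkey: state} for every subkey the article tells you to disable."""
    keys = parse_reg_export(export_text)
    return {k: enabled_state(keys, k) for k in REQUIRED_DISABLED}


if __name__ == "__main__":
    for key, state in audit(SAMPLE_EXPORT).items():
        print(f"{state:9s} {key}")
```

Anything reported as "enabled" or "missing" still needs the registry edit described above; the scanner will keep flagging it until every listed subkey reads "disabled".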

Audit issue 3: Microsoft Outlook Web Access (OWA) owalogon.asp Redirection Account Enumeration

Description from Audit:
The remote web server is affected by a URL injection vulnerability.
The remote host is running Microsoft Outlook Web Access 2003. Due to a lack of sanitization of the user input, the remote version of this software is vulnerable to URL injection that can be exploited to redirect a user to a different, unauthorized web server after authenticating to OWA. This unauthorized site could be used to capture sensitive information by appearing to be part of the web application.

Workaround:

Open a command prompt (Start | Run, type "cmd").
Type the following two commands (substituting your correct OWA address):
CD C:\Inetpub\AdminScripts
cscript.exe adsutil.vbs set w3svc/1/SetHostName mail.mydomain.com

Audit issue 4: This web server leaks a private IP address through its HTTP headers.

Description from Audit:
This web server leaks a private IP address through its HTTP headers.
This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. There is a known issue with Microsoft IIS 4.0 doing this in its default configuration. This may also affect other web servers, web applications, web proxies, load balancers and through a variety of misconfigurations related to redirection.

Workaround:

Open C:\Program Files\Exchsrvr\exchweb\bin\auth\usa\logon.asp in Notepad and go to line 54.
Find: redirectPath = Request.QueryString("url")
Change to: redirectPath = "https://mail.yourdomain.com/exchange"
To test, use a computer from outside the network to connect to:
https://mail.yourdomain.com/exchweb/bin/auth/owalogon.asp?url=https://google.com
Substitute mail.yourdomain.com with your Outlook Web Access address.
Without the workaround, your browser will be redirected to google.com.
With the workaround, you will just see your OWA logon page.
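Added example (not from the article, and not Microsoft's OWA code): the workaround above hard-codes the post-logon redirect, which is the simplest fix. The Python below shows the general rule behind it and goes beyond the page in that respect: keep the `url` parameter only if it resolves to the OWA host, and fall back to the hard-coded /exchange path otherwise. It also implements the manual test step offline, classifying a captured Location header as an off-host redirect (issue 3) or as a leaked private IP address (issue 4). mail.yourdomain.com is the article's placeholder; the Location values at the bottom are constructed for the example.

```python
"""Redirect-target validation and Location-header checks for the OWA logon page."""
import ipaddress
from urllib.parse import urljoin, urlsplit

OWA_DEFAULT = "https://mail.yourdomain.com/exchange"   # placeholder host from the article


def safe_redirect_target(url_param, default=OWA_DEFAULT):
    """Return url_param if it stays on the OWA host, else the hard-coded default.

    This is what the article's one-line edit achieves for every input; the
    difference is that legitimate same-host targets (e.g. a deep link into
    /exchange) are preserved instead of being discarded.
    """
    if not url_param or not url_param.strip():
        return default
    base = urlsplit(default)
    # Browsers treat backslashes as slashes, so "\\evil.example" would parse
    # here as a relative path but be followed by the browser as a host.
    candidate = urljoin(default, url_param.strip().replace("\\", "/"))
    parts = urlsplit(candidate)
    # Compare the whole netloc, not just the hostname: "owa@evil.example",
    # unexpected ports and protocol-relative "//evil.example" all fail closed.
    if parts.scheme != base.scheme or parts.netloc.lower() != base.netloc.lower():
        return default
    return candidate


def host_is_private_ip(netloc):
    """True when the host part of a netloc is an RFC 1918 / private address."""
    host = urlsplit("//" + netloc).hostname      # drops userinfo, port, [v6] brackets
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:                           # a DNS name, not an IP literal
        return False


def location_findings(location, expected_host):
    """Classify a Location header value the way the article's manual test does."""
    findings = []
    parts = urlsplit(location)
    if parts.netloc and parts.netloc.lower() != expected_host.lower():
        findings.append("off-host redirect to " + parts.netloc)
    if parts.netloc and host_is_private_ip(parts.netloc):
        findings.append("private IP leaked in Location header: " + parts.netloc)
    return findings


# Constructed Location headers: an open redirect, a private-IP leak, and a clean one.
CAPTURED_LOCATIONS = [
    "https://google.com/",
    "https://192.168.16.2/exchweb/bin/auth/owalogon.asp",
    "https://mail.yourdomain.com/exchange/",
]

if __name__ == "__main__":
    for loc in CAPTURED_LOCATIONS:
        print(loc, "->", location_findings(loc, "mail.yourdomain.com") or ["ok"])
    for param in ("https://google.com", "//google.com/x", "/exchange/inbox"):
        print(repr(param), "->", safe_redirect_target(param))
```

Note that `location_findings` reports the private-IP case twice (off-host and leaked IP) when the expected host is a DNS name; that is intentional, since both audit items apply to such a response.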

If everything went smoothly, OWA still works after the server reboots, and you will pass the PCI audit (Nessus) scan.