  1. #1
    Join Date
    Nov 2005
    Posts
    1,224

    IIS 6 - Security Metrics says "Outdated" - PCI Scan Failed

    Our IIS 6 servers are now failing PCI scans with a risk level of 4 (4 or more is failing) because Security Metrics has declared IIS 6 "outdated".

    Web server vulnerability Synoposis: Microsoft-IIS/6.0 appears to be outdated (4.0 for NT 4, 5.0 for Win2k, current is at least 7.5) Risk Factor: Medium/ CVSS2 Base Score: 4.0
    Is anyone else getting a failing grade solely because of this? Server 2003 and IIS 6 are still fully supported by Microsoft, and will continue to be for another couple years.

    We've been using Security Metrics to scan the same servers every quarter for the past 3 years. Until now, every scan has passed with no problems. But now this.

  2. #2
    Join Date
    Feb 2004
    Location
    Scotland
    Posts
    2,833
    Why not just mask the output from the server? I know it's not a perfect solution, but their scanning methods are not perfect either.
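The suggestion above is to hide the version banner rather than change anything about the server. The following added example (mine, not code from the thread, from Security Metrics or from Microsoft) shows what a version-banner check of the kind quoted in the first post can and cannot see. It parses the Server header out of a raw HTTP response and applies the rule the finding text describes (an IIS version below 7.5 counts as "outdated"); that rule, the 7.5 threshold and the helper names are my reading of the finding, not the scanner's real engine. The sample responses are constructed, not captured from any host.

```python
import re
from http.client import HTTPConnection
from typing import Optional, Tuple

# The finding quoted in the thread says "current is at least 7.5". This constant
# encodes that reading of the check; it is an assumption, not the scanner's logic.
CURRENT_IIS: Tuple[int, int] = (7, 5)

_SERVER_RE = re.compile(r"^Server:[ \t]*(.*?)[ \t]*$", re.IGNORECASE | re.MULTILINE)
_IIS_RE = re.compile(r"Microsoft-IIS/(\d+)\.(\d+)", re.IGNORECASE)


def server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None if absent."""
    text = raw_response.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]          # status line + headers only
    match = _SERVER_RE.search(head)
    return match.group(1) if match else None


def classify_banner(raw_response: str) -> Tuple[str, Optional[Tuple[int, int]]]:
    """Classify what a version-banner check would conclude from this response.

    Returns (verdict, version) where verdict is one of:
      'masked'   - no Server header at all (nothing to compare)
      'unknown'  - Server header present but no Microsoft-IIS/x.y token
      'outdated' - IIS version below CURRENT_IIS (the failing case in the thread)
      'current'  - IIS version at or above CURRENT_IIS
    """
    value = server_header(raw_response)
    if not value:
        return ("masked", None)
    match = _IIS_RE.search(value)
    if match is None:
        return ("unknown", None)
    version = (int(match.group(1)), int(match.group(2)))
    return ("outdated" if version < CURRENT_IIS else "current", version)


def fetch_raw_head(host: str, port: int = 80, path: str = "/") -> str:
    """Issue a HEAD request to a server you administer and rebuild the status
    line plus headers as raw text so it can be fed to classify_banner.
    Not exercised offline; the samples below stand in for it."""
    conn = HTTPConnection(host, port, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines += [f"{name}: {value}" for name, value in resp.getheaders()]
        return "\r\n".join(lines) + "\r\n\r\n"
    finally:
        conn.close()


# Constructed responses, not captured from any real host.
SAMPLE_UNMASKED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_MASKED = (
    "HTTP/1.1 200 OK\r\n"
    "X-Powered-By: ASP.NET\r\n"   # still a fingerprint, but no version to compare
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_GENERIC = "HTTP/1.1 200 OK\r\nServer: web\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("unmasked", SAMPLE_UNMASKED), ("masked", SAMPLE_MASKED),
                      ("generic", SAMPLE_GENERIC)]:
        print(name, classify_banner(raw))
```

Running the three samples shows the trade-off the post admits: the masked and generic responses give the check nothing to grade, so the "outdated" verdict disappears, but the server's patch state is exactly what it was before, and other headers such as X-Powered-By still identify the platform. For the dispute route discussed later in the thread, keep the unmasked banner and document the patch level instead.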

  3. #3
    Join Date
    Jun 2011
    Location
    Miami, FL
    Posts
    825
    Quote Originally Posted by Sekweta View Post
    Server 2003 and IIS 6 are still fully supported by Microsoft, and will continue to be for another couple years.
    Not 100% accurate. Mainstream support ended in July/2010, leaving only paid support, or security updates that MS feels compelled to provide as your support options.

    (http://support.microsoft.com/lifecyc...ilter=FilterNO)

    Besides, just because something is "supported" by the vendor doesn't mean it's the best option to ensure your data is secure...

  4. #4
    Join Date
    Nov 2005
    Posts
    1,224
    Mainstream support means no more added features, but security updates are just that-- security-- and this was a PCI security scan.

    Server 2003 is not necessarily the "best" option, but there are many servers in the world still running 2003 securely, and for many different reasons cannot be upgraded to 2008.

    But as long as MS is providing security fixes, there is no tangible reason to believe 2003 machines cannot be secure.

  5. #5
    Join Date
    Sep 2010
    Posts
    407
    You're going to have to upgrade at some point anyway, might as well get started now...

  6. #6
    Join Date
    Nov 2005
    Posts
    1,224
    We have some servers running apps not compatible with Server 2008, so at this time upgrading is not an option.

  7. #7
    Most apps just need some tweaks to get them running on w2k8. Are you sure that's not the case?

  8. #8
    Join Date
    Nov 2005
    Posts
    1,224
    Everyone seems to be missing the point of this thread.

    I'm not talking about an unsupported OS. Server 2003 and IIS 6 are still fully supported in the security context by Microsoft. If a vulnerability is discovered, it gets patched, and that will be the case for another few years.

    Causing someone to fail a PCI scan, based solely on the premise the server is not running the latest OS, is wholly unjustified.
    Last edited by Sekweta; 05-30-2012 at 08:08 AM.

  9. #9
    Join Date
    Jan 2011
    Location
    UK
    Posts
    776
    Security Metrics base their PCI ASV scan on the very tight guidelines laid down by the PCI security standards council, which in turn refers to the CVSS scores for vulnerabilities. Any ASV should therefore produce exactly the same result, so it's not particularly Security Metrics you have a problem with, it's basically the whole security industry!

    The real problem is that older software versions, even while still officially security patched, won't get the same attention and responsiveness as newer versions of the same software. That increases the likelihood of a vulnerability going unpatched or unnoticed for longer which raises the risk score for the whole product. They may also only get critical security updates, whereas updates to the latest version will address lower priority issues. The CVSS score in your report was 4, the lowest grade of medium level vulnerability.

    I don't see you have a way out of this - PCI is deliberately drawn very tightly. A PCI compliant environment really should be very low risk, not just not high risk. Using old (even while still officially supported) software increases risk.

    I can understand why you would be hacked off about it, but I also see why it's designed the way it is. There's a great annual report on security breaches from Verizon, this year one stat included was that 96% of breaches in organisations subject to PCI, were in organisations who were non-compliant. The real stat is probably higher as even those with a compliance certificate can become non-compliant between scans/audits, and it's at those points the risk is highest.
    Advania Thor Data Centre Iceland - www.thordc.com
    High Spec Colocation and Dedicated Servers, powered by cheap, abundant and 100% renewable energy.
    Enterprise grade hosting, ISO27001 accredited for security, and all at fantastic pricing.

    brian.rae@thordc.com

  10. #10
    Join Date
    Nov 2005
    Posts
    1,224
    My other complaint is the number of false positives. Just had a scan claim "could be vulnerable" and listed patches from 2003 and 2006 to fix. The server was deployed three years ago with Server 2003 SP2 slipstreamed in, plus all available Windows Updates have rigorously been installed.

    I also object to their claim about not being able to scan the server fully, blaming a firewall or IDS/IPS device in the middle, which is absolutely not the case-- not unless Level3, GBLX, or InterNAP are running such devices inside THEIR networks without our knowledge.

  11. #11
    Join Date
    Apr 2004
    Location
    Pacific Palisades, CA
    Posts
    3,641
    Quote Originally Posted by Sekweta View Post
    Everyone seems to be missing the point of this thread.

    I'm not talking about an unsupported OS. Server 2003 and IIS 6 are still fully supported in the security context by Microsoft. If a vulnerability is discovered, it gets patched, and that will be the case for another few years.

    Causing someone to fail a PCI scan, based solely on the premise the server is not running the latest OS, is wholly unjustified.
    Perhaps the reporting is wrong, or it is vague due to the age of the OS. Have you tried other scans? Maybe go through a manual checklist of things, then scan again; for example, check for ssl2 v. ssl3, run the IIS Lockdown tool, etc.
    Collabora Hosting - Unlimited Windows and Linux Hosting
    Web Security - VPS - Dedicated Servers
    Cloud and Managed WordPress Hosting
    Read how we do Unlimited Hosting at the Unlimited FAQ

  12. #12
    Join Date
    Nov 2005
    Posts
    1,224
    I've looked the server over, top to bottom. This server is scanned every quarter, and every quarter it passes. Most recent was Feb 2012 and it came through with a score of "0" risk.

    Now all of the sudden they're looking for two patches dating back to 2003 and 2006, and calling the OS outdated, producing a "Fail" result.

  13. #13
    Join Date
    Mar 2012
    Posts
    162
    Have you contacted Security Metrics support?

  14. #14
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,615
    Quote Originally Posted by Sekweta View Post
    My other complaint is the number of false positives. Just had a scan claim "could be vulnerable" and listed patches from 2003 and 2006 to fix. The server was deployed three years ago with Server 2003 SP2 slipstreamed in, plus all available Windows Updates have rigorously been installed.

    I also object to their claim about not being able to scan the server fully, blaming a firewall or IDS/IPS device in the middle, which is absolutely not the case-- not unless Level3, GBLX, or InterNAP are running such devices inside THEIR networks without our knowledge.
    I've had similar issues with RedHat/CentOS and their relatively 'old' packages which are actually patched fully up to date.

    Their test can't tell what patches/SPs you have, and since it's an older version of IIS they'd rather fail it by default and let you prove it's up to date than make any assumptions.

    A simple email/support ticket will usually get these things resolved.

    About the firewall issue -- if during test known ports initially respond then stop responding, you will have this problem. If you're sure you don't have any SPI/BFD/IDS in place, make sure their testing isn't making your box unresponsive. I've only seen this happen in a few instances where a webserver was misconfigured badly and otherwise extremely vulnerable to DOS because of top heavy scripts. Servers with all but 80 and 443 completely blocked still pass their scans without firewall warnings.

    I'm not trying to stick up for SM, but I'll be perfectly honest: after having dealt with a few others, I will tell you SM is by far the easiest to work with. If you can't get thru their tests even after going thru their support channels, you should probably hire a 3rd party to manage your server.
    Last edited by FastServ; 05-30-2012 at 10:13 AM.
    Fast Serv Networks, LLC | AS29889 | DDOS Protected | Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  15. #15
    Join Date
    Jun 2011
    Location
    Miami, FL
    Posts
    825
    Brian addressed the "supported" statement better than I did previously.

    Quote Originally Posted by Sekweta View Post
    But as long as MS is providing security fixes, there is no tangible reason to believe 2003 machines cannot be secure.

    Quote Originally Posted by Brian_R View Post
    The real problem is that older software versions, even while still officially security patched, won't get the same attention and responsiveness as newer versions of the same software. That increases the likelihood of a vulnerability going unpatched or unnoticed for longer which raises the risk score for the whole product. They may also only get critical security updates, whereas updates to the latest version will address lower priority issues. The CVSS score in your report was 4, the lowest grade of medium level vulnerability.

  16. #16
    Join Date
    Nov 2005
    Posts
    1,224
    Followup.

    At the time of my OP, I had already followed the instructions on contacting Security Metrics support for false positives and disputes. I waited 4 days without any response at all before posting here.

    I finally phoned in and jumped through hoops documenting the state of the server (patch levels, etc) to prove to their satisfaction the server was already patched against the 2 supposed "vulnerabilities" back in 2010. They had no explanation why simply being IIS version 6 was cause to fail the test.

    Long story short, they manually removed all the failing items and gave the server a passing grade.

    But there IS a downside, per the rep I dealt with. The scans run quarterly and every time these specific false positives are raised, I have to go through the same dispute process. I said that their scanning engine needs adjustment since we've documented beyond doubt the hits were false-- thereby proving the flawed detection methodology for these specific items-- but all I got in return (twice) was an apology for the inconvenience and a reiteration this will be an ongoing battle.

  17. #17
    Join Date
    Apr 2004
    Location
    Pacific Palisades, CA
    Posts
    3,641
    Did they mention which vulnerabilities or KB number?
    Collabora Hosting - Unlimited Windows and Linux Hosting
    Web Security - VPS - Dedicated Servers
    Cloud and Managed WordPress Hosting
    Read how we do Unlimited Hosting at the Unlimited FAQ

  18. #18
    Quote Originally Posted by Sekweta View Post
    But there IS a downside, per the rep I dealt with. The scans run quarterly and every time these specific false positives are raised, I have to go through the same dispute process. I said that their scanning engine needs adjustment since we've documented beyond doubt the hits were false-- thereby proving the flawed detection methodology for these specific items-- but all I got in return (twice) was an apology for the inconvenience and a reiteration this will be an ongoing battle.
    If they are being paid by you, they should put all your documentation on file and act accordingly.

    It would be really interesting if you could get the Microsoft Security team involved in discussions with your vendor since they are maligning Microsoft's product with no good reason. Microsoft probably has enough techs, security experts, lawyers, motivation and money to get Security Metrics to sit up and take notice.
    edgedirector.com
    managed dns global failover and load balance (gslb)
    exactstate.com
    uptime report for webhostingtalk.com

  19. #19
    Join Date
    Nov 2005
    Posts
    1,224
    Quote Originally Posted by Collabora View Post
    Did they mention which vulnerabilities or KB number?
    1.) "Possible Microsoft IIS ASP Remote Code Execution vulnerability" and referenced MS Security bulletins 03-018, 06-034, 08-062, and 10-065.

    2.) "Possible Microsoft IIS ASP Upload Command Execution vulnerability" and referenced (the same) MS Security bulletins 03-018, 06-034, 08-062, and 10-065.

    I knew these to be false positives. Server was fully up to date on patches, plus to be sure, I pulled an update history and confirmed every patch that was applicable to Server 2003 and IIS 6 had been installed long ago.

    Then number 3 was the one which angered me, since Microsoft has committed to providing security updates through 2015 for Server 2003: "Web server vulnerability Synoposis: Microsoft-IIS/6.0 appears to be outdated (4.0 for NT 4, 5.0 for Win2k, current is at least 7.5)"
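The dispute described in posts #16 and #19 came down to proving, from an update history, that the fixes for the four cited bulletins were already installed. The following added example (mine, not the poster's tooling and not anything from Security Metrics or Microsoft) does that check over a tab-separated update history export. The bulletin list comes from the post above; the bulletin-to-KB mapping is filled in from memory and is an assumption to confirm against each bulletin page before the output goes into a dispute; the history excerpt is constructed, not taken from any real server, and deliberately includes one failed install so the failure case is visible.

```python
import re
from datetime import date
from typing import Dict, List, Optional

# The four bulletins the scanner cited for findings 1 and 2 (from the thread).
REFERENCED_BULLETINS: List[str] = ["MS03-018", "MS06-034", "MS08-062", "MS10-065"]

# Bulletin -> KB article that delivers the fix on Server 2003 / IIS 6.
# ASSUMPTION: filled in from memory; confirm each value against the bulletin
# page before relying on this output in a dispute.
BULLETIN_TO_KB: Dict[str, str] = {
    "MS03-018": "KB811114",
    "MS06-034": "KB917537",
    "MS08-062": "KB953155",
    "MS10-065": "KB2267723",
}

# Constructed update history export (title<TAB>status<TAB>date). Not real data.
SAMPLE_HISTORY = """\
Security Update for Windows Server 2003 (KB811114)\tSuccessful\t2009-05-12
Security Update for Windows Server 2003 (KB917537)\tSuccessful\t2009-05-12
Security Update for Windows Server 2003 (KB953155)\tFailed\t2009-05-12
Security Update for Windows Server 2003 (KB2267723)\tSuccessful\t2010-09-15
Cumulative Security Update for Internet Explorer 8 (KB2360131)\tSuccessful\t2010-10-13
"""

_KB_RE = re.compile(r"\((KB\d+)\)")


def installed_updates(history_text: str) -> Dict[str, date]:
    """Map each KB with a successful install to its latest install date.
    Rows with any other status (Failed, Cancelled, ...) are ignored, so a KB
    only counts when the update actually went in."""
    installed: Dict[str, date] = {}
    for line in history_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue                       # malformed or blank row
        title, status, when = (p.strip() for p in parts)
        if status.lower() != "successful":
            continue
        match = _KB_RE.search(title)
        if match is None:
            continue
        kb = match.group(1)
        installed_on = date.fromisoformat(when)
        if kb not in installed or installed_on > installed[kb]:
            installed[kb] = installed_on
    return installed


def bulletin_status(history_text: str,
                    bulletins: List[str] = REFERENCED_BULLETINS,
                    mapping: Dict[str, str] = BULLETIN_TO_KB) -> Dict[str, Optional[date]]:
    """For each referenced bulletin, the date its KB was installed, or None if
    it is missing, failed, or has no KB in the mapping."""
    installed = installed_updates(history_text)
    result: Dict[str, Optional[date]] = {}
    for bulletin in bulletins:
        kb = mapping.get(bulletin)
        result[bulletin] = installed.get(kb) if kb else None
    return result


def missing_bulletins(history_text: str,
                      bulletins: List[str] = REFERENCED_BULLETINS,
                      mapping: Dict[str, str] = BULLETIN_TO_KB) -> List[str]:
    """Bulletins whose fix cannot be shown as installed from this history."""
    return [b for b, d in bulletin_status(history_text, bulletins, mapping).items()
            if d is None]


def evidence_report(history_text: str) -> str:
    """Plain-text summary suitable for attaching to a false-positive dispute."""
    lines = []
    for bulletin, installed_on in bulletin_status(history_text).items():
        kb = BULLETIN_TO_KB.get(bulletin, "no KB mapped")
        state = f"installed {installed_on.isoformat()}" if installed_on else "NOT SHOWN AS INSTALLED"
        lines.append(f"{bulletin} ({kb}): {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(evidence_report(SAMPLE_HISTORY))
    print("missing:", missing_bulletins(SAMPLE_HISTORY))
```

On the constructed history the report shows three bulletins installed and MS08-062 flagged, because its only row is a failed install; a real export that lists every cited KB as successful produces an empty missing list, which is the evidence the poster had to assemble by hand. Re-running it against each quarter's export gives the same documentation without repeating the manual work each time the finding recurs.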
