SBS and PCI compliance scans

  • SBS and PCI compliance scans


    We are running SBS2003 and have to pass PCI compliance scans ... which appear to be Nessus scans (Security Metrics are our bank's chosen company).

    All was well until recently.

    I'd locked things down and we were passing their scans. (I'd disabled the weak SSL ciphers and protocols, no IMAP, closed the apparent tendency of Exchange to relay in its out-of-the-box configuration, and felt all was good.)

    Now we are suddenly failing due to a "possible vulnerability in PKI net tools ... which may not have Hotfix 3.0 applied" - apparently it shows up on port 444.

    As far as I know, SBS doesn't have Net Tools PKI server running on port 444?

    I'm confused. The scan is only highlighting this as a possible vulnerability in software that may possibly exist and may possibly not have the hotfix, but we still fail because of this ... Fines from the bank start next month unless we can get a pass.

    I don't know what to do.

    Has anyone any advice?

    Thanks in advance.

  • #2
    Re: SBS and PCI compliance scans

    Excerpt from the report:

    Protocol  Port  Program  Score  Summary
    TCP       444   N/A      7.5
    Title: Possible vulnerability in Net Tools PKI Server
    Impact: Several vulnerabilities in Net Tools PKI server, if present, could allow a remote attacker to execute arbitrary code or to view and download any file on the server.
    Resolution: Contact the vendor for Hotfix 3 for Net Tools PKI Server 1.0. If Hotfix 3 or higher has already been applied, then the system does not have these vulnerabilities. Versions higher than 1.0 are not affected by these vulnerabilities.
    Risk Factor: High / CVSS2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
    CVE: CVE-2000-0741
    BID: 1536 1537 1538
    Additional CVEs: CVE-2000-0740 CVE-2000-0739


    How do I find out what is running on port 444?

    When I run a list from the command prompt, all I get is the Firewall PID, nothing else ...

    Does IIS run on 444? Does IIS use Net Tools?

    Sorry for the additional questions but I am stuck!


    • #3
      Re: SBS and PCI compliance scans

      Doesn't SharePoint run on 444?
      I had a utility company that failed a PCI scan due to RWW and OWA.


      • #4
        Re: SBS and PCI compliance scans

        Originally posted by dbwillis
        Doesn't SharePoint run on 444?
        I had a utility company that failed a PCI scan due to RWW and OWA.
        Thanks - although you should still be able to pass PCI with OWA and RWW; we did for over six months. The mystery is that nothing has changed on our server, yet we are now failing for a "POSSIBLE" vulnerability.

        I need to show the security company that the vulnerability does not exist (or patch it if it does!)

        IIS is running on 80 - this passes PCI.
        IIS is running on 443 (SSL) - this also passes PCI.

        nmap shows the following on the attached screenshot.

        This fails the PCI scan due to the possible issue with Net Tools PKI Server.

        - My big question is: does IIS (or SBS2003 SP2) actually use Net Tools PKI Server at all?

        And if so, surely any vulnerability would have been patched (the server is up to date with all Windows Updates)?

        Thanks once again - I am hoping that if SBS does not have Net Tools, then this is simply a "false positive" from the scan and we can persuade the company to give us a pass.

        Also ... the PCI compliance requirement is going to be coming round worldwide, everybody .... It's the latest craze and very profitable for the "security companies". We have to pay to be "audited", and we have to be scanned as part of our bank's requirements; therefore we - and thousands of other companies - are paying big bucks for this.


        • #5
          Re: SBS and PCI compliance scans

          Problem answered:

          Just in case anyone else comes up against this:

          SBS does not use Net Tools PKI server ... The fail was a "false positive".

          We sent the company our own nmap scan results, and a screenshot of a netstat port report from the cmd line showing the PID of what was running on port 444.

          This was enough to get them to manually adjust our scan results to a pass.

          IIS runs on 444 for 'companyweb', but this passes; the PCI scan assumes Net Tools may be present when port 444 is open.

          You can get SBS 2003 to pass PCI compliance with the companyweb site and things like OWA and other services running (and a Win2k server to pass also), but you do have to make quite a few adjustments to get there.

          Just thought I'd pass on the news!!

          We are finally back
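          The port-to-PID evidence asked for in #2 and sent to the vendor in #5 can be produced mechanically. The following Python is an added example, not code from this thread: it parses the output of `netstat -ano` and `tasklist /FO CSV` (constructed sample data here) and reports which process owns a listener on a given port, so a "possible vulnerability on port 444" finding can be answered with the actual listener.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed sample reports (not captured from a real SBS host). On the server
# itself the same two reports come from:  netstat -ano  and  tasklist /FO CSV
# Ports 80/443/444 are attributed to PID 4 (System) here, as happens when the
# http.sys kernel driver holds the listener on behalf of IIS 6.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1540
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:444            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.2:444        203.0.113.9:51234      ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"inetinfo.exe","1540","Console","0","12,384 K"
"w3wp.exe","2260","Console","0","41,120 K"
'''

# proto, local address, local port, foreign address, optional state, PID
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s+(\d+)\s*$")

def parse_netstat(text: str) -> List[Tuple[str, str, int, str, int]]:
    """Rows of (proto, local_addr, local_port, state, pid); UDP rows get state ''."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, addr, port, _foreign, state, pid = m.groups()
            rows.append((proto, addr, int(port), state or "", int(pid)))
    return rows

def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist /FO CSV` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}

def owners_of_port(netstat_text: str, tasklist_text: str, port: int) -> List[Tuple[str, str, int, str]]:
    """(proto, local_addr, pid, image) for each listener bound to `port`."""
    images = parse_tasklist(tasklist_text)
    return [(proto, addr, pid, images.get(pid, "<unknown>"))
            for proto, addr, p, state, pid in parse_netstat(netstat_text)
            if p == port and (proto == "UDP" or state == "LISTENING")]
```

Established connections are ignored so that only the bound listener is reported; a PID of 4 (System) on an HTTP port points at http.sys/IIS rather than a separate server program.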


          • #6
            Re: SBS and PCI compliance scans

            Thanks for reporting back.
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd

            ** Remember to give credit where credit is due and leave reputation points where appropriate **


            • #7
              Re: SBS and PCI compliance scans

              FYI, SharePoint companyweb runs on port 444, but you can't get to it directly unless you open 4125 also. I forget the exact sequence, but it is something like you go in on https to 443 using your domain username and password. Then....
              never mind, it is all written here

              Steven Teiger [SBS-MVP(2003-2009)]
              I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

              We don't stop playing because we grow old, we grow old because we stop playing.