That's not humor... we really are!!

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mike Anderson
Sent: Monday, January 04, 2010 2:19 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Failing PCI Compliance tests

The sense of humor the members of this list possess never ceases to put a smile on my face :)

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Saturday, January 02, 2010 11:28 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Failing PCI Compliance tests

We all feel naked, Mike. But that's because many of us really are.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mike Anderson
Sent: Saturday, January 02, 2010 9:04 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Failing PCI Compliance tests

Thank you all SO MUCH for your amazingly quick replies - my boss will be very pleased once I put these changes into place. I can't begin to tell you how naked I felt diving into this whole area. Again, thank you, and have a great new year, everybody!!!

Mike

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau
Sent: Thursday, December 31, 2009 10:31 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Failing PCI Compliance tests

Mike, I had the same issues with PCI compliance even though we technically don't take credit cards and use the Ticketmaster application (direct VPN tunnel) for the orders. Jerry's recommendations did the trick for me, but it had to be done on the ISA servers - it was NOT an issue with certs, just the SSL settings on the ISA boxes.
Steve Comeau
Associate Director of IT
Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mike Anderson
Sent: Thursday, December 31, 2009 7:46 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Failing PCI Compliance tests

Hello All,

We have a Win2K3 web server behind an ISA 2004 Server, which hosts our website (with an SSL certificate for doing credit card transactions). As of 3 months ago, we started getting these warning e-mails from our credit card merchant people stating that we failed their PCI Compliance test. If we don't get this fixed, we will start to be penalized, and we can't let that happen.

SSL certs are probably one of my weakest areas, and I just know enough to get by. The PDF generated from their automated system outlined the trouble areas and offered some websites we could visit that could help remedy the problem. I must say, being a technical person myself, I had a hard time navigating the documents in addition to understanding how they applied to our problem.

The next 2 blocks of text are the 2 primary areas that killed our PCI Compliance score, and if we can fix this, we should be okay once again. BTW, the following blocks of text correspond to TCP, Port 443 & HTTPS...

The first one:

Synopsis: The remote service supports the use of weak SSL ciphers.
Description: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
See also: http://www.openssl.org/docs/apps/ciphers.html
Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output: Here is the list of weak SSL ciphers supported by the remote server:
Low Strength Ciphers...
The second one:

Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.
Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See also: http://www.schneier.com/paper-ssl.pdf
Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Risk Factor: Medium / CVSS Base Score: 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Now my question is, does the ISA Server come into play with this whole thing? Or is the primary problem relating to our web server and how the SSL cert was originally created? I didn't create the initial key and purchase the original certificate, but I know darn sure that the person who did would have selected the strongest encryption available at the time - which would have given us the peace of mind of secure transactions.

I know that in order to get the SSL to pass through the ISA Server, we had to export the SSL cert from the web server and install it on the ISA Server. Was there something different that I should have done during that process? Do we possibly have to trash our existing SSL cert and reapply for a newer, stronger one?

Again, I apologize for being so green in this area - I can only be good at so many things :)

Thank you all again in advance for all your wonderful help.

Mike

Rutgers University - DIA
83 Rockafeller Road
Piscataway, NJ 08854
www.scarletknights.com
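Both scanner findings are about which protocol versions and cipher suites the HTTPS endpoint is willing to negotiate. That is controlled by the SCHANNEL configuration of whatever host terminates the SSL connection (with ISA SSL web publishing, the ISA server; the published IIS box too if ISA bridges to it over SSL), and it is independent of the certificate or its key size, so re-keying the certificate would not change the result. The following batch script is an added example, not code from the list or from any of the posters (and not "Jerry's recommendations", which do not appear on the page); it applies the documented SCHANNEL registry settings on Windows Server 2003 / ISA Server 2004 to refuse SSL 2.0 and the low-strength suites the first finding lists. The exact set of cipher key names disabled here is my selection of the NULL, export-grade and single-DES entries; check it against what the scanner actually reported. A reboot is required for SCHANNEL to pick the keys up.

```batch
@echo off
rem Added example (not from the thread): harden SCHANNEL on the host that
rem terminates HTTPS. Run as an administrator on the ISA Server (and on the
rem published web server if ISA bridges to it over SSL), then reboot.
setlocal
set SCH=HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

rem --- Second finding: SSL 2.0 accepted. Refuse it for inbound connections. ---
rem Enabled = 0 under the protocol's "Server" subkey disables it server-side.
reg add "%SCH%\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f

rem --- First finding: weak ciphers. Disable NULL, export-grade and single DES. ---
rem The key names contain a forward slash, which the regedit GUI cannot create,
rem so they are created with reg.exe. The list is an assumption; match it to the
rem "Low Strength Ciphers" the scanner listed.
for %%C in (
  "NULL"
  "DES 56/56"
  "RC2 40/128"
  "RC2 56/128"
  "RC4 40/128"
  "RC4 56/128"
  "RC4 64/128"
) do reg add "%SCH%\Ciphers\%%~C" /v Enabled /t REG_DWORD /d 0 /f

rem Show the resulting configuration so it can be reviewed before rebooting.
reg query "%SCH%\Protocols\SSL 2.0\Server"
reg query "%SCH%\Ciphers" /s
endlocal
echo Reboot required for SCHANNEL to apply these settings.
```

After the reboot, re-check from another machine rather than trusting the registry alone; `nmap --script ssl-enum-ciphers -p 443 <host>` lists every protocol version and suite the endpoint still accepts, which is the same view the compliance scanner takes. Two caveats: the only SSL 2.0 alternatives a Windows Server 2003 host can offer are SSL 3.0 and TLS 1.0, so do not disable those on that platform or the listener will accept nothing; and the scanner's advice to move to "SSL 3.0 or TLS 1.0" reflects the PCI requirements of the time, as later PCI DSS revisions dropped SSL 3.0 and TLS 1.0 from the protocols considered strong cryptography, which on this platform ultimately means a newer operating system rather than a registry change.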