-1

I have a client that was scanned and determined not to be PCI compliant. I looked and they had IIS set up to allow a program from central office to push/pull info from their server. Many of the reasons they failed appeared to have been fixed in SPs (they were on SP2) or security updates. I fully patched the server to (Windows XP Pro) SP3 with all optional updates. I had them scan again and again they failed with only one less vulnerability, which I manually corrected (the server was showing debugging/error messages). The main issue I'm having is that when I research the CVE code for each error, they say they are fixed in SP2 and up. I'm wondering if I need to remove IIS and set it up again since I have patched to SP3. Any ideas?

CodesInChaos
Mudman266
  • Yes, use a real Windows Server. – Rilindo Oct 26 '11 at 15:19
  • "I fully patched the server to (Windows XP Pro) SP3" - **o_O** – Chris S Oct 26 '11 at 15:21
  • Are you sure the vulnerabilities weren't fixed in *Windows Server 2003 SP2*, and not *Windows XP SP2*? Windows XP is not a server OS, and IIS 5 is ancient. – Shane Madden Oct 26 '11 at 15:21
  • I'm curious to know what company needs to meet PCI compliance and is using IIS 5 on Windows XP as a server. I'd like to make sure that I never ever ever do any online business with them. – MDMarra Oct 26 '11 at 15:23
  • @ShaneMadden http://technet.microsoft.com/en-us/security/bulletin/ms03-018 If you click through this to Patch Availability, IIS 5.1, X86, it gives you the Win XP SP2 patch which can only be applied to SP1. The only content being served is the point of sale information (sales, timekeeping, etc). There is no web ordering or website setup. – Mudman266 Oct 26 '11 at 16:00
  • @Mudman266 It detected a vulnerability from 2003? You've probably successfully patched that, then, meaning the scanner has some faulty detection logic - but, come on, it's IIS 5. Good scanning and detection for it shouldn't be at the top of any vulnerability scanner's priorities. – Shane Madden Oct 26 '11 at 17:22
  • I think @Rilindo's answer, while hard work, is the only real solution. Many of the issues in IIS 5 will not be fixed - the recommendation is to upgrade, not to patch. – Rory Alsop Nov 23 '11 at 15:37

1 Answer

8

It's been said in comments, but I don't see an answer posted, so I'll say it here:

Use a real Server OS, and a current version of IIS.

Support for IIS 5.0 ended on July 13, 2010, so any newly discovered security vulnerabilities for that version will not be patched. Even if you apply all the available patches, any zero-day exploits developed against IIS 5 will be forever usable against your system unless you upgrade to a newer version.

Similarly, support for Windows XP is coming quickly to an end (or has already ended, depending on Service Pack). Microsoft stopped releasing updates for Service Pack 2 at the same time as IIS 5. Support for Service Pack 3 is currently scheduled to expire (and we're not expecting any more extensions this time) on April 8, 2014.

The latest version of IIS is 7.5 and can only be run as a part of Server 2008 R2. Support (including security updates) for those products should extend until at least 2018. After (but preferably some time in advance of) that point, you should again upgrade to the latest Service Packs or a newer version - whichever is applicable.

Sources:

https://en.wikipedia.org/wiki/Windows_XP#Support_lifecycle
https://en.wikipedia.org/wiki/Internet_Information_Services#Versions
http://support.microsoft.com/lifecycle/search/default.aspx

Rob
Iszi
  • I would also suggest that you audit the environment against the relevant PCI standards (https://www.pcisecuritystandards.org/security_standards/documents.php - PCI DSS 2.0 is almost certainly what you want to match up with) to ensure true compliance. A vulnerability scan is only a very small part of what is required here... – voretaq7 Nov 23 '11 at 17:40