I have a new install of Exchange 2013 - single server environment, with a small business. I am failing the following PCI compliancy items. Does anyone have any information on how to fix these issues? Do I need to look at like a Forefront TMG product to pass?  Does Microsoft even make a Forefront TMG product anymore?

x.x.x.x:443 osCommerce allows

cross-site scripting

CVE-2003-1219

medium 4.3 FAIL SQL/XSS

/SSL

vulnerabilities

are not PCI

compliant

x.x.x.x:443 SSL/TLS server supports

RC4 ciphers

CVE-2013-2566

medium 4.3 FAIL

x.x.x.x:443 SSL/TLS server supports

RC4 ciphers

CVE-2015-2808

medium 4.3 FAIL

x.x.x.x:443 server is susceptible to

BEAST attack

CVE-2011-3389

medium 4.3 FAIL

x.x.x.x:443 server is susceptible to SSL

POODLE attack

CVE-2014-3566

medium 4.3 FAIL

TMG is no longer available.

I have a new install of Exchange 2013 - single server environment, with a small business. I am failing the following PCI compliancy items. Does anyone have any information on how to fix these issues? Do I need to look at like a Forefront TMG product to pass?  Does Microsoft even make a Forefront TMG product anymore?

x.x.x.x:443 osCommerce allows

cross-site scripting

CVE-2003-1219

medium 4.3 FAIL SQL/XSS

/SSL

vulnerabilities

are not PCI

compliant

x.x.x.x:443 SSL/TLS server supports

RC4 ciphers

CVE-2013-2566

medium 4.3 FAIL

x.x.x.x:443 SSL/TLS server supports

RC4 ciphers

CVE-2015-2808

medium 4.3 FAIL

x.x.x.x:443 server is susceptible to

BEAST attack

CVE-2011-3389

medium 4.3 FAIL

x.x.x.x:443 server is susceptible to SSL

POODLE attack

CVE-2014-3566

medium 4.3 FAIL

These items can all be resolved by applying the correct configurations to your webserver/web-applications.
(you're probably using the out-of-the-box defaults, which leave a lot of these items enabled...)

In the case of the first item, talk to the folks at osCommerce and get their product fixed.

If you don't already have some kind of firewall appliance or product, there are plenty to choose from.

It is an out of the box install of Exchange 2013 on Server 2012R2.  Besides an antivirus product, nothing else is installed on this machine.  It all sits behind a sonicwall firewall.

It is an out of the box install of Exchange 2013 on Server 2012R2.  Besides an antivirus product, nothing else is installed on this machine.  It all sits behind a sonicwall firewall.

take a stroll through here, or ask questions there is you need to, there's a lot of related Q&A there for your items:
https://social.technet.microsoft.com/Forums/en-US/home?forum=winserversecurity

Hi ,

Thank you for your question.

Did you install Exchange server 2013 on DC?

Whats role you want to install on this server? If this is an Exchange 2013 Edge server, we could refer to the following link:

https://technet.microsoft.com/en-us/library/dn635117(v=exchg.150).aspx

What is about cross site?

We could uninstall anti-virus production on this server, then re-run the prerequisites on this server by the following link to check if the issue persist:

https://technet.microsoft.com/en-us/library/bb691354(v=exchg.150).aspx

If it is successful, we could install anti-virus production later.

In addition, we could check if there are any errors in application log then send them to ibsexc@microsoft.com for our troubleshooting.

If there are any questions regarding this issue, please be free to let me know.

Best Regard,

Jim

This is a 2012 R2 server with Exchange 2013. Nothing else. It does not have the edge roll installed.  I changed the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server enabled registry key to a value of 0, and I still show as vulnerable to the POODLE and BEAST vulnerabilities.

Hi RD,

 We could deploy Exchange 2013 step by step though the following link:

https://technet.microsoft.com/en-us/library/aa998636%28v=exchg.150%29.aspx

we should make sure we have install all requirements.

If not, you could post the snapshot of error for our troubleshooting.

If there are any questions regarding this issue, please be free to let me know.

Best Regard,

Jim

There is no error. Exchange functions perfectly, other than it is failing an external PCI compliancy test.

What about disabling the RC4 reg keys?  And after you made the change to the reg keys for POODLE and BEAST vulnerabilities, did you restart the server to apply the changes?

Hi RD,

If the Exchange work, it may be problematic with PCI, we suggest you ask third-party for help.

If there are any questions regarding this issue, please be free to let me know.

Best Regard,

Jim

To B0ndoo7, yes I did disable the RC4 keys.  I got a passed test today for both POODLE and BEAST.  It's odd, because the other online test I was using was still indicating a failure.

The only failure I still have is the osCommerce allows cross-site scripting one, which is odd, because osCommerce is not installed on this machine.

CVE-2003-1219

Very strange if you're not using their products.  Can you search for a file named "html_output.php"?  Following article - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1219 This vulnerability is old too, originally recorded in 2003.

Not finding a html_output.php file on that machine.

According to this site:

http://forums.oscommerce.com/topic/390308-pci-compliance-scan-failures-oscommerce-or-my-host-provider/

That osCommerce failure (CVE-2003-1219) is a false-positive.  You said it yourself, "osCommerce is not installed on this machine."  I'd got back to the vendor doing the PCI scan and inform them of this, if you haven't already.  I've been involved in several PCI scans for clients and there are some things that can't be resolved, or are false-positives.  For those items, sometimes the PCI vendor will grant a waiver (exception) and give you a passing compliance scan.