PCI Compliance Scans for Windows-based Accounts
If you or your client are required to ensure your website and
webspace meet the PCI compliance standards, this article explains
various issues that can arise in our Windows-based environment and how
they relate to any PCI compliance scans you may need to perform. There
are a number of common issues users run into when first performing such
scans. Below are the basic reasons for these findings and how they can
be resolved.
ASP.NET Web Server Information Disclosure
The most common issue encountered is that detailed error pages are visible to the web for ASP.NET applications by default.
Unless you or your client's developer needs to see these error
details for development reasons, you can enable custom error pages to
override that setting. This is done using a web.config file in the root
of your site space. A quick example of one such web.config file is
provided below. Placing the following content into a text file, renaming
it web.config and uploading it to your site space will do the trick and
will redirect any ASP.NET error pages to your root index.html file.
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- mode="On" hides detailed errors from every client; defaultRedirect is where visitors are sent instead -->
    <customErrors defaultRedirect="index.html" mode="On" />
  </system.web>
</configuration>
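Two offline checks for this finding, added here as an example and not part of the original article or of any scanner: one parses a web.config to confirm the customErrors element actually takes effect, the other looks at a captured HTTP response for the markers of the default ASP.NET detailed error page and for version-bearing headers. The marker lists and the sample response are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Strings found on the default ASP.NET detailed error page ("yellow screen")
# and response headers that commonly carry a version string. Assumed list;
# extend it with whatever your scanner actually reports.
BODY_MARKERS = (
    "Server Error in '/' Application",
    "Stack Trace:",
    "Version Information:",
)
HEADER_MARKERS = ("x-aspnet-version", "x-powered-by", "server")


def custom_errors_status(web_config_xml: str) -> dict:
    """Report whether customErrors in a web.config keeps detailed errors off the web."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/customErrors")
    if node is None:
        # No element: the server default applies, which on this platform shows details.
        return {"present": False, "mode": None, "redirect": None, "effective": False}
    mode = node.get("mode", "RemoteOnly")  # documented default when the attribute is omitted
    return {
        "present": True,
        "mode": mode,
        "redirect": node.get("defaultRedirect"),
        # "Off" shows stack traces to every client; "On" and "RemoteOnly" do not.
        "effective": mode in ("On", "RemoteOnly"),
    }


def disclosure_findings(headers: dict, body: str) -> list:
    """List disclosure indicators present in one captured response."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    for name in HEADER_MARKERS:
        if name in lower and re.search(r"\d", lower[name]):  # carries a version number
            findings.append(f"header {name}: {lower[name]}")
    for marker in BODY_MARKERS:
        if marker in body:
            findings.append(f"body contains: {marker}")
    return findings


if __name__ == "__main__":
    # Constructed sample of a leaky response, not a real capture.
    leaky_headers = {"Server": "Microsoft-IIS/8.5", "X-AspNet-Version": "4.0.30319"}
    leaky_body = "Server Error in '/' Application.\n...\nStack Trace:\n..."
    print(disclosure_findings(leaky_headers, leaky_body))
    print(custom_errors_status('<configuration><system.web>'
                               '<customErrors defaultRedirect="index.html" mode="On" />'
                               '</system.web></configuration>'))
```

Run the second helper against the web.config you upload, and the first against a response to a request for a non-existent .aspx page, to confirm the fix before re-running the scan.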
Serv-U SFTP Vulnerability
Some scans will indicate that our Serv-U installation is out of date
and requires an update to resolve a vulnerability affecting SFTP
connections on that Serv-U version.
While it is true we are running the version the scan has likely
detected, SFTP is completely disabled in our environment, so the
vulnerability does not affect your services.
Anonymous FTP Access
Another common issue is that by default and for your convenience, an
Anonymous FTP user is enabled. This user has only Read permissions and
is limited to the FTP subdirectory created by default on your account.
This user has no access outside of this folder nor are they able to
write any data.
Should this continue to be problematic please contact email@example.com for more details.