
One of our web servers just failed PCI-DSS compliance because the vulnerability scan detected the OS as Windows Server 2003 Service Pack 1 (obviously very outdated!).

My question is: how did the vulnerability scan detect this? I can't seem to find a way to source the same information without having AD access to that box (it's on a service provider's network). Even nmap only provides guesses at the OS version:

Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (99%)

So how do I verify this before sending a very, very angry email to our provider? If this is accurate, then I'd say this is negligence and my email tone to them won't be very good.

I have no login access to this box.

SnakeDoc

1 Answer


Close all ports. Reassign the RDP port. Modify the TTL. Then, most likely, your system will not be identified from its responses.

Modify the TTL:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DefaultTTL"=dword:00000040   ; 64 decimal (the Windows default is 128)

Reassign the RDP port (mstsc :3333):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d05   ; 3333 decimal

Reassign the VPN port:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0003]
"TCPPortNumber"=dword:<VPN port number, in hex>

Disable IPv6:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents"=dword:ffffffff

From the command line, disable the IPv6 Teredo, 6to4 and ISATAP interfaces:

netsh interface teredo set state disabled
netsh interface ipv6 6to4 set state state=disabled undoonstop=disabled
netsh interface ipv6 isatap set state state=disabled

Change the service responses, and so on and so forth ...

Close all ports that are not needed.

STTR
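The answer above lists its registry changes as separate fragments. The following script is an added example, not part of the original answer or of any Microsoft tooling: it applies the same three settings (TTL 64, RDP on port 3333, IPv6 components disabled) from a single table, runs the three netsh commands, opens the firewall for the new RDP port, and then reads every value back so you can see what actually landed. It assumes an elevated PowerShell prompt on the target server, the legacy `netsh firewall` context that Windows Server 2003 ships with, and that the VPN adapter key is left out because its instance path and port number are site-specific. A reboot is required before all of the changes take effect.

```powershell
# Added example (not from the original answer): apply the fingerprint-obscuring
# settings the answer lists, then verify them by reading the registry back.
# Run from an elevated prompt; reboot afterwards.

$ErrorActionPreference = 'Stop'

# One table drives both the write and the read-back check.
# DWORD is a 32-bit value: the answer's 0xffffffff is stored by writing -1,
# which has the same bit pattern and avoids an Int32 overflow on write.
$settings = @(
    @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Name  = 'DefaultTTL'
       Value = 64 }          # Windows default is 128; 64 looks like Linux/BSD
    @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Name  = 'PortNumber'
       Value = 3333 }        # move RDP off 3389 (0x0d05 in the .reg fragment)
    @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
       Name  = 'DisabledComponents'
       Value = -1 }          # 0xffffffff as in the answer
)

foreach ($s in $settings) {
    if (-not (Test-Path $s.Path)) {
        New-Item -Path $s.Path -Force | Out-Null   # Tcpip6 key may be absent
    }
    # -Type DWord keeps the value REG_DWORD even when the value did not exist.
    Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
}

# Disable the IPv6 transition interfaces (same commands as the answer).
netsh interface teredo set state disabled
netsh interface ipv6 6to4 set state state=disabled undoonstop=disabled
netsh interface ipv6 isatap set state state=disabled

# Moving RDP without opening the new port locks you out after the reboot.
# Legacy netsh firewall syntax (Server 2003 / XP); newer systems use
# 'netsh advfirewall' or New-NetFirewallRule instead.
netsh firewall add portopening TCP 3333 "RDP on 3333"

# Read back every setting and report mismatches.
$report = foreach ($s in $settings) {
    $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name).($s.Name)
    [pscustomobject]@{
        Setting  = $s.Name
        Expected = $s.Value
        Actual   = $actual
        OK       = ($actual -eq $s.Value)
    }
}
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.OK }) {
    Write-Warning 'One or more settings did not apply; do not reboot until fixed.'
}
```

Note what this does and does not achieve: the TTL and port changes alter what a remote scanner can infer from IP headers and well-known ports, but they do not change the installed OS or its patch level. A credentialed scan, or one that reads service banners and protocol-level version fields, can still identify Windows Server 2003, so these steps address the fingerprint, not the finding behind it.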