
We are a small business and we process credit cards through our desktop PC via the webpage myvirtualmerchant.com.

And Trustwave keeps scanning our PC and giving us a fail status. Below is the report showing why we fail the scan.

Can anyone tell me what to do to correct this problem?

Also, we use Firefox as our web browser. Internet Explorer has been uninstalled.


Robert
    The TLS on your RDP port is running afoul of new requirements: see [PCI Compliance Scan Failing for supporting TLS 1.0, but removing support breaks < IE 10](http://security.stackexchange.com/questions/87071/pci-compliance-scan-failing-for-supporting-tls-1-0-but-removing-support-breaks). Look into [this patch](https://support.microsoft.com/en-us/kb/3080079) to fix the problem for the RDP server on your PC. – gowenfawr Oct 15 '15 at 14:07
  • The above-mentioned patch is already installed – Robert Oct 15 '15 at 14:33
  • I believe you need to [tweak which SSL/TLS versions are used via the registry as well](https://technet.microsoft.com/en-us/library/dn786418.aspx#BKMK_SchannelTR_TLS10); the patch adds support for newer TLS versions but doesn't enforce their use. – gowenfawr Oct 15 '15 at 14:38
  • Could I simply uninstall RDP altogether? – Robert Oct 15 '15 at 14:52
  • Yes, if you're not using it, uninstalling RDP would be sufficient (the scanner would stop hitting it!) and better (less attack surface). – gowenfawr Oct 15 '15 at 15:10
  • Trustwave said to contact our local ISP, which I did. Local ISP said it looks like maybe my router is to blame. Just disabled guest Wi-Fi and scheduled a new scan. Waiting for the results – Robert Oct 15 '15 at 21:53

1 Answer

I can see that most of the findings are related to port 3389, which is for Remote Desktop. You have some issues related to the SSL certificate you use for Remote Desktop. I will try to mention them and give some guidance for solving some of them.

  1. TLSv1.0 is supported: the port supports what seems to be an obsolete version of TLS. You need to reconfigure the service to not support this protocol version. I haven't done this myself before, but as described here, it seems that there is a patch for this.
  2. SSL/TLS weak encryption algorithm: your Remote Desktop service supports weak algorithms. For this one you need to set the encryption level to High from the Terminal Services snap-in (type tscc.msc in Run). Please refer to this link if needed, and this link as well.

For the rest, you can Google the error messages and see which configuration you need to change in the Terminal Services configuration. I hope this helps a little. I would help with the rest as well if you struggle.

P3nT3ster
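The registry changes that gowenfawr's comment (turn TLS 1.0 off in Schannel after installing the patch) and steps 1 and 2 of the answer (disable the obsolete protocol version, raise the RDP encryption level) describe, as one added PowerShell example. This is not code from the question, the answer, or Microsoft; the Schannel `Protocols`, `Ciphers` and Terminal Server `RDP-Tcp` registry locations and value names are the documented ones, while the helper functions `Set-HklmDword` and `Get-HklmDword` and the cipher list are mine. It assumes an elevated prompt on the scanned Windows PC with KB3080079 already installed (so TLS 1.1/1.2 exist for RDP to fall back on).

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post: harden the RDP listener on
# port 3389 so an ASV scan stops flagging TLS 1.0 and weak ciphers.
# Assumption: Windows 7 / 2008 R2 or later with KB3080079 applied.

$Schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$RdpTcp   = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Set-HklmDword {
    param([string]$SubKey, [string]$Name, [int]$Value)
    # .NET is used instead of the HKLM: provider because cipher key names such as
    # 'RC4 128/128' contain a slash, which the PowerShell provider treats as a
    # path separator and would split into nested keys.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKey)
    try { $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

function Get-HklmDword {
    param([string]$SubKey, [string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }
    try { $key.GetValue($Name) } finally { $key.Close() }
}

# 1. Protocol versions. The scanner talks to the Server side of each protocol.
#    Enabled=0 plus DisabledByDefault=1 turns a version off; the reverse turns it on.
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0') {
    Set-HklmDword "$Schannel\Protocols\$proto\Server" 'Enabled'           0
    Set-HklmDword "$Schannel\Protocols\$proto\Server" 'DisabledByDefault' 1
}
foreach ($proto in 'TLS 1.1', 'TLS 1.2') {
    Set-HklmDword "$Schannel\Protocols\$proto\Server" 'Enabled'           1
    Set-HklmDword "$Schannel\Protocols\$proto\Server" 'DisabledByDefault' 0
}

# 2. Ciphers behind a typical "weak encryption algorithm" finding (my list, not the report's).
foreach ($cipher in 'NULL', 'DES 56/56', 'RC4 40/128', 'RC4 56/128', 'RC4 128/128') {
    Set-HklmDword "$Schannel\Ciphers\$cipher" 'Enabled' 0
}

# 3. RDP listener: SecurityLayer 2 = require SSL/TLS (no legacy RDP security),
#    MinEncryptionLevel 3 = "High", the same setting tscc.msc / tsconfig.msc expose.
Set-HklmDword $RdpTcp 'SecurityLayer'      2
Set-HklmDword $RdpTcp 'MinEncryptionLevel' 3

# 4. Read back what was written. Schannel changes only take effect after a reboot.
function Get-RdpTlsState {
    [pscustomobject]@{
        Tls10ServerEnabled = Get-HklmDword "$Schannel\Protocols\TLS 1.0\Server" 'Enabled'
        Tls12ServerEnabled = Get-HklmDword "$Schannel\Protocols\TLS 1.2\Server" 'Enabled'
        Rc4Enabled         = Get-HklmDword "$Schannel\Ciphers\RC4 128/128" 'Enabled'
        SecurityLayer      = Get-HklmDword $RdpTcp 'SecurityLayer'
        MinEncryptionLevel = Get-HklmDword $RdpTcp 'MinEncryptionLevel'
    }
}
Get-RdpTlsState
Write-Host 'Reboot, then ask the ASV to rescan port 3389.'

# Alternative raised in the comments: if nobody needs Remote Desktop on this PC,
# switching the listener off removes both the finding and the attack surface.
# Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
# Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
```

Two caveats worth checking before the rescan: the Schannel protocol and cipher settings are machine-wide, so any other TLS service on the PC (IIS, SQL Server) is affected too, and once TLS 1.0 is off, an old `mstsc` client without the corresponding client-side TLS 1.1/1.2 update will no longer be able to connect, which is the RDP equivalent of the "breaks < IE 10" problem in the linked question. If the scanner is actually hitting the router rather than the PC (the theory in Robert's last comment), none of these changes will alter the result; `netstat -ano | findstr :3389` on the PC and the router's port-forwarding page together show which device is answering on 3389.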