Channel: Security forum

SSL Server allows cleartext communication vulnerability - Direct Access Servers 2012 - PCI Scan


I wanted to check with the community about the following situation.

Servers are Windows 2012 running DA.

We have a third party security company that runs PCI audit scans on a regular basis. They have recently detected a vulnerability on the DA servers (see below). The DA servers are fully patched.

The proposed solution seems a little obscure, and doing some research I have found the following article, which describes the issue and a way to get it fixed on IIS servers (How to configure Microsoft IIS to not accept weak SSL ciphers).

http://blog.zenone.org/2009/03/pci-compliance-disable-sslv2-and-weak.html

This is a standard security scan and my assumption is that a lot of Microsoft DA customers facing PCI scans will be experiencing the same issue.

We would appreciate it if someone could advise us or point us in the right direction.

VULNERABILITY DETAILS
CVSS Base Score: 5.4 AV:N/AC:H/Au:N/C:C/I:N/A:N
CVSS Temporal Score: 4.4 E:F/RL:TF/RC:UR
Severity: 4
QID: 38143
Category: General remote services
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 08/06/2008
THREAT:
The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client-server communication is generally encrypted using a symmetric cipher like RC2, RC4, DES or 3DES. However, some SSL ciphers allow communication without encryption. This vulnerability allows anyone who can sniff the traffic between the client and the server to see the communication.
Please note that this detection only checks for weak cipher support at the SSL layer. Some servers may implement additional protection at the data layer. For example, some SSL servers and SSL proxies (such as SSL accelerators) allow cipher negotiation to complete but send back an error message and abort further communication on the secure channel. This vulnerability may not be exploitable for such configurations.
IMPACT:
An attacker can exploit this vulnerability to read apparently secure communication.
SOLUTION:
Disable ciphers which support cleartext communication.
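As an added example (not from the original post or the linked article), this is the SCHANNEL registry change that turns off the cleartext cipher the scan is flagging, with a before/after check so the result can be recorded for the PCI auditor. It assumes the standard SCHANNEL Ciphers key layout on Windows Server 2012 and an elevated PowerShell session.

```powershell
# Added example (not from the original post or the referenced article).
# Audits and disables the SCHANNEL "NULL" cipher, the cleartext cipher behind a
# QID 38143 finding, on a Windows Server 2012 host. Assumes an elevated session;
# SCHANNEL reads these keys at boot, so reboot before re-running the scan.
# Value semantics under Ciphers\<name>: Enabled = 0 disables, 0xffffffff enables.

$CiphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Get-SchannelCipherState {
    # Returns the current Enabled value for a cipher, or $null if no override key
    # exists (no key means SCHANNEL falls back to its built-in default for it).
    param([Parameter(Mandatory)][string]$CipherName)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$CiphersPath\$CipherName")
    if ($null -eq $key) { return $null }
    try { return $key.GetValue('Enabled') } finally { $key.Close() }
}

function Disable-SchannelCipher {
    # Creates the cipher subkey if needed and sets Enabled = 0 (REG_DWORD).
    # Uses the .NET registry API rather than New-Item because several SCHANNEL
    # cipher names contain '/', which the registry provider treats as a separator.
    param([Parameter(Mandatory)][string]$CipherName)
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$CiphersPath\$CipherName")
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally { $key.Close() }
}

$cipher = 'NULL'
$before = Get-SchannelCipherState -CipherName $cipher
$shown  = if ($null -eq $before) { 'not set (SCHANNEL default)' } else { $before }
Write-Host ("Before: {0} Enabled = {1}" -f $cipher, $shown)

Disable-SchannelCipher -CipherName $cipher

$after = Get-SchannelCipherState -CipherName $cipher
if ($after -ne 0) { throw "Failed to disable cipher '$cipher'" }
Write-Host "After:  $cipher Enabled = $after  (reboot, then re-run the PCI scan to confirm)"
```

The same Disable-SchannelCipher call works for the other weak cipher names the linked article lists, including the ones with a slash in the name.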
