PCI Compliance Scans for Windows-based Accounts
If you or your client are required to ensure that your website and web space meet the PCI DSS standard, this article explains the issues that commonly arise in our particular Windows-based environment and how they relate to any PCI compliance scans you may need to perform. Several findings come up again and again when users first run such scans. Below are the reasons behind each of them and how they can be resolved.
ASP.NET Web Server Information Disclosure
The most common finding is that, in this environment, ASP.NET applications display detailed error pages (including the stack trace, source file paths and framework version) to any remote visitor by default.
Unless you or your client's developer need to see these error details for development work, enable custom error pages to override the default. This is done with a web.config file in the root of your site space. A minimal example is shown below: save the following content as a text file named web.config and upload it to the root of your site space, and any unhandled ASP.NET error will redirect the visitor to your root index.html instead of the detailed error page. Note that the customErrors element must sit inside system.web within the configuration root element (a bare customErrors element on its own is not a valid web.config), and the defaultRedirect target must actually exist, or the visitor will simply get a second error.

<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="index.html" />
  </system.web>
</configuration>
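A fuller web.config, added here as an example rather than taken from the hosting provider's documentation, that shows the weak setting beside the hardened one and covers two related disclosures a scan will otherwise still report: the X-AspNet-Version response header and the error pages that IIS itself serves for requests ASP.NET never handles. The file name error.html, the RemoteOnly alternative, and the assumption that the host has not locked the system.webServer/httpErrors section at server level are mine, not the article's.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config; not the article's own file. -->
<configuration>
  <system.web>
    <!-- WEAK: mode="Off" sends the full ASP.NET error page (stack trace,
         source paths, framework version) to every client. A PCI scan
         flags this as information disclosure.
    <customErrors mode="Off" />
    -->

    <!-- HARDENED: never send error details to remote clients.
         defaultRedirect must point at a file that exists. The article
         uses index.html; error.html here is an assumed static page that
         you upload alongside this file. -->
    <customErrors mode="On" defaultRedirect="error.html">
      <!-- Optional: a dedicated page per HTTP status code. -->
      <error statusCode="404" redirect="error.html" />
      <error statusCode="500" redirect="error.html" />
    </customErrors>

    <!-- If a developer genuinely needs the details, RemoteOnly shows them
         only to requests from the server itself (localhost), which an
         external scanner never is. Use either this element or the one
         above; two customErrors elements in one file is a config error. -->
    <!-- <customErrors mode="RemoteOnly" defaultRedirect="error.html" /> -->

    <!-- Suppress the X-AspNet-Version response header, which discloses
         the framework version on every response. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>

  <!-- customErrors only governs requests that ASP.NET handles. Errors
       raised by IIS itself (for example a 404 for a missing .html file)
       are controlled by httpErrors. This assumes the host has not locked
       the section in applicationHost.config; if it has, IIS rejects the
       override (typically as a 500.19 configuration error) and the host
       must change it for you. -->
  <system.webServer>
    <httpErrors errorMode="Custom" />
  </system.webServer>
</configuration>
```

After uploading, request a page that does not exist (for example /nonexistent.aspx and /nonexistent.html) from a machine outside the hosting network and confirm that neither response contains the "Server Error in '/' Application" page, a stack trace, or the X-AspNet-Version header.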
Serv-U FTP Server Version
Some scans report that our Serv-U installation is out of date and requires an update to resolve a vulnerability affecting SFTP connections on that Serv-U version.
We are indeed running the version the scan detects, but SFTP (FTP over SSH) is completely disabled in our environment, so the vulnerability does not affect your services. Scanners normally raise this finding from the version banner alone rather than by exercising the SFTP service, so if it blocks your compliance report you can dispute it with your scan vendor as a false positive on the grounds that the affected service is not enabled.
Anonymous FTP Access
Another common finding is the Anonymous FTP user, which is enabled by default on your account for convenience. This user has read-only permissions and is confined to the FTP subdirectory created by default on your account; it cannot reach anything outside that folder and cannot write any data. A scanner flags it because it permits a login without credentials, so make sure nothing sensitive is ever placed in that directory.
Should this finding continue to be a problem for your scan, please contact email@example.com for more details.