This video was made mainly because I had spent most of last week preparing for a quarterly security review, which includes an external PCI vulnerability scan. After lots of testing, I finally figured out how to consistently pass the PCI scan and get a compliant score.
The trick is to get your SSL squared away and hide what software versions your web servers are running. This week's video talks about how to do those things. For quick reference I wrote about how to do most of the stuff already on Bauer-Power. You can read those posts here:
To hide your IIS version you need to download a free tool called URLScan from Microsoft and install it. Then edit c:\windows\system32\inetsrv\urlscan\urlscan.ini, change RemoveServerHeader=0 to RemoveServerHeader=1, and restart IIS.
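Here is the same change scripted and verified in PowerShell. This is an added example, not code from the original post or from URLScan; the urlscan.ini path is the one given above, and the test URL (http://localhost/) is an assumption you replace with your own site.

```powershell
# Added example: flip RemoveServerHeader to 1 in urlscan.ini, restart IIS,
# then confirm the Server header is no longer returned.
$ini = 'C:\Windows\System32\inetsrv\urlscan\urlscan.ini'   # path as given in the post
$url = 'http://localhost/'                                  # assumed: point this at your site

function Set-UrlScanRemoveServerHeader {
    param([string]$Path)
    $content = Get-Content -Path $Path
    if ($content -match '^\s*RemoveServerHeader\s*=') {
        # Key present (usually RemoveServerHeader=0): rewrite it in place
        $content = $content -replace '^\s*RemoveServerHeader\s*=.*$', 'RemoveServerHeader=1'
    } else {
        # Key missing: add it directly under [Options], the section URLScan reads it from
        $content = $content -replace '^\[Options\]\s*$', "[Options]`r`nRemoveServerHeader=1"
    }
    Set-Content -Path $Path -Value $content
}

function Get-ServerHeader {
    param([string]$Uri)
    $req = [System.Net.WebRequest]::Create($Uri)
    $req.Method = 'HEAD'
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # A 4xx/5xx still carries response headers; inspect those instead of failing
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
    }
    try { return $resp.Headers['Server'] } finally { $resp.Close() }
}

# Keep a backup of the original ini before touching it
Copy-Item -Path $ini -Destination "$ini.bak" -Force
Set-UrlScanRemoveServerHeader -Path $ini
iisreset | Out-Null

$server = Get-ServerHeader -Uri $url
if ([string]::IsNullOrEmpty($server)) {
    "Server header removed"
} else {
    "Server header still present: $server"
}
```

Run it from an elevated prompt, since both the ini file and iisreset need administrator rights. The check above only looks at the Server header; dump `$resp.Headers` in full if you want to see whether any other response header on your site still gives away a product or version.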
That's pretty much it. After doing those things, the PCI scanner won't be able to enumerate what software you are running, so it can't match your servers against known vulnerabilities for those versions and will give you a passing score.
Please note that this does not replace the need for patching. You still need to stay on top of vulnerabilities and make sure your systems have the right patches.
What other things do you do to get your servers ready for PCI scans? Let us know in the comments.
Support Tech Chop By Doing Your Amazon Shopping at: http://amazon.techchop.com