Plesk for Windows – PCI Compliance

This is somewhat of a work in progress. The only thing flagged by PCI compliance scans so far is the use of SSLv2. This can be disabled in Windows 2003 by adding a registry value under the following key:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

Under that key, create a new DWORD value named Enabled and leave it at its default value of 0.

Also disable weak ciphers by adding the same value under each of these keys:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128

In each of these keys, add a new DWORD value. It needs to be named Enabled and needs to have the default value of 0.
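The same changes as a script, added here as an example and not taken from the original post. It uses the .NET registry classes instead of the HKLM: provider because several of the cipher key names contain a forward slash, and it reads every key back afterwards so the result can be checked before the next scan. It assumes a PowerShell session running as an administrator on the server, and that SCHANNEL changes only take effect after a reboot.

```powershell
# Added example: disable SSLv2 and the weak ciphers listed in the post by
# setting Enabled = 0 under each SCHANNEL key, then audit the result.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Exactly the keys the post lists, relative to the SCHANNEL key.
$relative = @(
    'Protocols\SSL 2.0\Server',
    'Ciphers\DES 56/56',
    'Ciphers\NULL',
    'Ciphers\RC2 40/128',
    'Ciphers\RC4 40/128',
    'Ciphers\RC4 56/128'
)

function Set-SchannelDisabled {
    param([string]$SubKey)
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    # CreateSubKey opens the key if it exists and creates it otherwise. Only
    # the backslash is a separator here, so 'RC4 40/128' stays one key name
    # (the HKLM: provider would split it into 'RC4 40' and '128').
    $key = $hklm.CreateSubKey("$schannel\$SubKey")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Test-SchannelDisabled {
    param([string]$SubKey)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\$SubKey")
    if ($key -eq $null) { return $false }
    $value = $key.GetValue('Enabled')
    $key.Close()
    # Only an explicit DWORD 0 counts as disabled; a missing value means the
    # system default applies, so this check treats it as still enabled.
    return ($value -is [int]) -and ($value -eq 0)
}

foreach ($k in $relative) { Set-SchannelDisabled $k }

# Audit pass: one line per key, suitable for pasting into the compliance ticket.
foreach ($k in $relative) {
    $state = if (Test-SchannelDisabled $k) { 'disabled' } else { 'STILL ENABLED' }
    Write-Output ('{0,-26} {1}' -f $k, $state)
}
Write-Output 'Reboot required before SCHANNEL picks up these changes.'
```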

Depending on the mail server installed, the scans may also flag the use of plain password authentication and similar issues. The resolution to this depends on what you're running.
