And a follow-up… (Servers in a PCI Compliant Environment)

Hello-
So I was the individual who wrote up this question initially and I do have some follow-up questions. I read about the MS recommendation of deploying an ISA server along with the CAS server to provide the necessary security – but I guess I was looking for a different solution that didn’t involve deploying a horrible Microsoft product to solve their forced insecure architectural problem.

Does HALOCK currently use a reverse proxy server for their CAS server? I doubt it. In fact, I know almost no companies that do this.

So it seems to me like people have just decided to ignore PCI for this particular issue that MS has created. If the only solution Microsoft offers to be compliant with PCI while still allowing an architecturally blessed email system is to install their horribly designed firewall product I am not sure what to say…

Well, the idea is to use a reverse proxy to keep the CAS from being exposed to the Internet. That doesn’t mean you need to use ISA Server. Of course, that’s what Microsoft will talk about, but any reverse proxy will do. At HALOCK, we have a policy of never disclosing details about our own internal infrastructure design, but I will say that a popular approach is to use a WAF or Web Application Firewall (a Layer-7 firewall) to handle the pre-authentication and proxy functionality. There’s often no need to deploy a separate proxy server.

Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services
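
As an added illustration of the pattern described in the answer above (an example written for this page, not HALOCK’s or Microsoft’s configuration), here is a minimal nginx reverse proxy placed in the DMZ that terminates TLS, forces pre-authentication before any request reaches the CAS, and forwards only the Exchange client paths. The hostnames, certificate paths and the choice of HTTP Basic auth as the pre-authentication mechanism are assumptions; a WAF or SSO module would occupy the same place in the flow.

```nginx
# Added example, not part of the original post. Hostnames, paths and the
# Basic-auth pre-authentication are assumptions for illustration only.
server {
    listen 443 ssl;
    server_name mail.example.com;                      # public name (assumed)

    ssl_certificate     /etc/nginx/tls/mail.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/mail.example.com.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Pre-authentication: the client must satisfy the proxy first, so an
    # unauthenticated request never touches the CAS. Exchange's own
    # forms-based or Basic auth still runs behind this.
    auth_basic           "Mail access";
    auth_basic_user_file /etc/nginx/owa.htpasswd;       # assumed path

    # Expose only the Exchange client-facing paths (case-insensitive).
    # /ecp is deliberately left out to keep the admin surface internal.
    location ~* ^/(owa|ews|microsoft-server-activesync|autodiscover|oab)(/|$) {
        proxy_pass         https://cas.internal.example.com;   # internal CAS (assumed)
        proxy_http_version 1.1;
        proxy_set_header   Host            $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
        # Strip the proxy's own Authorization header so the pre-auth
        # credential is not replayed to the CAS; Exchange prompts separately.
        proxy_set_header   Authorization "";
        proxy_read_timeout 300s;                        # long-lived ActiveSync pings
    }

    # Anything outside the allowed paths is refused at the edge.
    location / {
        return 404;
    }
}

# Plain HTTP is redirected so cardholder-environment traffic is never cleartext.
server {
    listen 80;
    server_name mail.example.com;
    return 301 https://$host$request_uri;
}
```

The internal CAS should additionally be firewalled to accept 443 only from the proxy, so the proxy is the sole path in from the Internet.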

HALOCK is headquartered in Schaumburg, IL, in the Chicago area and advises clients on reasonable security and conducts PCI preparedness assessment, scoping, remediation, validation, and compliance maintenance services throughout the US.