Thursday, May 8, 2014

PCI Vulnerability 86645: Frontpage Extensions

So I can't lie - I'm not a big fan of PCI compliance in the slightest. One of my favorite quotes about the subject comes from a thread on the hMailServer forum where a user states "PCI compliance is a load of rubbish, the CC companies can't secure their shit, so they make everyone else do it for them and charge them for the privilege." In my position I do have to deal with certain aspects of it from time to time so every time I get frustrated in my dealings with it I can come back to this quote and at least crack a smile.

Recently I was tasked with remediating a scanner finding for QID 86645 - FrontPage Extensions Configuration Information Obtained:

You would think this one is pretty straightforward based on the information in the screenshot. The scanner I was using says it was able to obtain the FrontPage configuration from the web server by requesting the "_vti_inf.html" file, which is what holds that information (the FrontPage Server Extensions version and the paths to the _vti_bin RPC endpoints, which is exactly why a scanner cares about it). To remediate it, they say all you have to do is restrict access to this file so that it can't be publicly retrieved. In doing my research on this vulnerability I found one person who fixed it by disabling anonymous authentication in IIS, but I could not do that because this was a public-facing site. So I figured I would just find the file and see if I could rename or delete it - easy enough, right?

So I hunted through the IIS directories on the server trying to find this _vti_inf.html file and I couldn't find it anywhere. For that matter I couldn't find it anywhere on the server at all. Figuring that the file not existing was a pretty good workaround I took this information to the security vendor that I work with and they basically said this:

They could still retrieve the information from the server, so even though the file itself didn't live there, something was still returning it. After some head scratching, which in turn led to head banging on the desk, I finally figured out why - SharePoint!

I should have made the connection from the blog post I linked to earlier, where he couldn't find the file on the server either, but for some reason I missed it. Since this particular server hosted sites that live in SharePoint, the _vti_inf.html response was coming out of SharePoint itself (presumably from a content database somewhere that I did not have access to) rather than from a file in the IIS file system, which is why searching the disk turned up nothing. Is it possible that I could have gone into the database and purged the file? I'm honestly not sure - I didn't like the idea of going spelunking in a database I had no business being in, so I didn't want that to be the answer. So along with our fine friends at Microsoft we came up with a decent workaround that fixes the finding without touching the SharePoint databases: have IIS Request Filtering reject any request whose URL contains the file name, which happens before SharePoint ever sees the request.

Step 1: Launch IIS Manager and connect to the server you are working with. Selecting the server node applies the rule to every site on that server; select a single site instead if you only want it there.

Step 2: In the main work pane, double-click "Request Filtering".

Step 3: Click the "URL" tab and then click "Deny Sequence..." in the Actions pane.

Step 4: In the Deny Sequence box, enter "/_vti_inf.html" and then click OK.

That should be it! Request Filtering changes are picked up without restarting IIS, so you can test immediately by browsing to http://yourserver/_vti_inf.html. IIS answers a denied URL sequence with a 404 (substatus 404.5, "URL sequence denied", which is also what shows up in the sc-status and sc-substatus columns of the IIS log), but what you actually see depends on the browser: some render a friendly error page and some show a blank page. If you get a blank page instead of a 404, do a quick view source in your browser, and if there's nothing there then you should be in business. Because the rule is a substring match on the URL, it also covers the file under subsites (for example /sites/whatever/_vti_inf.html), so it's worth checking one of those too before you ask for a rescan. One caveat: FrontPage RPC clients such as SharePoint Designer read _vti_inf.html to discover the _vti_bin endpoints, so check that any authoring tools you rely on still connect after the rule is in place. Hopefully this helps some folks out there save some time who may run into a similar situation!
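For anyone who would rather script this than click through IIS Manager, here is the same Request Filtering rule applied and then verified from PowerShell. This is an added example and not part of the original post or anything Microsoft handed over; it assumes Windows PowerShell 3.0 or later with the WebAdministration module on the IIS web front end, and the site name and test URLs are placeholders you would swap for your own.

```powershell
# Added example (not from the original post): add the Request Filtering
# deny-URL-sequence rule for _vti_inf.html and verify that IIS now rejects it.
# Assumptions: run elevated on the IIS web front end, Windows PowerShell 3.0+
# with the WebAdministration module; $SiteName and the test URLs are placeholders.
Import-Module WebAdministration

$Sequence = '/_vti_inf.html'
$Filter   = 'system.webServer/security/requestFiltering/denyUrlSequences'
$AppHost  = 'MACHINE/WEBROOT/APPHOST'   # server-level config (applicationHost.config)
$SiteName = 'SharePoint - 80'           # placeholder; only used for the per-site variant

# Server-wide rule, the same as selecting the server node in IIS Manager.
# Get-WebConfiguration returns nothing when the <add> element is absent,
# so re-running the script does not create a duplicate entry.
$existing = Get-WebConfiguration -PSPath $AppHost -Filter "$Filter/add[@sequence='$Sequence']"
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $AppHost -Filter $Filter -Name '.' -Value @{ sequence = $Sequence }
}

# Per-site variant instead (writes a <location path="..."> block in applicationHost.config):
# Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Filter -Name '.' -Value @{ sequence = $Sequence }

# Equivalent appcmd one-liner, if you prefer it:
# & "$env:windir\system32\inetsrv\appcmd.exe" set config /section:requestFiltering "/+denyUrlSequences.[sequence='$Sequence']"

# Request Filtering answers a denied sequence with HTTP 404 (substatus 404.5),
# so anything other than a 404 means the rule is not in effect for that URL.
function Test-VtiBlocked {
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        Write-Warning "$Url returned $($r.StatusCode); _vti_inf.html is still exposed"
        return $false
    } catch {
        $resp = $_.Exception.Response
        if ($resp -and [int]$resp.StatusCode -eq 404) {
            Write-Host "$Url -> 404 (blocked)"
            return $true
        }
        Write-Warning "$Url -> $($_.Exception.Message) (unexpected)"
        return $false
    }
}

# The deny sequence is a substring match on the URL, so subsite paths should be
# blocked too; the upper-case variant checks that a different casing doesn't slip past.
$urls = @(
    'http://yourserver/_vti_inf.html',
    'http://yourserver/sites/team/_vti_inf.html',
    'http://yourserver/_VTI_INF.HTML'
)
$allBlocked = $true
foreach ($u in $urls) { if (-not (Test-VtiBlocked $u)) { $allBlocked = $false } }
if (-not $allBlocked) { Write-Warning 'QID 86645 will still show up for at least one of those URLs' }
```

Run it from a machine that reaches the site the same way the scanner does (the server itself answers with the detailed "HTTP Error 404.5" page only for local requests, but the status code is what matters). If the subsite or upper-case URL comes back with anything other than a 404, the rule is scoped to the wrong site or something else in the pipeline is answering first, and that is what to chase before requesting a rescan.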

Wednesday, March 5, 2014

Cisco CCNA DC - Part 1

It's been a while since my last blog entry, but I wanted to take a few minutes tonight to write about what I've been working on recently: going after the Cisco CCNA Data Center certification. In my current position I am basically an IT generalist, in that I have the opportunity to work with a number of different platforms and technologies. "Knower of many, master of none" is a likely grammatically incorrect phrase I often use to describe what I do: I have a very broad skill set that ranges across a number of different IT systems, but I don't ever really get to deep dive into any one area. Jumping around all the time will do this to you, and they haven't developed a flash acceleration solution for brains yet, but I'm keeping my eyes open! That being said, I have not gone after a certification since I obtained my VCP5-DCV, and I wanted to tackle something new and improve in an area I felt was a bit lacking, which was networking.

My networking experience started a few years ago basically like this:

Sound familiar to anyone? This was basically how I started at my current position when it comes to networking and I had to pick things up and learn as I went. Admittedly this is a fantastic way to learn but certainly not the most practical or stress-free way to go about it. When I started almost everything we had was Dell networking gear and we have since transitioned a lot of that over to be Cisco equipment. I've learned a lot through those migrations and working with some great partners who were willing to help me learn some new stuff. (Side note: Shoutout to anyone who has worked with Dell and Cisco gear and has dealt with all the fun little surprises that come along with that mess.)

So I learned about STP and VLANs and routing protocols and all that fun stuff, and I decided I was ready to expand my knowledge and go for a cert. The CCNA Data Center track seemed like a better fit for me than the Route/Switch path, since I spend a lot of my time in the datacenter and I work with a lot of the technologies on this path every day, including the Nexus platform as well as Cisco UCS. The CCNA DC requires two exams for certification: Introducing Cisco Data Center Networking (640-911) and Introducing Cisco Data Center Technologies (640-916). Today I am happy to say that I took and passed the 640-911 exam, so I'm halfway to my cert! This was the first Cisco exam I had ever taken, so I was pretty nervous this past week or so as I was preparing, but thankfully all of the work paid off and I did very well.

There's a number of great resources out there for the 640-911 exam but I wanted to share a few of the ones that really helped me out:

Chris Wahl's Intro to Data Center Networking on Pluralsight: I go back and forth on video training courses because let's be honest - some of them are about as fun as watching paint dry - but this one is very good and I highly recommend anyone looking at the CCNA DC check this out. Chris knows the material very well and does a good job to keep the course interesting complete with Voltron references and some hilarious mnemonic devices thrown in to help you remember stuff. I know that I will never throw sausage pizza away after watching these videos.

CCNA 640-911 Study Guide by Todd Lammle and John Swartz: This book is a fantastic tool that helped me out a lot. In addition to having great material that is very easy to read and follow along with you'll also get a number of practice labs and exercises to help test your knowledge. This book also includes a very basic Nexus simulator that will help you perform the labs which is great if you don't have access to real Nexus gear. Giant IT books can be daunting but this one is definitely worth the price!

Subnettingquestions.com: Everyone going for a CCNA will absolutely need to know how to subnet. I stumbled across this website while I was looking for some additional subnetting practice and it was a great help. Thanks to Kim Nobav for putting this together.

Outside of those resources there are a few other notes I'd like to share for anyone looking to tackle these exams:

  • On these exams, once you click Next your answer is FINAL: Coming from a mostly VMware exam background I was not used to this at all. On the VCP exams you can mark questions for review and, if you have time left over at the end, go back through the ones you marked. That is not the case for Cisco: when you click Next to move to the next question, your answer is final. It made me spend a little more time than I normally would on each question, but you have to keep an eye on your time remaining or you can get yourself into trouble.
  • Practice practice practice!: I really learn things in IT by doing so the fact that I had worked on some of these technologies for some time really helped me out but it's still good to practice! Not everyone has access to Nexus gear or lab environments so this can be a challenge - obtaining Cisco gear is not the cheapest of propositions. The Nexus simulator included with the book I referenced is a good starting point if you have nothing else and there are also articles out there for Creating a Nexus 1000v lab in VMware Workstation/Fusion if you have the resources to do that.
  • Formulate your plan and then do it!: Everyone is different but I knew that doing a bunch of cramming the night before the exam would likely not help me. I had been studying for several weeks leading up to my exam so the night before I did my mostly normal routine and got a good night's sleep. Figure out what works best for you ahead of time and then stick to your plan - it will help you be less stressed and more confident going into the exam.

So next up is the 640-916 after I take a little break to recharge. I'm going on vacation at the end of the month so that'll slow me down a little bit but I hope to tackle this in the next couple of months. Stay tuned for part 2 - hopefully with CCNA DC certification in hand!