Until about 3 weeks ago, we had been PCI compliant. Now the Qualys PCI compliance scanner says our FTP server is not compliant (FTP server does not support the AUTH command). Nothing has changed with the FTP server; Qualys have said the scanner has been updated. Our web server is running Microsoft IIS 6.
Can I make the FTP on IIS 6 compliant? If so, how?!
QID: 27356
Category: File Transfer Protocol
Port/Service: 21 / File Transfer Protocol (tcp)
CVSS Base: 4.8
CVSS Temporal: 4.5
False Positive: N/A
Bugtraq ID: -
CVE ID: -
Vendor Reference: -
Last Update: 05/02/2012 at 01:17:31
The remote FTP server does not support the AUTH command, which makes FTP clients send credentials in clear text.
If this vulnerability is successfully exploited, attackers can intercept the credentials by eavesdropping on the connection.
Upgrade/migrate to an FTP server that supports the AUTH command.
500 'AUTH GSSAPI': command not understood
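The check behind this finding, as an added example (not Qualys' scanner code and not part of the original post): connect to the control port, read the banner, send AUTH for each mechanism and look at the reply code. RFC 2228 says an accepted AUTH is answered with 234 (or 334 when more ADAT exchange is needed); a 5xx reply, like the one quoted above, means the command is refused and the client has no choice but to send USER/PASS in clear text. The list of mechanisms tried (TLS, SSL, GSSAPI) is an assumption about what the scanner sends, and the loopback "fake FTP" at the bottom is a constructed stand-in for the IIS 6 behaviour on the page, so the script runs offline.

```python
"""Reproduce the check behind QID 27356: will the FTP server accept AUTH?

Speaks plain FTP over a socket (RFC 959 reply format, RFC 2228 AUTH command),
so it can be pointed at any FTP server on port 21. The fake server at the
bottom is a constructed stand-in for the IIS 6 behaviour quoted on the page.
"""
import io
import socket
import sys
import threading

# Replies that mean the server accepted AUTH (RFC 2228 section 3):
# 234 = mechanism accepted, start the security handshake; 334 = ADAT needed.
AUTH_ACCEPTED = {234, 334}
MECHANISMS = ("TLS", "SSL", "GSSAPI")  # assumed probe order; TLS/SSL per RFC 4217


def read_reply(stream):
    """Read one FTP reply from a binary file object, handling multi-line
    replies ("211-..." continued until a line starting with "211 ").
    Returns (code, text)."""
    first = stream.readline()
    if not first:
        raise ConnectionError("server closed the control connection")
    first = first.decode("latin-1").rstrip("\r\n")
    code = int(first[:3])
    lines = [first[4:]]
    if first[3:4] == "-":
        terminator = "%03d " % code
        while True:
            line = stream.readline().decode("latin-1").rstrip("\r\n")
            if line.startswith(terminator):
                lines.append(line[4:])
                break
            lines.append(line)
    return code, "\n".join(lines)


def parse_reply(data):
    """Parse a complete reply held in bytes (convenience wrapper)."""
    return read_reply(io.BytesIO(data))


def probe_auth(host, port=21, timeout=5.0, mechanisms=MECHANISMS):
    """Connect, read the banner, then send AUTH <mechanism> in turn.
    Returns {mechanism: (code, text)}. Stops at the first accepted
    mechanism, because after 234 the server expects a TLS handshake,
    not more clear-text commands."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        read_reply(stream)  # 220 banner
        for mech in mechanisms:
            sock.sendall(("AUTH %s\r\n" % mech).encode("ascii"))
            results[mech] = read_reply(stream)
            if results[mech][0] in AUTH_ACCEPTED:
                return results
        sock.sendall(b"QUIT\r\n")
    return results


def supports_auth(results):
    """True if any mechanism got 234/334; False reproduces the scanner finding."""
    return any(code in AUTH_ACCEPTED for code, _ in results.values())


def start_fake_ftp(accepts_auth_tls):
    """Constructed loopback FTP control channel (not a real FTP server).
    accepts_auth_tls=False answers every AUTH like the IIS 6 server on the
    page; True answers AUTH TLS with 234 as an RFC 4217 server would.
    Returns (port, close_function)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)

    def serve():
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        with conn:
            stream = conn.makefile("rb")
            conn.sendall(b"220 fake-ftp ready\r\n")
            while True:
                line = stream.readline().decode("latin-1").strip()
                if not line:
                    break  # client went away
                if line.upper() == "QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    break
                if line.upper() == "AUTH TLS" and accepts_auth_tls:
                    conn.sendall(b"234 AUTH command ok. Expecting TLS Negotiation.\r\n")
                    break  # a real server would now run the TLS handshake
                conn.sendall(("500 '%s': command not understood\r\n" % line).encode("latin-1"))

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1], listener.close


if __name__ == "__main__":
    # usage: python probe.py <host> [port]; with no arguments, probe the fake IIS 6 stand-in
    if len(sys.argv) > 1:
        host, port, close = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 21, None
    else:
        host, (port, close) = "127.0.0.1", start_fake_ftp(False)
    replies = probe_auth(host, port)
    for mech, (code, text) in replies.items():
        print("AUTH %-6s -> %d %s" % (mech, code, text))
    print("AUTH supported:", supports_auth(replies))
    if close:
        close()
```

Run it against the real server with `python probe.py ftp.example.com` (host is yours to fill in); if every mechanism comes back 5xx, the scanner's finding is accurate and nothing on the client side can fix it, which is why the answers below talk about changing the server rather than the configuration.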
When you hear "need AUTH for your FTP Server", that means "FTP over SSL" (a.k.a. "FTPS") as defined by RFC 2228 (http://www.ietf.org/rfc/rfc2228.txt).
You essentially have two options for your situation:
1) Upgrade IIS FTP from version 6 to version 7, since version 7 supports a simple version of FTPS (e.g., http://learn.iis.net/page.aspx/304/using-ftp-over-ssl-in-iis-7/)
2) Switch FTP servers, especially if your auditors have been pushing you to a multi-tier architecture to separate Internet-facing and data-handling components. (Personally, I like Serv-U - http://www.serv-u.com/solutions/pci.asp - for this, but there are other options too.)
Additionally, depending on the usage of this FTP function, you may be able to submit this as a PCI False Positive / Exception request.
For example, if there is no sensitive data stored or passed through this FTP function, there would essentially be no risk to the Cardholder Data Environment, and so this could likely be approved as a False Positive / Exception.