LMS 4.2 PCI - DSS update

Hi,
Currently I'm using LMS 4.2 [compliance report feature] and pulled a PCI DSS report. In the report there are 27 kinds of rule titles.
I needed to update the same to the newer version available so all the rule titles are visible in the report. Are there any updates regarding the compliance reports?
Regards,
Channa 

Hi All,
Any suggestions??
Regards,
Channa

Similar Messages

  • RV042G PCI DSS SSL Issues

    Looks like the RV042G needs another firmware update as the units we have in the field are now not passing PCI DSS scans.  Dealing with the compliance scanning companies, they are telling me that the firmware is the way to fix this.  Here are the errors reported:
    Cross-site scripting vulnerability in portalname parameter to /cgibin/userLogin.cgi - FAIL
    Description: Several types of web servers and CGI programs include the user's request in their response. For example, a request for the page http://server/nonexistent_page.html may cause server to respond: The page nonexistent_page.html does not exist on this server.
    Response splitting vulnerability in portalname parameter to /cgibin/userLogin.cgi - FAIL
    Description: Some programs on web servers place user-supplied parameters into certain HTTP headers.
    I am using port 443 for remote access to the devices.  Moving the port simply changes the reported failure to that port.  Any suggestions or has anyone heard of a firmware update coming soon for this device?
    Thanks.  John

    Hi dwyerja01,
    Unfortunately I do not think Cisco is going to do anything about this.  I have emailed my sales support contact (no response), called tech support (clueless on when or if there will be a firmware update - the only way to fix this) and posted here (no response from Cisco).
    With that said, we have begun a transition away from Cisco Small Business gear.  While this is disappointing for us, supporting their router platform is just not a priority for them (or so it seems).
    If we get lucky, maybe a new firmware will drop.  Fingers crossed!
    If I find or get more information I will post back here (please do the same).
    John

  • PCI DSS Compliance - Requirements 5 & 6

    We are currently applying for PCI Compliance, and are required to answer the following questions. Since our solution is hosted on Windows Azure, are these questions relevant? Can anyone please suggest where we might establish the answers to these, with respect to our Azure environment?
    Requirement 5: Use and regularly update anti-virus software or programs
    5.1: Is anti-virus software deployed on all systems commonly affected by malicious software?
    5.1.1: Are all anti-virus programs capable of detecting, removing and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)?
    5.2: Is all anti-virus software current, actively running, and generating audit logs, as follows:
    (a) Does the anti-virus policy require updating of anti-virus software and definitions?
    (b) Is the master installation of the software enabled for automatic updates and scans?
    (c) Are automatic updates and periodic scans enabled?
    (d) Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7?
    Requirement 6: Develop and maintain secure systems and applications
    6.1:
    (a) Are all system components and software protected from known vulnerabilities by having the latest vendor-supplied security patches installed?
    (b) Are critical security patches installed within one month of release?

    Have a look at Microsoft Endpoint Protection for Windows Azure.
    http://blogs.msdn.com/b/windowsazure/archive/2012/03/26/microsoft-endpoint-protection-for-windows-azure-customer-technology-preview-now-available-for-free-download.aspx
    http://blog.maartenballiauw.be/post/2012/03/27/Protecting-Windows-Azure-Web-and-Worker-roles-from-malware.aspx

  • What is PCI DSS(),how it can be implemented, it can be on Portal

    Hi Friends,
    This is Rajesh; I am actually an EP Consultant. We have a requirement to implement PCI DSS, and this is the first time I am hearing this word.
    Can anybody give me the story about PCI DSS and tell me how to implement it?
    And kindly let me know whether it can be implemented on portal (WDP Java, J2EE); if not, tell me how and what technologies are needed to implement it.
    Regards
    Rajesh

    Did you ever find a solution?!?
    Thank you
    Heiko
    mawa-solutions GmbH

  • Data Security Standard PCI-DSS - SAP Datacenter

    Hello,
    One of our prospects asked the following question: Does the SAP Datacenter in Germany fulfill the requirements of PCI-DSS?
    It seems that this Standard is related to Payment Card Processing.
    I checked all certificates but I don't find any information about that Standard.
    Best Regards
    Andreas Czech

  • PCI DSS  - Payment Card Industry / Data Security Standard

    Hello Gurus;
    Has anyone implemented the necessary security around credit cards according to the latest PCI DSS?  If so - I'd like to chat about that.  It's no longer just encrypting the credit card information, it's much more...  Would love to hear good and bad.
    Thanks!
    Gina

    Hi Gina,
    Did you find good information about PCI-DSS compliance topics with SAP from this forum?  In particular we are looking at options to comply with requirement 11, File Integrity Monitoring.
    We would appreciate any guidance.
    Thank you, TMM

  • Achieving PCI DSS compliance of BPEL/ESB components ?

    Hi all,
    I'd like to get some input on achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS). Issues arise in particular with dehydration and audit trails vs. requirements 3.3 and 3.4.
    Has anyone looked at this and if so, how did you approach it ?
    Regards,
    Diego

  • PCI DSS 1.0 and PCI DSS 1.1

    I was looking at the spec sheets and was wondering what are the differences between PCI DSS 1.0 and PCI DSS 1.1?

    Here is a high-level summary of what is different, and a link to the full details of the differences:
    Section 6.6 - Added requirement for application code review or application firewall to be used.
    Section 11.1 - Clarified that wireless analyzers should be used periodically, even if wireless is not currently deployed.
    Section 12 - Added requirement for a policy to manage connected entities, including maintaining a list, implementing appropriate due diligence, ensuring connected entities are PCI DSS compliant, and having an established process to connect and disconnect entities.
    https://www.pcisecuritystandards.org/pdfs/pci_summary_of_pci_dss_changes_v1-1.pdf

  • PCI DSS 3.0 Section 11.5

    PCI DSS 3.0 Section 11.5 says this: "Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly."
    Has anyone figured out a solution for this?  I submitted a VMware support ticket asking and they said they have no tool/app today that does this nor could they recommend any.  I find it rather surprising this standard has been effective since Jan 1, 2015 and there is hardly any info on what people are doing to fulfil this (and 11.5.1) requirement.  Thanks!

    Hello,
    Then you really want to look into HyTrust CloudControl and/or Catbird vSecurity as it will monitor changes to a host for you. The reporting is to monitor for change drift or unauthorized changes. How you do that depends on how you feel you should do it. If I monitor the contents of a file for change, it does not mean I need to monitor the entire file for change. Contents is really what is important not the actual file itself.
    If your QSA is really stuck on you must have a file integrity monitor, then they are sticking to the letter of the law, so to speak, instead of the intent. I would fire them and get one that truly understands the intent. Also, if you control access to the management console, that is also a compensating control and that is captured as well. You need to think how those files would change in the first place and if I can control said change, log said change, etc. then I have a compensating control that is sufficient.
    I can also use the hardening guide to monitor critical files for change as well by monitoring the critical settings within those files. I have a tool that does just that as do many others.
    Best regards,
    Edward L. Haletky
    VMware Communities User Moderator, VMware vExpert 2009-2015
    Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
    Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast
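
A minimal sketch of the change-detection comparison that Section 11.5, quoted above, asks for, including the reply's point that hashing selected settings can stand in for hashing a whole file. This is an added example, not code from the thread or from any product named in it; the `key = value` file format, the function names and the sample file are assumptions.

```python
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of the whole file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def settings_digest(path: Path, keys: list[str]) -> str:
    """SHA-256 over selected `key = value` settings only (assumed format),
    so comments and unrelated lines can change without a finding."""
    found = {}
    for line in path.read_text(errors="replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in keys:
            found[key] = value
    return hashlib.sha256(json.dumps(found, sort_keys=True).encode()).hexdigest()


def snapshot(watch: dict[str, list[str] | None]) -> dict[str, str]:
    """watch maps a path to None (hash whole file) or a list of setting keys."""
    result = {}
    for name, keys in watch.items():
        path = Path(name)
        if not path.is_file():
            result[name] = "MISSING"
        elif keys is None:
            result[name] = file_digest(path)
        else:
            result[name] = settings_digest(path, keys)
    return result


def compare(baseline: dict[str, str], current: dict[str, str]) -> list[tuple[str, str]]:
    """Return (path, finding) for every deviation from the stored baseline."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old == new:
            continue
        if old is None:
            findings.append((name, "not in baseline"))
        elif new is None or new == "MISSING":
            findings.append((name, "missing"))
        else:
            findings.append((name, "modified"))
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample file standing in for a real critical file.
        conf = Path(tmp, "app.conf")
        conf.write_text("# sample\nallow_root = no\nbanner = hello\n")
        watch = {str(conf): ["allow_root"]}
        baseline = snapshot(watch)  # store this where the host cannot rewrite it
        conf.write_text("# sample\nallow_root = yes\nbanner = hello\n")
        for path, finding in compare(baseline, snapshot(watch)):
            print(f"ALERT {finding}: {path}")
```

Run the comparison from a scheduler at least weekly, as the requirement states, and route the findings to whoever is responsible for reviewing changes.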

  • LMS 4.1 Device Package Update

    Hi,
    I'm having problems updating packages for my new install of LMS Prime 4.1 and hoped someone here could help in diagnosing why. I've attached the psu.log file.
    Thanks in advance.

    Yeah, for Inventory Config And Image Management (the traditional RME functions, in LMS 3.x lingo), you have to perform a separate "Software Update" (vis-a-vis Device Update, which is apparently for CiscoView). That's described in the same aforementioned URL, a little further up, Admin -> System -> Software Center -> Software Update:
    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.1/user/guide/admin/swcenter.html#wp1096852
    The following page describes, in not-so-clear terms, whether it's Software Update or Device Update that's needed to get newer hw/sw recognized by the various pieces of LMS 4.1.
    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.1/device_support/table/lms41sdt.html

  • CiscoWorks LMS 3.2 unable to update device packages

    Chaps,
    This is a new install of LMS 3.2 with the Campus Manager patched to 5.2.1.
    I'm unable to install any new device updates, if I use the GUI and Check for Updates then it says that none are available.  The Device Count Type for Campus Manager is 0 although and my 3750X stacks are not supported.
    Any ideas?
    Jim

    Try to install the update manually. Open CLI on the server, navigate to $NMSRoot\bin directory and execute the commands:
    1. PSUCli.bat -p cm -dst  -download CMDeviceUpdates
    On providing cisco.com credentials, CMDeviceUpdates.zip will be downloaded to "\cm" location. For example if  is C:\psu_download then package will be under C:\psu_download\cm.
    2. Install the package by executing below command:
    PSUCli.bat -p cm -install -src\cm CMDeviceUpdates

  • LMS 3.2 RME Device Update failed

    Hello experts,
    I got a new error on my LMS 3.2 with RME 4.3.1
    I can't install any of the RME Device updates.
    e.g. : "Installation failed for product [Resource Manager Essentials] with message : com.cisco.nm.xms.psu.packagemgmt.InstallerException: Repository in use. Another Package Support Updater client session may be modifying device support."
    I looked for a .lock file in my CW dir but there is none.
    NMSROOT/Psu.Lock and NMSROOT/www/classpath/com/cisco/nm/xms/psu/Psu.Lock do not exist.
    There are no other .lock files in the CW dir and subdirs.
    I attached a psu.log file. Maybe you will see the failure.
    What I tried:
    - Restart daemon
    - install from cisco.com
    - install from local dir
    ... every time the package installation failed.
    Bye,
    Patrick

    You will need an identical server (RME 4.3.1) with an updated/healthy package repository.  If you have that, you can follow these steps to regenerate maps:
    1. Shutdown daemons:
    net stop crmdmgtd
    2. On the bad server, delete all .zip files under the two RME package repositories:
    NMSROOT\www\classpath\com\cisco\nm\xms\psu\pkgs\rme
    NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\lib\pkgs
    3. Copy all of the packages under one of the above locations on the good server to both of these locations on the bad server.
    4. Delete your bad rme*.map files under NMSROOT/www/classpath/com/cisco/nm/xms/psu/maps/ and replace them with the good ones.
    5. Restart daemons:
    net start crmdmgtd

  • LMS 4.0.1 - Device update problem for CiscoView

    Hello,
    I would like to update all CiscoView packages for my customer.
    When I do :
    Admin> System> Software Center> Device Update
    I have a list of several updates to do :
    Showing 1-15 of 15 records

    No.  Package Name      Type           Product Name  Installed Version  Available Version  Readme                             Posted Date  Size
    1.   ASR1000           DevicePackage  CiscoView     3.0                4.0                ASR1000.cv50.v4-0.readme           NA           NA
    2.   Cat3560           DevicePackage  CiscoView     9.0                11.0               Cat3560.cv50.v11-0.readme          NA           NA
    3.   Cat3750           DevicePackage  CiscoView     12.0               13.0               Cat3750.cv50.v13-0.readme          NA           NA
    4.   Cat6000IOS        DevicePackage  CiscoView     31.0               31.2               Cat6000IOS.cv50.v31-2.readme       NA           NA
    5.   CVGenericPackage  DevicePackage  CiscoView     1.4                1.5                CVGenericPackage.cv50.v1-5.readme  NA           NA
    6.   Cisco3400ME       DevicePackage  CiscoView     4.0                5.0                Cisco3400ME.cv50.v5-0.readme       NA           NA
    7.   MetroEthernet     DevicePackage  CiscoView                        2.0                MetroEthernet.cv50.v2-0.readme     NA           NA
    8.   Nexus5000         DevicePackage  CiscoView                        1.0                Nexus5000.cv50.v1-0.readme         NA           NA
    9.   Nexus7000         DevicePackage  CiscoView     2.0                3.0                Nexus7000.cv50.v3-0.readme         NA           NA
    10.  Rtr3900           DevicePackage  CiscoView     4.0                5.0                Rtr3900.cv50.v5-0.readme           NA           NA
    11.  Rtr1900           DevicePackage  CiscoView     2.0                3.0                Rtr1900.cv50.v3-0.readme           NA           NA
    12.  Rtr1800           DevicePackage  CiscoView     9.0                10.0               Rtr1800.cv50.v10-0.readme          NA           NA
    13.  NGMARShare        DevicePackage  CiscoView     1.15               1.17               NGMARShare.cv50.v1-17.readme       NA           NA
    14.  Rtr800            DevicePackage  CiscoView     16.0               18.0               Rtr800.cv50.v18-0.readme           NA           NA
    15.  SwitchAddlets     DevicePackage  CiscoView     1.28               1.31                                                  NA           NA

    But when I try to do these updates, it always fails and I can see this message in the Event logs:
    Number of Packages Selected for Install : 1
    For Product(s) : CiscoView
    Install Invoked by user : admin
    The Package(s) Selected for Install :
    CVGenericPackage
    WARNING :  CVGenericPackage(1.5):Consistency check failed for base package SwitchAddlets
    No package(s) to install for : CiscoView
    What can I do to update my CiscoWorks please ?
    Thank you.
    Regards,
    Stephane.

    And for each individual device package I'm trying to update, I receive this error message :
    Error
    The installation of device package(s) failed.
    Check Software Center > Activity Log > Event Log for details.
    And the Event log show me this (for example, for the Cat3560 package) :
    Number of Packages Selected for Install : 1
    For Product(s) : CiscoView
    Install Invoked by user : admin
    The Package(s) Selected for Install :
    Cat3560
    No package(s) to install for : CiscoView
    But when I do Device Update again (even if I Stop and Restart the Daemon Manager), I still see the same device packages list.
    This problem is very annoying.
    Do you want me to upload any other log ?

  • LMS 4.1 Device Packages Update Installation

    Hello, I used the Software Center to download the latest device packages; all downloaded to the PSU_Downloads folder. I want to know how to install them with the GUI if possible, as I tried to use the CLI but it seems that I'm using bad syntax.
    Best Regards.

    The cli syntax can be a bit tricky. If you have already downloaded the updates, you can perform the updates using the downloaded copies as your source. Please see step 2 of the procedure listed here, specifically:
    To check for updates from a server, select the Enter Server Path radio button and enter the path or browse to the location using the Browse tab.

  • W2003 DNS cache snooping vulnerability for PCI-DSS compliance.

    Hi everyone.
    How can I solve this security vulnerability reported by Nessus(security software) with W2003's DNS ?
    DNS Server Cache Snooping Remote Information Disclosure
    Synopsis:
    The remote DNS server is vulnerable to cache snooping attacks.
    Description:
    The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently
    visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution.
    Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more. Note: If this is an internal DNS server not accessable to outside networks, attacks would be limited to the internal network. This may include
    employees, consultants and potentially users on a guest network or WiFi connection if supported.
    Risk factor:
    Medium
    CVSS Base Score:5.0
    CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
    See also:
    http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf
    Solution:
    Contact the vendor of the DNS software for a fix.
    Plugin output:
    Nessus sent a non-recursive query for example.com and received 1 answer : 192.0.43.10
    I have been searching for a solution on the web... but I was unable to find one that would let me use "recursion" on our DNS server.
    We have an internal DNS server for Active Directory, with a forwarding to resolve external internet domains as is a requirement by our application... but now the only way to fix this is to disable "recursion" and we are working with external IP addresses instead of internet DNS names... but this is not a good solution for us.
    I found something about splitting DNS functions, but my point is that we have all the servers, internal and DMZ, inside the same AD domain... so we need to use the same AD-integrated DNS server, notwithstanding we must resolve external DNS records for our application... How can I do this without getting the same vulnerability again? I don't know how to do it disabling "recursion"... If I disable recursion I will be unable to resolve external DNS names.
    Any suggestion will be really appreciated!!
    thx!!

    That's basically for your internet facing DNS. I wouldn't worry about it too much for internal DNS, since that's only hosting your internal AD zone.
    Other than setting the "Secure cache against pollution" setting, you can also opt to disable caching of all records so each and every query is a fresh query. This actually fixes CNAME vs A record TTL mismatch issues, too, not that you're probably seeing them or not, but just wanted to add that:
    Description of DNS registry entries in Windows 2000 Server, part 2 of 3 (applies to 2003, 2008 & 2008 R2)
    http://support.microsoft.com/kb/813964
    Cannot resolve names in certain top level domains like .co.uk.
    http://blogs.technet.com/b/sbs/archive/2009/01/29/cannot-resolve-names-in-certain-top-level-domains-like-co-uk.aspx
    ============
    To turn off or disable local cache: (Windows 2000 notes, but they apply to all current OS's)
    Set the MaxCacheTtl to 0 in the registry or use Dnscmd
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
       Value:     MaxCacheTtl
       Type:     DWORD
       Default:  NoKey (Cache for up to one day)
       Function: Set maximum caching TTL.
    MaxCacheTtl
    Type: DWORD
    Default value: 0x15180 (86,400 seconds = 1 day)
    Function: Determines how long the DNS server can save a record of a
    recursive name query.
    You can use the MaxCacheTtl registry entry to specify how long the DNS
    server can save a record of a recursive name query.
    If the value of the MaxCacheTtl entry is 0x0, the DNS server does not save
    any records.
    The DNS server saves the records of recursive name queries in a memory cache
    so that it can respond quickly to new queries for the same name. Records are
    deleted from the cache periodically to keep the cache content current. The
    interval when the records remain in the cache typically is determined by the
    value of the Time to Live (TTL) field in the record. The MaxCacheTtl entry
    establishes the maximum time that records can remain in the cache. The DNS
    server deletes records from the cache when the value of this entry expires,
    even if the value of the TTL field in the record is greater.
    Change method
    To change the value of the MaxCacheTtl entry, use Dnscmd.exe, a tool that is
    included with the Windows 2000 Support Tools. The change is effective
    immediately so that you do not have to restart the DNS server.
    Start method
    DNS reads its registry entries only when it starts. If you change the value
    of the MaxCacheTtl entry by editing the registry, the changes are not
    effective until you restart the DNS server.
    Note the following items:
    - Windows 2000 does not add the MaxCacheTtl entry to the registry. You can add it by editing the registry or by using a program that edits the registry.
    - The MaxCacheTtl entry does not affect Windows Internet Name Service (WINS) data that is saved in the DNS memory cache. WINS data is saved until the Cache Timeout Value on the WINS record expires. To view or change the Cache Timeout Value on the WINS record, use the DNS snap-in. Right-click a zone name, click Properties, click the WINS tab, and then click Advanced.
    ===============================
    Ace
    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
