Monday 20 October 2014

SharePoint 2010 on SBS 2011 failing Trustwave PCI scan (aka WSS_Search SPSearchDatabase Database is too old)

[ bonus points - that's got to be the biggest post title yet :-) ]

An SBS 2011 server, all patched up with the latest Microsoft Update fixes, failed a Trustwave PCI security scan. When we looked at the detail, most of the fail points were around SharePoint vulnerabilities.

Looking at the SharePoint Central Administration console, the Health Analyzer was throwing up warnings about out-of-date databases and upgrades required. They're not entirely straightforward because there's a difference between content databases and other databases.

With SharePoint updates you do need to run the upgrade tool sometimes after Microsoft Updates have been loaded, to get the database to upgrade too.

Start a Command Shell with administrative rights (or the SharePoint PowerShell) and run this command:
PSConfig.exe -cmd upgrade -inplace b2b -force -cmd applicationcontent -install -cmd installfeatures

That cleared all but one of the Health Analyzer warnings for us. The remaining one was the "WSS_Search SPSearchDatabase Database is too old" or more strictly, WSS_Search_servername. We had trouble tracking down that database GUID to issue a PS upgrade, as mentioned on the Technet forum.

Restarting services and rebooting didn't seem to clear it either. The only info we could Google was the upgrade command above. In the end, having run the command repeatedly, the database upgraded and the warning cleared. It appeared to take 2-3 repeats of that command before WSS_Search was up to date.

Let you know about the PCI re-scan, I've just requested it ...
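
The repeat-until-clear procedure above, written as a script. This is an added example, not part of the original post. It assumes the default SharePoint 2010 install path and a retry limit of 4 (both are assumptions), and it prints the farm build so it can be compared with the version a scanner reports.

```powershell
# Added example: re-run the PSConfig upgrade until no database reports NeedsUpgrade.
# Run from an elevated prompt on the SharePoint 2010 server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: default SharePoint 2010 ("14 hive") install location.
$psconfig = Join-Path $env:CommonProgramFiles `
    'Microsoft Shared\Web Server Extensions\14\BIN\PSConfig.exe'
$maxRuns = 4   # assumption: the post needed 2-3 repeats, so allow one more

function Get-StaleDatabase {
    # Covers content databases and the others (config, search, ...) alike.
    Get-SPDatabase | Where-Object { $_.NeedsUpgrade }
}

if (-not (Test-Path $psconfig)) {
    throw "PSConfig.exe not found at $psconfig"
}

for ($run = 1; $run -le $maxRuns; $run++) {
    $stale = @(Get-StaleDatabase)
    if ($stale.Count -eq 0) { break }

    Write-Host "Run $run of $maxRuns - databases still needing upgrade:"
    $stale | Format-Table Name, Type, NeedsUpgrade -AutoSize | Out-String | Write-Host

    # Same command as in the post.
    & $psconfig -cmd upgrade -inplace b2b -force `
        -cmd applicationcontent -install -cmd installfeatures

    if ($LASTEXITCODE -ne 0) {
        Write-Warning "PSConfig exited with code $LASTEXITCODE; check the PSCDiagnostics log in 14\LOGS."
    }
}

# Final state: what is still flagged, and the build the farm now reports.
$stale = @(Get-StaleDatabase)
if ($stale.Count -gt 0) {
    Write-Warning "Still needing upgrade after $maxRuns runs:"
    $stale | Format-Table Name, Type -AutoSize | Out-String | Write-Host
} else {
    Write-Host 'No databases report NeedsUpgrade.'
}
Write-Host ("Farm build version: {0}" -f (Get-SPFarm).BuildVersion)
```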


redleg said...

Also had to disable port 987 to block internet access to SharePoint, which wasn't used on that site.

The reported version number of looked a bit screwy against the PCI database, which was expecting a version higher than 14.0.6108.5000

Unknown said...

Trustwave's detection is flawed. They simply mis-detected our version number.

Their scan process is also flawed. They're scanning a server behind the same NAT. That server doesn't need to be PCI compliant.

Unfortunately, their support is flawed too. They don't understand networks or technology, and won't escalate technical issues.

I'm disgusted that they're selling "trust" -- more like fear. No wonder CC compromises are so common these days.
