Tuesday, 21 October 2014

Another obscure Trustwave PCI scan fail - SBS 2011 fails CVE-2010-3332 / MS10-070, vulnerability in ASP.NET Could Allow Information Disclosure

After clearing up the SharePoint issues, there was just one remaining failure issue in the Trustwave PCI scan of an SBS 2011 server.

The fix turned out to be running the .NET Framework Cleanup Tool from Aaron Stebner at Microsoft, and removing .NET 1.0 and 1.1.

There's some more detailed discussion over at Technet

Monday, 20 October 2014

SharePoint 2010 on SBS 2011 failing Trustwave PCI scan (aka WSS_Search SPSearchDatabase Database is too old)

[ bonus points - that's got to be the biggest post title yet :-) ]

An SBS 2011 server, all patched up with the latest Microsoft Update fixes failed a Trustwave PCI security scan. When we looked at the detail most of the fail points were around SharePoint vulnerabilities.

Looking at the SharePoint Central Administration console, the Health Analyzer was throwing up warnings about out of date databases and upgrades required. they're no entirely straightforward because there's a difference between content databases and other databases.

With SharePoint updates you do need to run the upgrade tool sometimes after Microsoft Updates have been loaded, to get the database to upgrade too.

Start a Command Shell with administrative rights (or the SharePoint PowerShell) and run this command;
PSConfig.exe -cmd upgrade -inplace b2b -force -cmd applicationcontent -install -cmd installfeatures

That cleared all but one of the Health Analyzer warnings for us. The remaining one was the "WSS_Search SPSearchDatabase Database is too old" or more strictly, WSS_Search_servername. We had trouble tracking down that database GUID to issue a PS upgrade, as mentioned on the Technet forum.

Restarting services and rebooting didn't seem to clear either. The only info we could Google was the upgrade command above. In the end, having run the command repeatedly, the database upgraded and the warning cleared. It appeared to take 2-3 repeats of that command before WSS_Search was up to date.

Let you know about the PCI re-scan, I've just requested it ...

Trust 1&1 Internet for your domain name registration, from only £1.99/year!. Check now!