I am working on a deployment and in order to get the ports opened to the outside world the InfoSec team runs a scan against the Edge servers. They have come back with the following issue. Has anyone run across this and how do you work around it?
2.5. Database Open Access (database-open-access)

Description:
The database allows any remote system the ability to connect to it. It is recommended to limit direct access to trusted systems because databases may contain sensitive data, and new vulnerabilities and exploits are discovered routinely for them. For this reason, it is a violation of PCI DSS section 1.3.7 to have databases listening on ports accessible from the Internet, even when protected with secure authentication mechanisms.

Affected Nodes:
Affected Nodes        Additional Information
69.197.x.x:1434       Running Microsoft SQL Monitor service
69.197.x.x:52591      Running TDS service
69.197.x.x:51773      Running TDS service

References:
Source    Reference
URL       https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf

Vulnerability Solution:
Configure the database server to only allow access to trusted systems. For example, the PCI DSS standard requires you to place the database in an internal network zone, segregated from the DMZ.
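As an added illustration (not from the original post or the scan report), one way to apply the "only trusted systems" recommendation on a Windows host such as the Edge server in the question: block the SQL Server Browser service (UDP 1434, reported above as "Microsoft SQL Monitor service") and any inbound connection to the SQL engine on the Internet-facing interface, then list the engine's listeners locally so the result can be checked before the scan is re-run. The interface alias 'External' and the sqlservr.exe path are placeholders; the TDS ports 52591 and 51773 come from the scan and are dynamic, which is why the rule is keyed to the program rather than to port numbers.

```powershell
# Added example, not from the original post. Placeholders (assumptions): the Internet-facing
# NIC is called 'External' and the SQL engine binary lives at the path below.
$ExternalIf = 'External'
$SqlEngine  = 'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe'   # placeholder path

# Show which TCP ports the SQL engine is listening on right now. The report lists 52591 and
# 51773 as TDS listeners; these are assigned dynamically and change per host and per restart,
# so a firewall rule tied to the program is more durable than one tied to those port numbers.
function Get-SqlListeners {
    $sqlPids = (Get-Process -Name sqlservr -ErrorAction SilentlyContinue).Id
    if (-not $sqlPids) { return @() }
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.OwningProcess -in $sqlPids } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

# Block the SQL Browser port (UDP 1434) and inbound traffic to the SQL engine arriving on the
# external interface. In Windows Firewall a Block rule takes precedence over Allow rules, so
# this overrides any broad "SQL Server" allow rule without having to locate and disable it.
New-NetFirewallRule -DisplayName 'Block SQL Browser from Internet' -Direction Inbound `
    -Protocol UDP -LocalPort 1434 -InterfaceAlias $ExternalIf -Action Block
New-NetFirewallRule -DisplayName 'Block SQL engine (TDS) from Internet' -Direction Inbound `
    -Program $SqlEngine -InterfaceAlias $ExternalIf -Action Block

# Local verification: both rules exist and are enabled, and the engine's current listeners are
# shown for comparison with the scan report. Re-run the external scan afterwards to confirm.
Get-NetFirewallRule -DisplayName 'Block SQL*from Internet' |
    Format-Table DisplayName, Enabled, Direction, Action -AutoSize
Get-SqlListeners | Format-Table -AutoSize
```

If the database is only used by the local server, binding the instance to the loopback address in SQL Server Configuration Manager is the complementary step; the firewall rules above cover the case where the listener cannot be changed.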