Tuesday, September 27, 2011

A Guide to PCI Compliance

Most of you have heard the term “PCI Compliance” or “PCI DSS,” but what does this mean for you and your business? What are the steps necessary to obtain and maintain compliance?


The PCI Data Security Standard (DSS) is a set of requirements created by the major credit card companies that applies to any organization that stores, processes or transmits credit card information. If any credit card information travels through either your website or your hosting environment, you will need to make sure that you maintain Payment Card Industry (PCI) compliance. Violations of the standard or any breach of credit card information can result in very serious fines, as well as stricter requirements for your solution. As everyone knows, stricter requirements almost always translate to more costs for you, and the financial and reputational repercussions can be catastrophic for many small business owners. If you are new to this topic it may seem overwhelming and difficult to understand at first, but the long-term side effects of not taking the necessary steps towards compliance could land you in the ever-growing unemployment line. The good news is that achieving PCI compliance is not as difficult as it may appear.

  1. Divide your front-end and back-end servers into independent solutions

     The initial step to becoming compliant is to split your front-end (web) and back-end (database) servers into independent solutions. The reasoning behind this approach is that if there were ever a breach of your public-facing web server, the intruder would not have direct access to the information stored and/or processed on your database server.

  2. Enable firewall policies

     After you have split into a minimum of two servers, have your hosting provider enable multiple layers of firewall policies restricting access to and from your now independent solutions. The first requirement regarding firewall policies is to restrict all inbound access to the web server except port 80 (HTTP) and port 443 (HTTPS).

  3. Remove all public access to your database server

     After the necessary firewall policies are implemented, you will connect to your public web server via a secure SSL/VPN connection. To reach your private database server, you will first log in to your web server and then establish a connection to your database server via the specified SQL port. The database server should accept connections on that port only from the web server, never from the Internet.

  4. Hire an Approved Scanning Vendor (ASV)

     After you have segregated your web and database servers and implemented the necessary firewall policies, you will need to sign up with a third-party ASV of your choice for quarterly scans of your solution. To maintain compliance, you are required to pass a network vulnerability assessment scan every 90 days. The PCI Security Standards Council has a list of over 100 approved vendors that can perform vulnerability audits and help you automate this process. Prices for scanning and other compliance services vary significantly, so we suggest contacting multiple vendors to ensure you are receiving the best available pricing. You will find the Approved Scanning Vendors list at: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php

Can I avoid being PCI compliant?

If you transfer the risk entirely to someone else who meets the PCI standard, such as PayPal, you can avoid having to be PCI compliant. However, your clients will have to interact directly with PayPal, and their credit card information can never pass through your servers. If your website integrates with PayPal via an API, you are still liable for PCI compliance, since your servers capture and transmit the credit card data.

What if my application does not store any credit card information?

PCI DSS applies to the handling of data while it is processed over your network, not just the storage of credit card information.

Is the PCI DSS a requirement or a recommendation?

If your business processes, stores or transmits any information listed on a credit or debit card, then you must comply with the PCI DSS Standard. If you are found negligent in the event of a breach, you are likely to face significant fines, higher costs through increased compliance requirements, larger merchant fees and/or potential suspension or cancellation from your credit card merchants.

If I pass the quarterly ASV scan, does that mean I am compliant?

ASVs are only a piece of the PCI puzzle. All merchants and service providers are required to complete a self-assessment questionnaire (SAQ) that serves as a statement of compliance. The questionnaire states that your organization has implemented the required controls described in the PCI Standard. You can download these SAQs from the PCI Security Standards Council's website at: https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs

Does PCI compliance require a dedicated server environment?

A common misconception is that you are required to have a dedicated server to become PCI compliant. However, PCI compliance is obtainable in a virtual environment where the operating system is isolated and able to be secured according to the standard’s requirements.

Do you provide the required quarterly network scans?

The required scans will need to be completed by a third-party Approved Scanning Vendor (ASV), who will provide you with an independent, non-biased view of your network. We have partnered with Alert Logic (http://www.alertlogic.com/) to provide this service, but you are free to select from any of the approved vendors. If you choose Alert Logic as your ASV, tell them you are a HyperFive Web Hosting customer to ensure you receive the best available pricing.

Do you guarantee a PCI compliant solution?

We guarantee to provide you with a PCI-compliant solution for your hosting services. We also guarantee that if any issues are found by your selected ASV, we will work directly with you and your ASV to achieve compliance.

Tuesday, June 7, 2011

The Benefits of VPS Hosting

Web hosting providers offer many different types of plans for various business and personal hosting requirements, each with their own advantages and disadvantages. Most people start out with a basic shared hosting plan that lets them build a small website, but many outgrow this kind of limited hosting setup, especially when operating an online business. Many small business owners require more options and control over their hosting environment, but may not be ready to shoulder the commitment and expense of a dedicated server.

Between shared and dedicated hosting is virtual private server (VPS) hosting, which is significantly less expensive than a dedicated server and provides many more options for growing online businesses than shared hosting. Although they share hardware, each VPS hosting account is assigned its own operating system, so users can configure their server individually without disrupting the others.


There are five primary advantages to using a VPS account rather than a shared host:

Unlimited Websites

VPS hosting provides the ability to manage an unlimited number of websites. Common hardware-sharing issues are eliminated, since each VPS runs its own software stack.

Flexibility

Virtual private servers have the same functionality as a dedicated server including custom firewall configurations, the opening and closing of ports, root access, customizable services and the freedom to reboot at any time. Also, with administrator privileges users are able to install software and configure permissions to fit their needs and custom applications.

Security

Shared hosting is difficult to completely secure. If one account is hacked, all accounts on that server are open to damage. Since VPS accounts are isolated from one another, a security vulnerability within an account will not affect other accounts on the server.

Performance

Shared servers depend on the performance of other accounts. If one owner sends out mass mailings, this could overload the server, negatively affecting all other accounts. On the other hand, since VPS accounts are independent, they only use the resources dedicated to their account. A bad VPS neighbor only affects their own account.

Scalability

Virtual private servers were created to support high-traffic websites, extensive database applications and resource hungry sites. At any time, users can upgrade or downgrade their service with minimal downtime. Overall, VPS accounts have become popular due to the amount of money saved over time as opposed to the other options available on the market.

Still not sure if VPS is right for you?
HyperFive Web Hosting offers a free trial so you can experience the performance and control of VPS hosting, risk-free. Get started today!

Friday, May 20, 2011

Intro to DNS

The Domain Name System (DNS) is a hierarchical naming system used to organize and identify domains, similar to a phone book. Essentially, DNS translates meaningful domain names to IP addresses for the purpose of locating and addressing networking devices worldwide. For instance, the domain name www.example.com might translate to 198.168.10.65. This makes it much easier to remember URLs and email addresses.

A Records


A records (also known as host records) link a domain, or subdomain, to an IP address.

A records do not necessarily match IP addresses on a one-to-one basis. Many A records correspond to a single IP address where one machine serves many web sites. Alternatively, a single A record may correspond to many IP addresses to facilitate fault tolerance and load distribution.

An A record includes the following fields:
  • Host Name:

    The domain name.

  • IP Address:

    The IP address of the web server hosting the domain.

  • TTL:

    "Time to Live." How long resolvers may cache the record before asking for it again, measured in seconds; this determines how long a change takes to take effect. A TTL of 3600 seconds means changes take up to an hour to propagate. A TTL of 86400 means changes take up to a day. A higher TTL value means less query load on the DNS server, but it also means that changing the record will take longer to take effect.


CNAME Records


Canonical name (CNAME) records specify that a domain name is an alias of another domain name.

This helps when running multiple services from a single IP address. For example, an FTP and a web server may be located at a single IP address but running on different ports. Each service would then have its own entry in DNS, such as ftp.example.com and www.example.com.

A CNAME record includes the following fields:
  • Host Name or Alias:

    The domain name that is being set up to point to another location.

  • URL or Alias For:

    The domain name to which the alias points.

  • TTL:

    "Time to Live." How long it will take to update the record.

When a DNS resolver encounters a CNAME record while looking for a regular resource record, it will restart the query using the canonical name instead of the original name. The canonical name that a CNAME record points to can be anywhere in the DNS, whether local or on a remote server in a different DNS zone.

For example, if your blog was available at example.blogger.com, you could set up a CNAME to point your domain blog.example.com to the Blogger host name. Your readers would then visit blog.example.com to view your blog.
blog.example.com   CNAME   example.blogger.com
This example record may be read as: blog.example.com is an alias for the canonical name example.blogger.com.


MX Records


Mail Exchange (MX) records direct a domain's mail flow: they tell sending servers which hosts accept email for the domain.

Most domains have multiple MX records arranged in order of priority. When someone sends an email message to the domain, the first available server in the priority list handles the message.

An MX record includes the following fields:

  • Name:

    The name of your domain.

  • Class:

    This is always set to IN, which stands for Internet.

  • Type:

    For MX records, this is always set to MX.

  • TTL:

    "Time to Live." How long it will take to update the record.

  • Preference or Priority:

    The order of preference for mail delivery. Sending servers should try the lowest preference number first, then the next lowest, and so on.

  • Data:

    The host name of the mail server that handles mail for that domain.

For instance, if your domain is example.com, your MX records might look like this:
example.com.  86400  IN  MX  1  smtp1a.example.com.
example.com.  86400  IN  MX  2  smtp1b.example.com.
example.com.  86400  IN  MX  3  smtp2a.example.com.
example.com.  86400  IN  MX  4  smtp2b.example.com.
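
As an added illustration of the CNAME and MX behaviour described above (this code is not from the original post), here is a toy resolver in Python over a constructed zone. It follows a CNAME by restarting the query with the canonical name, bounds the number of hops so a CNAME loop cannot spin forever, and returns MX hosts in the order a sending server should try them. All names and addresses are constructed values in documentation ranges.

```python
# Added example, not from the original post: a toy DNS lookup over a
# constructed zone showing CNAME restarts and MX preference ordering.
from typing import Dict, List, Tuple

# Constructed zone data: owner name -> list of (type, rdata).
# MX rdata is (preference, host); lower preference is tried first.
ZONE: Dict[str, List[Tuple[str, object]]] = {
    "www.example.com.":     [("A", "198.51.100.10")],
    "blog.example.com.":    [("CNAME", "example.blogger.com.")],
    "example.blogger.com.": [("A", "203.0.113.7")],
    "example.com.":         [("MX", (3, "smtp2a.example.com.")),
                             ("MX", (1, "smtp1a.example.com.")),
                             ("MX", (2, "smtp1b.example.com."))],
    # A deliberately broken pair of aliases pointing at each other.
    "loop1.example.com.":   [("CNAME", "loop2.example.com.")],
    "loop2.example.com.":   [("CNAME", "loop1.example.com.")],
}


def resolve(name: str, rtype: str, max_cnames: int = 8) -> List[object]:
    """Return the rdata for (name, rtype), following CNAME aliases.

    When a CNAME is found while looking for another record type, the query
    is restarted with the canonical name, as the post describes.  The hop
    bound guards against CNAME loops, which real resolvers also reject.
    """
    hops = 0
    while True:
        records = ZONE.get(name, [])
        wanted = [rdata for rtype_, rdata in records if rtype_ == rtype]
        if wanted or rtype == "CNAME":
            return wanted
        aliases = [rdata for rtype_, rdata in records if rtype_ == "CNAME"]
        if not aliases:
            return []                      # name exists (or not) but has no such record
        hops += 1
        if hops > max_cnames:
            raise RuntimeError(f"CNAME chain too long starting at {name}")
        name = aliases[0]                  # restart the query with the canonical name


def mail_servers(domain: str) -> List[str]:
    """MX hosts in delivery order: lowest preference number first."""
    return [host for _, host in sorted(resolve(domain, "MX"))]
```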

TXT Records


A TXT record provides the ability to associate arbitrary, unformatted text with a host or other name. TXT records are often used to publish SPF records, which are explained in depth in another blog post [link].



NS Records


Name server records determine which servers will communicate DNS information for a domain. Two NS records must be defined for each domain. Generally, you will have a primary and a secondary name server record. NS records are updated with your domain registrar and will take 24-72 hours to take effect.

Wednesday, May 18, 2011

SPF Records Explained

Email spoofing, forging an email header to make it appear as if it came from somewhere or someone other than the actual source, has become a worldwide problem. Though it can be legitimate, it is usually fraudulent and often used in spam and phishing emails to hide the origin of the message. We've all received scams via email that appear to be from our bank or from some other well-known sender but obviously aren't. Because core SMTP doesn't provide any authentication, it is easy to impersonate senders and forge emails.

Sender Policy Framework (SPF) is used as one of the standard methods for fighting spam by helping email systems verify the identity of a message sender. This protocol works by defining TXT records in a domain's DNS zone which can be used to validate legitimate email sources from a domain. The string placed within the TXT record specifies a list of authorized host names and IP addresses that mail can originate from for a given domain name.

More and more email systems are adopting SPF and we've repeatedly seen an increase in email deliverability among our customers who have implemented SPF. If your domain does not have an SPF record, some recipient domains may reject messages from your users because they cannot validate that the messages come from an authorized mail server.

How SPF Works


SPF records are added the same way as a regular A, MX, or CNAME record: the domain administrator publishes a DNS TXT record with a specific syntax that lists all SMTP servers that are valid senders of email for the domain name. Then, when an email system that has implemented SPF receives a message, it checks the FROM line of the message, queries public DNS for the sender domain's TXT record and parses the SPF information it finds there.


If the message was sent from an authorized SMTP server, the message is stamped with an SPF x-header that indicates the message "passed" the SPF check, and the message is delivered. If the message was sent from an SMTP server that is NOT authorized, the message is typically rejected. If the domain owner has not specified an SPF record, the message will be stamped with an SPF x-header that indicates it is "unknown" whether or not the message should be trusted.

Publishing Your Own SPF Record


First and foremost, you have to determine all the servers that send mail for your domain name. This is the most time consuming part of creating an SPF record. The more precise your list of sending servers, the more authoritative your SPF record will be.

Once the SPF TXT record is placed within the DNS zone, no further configuration is necessary to take advantage of receiving servers that incorporate SPF checking into their anti-spam systems.

Here's a sample SPF Record and explanation of each mechanism used:

v=spf1
This declares that this entry is an SPF version 1 record.

mx
This declares that any server that has a valid MX record for your domain (domain.com in this example) is a valid sending server.

ip4:
This declares that mail can originate from this IP address or network range. You may specify a network range by appending the prefix length in slash (CIDR) notation.

-all
This mechanism typically goes at the end of the SPF record and designates that the addresses you listed are the only acceptable sending addresses and that all others are prohibited (a hard fail). Mechanisms are evaluated left to right and the first match decides the result, so anything placed after -all is never reached.
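
As an added example (not part of the original post), here is a minimal SPF evaluator in Python that applies the mechanisms listed above (mx, a, ip4 and all, with their qualifiers) to a sending IP. DNS answers come from a constructed table rather than live lookups, and the hostnames and addresses are assumed values in documentation ranges.

```python
# Added example, not from the original post: a minimal SPF evaluator over a
# constructed DNS table.  Hostnames and addresses are assumed values.
import ipaddress
from typing import Dict, List

# Constructed DNS data: A records per host and MX hosts per domain.
A_RECORDS: Dict[str, List[str]] = {
    "example.com":       ["198.51.100.10"],
    "mail1.example.com": ["198.51.100.25"],
    "mail2.example.com": ["198.51.100.26"],
}
MX_HOSTS: Dict[str, List[str]] = {
    "example.com": ["mail1.example.com", "mail2.example.com"],
}

# Qualifier prefix -> result when the mechanism matches ("+" is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _matches(mech: str, ip: ipaddress.IPv4Address, domain: str) -> bool:
    """True if the sending IP matches one mechanism (qualifier already stripped)."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        # A bare address is a /32; "a.b.c.d/24" style ranges are handled by ip_network.
        return ip in ipaddress.ip_network(arg, strict=False)
    if name in ("a", "mx"):
        target = arg or domain
        hosts = [target] if name == "a" else MX_HOSTS.get(target, [])
        return any(ip == ipaddress.ip_address(addr)
                   for host in hosts for addr in A_RECORDS.get(host, []))
    # include, exists, ip6 and the rest are not implemented in this toy;
    # an unknown mechanism makes the record unusable (permerror).
    raise ValueError(f"unsupported mechanism: {name}")


def check_spf(record: str, domain: str, sender_ip: str) -> str:
    """Evaluate an SPF record for a message from sender_ip claiming domain.

    Mechanisms are tested left to right and the first match decides the
    result, which is why "-all" belongs at the end.  No match yields
    "neutral".  (A real checker also enforces the 10-DNS-lookup limit.)
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no SPF record published
    ip = ipaddress.IPv4Address(sender_ip)
    try:
        for term in terms[1:]:
            qualifier = term[0] if term[0] in QUALIFIERS else "+"
            mech = term.lstrip("+-~?").lower()
            if _matches(mech, ip, domain):
                return QUALIFIERS[qualifier]
    except ValueError:
        return "permerror"
    return "neutral"
```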

Other Resources


To learn more about using SPF records for more advanced configurations, visit the SPF Project's page on SPF Record Syntax.

If you're looking for shortcuts, there are many online tools that help you create an SPF record quickly and easily, such as the Microsoft SPF Record Wizard.

Monday, May 16, 2011

Our Industry Watchdog

Every industry needs a watchdog, someone who keeps a close eye on things. The hosting industry is fortunate to have Data Center Knowledge doing just that. The articles are well written and straight forward.

If you've ever wanted to know what really happened to cause the Amazon Cloud to dry up or how a car crash was able to take down Rackspace or why the Planet (now Softlayer) caught fire then you'll want to put Data Center Knowledge on your must read list of Web sites.

Wednesday, May 11, 2011

Connect to SQL Server 2008 Remotely

There may be times when connecting to SQL Server with SQL Server Management Studio remotely, rather than logging in with Remote Desktop, is preferred. Here's how to configure SQL Server 2008 to allow remote connections.

Please note that you should check with your hosting provider to determine the best TCP port to use for your specific security configuration. Whichever port you choose, do not leave it open to the whole Internet: limit the firewall rule to the remote IP addresses that actually need to connect (the Scope tab of a rule in Windows Firewall with Advanced Security), or connect over a VPN.

First, configure SQL Server 2008 to allow remote connections.

  1. Click Start, point to All Programs, point to Microsoft SQL Server 2008 R2, point to Configuration Tools, and then click SQL Server Configuration Manager.
  2. Click SQL Server Services and confirm that SQL Server (SQLEXPRESS) and SQL Server Browser are running.
  3. If SQL Server Browser is stopped, open its Properties, go to the Service tab, change Start Mode from Disabled to Automatic, click Apply, then right-click SQL Server Browser and click Start.
  4. Click SQL Server Network Configuration, point to Protocols for SQLEXPRESS, and make sure the TCP/IP status is Enabled.
  5. Right-click TCP/IP and open Properties, go to the IP Addresses tab, set TCP Port in the last section (IPAll) to 1433, and click Apply.
  6. Restart SQL Server (SQLEXPRESS) by right-clicking it and choosing Restart.

Next, create an exception in Windows Firewall.

  1. Click Start, point to Control Panel, then Windows Firewall Settings.
  2. Click the Change settings link and open the Exceptions tab.
  3. Click the Add port... button and enter the following:
     Name: 1433
     Port number: 1433
     Protocol: TCP
  4. Click OK, then click Apply.

Lastly, here's an alternative process to create exceptions in Windows Firewall.

  1. Click Start, point to Administrative Tools, and open Windows Firewall with Advanced Security.
  2. Click Inbound Rules, then click New Rule in the Actions pane on the right.
  3. Select the Port radio button and click Next.
  4. Select the TCP radio button and enter the port number under Specific local ports, for example:
     Specific local ports: 1433
  5. Click Next.
  6. Select Allow the connection, click Next, then click Next again.
  7. Enter a name (for example, 1433) and click Finish.

Tuesday, May 10, 2011

SQL Server IP Address and Port

You will need the IP Address and Port that SQL Server has been configured to use before you can access your databases remotely.

This can be done through the SQL Server Configuration Manager. Select 'SQL Server Network Configuration' in the left pane, and then select 'Protocols for ' followed by your instance name. Double-click the 'TCP/IP' protocol name in the right pane, and this will open a 'TCP/IP Properties' dialog. Select the 'IP Addresses' tab, and you will see the TCP Port.



Also, a very quick method to confirm the TCP Port that SQL Server is listening on:

DECLARE @tcp_port NVARCHAR(5);

-- Read the configured listener port from the registry
-- (the key below is the path for a default instance).
EXEC xp_regread
    @rootkey    = 'HKEY_LOCAL_MACHINE',
    @key        = 'SOFTWARE\MICROSOFT\MSSQLSERVER\MSSQLSERVER\SUPERSOCKETNETLIB\TCP',
    @value_name = 'TcpPort',
    @value      = @tcp_port OUTPUT;

SELECT @tcp_port AS [Port];

You can also use xp_cmdshell to return the IP address of the SQL Server you are connected to, like this. Note that xp_cmdshell is disabled by default on SQL Server 2008 and, once enabled, lets anyone granted it run operating-system commands under the service account, so leave it off on a hosted server unless you need it; for the current connection, the local_net_address and local_tcp_port columns of sys.dm_exec_connections give the same address and port without shelling out.

EXEC master.dbo.xp_cmdshell 'ipconfig'

That will return all of the other media and state details specific to the network, such as DNS, Subnet Mask, Default Gateway, etc. Try this if you ONLY want to return the SQL Server IP address:

-- Capture the output of ipconfig, one line per row
CREATE TABLE #ipconfig (
    captured_line VARCHAR(255)
);

INSERT #ipconfig
EXECUTE xp_cmdshell 'ipconfig /all';

-- The address starts at column 40 of the English "IPv4 Address" line;
-- PARSENAME splits the dotted value into its four octets, which are
-- trimmed and reassembled.
SELECT
    LTRIM(RTRIM(CAST(PARSENAME(SUBSTRING(captured_line, 40, 15), 4) AS VARCHAR(4)))) + '.' +
    LTRIM(RTRIM(CAST(PARSENAME(SUBSTRING(captured_line, 40, 15), 3) AS VARCHAR(3)))) + '.' +
    LTRIM(RTRIM(CAST(PARSENAME(SUBSTRING(captured_line, 40, 15), 2) AS VARCHAR(3)))) + '.' +
    LTRIM(RTRIM(CAST(PARSENAME(SUBSTRING(captured_line, 40, 15), 1) AS VARCHAR(3)))) AS [IP Address]
FROM #ipconfig
WHERE captured_line LIKE '%IPv4 Address%';

DROP TABLE #ipconfig;

Thursday, May 5, 2011

Client Printing with Terminal Services

Starting with Windows Server 2008, you no longer have to install printer drivers on the server, because Microsoft added the Terminal Services Easy Print printer driver to make client printing, well, easy. Still, you may find that client printers are not showing up on the server. If so, here's a checklist you can follow to ensure client printing is properly configured.

1. Check the Spooler Service is set to automatic start and is running.

  1. Go to Start -> Administrative Tools -> Services ->  Print Spooler

2. Check that Windows Printer mapping is allowed on the server.

  1. Go to Start -> Administrative Tools -> Terminal Services -> Terminal Services Configuration
  2. Right click RDP-Tcp and click Properties
  3. Click on Client Settings and make sure Windows Printer is NOT checked under "Disable the following"

3. Check that the Group Policy is not preventing client printer redirection.

  1. Go to Start -> Run -> Type in gpedit.msc
  2. Go to Administrative Templates -> Windows Components -> Terminal Services -> Terminal Server -> Printer Redirection
  3. Each setting should be set to 'Not configured'

4. Check the Terminal Services UserMode Port Redirector service is started.

  1. Go to Start -> Administrative Tools -> Services ->  Remote Desktop Services UserMode Port Redirector