The next stop on our PCI DSS Compliance tour is disabling weak SSL versions and encryption ciphers. If your site is handling credit card payments, it is undoubtedly using HTTPS for at least the pages that collect payment information. I thought I had already taken care of this item, but I was apparently mistaken. Fortunately, this is pretty easy to fix and if you're on Windows I've even cooked up a quick and easy registry file for you to use.
A lot of you have web servers that double as mail servers to relay outbound mail from your ColdFusion applications. Even if you have a separate server that handles your mail relay, this post should still be helpful. The more spam proliferates on the Internet, the more antsy ISPs get about blocking mail, and there is a litany of reasons an ISP might reject mail from your server. GoDaddy has been one of the most annoying companies to deal with. There were two things I had to fix on my mail server before they would accept mail from it: reverse DNS and the HELO host name.
Some time ago GoDaddy managed to get the IP address of my VPS into their little black book and began refusing to receive any mail that originated from it. Unfortunately for me, I use GoDaddy for my e-mail hosting, and that meant I stopped getting all e-mails that were sent from my server. A couple of weeks ago I got around to calling them to see just what was going on. I would rather mud-wrestle a large, sea-sick crocodile than repeat this tedious conversation with their bumbling excuse for tech support. Here are the details of my correspondence with them.
When you think of your production servers, you need to imagine them as your car, sporting a new stereo, in a parking lot with a bunch of would-be burglars milling around outside, constantly checking each window and door to see whether you locked it tightly the last time you had it open. Every door, window, or keyless entry system is a potential point of invasion that can fail you. Why do you think those Brinks trucks have no windows and the only way into the back is a single, beefy, padlocked door? A Brinks truck may not be convenient to access, but convenience isn't their goal. You need to control the ways into your server with the same gusto.
If you are using Windows, chances are you find yourself remoting into one server or another on a regular basis to start and stop services or to take a gander at the event logs to figure out why the box mysteriously rebooted the other day at 2 am. You may not realize it, but you can access anything in the Computer Management console for your servers without ever remoting into them. This includes users/groups, IIS, SQL Server, and Device Manager.
I am not just a programmer, but to some extent a sysadmin. Because of that responsibility (and the fact that I have had servers compromised before) I am always interested in security. I think that to stop crackers you've got to think like them. When was the last time you tried to hack into your own server? If you don't know what your vulnerabilities are, how can you close them?
So, I assume you've heard the latest buzz about DNS cache poisoning and the subsequently released patches. It's rather interesting, and a bit unnerving, that the "patch" for now simply makes the exploit harder to pull off, not impossible. I guess that's basically because the patch simply makes name server requests more randomized. Anything more would require an overhaul of the DNS protocol itself.