> but aren't they scanning the interface from a public network? If so,
> you should have a very small number of listening ports. Maybe just
> two: TCP/80 and TCP/443. There is no reason why you'd expose
> TCP/135 to a public network (especially if you're running Windows).

Good advice; in my experience the scan vendors require you to open
your firewall to their scanner IPs so they can get a more complete
picture of vulnerabilities that may be lurking behind it.  One of my
clients ran into problems with this a while back because while 80/443
were the only things open to the public, they had an older version of
Veritas Backup Exec running on the network which had known
vulnerabilities that the QSA complained about.  PCI is a pain in the
arse.  I generally refer people to use Stripe or Braintree Payments
for processing for just these reasons.  The extra per-transaction
costs are usually less than the costs of dealing with all the
network/server security and maintenance required to satisfy the
compliance requirements.


-Justin
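An added example, not from this thread: a small script that takes an external scan result and flags any publicly reachable TCP listener beyond the 80/443 pair mentioned above. It assumes nmap's grepable (-oG) output format, and the scan lines are a constructed sample, not real data.

```python
import re
from typing import Dict, Set

# Constructed sample of nmap grepable (-oG) output for one host; not real scan data.
SAMPLE_GNMAP = """# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 135/open/tcp//msrpc///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (996)
# Nmap done (constructed sample)
"""

# What a public-facing web host is expected to expose, per the advice above.
EXPECTED_PUBLIC_TCP: Set[int] = {80, 443}

# Each port entry in -oG output is port/state/protocol/owner/service/rpc/version.
PORT_RE = re.compile(r"(\d+)/(open\|filtered|open|filtered|closed)/(tcp|udp)/")


def parse_gnmap(text: str) -> Dict[str, Set[int]]:
    """Return {host: set of TCP ports reported 'open'} from -oG output."""
    result: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field runs until the next tab-separated field (e.g. "Ignored State").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_tcp = {int(port) for port, state, proto in PORT_RE.findall(ports_field)
                    if state == "open" and proto == "tcp"}
        result.setdefault(host, set()).update(open_tcp)
    return result


def unexpected_exposure(observed: Dict[str, Set[int]],
                        expected: Set[int] = EXPECTED_PUBLIC_TCP) -> Dict[str, Set[int]]:
    """Hosts with open TCP ports, seen from the public side, that are not on the expected list."""
    return {host: ports - expected for host, ports in observed.items() if ports - expected}


if __name__ == "__main__":
    seen = parse_gnmap(SAMPLE_GNMAP)
    for host, extra in unexpected_exposure(seen).items():
        print(f"{host}: unexpected public TCP listeners {sorted(extra)}")
```

Run it against the output of an external scan of your own perimeter to get the list of listeners a QSA would ask about before the assessment does.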

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355219