Hello Erick Apol,
The core issue here is that your RDP port (62458) and others (443, 64987) are using either expired or self-signed certificates, which PCI scans will always flag as insecure. You're connecting to your VM via jemco-az001.cloudapp.net, which is an Azure-assigned DNS name. Here's the catch: public SSL certificate authorities will not issue certificates for these default .cloudapp.net domains, which is why your attempt to create an App Service Certificate failed.
To fix this, you'll need to buy a domain name (if you don't already have one). Create a DNS record like rdp.jemcohosting.com and point it to your VM's public IP. Purchase an SSL certificate for that domain, install it on the VM, and bind it to your RDP service using PowerShell:
$thumb = "<your_cert_thumbprint>"   # thumbprint of the certificate you imported into Cert:\LocalMachine\My
# Select the RDP-Tcp listener; Win32_TSGeneralSetting can return more than one instance, so filter by name
$path = (Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").__PATH
# SSLCertificateSHA1Hash is a WMI property, so it is written with Set-WmiInstance (Set-ItemProperty only works on providers such as the registry)
Set-WmiInstance -Path $path -Arguments @{SSLCertificateSHA1Hash = $thumb} | Out-Null
Restart-Service -Name TermService -Force
This should ensure the RDP connection is encrypted with a publicly trusted certificate, which should clear that PCI finding.
You're running IIS 8.5, which is part of Windows Server 2012 R2, and that OS version is now out of extended support. Unfortunately, there's no upgrade path for IIS itself, so the only real solution is to deploy a new Azure VM using Windows Server 2019 or 2022 (which include IIS 10.x). Migrate your website content and configuration over and retire the old server. Hopefully that resolves the "obsolete software" finding from the PCI scan.
Regarding the security headers missing on port 443, this usually refers to headers like Strict-Transport-Security, X-Frame-Options, and X-Content-Type-Options. These are essential for securing HTTPS responses. Please open your site in IIS Manager, go to HTTP Response Headers, and add the following:
Name: Strict-Transport-Security
Value: max-age=31536000
Name: X-Content-Type-Options
Value: nosniff
Name: X-Frame-Options
Value: DENY
Alternatively, you can add them via web.config inside your site’s root folder.
The PCI scan mentioned access to https://www.dublinjerky.com/content/files/.
If this directory contains sensitive or unlisted files, then remove directory browsing in IIS for that folder and move any non-public files outside of your web root.
You can even add a web.config with something like this inside:
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="files" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
Check out these documents:
- https://learn.microsoft.com/en-us/lifecycle/announcements/windows-server-2012-r2-end-of-support
- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httpprotocol/customheaders/
- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/directorybrowse
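The IIS changes from the answer (the three response headers, directory browsing off, and the hidden "files" segment) can also be applied in one repeatable script with the WebAdministration module. This is an added example, not code from the original answer; it assumes the site is named "Default Web Site" (set $SiteName to the name shown in IIS Manager) and that it is run in an elevated Windows PowerShell session on the IIS host.

```powershell
# Added example (not from the original answer): applies the IIS fixes discussed above with the
# WebAdministration module instead of clicking through IIS Manager or hand-editing web.config.
# Assumption: the site is called "Default Web Site"; set $SiteName to the name shown in IIS Manager.
# Run in an elevated Windows PowerShell session on the IIS host.
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$SitePath = "IIS:\Sites\$SiteName"

# The three response headers the PCI scan expects on port 443.
$Headers = @{
    'Strict-Transport-Security' = 'max-age=31536000'
    'X-Content-Type-Options'    = 'nosniff'
    'X-Frame-Options'           = 'DENY'
}

$HeaderFilter = 'system.webServer/httpProtocol/customHeaders'
foreach ($name in $Headers.Keys) {
    $value = $Headers[$name]
    if (Get-WebConfiguration -PSPath $SitePath -Filter "$HeaderFilter/add[@name='$name']") {
        # Header already present: update its value in place so re-running never creates duplicates.
        Set-WebConfigurationProperty -PSPath $SitePath -Filter "$HeaderFilter/add[@name='$name']" -Name 'value' -Value $value
    } else {
        Add-WebConfigurationProperty -PSPath $SitePath -Filter $HeaderFilter -Name '.' -Value @{ name = $name; value = $value }
    }
}

# Directory Browsing > Disable, for the whole site.
Set-WebConfigurationProperty -PSPath $SitePath -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -Value $false

# Hide the "files" segment so requests for /content/files/ get a 404 instead of a listing
# (equivalent to the <hiddenSegments> web.config snippet in the answer).
$SegmentFilter = 'system.webServer/security/requestFiltering/hiddenSegments'
if (-not (Get-WebConfiguration -PSPath $SitePath -Filter "$SegmentFilter/add[@segment='files']")) {
    Add-WebConfigurationProperty -PSPath $SitePath -Filter $SegmentFilter -Name '.' -Value @{ segment = 'files' }
}

# Show the resulting header set so it can be confirmed before the PCI scan is re-run.
Get-WebConfiguration -PSPath $SitePath -Filter "$HeaderFilter/add" | Select-Object name, value
```

The cmdlets write into the site's own web.config, so the result is the same file the answer suggests editing by hand. Note that customHeaders are added to every response, including any plain-HTTP binding on port 80; browsers ignore Strict-Transport-Security received over plain HTTP, so that is harmless, but the header only takes effect on the 443 binding.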
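Once the certificate is bound and the IIS changes are in, it helps to re-check each finding yourself before paying for another scan. The script below is an added example, not part of the original answer. It assumes $SiteHost is the public hostname of the site, $RdpHost is the custom DNS name created for RDP (both taken from the question), and that the RDP listener is the default "RDP-Tcp"; the two HTTP checks can run from any machine that can reach the site, but the RDP check reads the local certificate store and must run in elevated Windows PowerShell on the VM.

```powershell
# Added example (not from the original answer): re-checks the PCI findings once the fixes are in place.
# Assumptions: $SiteHost is the site's public hostname, $RdpHost is the custom DNS name created for RDP,
# and the RDP listener is the default "RDP-Tcp". Run in elevated Windows PowerShell on the VM.
$SiteHost = 'www.dublinjerky.com'
$RdpHost  = 'rdp.jemcohosting.com'

function Test-SecurityHeaders {
    param([string]$Url)
    # The headers the answer adds; the scan reports any that are absent from the response.
    $required = 'Strict-Transport-Security', 'X-Content-Type-Options', 'X-Frame-Options'
    $resp     = Invoke-WebRequest -Uri $Url -UseBasicParsing
    $present  = @($resp.Headers.Keys)
    # -notcontains compares case-insensitively, which is what HTTP header matching requires.
    $missing  = @($required | Where-Object { $present -notcontains $_ })
    $detail   = if ($missing) { "Missing: $($missing -join ', ')" } else { 'All present' }
    [pscustomobject]@{ Check = 'Security headers'; Pass = ($missing.Count -eq 0); Detail = $detail }
}

function Test-DirectoryListing {
    param([string]$Url)
    # After the fix the folder should answer 403/404; a 200 carrying IIS's listing markup is a fail.
    try {
        $resp    = Invoke-WebRequest -Uri $Url -UseBasicParsing
        $status  = [int]$resp.StatusCode
        $listing = $resp.Content -match '\[To Parent Directory\]'   # link text on IIS directory-browse pages
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx; read the status from the response when there is one.
        $status  = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
        $listing = $false
    }
    [pscustomobject]@{ Check = 'Directory listing'; Pass = ($status -ne 0 -and -not $listing); Detail = "HTTP $status for $Url" }
}

function Test-RdpCertificate {
    param([string]$ExpectedHost)
    # Read the thumbprint bound to the listener: the same WMI property the answer's script sets.
    $ts    = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $thumb = $ts.SSLCertificateSHA1Hash
    # A purchased certificate lives in "My"; the default self-signed one lives in "Remote Desktop".
    $cert = Get-ChildItem 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    if (-not $cert) {
        return [pscustomobject]@{ Check = 'RDP certificate'; Pass = $false; Detail = "Thumbprint $thumb not found in local stores" }
    }
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $expired    = ($cert.NotAfter -lt (Get-Date))
    # Verify() builds the chain against the machine's trusted roots (false for self-signed, expired or untrusted certs).
    $trusted    = $cert.Verify()
    # The name clients connect to must appear in the certificate's DNS names or the scan reports a mismatch.
    $nameOk     = @($cert.DnsNameList | ForEach-Object { $_.Unicode }) -contains $ExpectedHost
    $detail     = "Subject=$($cert.Subject); Issuer=$($cert.Issuer); NotAfter=$($cert.NotAfter.ToString('yyyy-MM-dd')); Trusted=$trusted; NameMatch=$nameOk"
    [pscustomobject]@{
        Check  = 'RDP certificate'
        Pass   = ($trusted -and $nameOk -and -not $selfSigned -and -not $expired)
        Detail = $detail
    }
}

$results = @(
    Test-SecurityHeaders  -Url "https://$SiteHost/"
    Test-DirectoryListing -Url "https://$SiteHost/content/files/"
    Test-RdpCertificate   -ExpectedHost $RdpHost
)
$results | Format-Table Check, Pass, Detail -AutoSize
```

A Pass of False on the RDP row with Trusted=False but a valid purchase date usually means the intermediate CA certificate was not imported alongside the server certificate; the scan sees the same broken chain, so fix that before re-scanning.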