Remotely Detect Windows Server Service Pack Level

Tags: pci-dss, vulnerabilities, windows-server-2003

One of our web servers just failed PCI-DSS compliance because the vulnerability scan detected the OS was Windows Server 2003 Service Pack 1 (obviously very outdated!).

My question is how did the vuln scan detect this as I can't seem to find a way to source the same information without having AD access to that box (it's on a service providers network). Even with nmap, it only provides guesses to the OS version:

Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (99%)

So how do I verify this before sending a very, very angry email to our provider? If this is accurate, then I'd say this is negligence and my email tone to them won't be very good.

I have no login access to this box.

Best Answer

That Aggressive OS guesses line is based on what nmap (or an nmap-like scanner) was able to match against its fingerprint database. While it claims that it is "99%" confident, that claim means it's confident based on what it knows about other OSes' fingerprints. It is possible that Win2k3 SP3 and higher have identical fingerprints because those hotfixes did not touch the tcp/ip or udp/ip stack or the server signature in any way.

The only sure way to know if a server is vulnerable to all the claimed CVEs is to actually try to exploit them. But doing that will probably get you into hot water :)

Since you also don't have direct access to the server itself, your best bet is to request (or even demand) that they provide you with a list of all installed hotfixes on the server. It can be easily accomplished with the C:\>wmic qfe list command.
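The data the answer asks the provider for (service pack string plus installed hotfixes) comes from two WMI classes, and the same query can be run from an admin workstation against the box once someone with rights is willing to run it. The script below is an added example and is not part of the original answer; it assumes WMI/DCOM reachability to the target and an account with local admin rights there, and the $ComputerName and $RequiredKBs parameters are hypothetical placeholders (the page names no specific KB numbers).

```powershell
# Added example, not from the original post. Assumes WMI/DCOM access to the target
# with admin rights. $ComputerName and $RequiredKBs are placeholders.
param(
    [string]$ComputerName = 'localhost',
    [string[]]$RequiredKBs = @()   # hypothetical list, e.g. the KB ids the PCI scanner flagged
)

# Win32_OperatingSystem.CSDVersion holds the service pack string ("Service Pack 2"),
# which the TCP/IP stack fingerprint used by nmap -O cannot tell apart from SP1.
$os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
"{0} {1} (build {2})" -f $os.Caption, $os.CSDVersion, $os.BuildNumber

# Win32_QuickFixEngineering is the same data 'wmic qfe list' prints:
# every installed hotfix with its KB id, description and install date.
$hotfixes = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $ComputerName |
    Sort-Object InstalledOn
$hotfixes | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize

# Compare the installed set against the hotfixes the scanner says are required.
$installed = $hotfixes | ForEach-Object { $_.HotFixID }
$missing   = $RequiredKBs | Where-Object { $installed -notcontains $_ }
if ($missing) {
    "Missing hotfixes on {0}: {1}" -f $ComputerName, ($missing -join ', ')
} else {
    "All required hotfixes present on $ComputerName"
}
```

Run as .\Check-ServicePack.ps1 -ComputerName webserver01 -RequiredKBs KB000000,KB000001 (placeholder ids). The one-liner equivalents the provider can paste into cmd.exe are wmic os get Caption,CSDVersion for the service pack level and wmic /node:webserver01 qfe list to pull the hotfix list remotely; either output, sent back verbatim, settles the SP1-versus-SP2 question that the fingerprint guess leaves open.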