We all know Windows Active Directory is a great solution to centrally manage users and computers.
But how do you manage devices that sit behind a network firewall? Active Directory can still be the solution but firewall rules have to be locked down to limit the necessary ports.
PCI Requirement 1.2.1 states: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
Well, how do you lock down RPC traffic (TCP 1024-65535) that which is necessary for domain replication?
Microsoft has published an article showing how you can restrict RPC traffic to a single port:
http://support.microsoft.com/kb/224196
PCI compliance does not have to hinder business operations…with a bit of research, systems and security administrators can both win!