Guide to System Hardening | PCI DSS Compliance

A Guide to System Hardening:

The topic will address suggested system settings for complying with the PCI DSS v2.0 for a Microsoft Windows Server 2008 with a Domain Controller role. Take note that the following guideline is only a start for hardening the in-scope server.

Ultimately, all services, ports, protocols, daemons, etc that are not specifically required for the functioning of the server should be disabled.

The following PCI DSS requirements are mapped:

Requirement 2: Do not use vendor-supplied Defaults for System Passwords and other Security Parameters.

2.1 Change Vendor-supplied defaults.

2.1.0 Change non-wireless Vendor defaults

Accounts: Guest account status: Disabled
Built-in Guest account renamed
Built-in Administrator account renamed

2.2 Develop configuration standards for all system components.

2.2.2 Disable unnecessary services and protocols

Telnet service: Disabled
FTP Publising service: Disabled
other unnecessary services (8 specific items)*

2.2.3 System Security configuration

Configure IPSec exemptions for various types of network traffic
Digitally encrypt secure channel Data: Enabled
Disable Remote Desktop sharing: Enabled
Do Not Allow Clipboard redirection: Enabled
other system security configuration (66 specific items)*

2.2.4 Remove all unnecessary functionality

Allow Floppy copy and access to all drives and folders in the recovery console: Disabled
Allow Auto Administrative Logon: Disabled
Everyone permissions applied to anonymous users: Disabled
Disable machine account password changes: Disabled
other unnecessary functionality (88 specific items)*

2.3 Encrypt non-console administrative access.

Digitally sign sever communications: Enabled
MS Client to Digitally sign communications: Enabled
Digitally sign secure channel data: Enabled
Encrypting or signing of secure channel traffic

Requirement 3: Protect Stored Cardholder Data

3.5 Protect encryption keys.

3.5.2 Storage

Force strong key protection: User must enter a password each time they use a key.

Requirement 4: Encrypt transmission of Cardholder data across open, public networks.

4.1 Use strong cryptography and security protocols

4.1.0 Using strong cryptography and security protocols over non-wireless

LAN manager authentication level: NTLMv2, refuse LM and NTLM
LDAP signing requirements (Domain Controller)
LDAP client signing: Negotiate Signing
other settings (8 specific items)*

Requirement 6: Develop and maintain secure systems and applications.

6.1 Up-to-date security patches

Configure Automatic Updates: Enabled: 3 – Auto Download and Notify for install
Do not display ‘Install Updates and Shut Down’ option in shut down windows dialog box: Disabled
Reschedule Automatic updates scheduled installations: Enabled
Service Pack for Windows Server 2008 is greater than or equal to 2 (RTM/R2 with latest security patches)

Requirement 7: Restrict access to Cardholder data by business need to know.

7.1 Access restrictions

7.1.1 Enforce Least Privilege

Allow Anonymous SID/Name Translation: Disabled
Check for use of NTFS partition
Do not allow anonymous enumeration of SAM accounts: Enabled
other settings (33 specific items)*

7.1.2 Role-based privilege Assignment

Allowed to Format and eject removable media: Administrators
Deny access to this computer from the Network: Guests
Deny Log on Locally: Guests
Logon Locally: Administrators
other settings (34 specific items)*

7.2 Access Control System

7.2.3 Default ‘deny-all’ setting

Act as Part of the Operating System: No One
Log on as a Batch Job: No One
Debug Programs: No One
other settings (10 specific items)*

Requirement 8: Assign a Unique ID to each person with computer access.

8.2 Authentication Method

Always Use classic Logon: Enabled
CAC Logon required
Do not require CTRL+ALT+DEL: Disabled
other settings (7 specific items)*

8.4 Passwords rendered Unreadable for Transmission and Storage

Do not store Credentials or .NET passports: Enabled
Do not store Lan Manager Password Hash: Enabled
Password reversible encryption: Disabled
Send Unencrypted password to connect to SMB: Disabled

8.5 Credential Management

8.5.9 Password Aging

Maximum password Age is greater than 0 and less than or equal to 90

8.5.10 Password Length

Minimum password length is greater than or equal to 7

8.5.11 Password Complexity

Password complexity: Enabled

8.5.12 Password History

Password History memory is greater than or equal to 4

8.5.13 Account Lockout threshold

Account Lockout Threshold is less than or equal to 6

8.5.14 Account Lockout duration

Account Lockout Duration is greater or equal to 30 or equal to 0

8.5.15 Idle Session Timeout threshold

Disconnect Idle session is less than or equal to 15 minutes

Requirement 10: Track and monitor all access to network resources and Cardholder data.

10.2 Audit Trail automation

10.2.0 Enable Audit

Logoff: Success
Logon: Success and Failure
other settings (4 specific items)*

10.2.1 Individual Access

Logoff: Success
Logon: Success and Failure
Special Logon: Success

10.2.2 Privileged User Action

Audit policy change: Success and Failure
Authentication policy change: Success
other settings (12 specific items)*

10.2.4 Invalid Access Attempts

Logon: Success and Failure

10.2.5 Identification and Authentication Mechanisms

Credential validation: Success and Failure
Authentication policy change: Success

10.2.6 Audit Log Initialization

Application Log Size: Greater than or Equal to 32 MB
Security Event Log Size: Greater than or Equal to 80 MB
other settings (5 specific items)*

10.2.7 Object Creation and Deletion

Directory Service Access: Success and Failure
Directory Service Changes: Success and Failure
other settings (9 specific items)*

10.4 Time Synchronization

10.4.1 Correct System Time

Configure Windows NTP client

10.4.2 Protection of Time Data

Change the Time Zone
Change the System Time (Domain Controllers): Administrators, LOCAL SERVICE (Server Operators: Optional)

10.5 Secure Audit Trails

10.5.2 Audit Trail modification protection

Verify permissions on Application.evtx
other settings (3 specific items)*

10.7 Audit Trail Retention

Application Log size: Greater than or Equal to 32 MB
Security Event Log Size: Greater than or Equal to 80 MB
other settings (5 specific items)*

Requirement 12: Maintain a policy that addresses Information Security for all personnel.

12.3 Develop Technology usage policies

12.3.8 Automatic Session Disconnect

Disconnect Idle Session is less than or equal to 15 minutes
Terminal Services – Set time limit for Disconnected sessions
Terminal Services – Set time limit for Idle sessions

Here is a good reference for PCI DSS recommended hardening guide:

*Halock Security Labs has experts on hand that can help your organization develop a strategy to deploy a ‘Microsoft Windows Server 2008 Domain Controller‘ in a secure, compliant, and cost-effective manner. Please feel free to reach out to us today with any questions that you may have.

Oscar Bravo Jr.
CISSP, CISA, CCDP, CCNP, CCSE, CCSE, MCSE, MCITP, RSASE

PCI DSS Requirements

PCI DSS Requirement 5.4.1: Anti-spoofing controls such as DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, Sender Policy Framework (SPF), and Domain Keys Identified Mail (DKIM) can help stop phishers from spoofing the entity’s domain and impersonating personnel.

Clarification on eCommerce Outsourcing PCI DSS requirements 6.4.3 and 11.6.1

Unpacking the New PCI DSS Password Standards

Is Your Organization Prepared for PCI DSS Automation – Requirement 10.4.1.1?

What is the PCI DSS v4 Authenticated Scanning Mandate – Requirement 11.3.1.2?

What is the PCI DSS v4.0.1 Requirement for PoLP – Requirement 7.2.5?

PCI SSC Updates SAQ A: Removal of Key eCommerce Security and New Eligibility Criteria – Requirements 6.4.3, 11.6.1, 12.3.1

The New PCI DSS v4.0.1 Software Catalog Mandate – Requirement 6.3.2

How PCI DSS 4.0.1 Tackles Service Account Vulnerabilities – Requirements 8.6.1, 7.2.5.1, 8.6.2, 8.6.3, 10.2.1.2

Are You Keeping an Inventory of Cipher Suites and Certificates for the New PCI DSS – Requirements 12.3.3, 4.2.1.1?

How to Analyze An Attestation of Compliance (AOC)

PCI Compliance New Requirements and Targeted Risk Analysis (TRA)