PCI DSS Compliance – System Hardening – Microsoft Windows Server 2008 Domain Controller

July 2, 2012

A Guide to System Hardening:

The topic will address suggested system settings for complying with the PCI DSS v2.0 for a Microsoft Windows Server 2008 with a Domain Controller role. Take note that the following guideline is only a start for hardening the in-scope server.  Ultimately, all services, ports, protocols, daemons, etc that are not specifically required for the functioning of the server should be disabled.

The following PCI DSS requirements are mapped:

Requirement 2: Do not use vendor-supplied Defaults for System Passwords and other Security Parameters.

2.1 Change Vendor-supplied defaults.

2.1.0 Change non-wireless Vendor defaults

  • Accounts: Guest account status: Disabled
  • Built-in Guest account renamed
  • Built-in Administrator account renamed

2.2 Develop configuration standards for all system components.

2.2.2 Disable unnecessary services and protocols

  • Telnet service: Disabled
  • FTP Publising service: Disabled
  • other unnecessary services (8 specific items)*

2.2.3 System Security configuration

  • Configure IPSec exemptions for various types of network traffic
  • Digitally encrypt secure channel Data: Enabled
  • Disable Remote Desktop sharing: Enabled
  • Do Not Allow Clipboard redirection: Enabled
  • other system security configuration (66 specific items)*

2.2.4 Remove all unnecessary functionality

  • Allow Floppy copy and access to all drives and folders in the recovery console: Disabled
  • Allow Auto Administrative Logon: Disabled
  • Everyone permissions applied to anonymous users: Disabled
  • Disable machine account password changes: Disabled
  • other unnecessary functionality (88 specific items)*

2.3 Encrypt non-console administrative access.

  • Digitally sign sever communications: Enabled
  • MS Client to Digitally sign communications: Enabled
  • Digitally sign secure channel data: Enabled
  • Encrypting or signing of secure channel traffic

 

Requirement 3: Protect Stored Cardholder Data

3.5 Protect encryption keys.

3.5.2 Storage

  • Force strong key protection: User must enter a password each time they use a key.

Requirement 4: Encrypt transmission of Cardholder data across open, public networks.

4.1 Use strong cryptography and security protocols

4.1.0 Using strong cryptography and security protocols over non-wireless

  • LAN manager authentication level: NTLMv2, refuse LM and NTLM
  • LDAP signing requirements (Domain Controller)
  • LDAP client signing: Negotiate Signing
  • other settings (8 specific items)*

Requirement 6: Develop and maintain secure systems and applications.

6.1 Up-to-date security patches

  • Configure Automatic Updates: Enabled: 3 – Auto Download and Notify for install
  • Do not display ‘Install Updates and Shut Down’ option in shut down windows dialog box: Disabled
  • Reschedule Automatic updates scheduled installations: Enabled
  • Service Pack for Windows Server 2008 is greater than or equal to 2 (RTM/R2 with latest security patches)

Requirement 7: Restrict access to Cardholder data by business need to know.

7.1 Access restrictions

7.1.1 Enforce Least Privilege

  • Allow Anonymous SID/Name Translation: Disabled
  • Check for use of NTFS partition
  • Do not allow anonymous enumeration of SAM accounts: Enabled
  • other settings (33 specific items)*

7.1.2 Role-based privilege Assignment

  • Allowed to Format and eject removable media: Administrators
  • Deny access to this computer from the Network: Guests
  • Deny Log on Locally: Guests
  • Logon Locally: Administrators
  • other settings (34 specific items)*

7.2 Access Control System

7.2.3 Default ‘deny-all’ setting

  • Act as Part of the Operating System: No One
  • Log on as a Batch Job: No One
  • Debug Programs: No One
  • other settings (10 specific items)*

Requirement 8: Assign a Unique ID to each person with computer access.

8.2 Authentication Method

  • Always Use classic Logon: Enabled
  • CAC Logon required
  • Do not require CTRL+ALT+DEL: Disabled
  • other settings (7 specific items)*

8.4 Passwords rendered Unreadable for Transmission and Storage

  • Do not store Credentials or .NET passports: Enabled
  • Do not store Lan Manager Password Hash: Enabled
  • Password reversible encryption: Disabled
  • Send Unencrypted password to connect to SMB: Disabled

8.5 Credential Management

8.5.9 Password Aging

  • Maximum password Age is greater than 0 and less than or equal to 90

8.5.10 Password Length

  • Minimum password length is greater than or equal to 7

8.5.11 Password Complexity

  • Password complexity: Enabled

8.5.12 Password History

  • Password History memory is greater than or equal to 4

8.5.13 Account Lockout threshold

  • Account Lockout Threshold is less than or equal to 6

8.5.14 Account Lockout duration

  • Account Lockout Duration is greater or equal to 30 or equal to 0

8.5.15 Idle Session Timeout threshold

  • Disconnect Idle session is less than or equal to 15 minutes

Requirement 10: Track and monitor all access to network resources and Cardholder data.

10.2 Audit Trail automation

10.2.0 Enable Audit

  • Logoff: Success
  • Logon: Success and Failure
  • other settings (4 specific items)*

10.2.1 Individual Access

  • Logoff: Success
  • Logon: Success and Failure
  • Special Logon: Success

10.2.2 Privileged User Action

  • Audit policy change: Success and Failure
  • Authentication policy change: Success
  • other settings (12 specific items)*

10.2.4 Invalid Access Attempts

  • Logon: Success and Failure

10.2.5 Identification and Authentication Mechanisms

  • Credential validation: Success and Failure
  • Authentication policy change: Success

10.2.6 Audit Log Initialization

  • Application Log Size: Greater than or Equal to 32 MB
  • Security Event Log Size: Greater than or Equal to 80 MB
  • other settings (5 specific items)*

10.2.7 Object Creation and Deletion

  • Directory Service Access: Success and Failure
  • Directory Service Changes: Success and Failure
  • other settings (9 specific items)*

10.4 Time Synchronization

10.4.1 Correct System Time

  • Configure Windows NTP client

10.4.2 Protection of Time Data

  • Change the Time Zone
  • Change the System Time (Domain Controllers): Administrators, LOCAL SERVICE (Server Operators: Optional)

10.5 Secure Audit Trails

10.5.2 Audit Trail modification protection

  • Verify permissions on Application.evtx
  • other settings (3 specific items)*

10.7 Audit Trail Retention

  • Application Log size: Greater than or Equal to 32 MB
  • Security Event Log Size: Greater than or Equal to 80 MB
  • other settings (5 specific items)*

Requirement 12: Maintain a policy that addresses Information Security for all personnel.

12.3 Develop Technology usage policies

12.3.8 Automatic Session Disconnect

  • Disconnect Idle Session is less than or equal to 15 minutes
  • Terminal Services – Set time limit for Disconnected sessions
  • Terminal Services – Set time limit for Idle sessions

Here is a good reference for PCI DSS recommended hardening guide:

 

*Halock Security Labs has experts on hand that can help your organization develop a strategy to deploy a ‘Microsoft Windows Server 2008 Domain Controller‘ in a secure, compliant, and cost-effective manner.  Please feel free to reach out to us today with any questions that you may have.

 

Oscar Bravo Jr. 
CISSP, CISA, CCDP, CCNP, CCSE, CCSE, MCSE, MCITP, RSASE

Leave a Reply

Your email address will not be published. Required fields are marked *