
A Guide to System Hardening:
This post lists suggested system settings for complying with PCI DSS v2.0 on a Microsoft Windows Server 2008 host in the Domain Controller role. Note that the following guideline is only a starting point for hardening the in-scope server. Ultimately, all services, ports, protocols, daemons, etc. that are not specifically required for the server to function should be disabled.
The following PCI DSS requirements are mapped:
Requirement 2: Do not use vendor-supplied Defaults for System Passwords and other Security Parameters.
2.1 Change Vendor-supplied defaults.
2.1.0 Change non-wireless Vendor defaults
- Accounts: Guest account status: Disabled
- Built-in Guest account renamed
- Built-in Administrator account renamed
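As an added example (not code from the original article), the following PowerShell checks the three 2.1 items on a domain controller. It assumes the ActiveDirectory module is available (shipped with Windows Server 2008 R2; installable via RSAT on 2008 RTM) and locates the built-in accounts by their well-known RIDs 500 and 501, since the account names are exactly what this control changes. The replacement names 'DomainOps' and 'Visitor' are placeholders.

```powershell
# Added example, not part of the original article.
# Assumes the ActiveDirectory PowerShell module is installed on the DC.
Import-Module ActiveDirectory

function Get-PciAccountFindings {
    $domainSid = (Get-ADDomain).DomainSID.Value
    # The built-in Administrator and Guest keep RIDs 500 and 501 whatever they are named,
    # so look them up by SID rather than by the (possibly renamed) account name.
    $admin = Get-ADUser -Identity "$domainSid-500"
    $guest = Get-ADUser -Identity "$domainSid-501"

    $findings = @()
    if ($admin.SamAccountName -eq 'Administrator') {
        $findings += '2.1: built-in Administrator (RID 500) still uses the vendor default name'
    }
    if ($guest.SamAccountName -eq 'Guest') {
        $findings += '2.1: built-in Guest (RID 501) still uses the vendor default name'
    }
    if ($guest.Enabled) {
        $findings += "2.1: built-in Guest account '$($guest.SamAccountName)' is enabled"
    }
    return $findings
}

$findings = @(Get-PciAccountFindings)
if ($findings.Count -eq 0) {
    Write-Output 'PCI DSS 2.1 account checks: PASS'
} else {
    $findings | ForEach-Object { Write-Output "FAIL $_" }
}

# Remediation, shown with -WhatIf so the script is read-only by default; remove -WhatIf to apply.
# 'DomainOps' and 'Visitor' are placeholder names; pick names that do not advertise the role.
$domainSid = (Get-ADDomain).DomainSID.Value
Set-ADUser -Identity "$domainSid-500" -SamAccountName 'DomainOps' -WhatIf
Set-ADUser -Identity "$domainSid-501" -SamAccountName 'Visitor'   -WhatIf
Disable-ADAccount -Identity "$domainSid-501" -WhatIf
```

Renaming is a weak control on its own: anyone who can query the directory can still find the administrator account by its RID, as this script does. The settings that actually reduce exposure are the disabled Guest account and a strong, unique password on the RID 500 account.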
2.2 Develop configuration standards for all system components.
2.2.2 Disable unnecessary services and protocols
- Telnet service: Disabled
- FTP Publishing service: Disabled
- other unnecessary services (8 specific items)*
2.2.3 System Security configuration
- Configure IPSec exemptions for various types of network traffic
- Digitally encrypt secure channel Data: Enabled
- Disable Remote Desktop sharing: Enabled
- Do Not Allow Clipboard redirection: Enabled
- other system security configuration (66 specific items)*
2.2.4 Remove all unnecessary functionality
- Allow Floppy copy and access to all drives and folders in the recovery console: Disabled
- Allow Auto Administrative Logon: Disabled
- Everyone permissions applied to anonymous users: Disabled
- Disable machine account password changes: Disabled
- other unnecessary functionality (88 specific items)*
2.3 Encrypt non-console administrative access.
- Microsoft network server: Digitally sign communications: Enabled
- Microsoft network client: Digitally sign communications: Enabled
- Digitally sign secure channel data: Enabled
- Encrypting or signing of secure channel traffic
Requirement 3: Protect Stored Cardholder Data
3.5 Protect encryption keys.
3.5.2 Storage
- Force strong key protection: User must enter a password each time they use a key.
Requirement 4: Encrypt transmission of Cardholder data across open, public networks.
4.1 Use strong cryptography and security protocols
4.1.0 Using strong cryptography and security protocols over non-wireless
- LAN manager authentication level: NTLMv2, refuse LM and NTLM
- LDAP signing requirements (Domain Controller)
- LDAP client signing: Negotiate Signing
- other settings (8 specific items)*
Requirement 6: Develop and maintain secure systems and applications.
6.1 Up-to-date security patches
- Configure Automatic Updates: Enabled: 3 – Auto Download and Notify for install
- Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box: Disabled
- Reschedule Automatic updates scheduled installations: Enabled
- Service Pack for Windows Server 2008 is greater than or equal to 2 (RTM/R2 with latest security patches)
Requirement 7: Restrict access to Cardholder data by business need to know.
7.1 Access restrictions
7.1.1 Enforce Least Privilege
- Allow Anonymous SID/Name Translation: Disabled
- Check for use of NTFS partition
- Do not allow anonymous enumeration of SAM accounts: Enabled
- other settings (33 specific items)*
7.1.2 Role-based privilege Assignment
- Allowed to Format and eject removable media: Administrators
- Deny access to this computer from the Network: Guests
- Deny Log on Locally: Guests
- Logon Locally: Administrators
- other settings (34 specific items)*
7.2 Access Control System
7.2.3 Default ‘deny-all’ setting
- Act as Part of the Operating System: No One
- Log on as a Batch Job: No One
- Debug Programs: No One
- other settings (10 specific items)*
Requirement 8: Assign a Unique ID to each person with computer access.
8.2 Authentication Method
- Always Use classic Logon: Enabled
- CAC Logon required
- Do not require CTRL+ALT+DEL: Disabled
- other settings (7 specific items)*
8.4 Passwords rendered Unreadable for Transmission and Storage
- Do not store Credentials or .NET passports: Enabled
- Do not store Lan Manager Password Hash: Enabled
- Password reversible encryption: Disabled
- Send Unencrypted password to connect to SMB: Disabled
8.5 Credential Management
8.5.9 Password Aging
- Maximum password age is greater than 0 and less than or equal to 90 days (0 means passwords never expire and does not meet the requirement)
8.5.10 Password Length
- Minimum password length is greater than or equal to 7 characters
8.5.11 Password Complexity
- Password must meet complexity requirements: Enabled
8.5.12 Password History
- Enforce password history is greater than or equal to 4 passwords remembered
8.5.13 Account Lockout Threshold
- Account lockout threshold is greater than 0 and less than or equal to 6 invalid logon attempts (0 disables lockout entirely)
8.5.14 Account Lockout Duration
- Account lockout duration is greater than or equal to 30 minutes, or 0 (the account stays locked until an administrator unlocks it)
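As an added example (not code from the original article), the following PowerShell reads the default domain password policy and tests each value against the 8.5.9 through 8.5.14 thresholds above, plus the reversible-encryption setting from 8.4. It assumes the ActiveDirectory module. It also walks any fine-grained password policies, because on Windows Server 2008 a PSO silently overrides the domain default for the users it applies to.

```powershell
# Added example, not part of the original article. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-PciPasswordPolicy {
    param($Policy = (Get-ADDefaultDomainPasswordPolicy))
    $maxAgeDays = $Policy.MaxPasswordAge.TotalDays       # 0 means passwords never expire
    $lockoutMin = $Policy.LockoutDuration.TotalMinutes   # 0 means locked until an administrator unlocks
    $checks = @(
        @{Req='8.5.9';  Setting='Maximum password age (days)'; Required='1-90'
          Actual=$maxAgeDays; Pass=($maxAgeDays -gt 0 -and $maxAgeDays -le 90)},
        @{Req='8.5.10'; Setting='Minimum password length'; Required='>= 7'
          Actual=$Policy.MinPasswordLength; Pass=($Policy.MinPasswordLength -ge 7)},
        @{Req='8.5.11'; Setting='Password complexity'; Required='Enabled'
          Actual=$Policy.ComplexityEnabled; Pass=[bool]$Policy.ComplexityEnabled},
        @{Req='8.5.12'; Setting='Enforce password history'; Required='>= 4'
          Actual=$Policy.PasswordHistoryCount; Pass=($Policy.PasswordHistoryCount -ge 4)},
        @{Req='8.5.13'; Setting='Account lockout threshold'; Required='1-6'
          Actual=$Policy.LockoutThreshold
          Pass=($Policy.LockoutThreshold -ge 1 -and $Policy.LockoutThreshold -le 6)},
        @{Req='8.5.14'; Setting='Account lockout duration (minutes)'; Required='>= 30 or 0'
          Actual=$lockoutMin; Pass=($lockoutMin -ge 30 -or $lockoutMin -eq 0)},
        @{Req='8.4';    Setting='Store passwords using reversible encryption'; Required='Disabled'
          Actual=$Policy.ReversibleEncryptionEnabled; Pass=(-not $Policy.ReversibleEncryptionEnabled)}
    )
    foreach ($c in $checks) {
        New-Object PSObject -Property @{
            Req = $c.Req; Setting = $c.Setting; Required = $c.Required; Actual = $c.Actual
            Status = $(if ($c.Pass) { 'PASS' } else { 'FAIL' })
        }
    }
}

Test-PciPasswordPolicy | Format-Table -Property Req, Status, Required, Actual, Setting -AutoSize

# Fine-grained password policies override the domain default for the principals they
# apply to, so every PSO has to meet the same thresholds. Only failures are printed here.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    Write-Output "--- PSO $($_.Name) (precedence $($_.Precedence)) ---"
    Test-PciPasswordPolicy -Policy $_ | Where-Object { $_.Status -eq 'FAIL' } |
        Format-Table -Property Req, Required, Actual, Setting -AutoSize
}
```

A lockout threshold of 0 satisfies "less than or equal to 6" literally but disables lockout, which is why the 8.5.13 test also requires a value of at least 1.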
8.5.15 Idle Session Timeout threshold
- Disconnect idle session (Microsoft network server: Amount of idle time required before suspending session) is less than or equal to 15 minutes
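Most of the settings listed under 2.2.4, 2.3, 4.1, 7.1.1, 8.4 and 8.5.15 are security options that Group Policy ultimately writes as registry values, so they can be audited directly on the host. The following PowerShell is an added example (not code from the original article) that does so for the named items; the table of registry paths is from the standard Windows security-options mapping, and the "Require signing" target for the LDAP server setting is an assumption, since the list above names the policy without a value.

```powershell
# Added example, not part of the original article. Run in an elevated PowerShell on the DC.
# Each entry maps a PCI section and policy name to the registry value Group Policy writes.
$checks = @(
    @{Req='2.2.4'; Policy='Allow Auto Administrative Logon: Disabled'
      Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='AutoAdminLogon'; Expected='0'},
    @{Req='2.2.4'; Policy='Everyone permissions apply to anonymous users: Disabled'
      Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='EveryoneIncludesAnonymous'; Expected=0},
    @{Req='2.2.4'; Policy='Disable machine account password changes: Disabled'
      Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name='DisablePasswordChange'; Expected=0},
    @{Req='2.3'; Policy='Microsoft network server: Digitally sign communications (always): Enabled'
      Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name='RequireSecuritySignature'; Expected=1},
    @{Req='2.3'; Policy='Microsoft network client: Digitally sign communications (always): Enabled'
      Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name='RequireSecuritySignature'; Expected=1},
    @{Req='2.3'; Policy='Domain member: Digitally encrypt or sign secure channel data (always): Enabled'
      Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name='RequireSignOrSeal'; Expected=1},
    @{Req='2.3'; Policy='Domain member: Digitally encrypt secure channel data (when possible): Enabled'
      Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name='SealSecureChannel'; Expected=1},
    @{Req='2.3'; Policy='Domain member: Digitally sign secure channel data (when possible): Enabled'
      Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name='SignSecureChannel'; Expected=1},
    @{Req='4.1'; Policy='LAN Manager authentication level: Send NTLMv2 response only, refuse LM & NTLM'
      Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='LmCompatibilityLevel'; Expected=5},
    @{Req='4.1'; Policy='Domain controller: LDAP server signing requirements: Require signing (assumed target)'
      Path='HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Name='LDAPServerIntegrity'; Expected=2},
    @{Req='4.1'; Policy='Network security: LDAP client signing requirements: Negotiate signing'
      Path='HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'; Name='LDAPClientIntegrity'; Expected=1},
    @{Req='7.1.1'; Policy='Do not allow anonymous enumeration of SAM accounts: Enabled'
      Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='RestrictAnonymousSAM'; Expected=1},
    @{Req='8.4'; Policy='Do not allow storage of credentials or .NET Passports: Enabled'
      Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='DisableDomainCreds'; Expected=1},
    @{Req='8.4'; Policy='Do not store LAN Manager hash value on next password change: Enabled'
      Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='NoLMHash'; Expected=1},
    @{Req='8.4'; Policy='Send unencrypted password to third-party SMB servers: Disabled'
      Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name='EnablePlainTextPassword'; Expected=0},
    @{Req='8.5.15'; Policy='Amount of idle time required before suspending session: <= 15 minutes'
      Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name='AutoDisconnect'; Expected=15; Compare='le'}
)

function Test-PciRegistryValue {
    param([hashtable]$Check)
    $actual = $null
    if (Test-Path -Path $Check.Path) {
        $props = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($props -ne $null) { $actual = $props.($Check.Name) }
    }
    if ($actual -eq $null) {
        # Value not set: the OS default applies, which for these settings is usually the weaker one.
        $status = 'MISSING'
    } elseif ($Check.Compare -eq 'le') {
        # AutoDisconnect 0xFFFFFFFF ("never") reads back as -1 and must fail.
        $status = if ([int]$actual -ge 0 -and [int]$actual -le [int]$Check.Expected) { 'PASS' } else { 'FAIL' }
    } elseif ("$actual" -eq "$($Check.Expected)") {
        $status = 'PASS'     # string compare, because AutoAdminLogon is REG_SZ rather than DWORD
    } else {
        $status = 'FAIL'
    }
    New-Object PSObject -Property @{
        Req = $Check.Req; Status = $status; Expected = $Check.Expected; Actual = $actual; Policy = $Check.Policy
    }
}

$results = $checks | ForEach-Object { Test-PciRegistryValue -Check $_ }
$results | Format-Table -Property Req, Status, Expected, Actual, Policy -AutoSize
```

Treat MISSING the same as FAIL when reviewing the output: an absent value means the policy was never applied, and the built-in default for most of these settings is the permissive one.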
Requirement 10: Track and monitor all access to network resources and Cardholder data.
10.2 Audit Trail automation
10.2.0 Enable Audit
- Logoff: Success
- Logon: Success and Failure
- other settings (4 specific items)*
10.2.1 Individual Access
- Logoff: Success
- Logon: Success and Failure
- Special Logon: Success
10.2.2 Privileged User Action
- Audit policy change: Success and Failure
- Authentication policy change: Success
- other settings (12 specific items)*
10.2.4 Invalid Access Attempts
- Logon: Success and Failure
10.2.5 Identification and Authentication Mechanisms
- Credential validation: Success and Failure
- Authentication policy change: Success
10.2.6 Audit Log Initialization
- Application Log Size: Greater than or Equal to 32 MB
- Security Event Log Size: Greater than or Equal to 80 MB
- other settings (5 specific items)*
10.2.7 Object Creation and Deletion
- Directory Service Access: Success and Failure
- Directory Service Changes: Success and Failure
- other settings (9 specific items)*
10.4 Time Synchronization
10.4.1 Correct System Time
- Configure Windows NTP client
10.4.2 Protection of Time Data
- Change the Time Zone
- Change the System Time (Domain Controllers): Administrators, LOCAL SERVICE (Server Operators: Optional)
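As an added example (not code from the original article), the following PowerShell configures the Windows Time client for 10.4.1 and reports who holds the time-related user rights for 10.4.2. It assumes the ActiveDirectory module, and the NTP peer list is a placeholder to be replaced with the time sources approved for the cardholder environment. Only the PDC emulator should synchronise from external sources; every other domain controller should follow the domain hierarchy.

```powershell
# Added example, not part of the original article. Run elevated on the domain controller.
# The peer list is a placeholder; substitute the organisation's approved NTP servers.
Import-Module ActiveDirectory
$peers = '0.pool.ntp.org 1.pool.ntp.org'

$cs   = Get-WmiObject -Class Win32_ComputerSystem
$fqdn = "$($cs.Name).$($cs.Domain)"
$pdc  = (Get-ADDomain).PDCEmulator

# 10.4.1: the PDC emulator is the domain's reliable time source; other DCs use the domain hierarchy.
if ($fqdn -ieq $pdc) {
    w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
} else {
    w32tm /config /syncfromflags:domhier /update
}
Restart-Service W32Time
w32tm /resync
w32tm /query /status     # Source, Stratum and Last Successful Sync Time
w32tm /query /peers

# 10.4.2: list the principals holding 'Change the system time' and 'Change the time zone'.
function Get-TimeRightHolders {
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    # Administrators, LOCAL SERVICE and (optionally) Server Operators, as listed above.
    $allowedTime = @('*S-1-5-32-544', '*S-1-5-19', '*S-1-5-32-549')
    foreach ($right in 'SeSystemtimePrivilege', 'SeTimeZonePrivilege') {
        $match = Select-String -Path $inf -Pattern ('^' + $right + '\s*=\s*(.*)$') | Select-Object -First 1
        $holders = @()
        if ($match) {
            $holders = @($match.Matches[0].Groups[1].Value -split ',' | ForEach-Object { $_.Trim() })
        }
        $extra = @($holders | Where-Object { $allowedTime -notcontains $_ })
        New-Object PSObject -Property @{
            Right   = $right
            Holders = ($holders -join ', ')
            Status  = $(if ($right -eq 'SeSystemtimePrivilege' -and $extra.Count -gt 0) { 'REVIEW' } else { 'OK' })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
}
Get-TimeRightHolders | Format-Table -Property Right, Status, Holders -AutoSize
```

The secedit export lists rights by SID, so the output shows *S-1-5-32-544 for Administrators and *S-1-5-19 for LOCAL SERVICE; any other SID on SeSystemtimePrivilege is flagged for review.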
10.5 Secure Audit Trails
10.5.2 Audit Trail modification protection
- Verify permissions on Application.evtx
- other settings (3 specific items)*
10.7 Audit Trail Retention
- Application Log size: Greater than or Equal to 32 MB
- Security Event Log Size: Greater than or Equal to 80 MB
- other settings (5 specific items)*
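As an added example (not code from the original article), the following PowerShell covers the Requirement 10 items that can be read back from the host: the audit subcategories and Success/Failure settings from 10.2.0 through 10.2.7, the log sizes from 10.2.6 and 10.7, and the .evtx file permissions from 10.5.2. The list of identities expected on the .evtx ACL is an assumption based on the default Windows Server 2008 ACL; adjust it to the local baseline.

```powershell
# Added example, not part of the original article. Run elevated on the domain controller.

# 10.2.x: audit subcategories with the Success/Failure settings listed above.
$requiredAudit = @{
    'Logon'                        = 'Success and Failure'
    'Logoff'                       = 'Success'
    'Special Logon'                = 'Success'
    'Audit Policy Change'          = 'Success and Failure'
    'Authentication Policy Change' = 'Success'
    'Credential Validation'        = 'Success and Failure'
    'Directory Service Access'     = 'Success and Failure'
    'Directory Service Changes'    = 'Success and Failure'
}

function Test-PciAuditPolicy {
    # auditpol /r emits CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    foreach ($name in $requiredAudit.Keys) {
        $row    = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'NOT FOUND' }
        # 'Success and Failure' satisfies a 'Success' requirement, so test for token containment.
        $need    = $requiredAudit[$name] -split ' and '
        $have    = $actual -split ' and '
        $missing = @($need | Where-Object { $have -notcontains $_ })
        New-Object PSObject -Property @{
            Subcategory = $name; Required = $requiredAudit[$name]; Actual = $actual
            Status = $(if ($missing.Count -eq 0) { 'PASS' } else { 'FAIL' })
        }
    }
}

# 10.2.6 / 10.7: minimum log sizes from the list above. 10.5.2: who has an ACE on the .evtx files.
$minLogSizeMB    = @{ 'Application' = 32; 'Security' = 80 }
$expectedEvtxAcl = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\EventLog')  # assumed baseline

function Test-PciEventLogs {
    foreach ($name in $minLogSizeMB.Keys) {
        $log    = Get-WinEvent -ListLog $name
        $sizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        $path   = Join-Path $env:SystemRoot "System32\winevt\Logs\$name.evtx"
        $acl    = Get-Acl -Path $path
        $others = @($acl.Access | Where-Object { $expectedEvtxAcl -notcontains $_.IdentityReference.Value } |
                    ForEach-Object { "$($_.IdentityReference) ($($_.FileSystemRights))" })
        New-Object PSObject -Property @{
            Log        = $name
            SizeMB     = $sizeMB
            SizeStatus = $(if ($sizeMB -ge $minLogSizeMB[$name]) { 'PASS' } else { 'FAIL' })
            ExtraAces  = $(if ($others.Count -eq 0) { 'none' } else { $others -join '; ' })
        }
    }
}

Test-PciAuditPolicy | Sort-Object Status | Format-Table -Property Subcategory, Status, Required, Actual -AutoSize
Test-PciEventLogs   | Format-Table -Property Log, SizeStatus, SizeMB, ExtraAces -AutoSize
```

On Windows Server 2008 RTM, subcategory settings applied with auditpol are overwritten by the legacy category-level audit policy at the next Group Policy refresh unless "Audit: Force audit policy subcategory settings to override audit policy category settings" is enabled; Windows Server 2008 R2 adds Advanced Audit Policy Configuration to Group Policy, which avoids the problem.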
Requirement 12: Maintain a policy that addresses Information Security for all personnel.
12.3 Develop Technology usage policies
12.3.8 Automatic Session Disconnect
- Disconnect idle session (Microsoft network server: Amount of idle time required before suspending session) is less than or equal to 15 minutes
- Terminal Services – Set time limit for Disconnected sessions
- Terminal Services – Set time limit for Idle sessions
Here is a good reference for a PCI DSS recommended hardening guide:
*Halock Security Labs has experts on hand that can help your organization develop a strategy to deploy a 'Microsoft Windows Server 2008 Domain Controller' in a secure, compliant, and cost-effective manner. Please feel free to reach out to us today with any questions that you may have.
Oscar Bravo Jr.
CISSP, CISA, CCDP, CCNP, CCSE, CCSE, MCSE, MCITP, RSASE