A Guide to System Hardening:
This post covers suggested system settings for complying with PCI DSS v2.0 on a Microsoft Windows Server 2008 system that holds the Domain Controller role. Note that the following guideline is only a starting point for hardening the in-scope server: ultimately, every service, port, protocol, daemon, etc. that is not specifically required for the server to perform its function should be disabled.
The following PCI DSS requirements are mapped:
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
2.1 Change Vendor-supplied defaults.
2.1.0 Change non-wireless Vendor defaults
- Accounts: Guest account status: Disabled
- Built-in Guest account renamed
- Built-in Administrator account renamed
2.2 Develop configuration standards for all system components.
2.2.2 Disable unnecessary services and protocols
- Telnet service: Disabled
- FTP Publishing Service: Disabled
- other unnecessary services (8 specific items)*
2.2.3 System Security configuration
- Configure IPSec exemptions for various types of network traffic
- Digitally encrypt secure channel Data: Enabled
- Disable Remote Desktop sharing: Enabled
- Do Not Allow Clipboard redirection: Enabled
- other system security configuration (66 specific items)*
2.2.4 Remove all unnecessary functionality
- Allow Floppy copy and access to all drives and folders in the recovery console: Disabled
- Allow Auto Administrative Logon: Disabled
- Everyone permissions applied to anonymous users: Disabled
- Disable machine account password changes: Disabled
- other unnecessary functionality (88 specific items)*
2.3 Encrypt non-console administrative access.
- Digitally sign server communications (always): Enabled
- Microsoft network client: Digitally sign communications (always): Enabled
- Digitally sign secure channel data: Enabled
- Digitally encrypt or sign secure channel data (always)
Requirement 3: Protect Stored Cardholder Data
3.5 Protect encryption keys.
3.5.2 Storage
- Force strong key protection: User must enter a password each time they use a key.
Requirement 4: Encrypt transmission of Cardholder data across open, public networks.
4.1 Use strong cryptography and security protocols
4.1.0 Using strong cryptography and security protocols over non-wireless
- LAN manager authentication level: NTLMv2, refuse LM and NTLM
- LDAP signing requirements (Domain Controller)
- LDAP client signing: Negotiate Signing
- other settings (8 specific items)*
Requirement 6: Develop and maintain secure systems and applications.
6.1 Up-to-date security patches
- Configure Automatic Updates: Enabled: 3 – Auto Download and Notify for install
- Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box: Disabled
- Reschedule Automatic updates scheduled installations: Enabled
- Service Pack for Windows Server 2008 is greater than or equal to 2 (RTM/R2 with latest security patches)
Requirement 7: Restrict access to Cardholder data by business need-to-know.
7.1 Access restrictions
7.1.1 Enforce Least Privilege
- Allow Anonymous SID/Name Translation: Disabled
- Verify that all partitions use NTFS
- Do not allow anonymous enumeration of SAM accounts: Enabled
- other settings (33 specific items)*
7.1.2 Role-based privilege Assignment
- Allowed to Format and eject removable media: Administrators
- Deny access to this computer from the Network: Guests
- Deny Log on Locally: Guests
- Allow log on locally: Administrators
- other settings (34 specific items)*
7.2 Access Control System
7.2.3 Default ‘deny-all’ setting
- Act as Part of the Operating System: No One
- Log on as a Batch Job: No One
- Debug Programs: No One
- other settings (10 specific items)*
Requirement 8: Assign a Unique ID to each person with computer access.
8.2 Authentication Method
- Always Use classic Logon: Enabled
- CAC Logon required
- Do not require CTRL+ALT+DEL: Disabled
- other settings (7 specific items)*
8.4 Passwords rendered Unreadable for Transmission and Storage
- Do not store credentials or .NET Passports for network authentication: Enabled
- Do not store LAN Manager hash value on next password change: Enabled
- Store passwords using reversible encryption: Disabled
- Send unencrypted password to third-party SMB servers: Disabled
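Most of the settings listed under Requirements 2, 3.5, 4.1, 6.1, 7.1.1, 8.2 and 8.4 are backed by well-known registry values, so they can be verified without changing anything. The PowerShell script below is an added example, not code from the original post or from HALOCK: it reads the backing value for a selection of those lines, checks the two named services through WMI, and reports deviations. The registry paths and value names are the standard locations Windows uses for these policies; the pairing of each guide line with a location, the expected data, and the service display names (the FTP one varies by IIS version) are this example's own assumptions. Run it in an elevated PowerShell session on the server under review.

```powershell
# Added example (not HALOCK's or Microsoft's code): read-only audit of a subset of the
# registry-backed settings in the guide. Run elevated on the server under review.
# The mapping of guide lines to registry locations is this example's own reading of the guide.

$Lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$NL   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$Ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Ldap = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$Pol  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$AU   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$RC   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'
$Cry  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'

# One row per guide line: requirement, setting as worded in the guide, key, value name, expected data.
$RegistryChecks = @(
    @{ Req='2.2.4'; Name='Recovery console: allow floppy copy and access to all drives'; Path=$RC;   Value='SetCommand';                Expect=0 },
    @{ Req='2.2.4'; Name='Recovery console: allow automatic administrative logon';     Path=$RC;   Value='SecurityLevel';             Expect=0 },
    @{ Req='2.2.4'; Name='Everyone permissions apply to anonymous users';              Path=$Lsa;  Value='EveryoneIncludesAnonymous'; Expect=0 },
    @{ Req='2.2.4'; Name='Disable machine account password changes';                   Path=$NL;   Value='DisablePasswordChange';     Expect=0 },
    @{ Req='2.3';   Name='Server: digitally sign communications (always)';             Path=$Srv;  Value='RequireSecuritySignature';  Expect=1 },
    @{ Req='2.3';   Name='Client: digitally sign communications (always)';             Path=$Wks;  Value='RequireSecuritySignature';  Expect=1 },
    @{ Req='2.3';   Name='Digitally sign secure channel data (when possible)';         Path=$NL;   Value='SignSecureChannel';         Expect=1 },
    @{ Req='2.3';   Name='Digitally encrypt secure channel data (when possible)';      Path=$NL;   Value='SealSecureChannel';         Expect=1 },
    @{ Req='2.3';   Name='Digitally encrypt or sign secure channel data (always)';     Path=$NL;   Value='RequireSignOrSeal';         Expect=1 },
    @{ Req='3.5.2'; Name='Force strong key protection: password on every use';         Path=$Cry;  Value='ForceKeyProtection';        Expect=2 },
    @{ Req='4.1';   Name='LAN Manager authentication level: NTLMv2 only, refuse LM/NTLM'; Path=$Lsa; Value='LmCompatibilityLevel';   Expect=5 },
    @{ Req='4.1';   Name='Domain controller: LDAP server signing: require signing';    Path=$Ntds; Value='LDAPServerIntegrity';       Expect=2 },
    @{ Req='4.1';   Name='LDAP client signing: negotiate signing';                     Path=$Ldap; Value='LDAPClientIntegrity';       Expect=1 },
    @{ Req='6.1';   Name='Configure Automatic Updates: 3 (download, notify to install)'; Path=$AU; Value='AUOptions';                 Expect=3 },
    @{ Req='6.1';   Name='Hide Install Updates and Shut Down option: disabled';        Path=$AU;   Value='NoAUShutdownOption';        Expect=0 },
    @{ Req='6.1';   Name='Reschedule Automatic Updates scheduled installations';       Path=$AU;   Value='RescheduleWaitTimeEnabled'; Expect=1 },
    @{ Req='7.1.1'; Name='Do not allow anonymous enumeration of SAM accounts';         Path=$Lsa;  Value='RestrictAnonymousSAM';      Expect=1 },
    @{ Req='8.2';   Name='Do not require CTRL+ALT+DEL: disabled';                      Path=$Pol;  Value='DisableCAD';                Expect=0 },
    @{ Req='8.4';   Name='Do not store credentials or .NET Passports';                 Path=$Lsa;  Value='DisableDomainCreds';        Expect=1 },
    @{ Req='8.4';   Name='Do not store LAN Manager hash';                              Path=$Lsa;  Value='NoLMHash';                  Expect=1 },
    @{ Req='8.4';   Name='Send unencrypted password to third-party SMB servers';       Path=$Wks;  Value='EnablePlainTextPassword';   Expect=0 }
)

function Get-RegistryData {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is not explicitly configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-RegistryChecks {
    param([array]$Checks)
    foreach ($c in $Checks) {
        $actual = Get-RegistryData -Path $c.Path -Name $c.Value
        # An absent value means the OS default applies; it is flagged so a reviewer confirms it by hand.
        $shown = '(not set: OS default applies, review manually)'
        $pass  = $false
        if ($actual -ne $null) { $shown = $actual; $pass = ([int]$actual -eq $c.Expect) }
        New-Object PSObject -Property @{ Req=$c.Req; Setting=$c.Name; Expected=$c.Expect; Actual=$shown; Pass=$pass }
    }
}

function Test-ServicesDisabled {
    param([string[]]$DisplayNames)
    # Requirement 2.2.2: a service counts as disabled only if its start mode is Disabled and it is stopped.
    foreach ($dn in $DisplayNames) {
        $svc = Get-WmiObject -Class Win32_Service -Filter ("DisplayName='{0}'" -f $dn)
        if ($svc -eq $null) { $shown = 'not installed'; $pass = $true }
        else {
            $shown = '{0}/{1}' -f $svc.StartMode, $svc.State
            $pass  = ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped')
        }
        New-Object PSObject -Property @{ Req='2.2.2'; Setting="Service '$dn' disabled"; Expected='Disabled/Stopped'; Actual=$shown; Pass=$pass }
    }
}

# Display names are assumed; the FTP service appears as 'Microsoft FTP Service' on newer IIS FTP installs.
$results = @(Test-ServicesDisabled @('Telnet', 'FTP Publishing Service', 'Microsoft FTP Service')) +
           @(Test-RegistryChecks $RegistryChecks)
$results | Select-Object Req, Setting, Expected, Actual, Pass | Format-Table -AutoSize -Wrap
$failed = @($results | Where-Object { -not $_.Pass })
Write-Host ("{0} of {1} checks deviate from the guide" -f $failed.Count, $results.Count)
```

The script deliberately does not remediate: on a domain controller these values should be set through Group Policy so that they survive the next policy refresh, and a raw registry write would be overwritten or, worse, mask a GPO that is silently not applying. Treat a "(not set)" result as a prompt to look at the effective policy with `gpresult` rather than as a pass.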
8.5 Credential Management
8.5.9 Password Aging
- Maximum password age is greater than 0 and less than or equal to 90 days
8.5.10 Password Length
- Minimum password length is greater than or equal to 7
8.5.11 Password Complexity
- Password complexity: Enabled
8.5.12 Password History
- Password History memory is greater than or equal to 4
8.5.13 Account Lockout threshold
- Account Lockout Threshold is less than or equal to 6
8.5.14 Account Lockout duration
- Account lockout duration is greater than or equal to 30 minutes, or 0 (locked until an administrator unlocks the account)
8.5.15 Idle Session Timeout threshold
- Idle session disconnect is less than or equal to 15 minutes
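The 8.5.9 to 8.5.15 thresholds are all numeric, so they lend themselves to an automated check against the security template that `secedit /export` writes. The script below is an added example, not part of the original post: it parses the `[System Access]` and `[Registry Values]` sections of such a template and evaluates each threshold. The value names are the ones secedit itself uses; the sample template embedded in the script is constructed for illustration, and the treatment of a lockout threshold of 0 as a failure (no lockout ever occurs) and of a lockout duration of -1 as "until an administrator unlocks" is this example's interpretation of the requirement.

```powershell
# Added example (not part of the original post): evaluate the Requirement 8.5 account-policy
# thresholds against a security template in the format written by 'secedit /export'.
# The [System Access] value names are the ones secedit uses; the sample template is constructed.

function Get-IniSection {
    param([string[]]$Lines, [string]$Section)
    # Return one section of an INI-style template as a hashtable of name -> raw value.
    $values = @{}
    $inside = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inside = ($matches[1] -eq $Section); continue }
        if ($inside -and $t -match '^([^=]+?)\s*=\s*(.*)$') { $values[$matches[1]] = $matches[2] }
    }
    return $values
}

function Get-PolicyInt {
    param([hashtable]$Section, [string]$Name)
    if ($Section.ContainsKey($Name)) { return [int]$Section[$Name] }
    return $null
}

function Test-AccountPolicy {
    param([string[]]$TemplateLines)
    $sa  = Get-IniSection $TemplateLines 'System Access'
    $reg = Get-IniSection $TemplateLines 'Registry Values'

    $maxAge   = Get-PolicyInt $sa 'MaximumPasswordAge'     # -1 means passwords never expire
    $minLen   = Get-PolicyInt $sa 'MinimumPasswordLength'
    $complex  = Get-PolicyInt $sa 'PasswordComplexity'
    $history  = Get-PolicyInt $sa 'PasswordHistorySize'
    $lockout  = Get-PolicyInt $sa 'LockoutBadCount'        # 0 means accounts never lock out
    $duration = Get-PolicyInt $sa 'LockoutDuration'        # -1 means locked until an administrator unlocks (the GUI shows 0)

    # The idle SMB session timeout lives under [Registry Values] as 'MACHINE\...\AutoDisconnect=4,15',
    # where 4 is the REG_DWORD type and 15 the number of minutes.
    $idle = $null
    $key  = 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect'
    if ($reg.ContainsKey($key) -and $reg[$key] -match '^4,(\d+)$') { $idle = [int]$matches[1] }

    $checks = @(
        @{ Req='8.5.9';  Name='Maximum password age 1..90 days';                   Actual=$maxAge;   Pass=($maxAge -ne $null -and $maxAge -ge 1 -and $maxAge -le 90) },
        @{ Req='8.5.10'; Name='Minimum password length >= 7';                      Actual=$minLen;   Pass=($minLen -ne $null -and $minLen -ge 7) },
        @{ Req='8.5.11'; Name='Password complexity enabled';                       Actual=$complex;  Pass=($complex -eq 1) },
        @{ Req='8.5.12'; Name='Password history >= 4';                             Actual=$history;  Pass=($history -ne $null -and $history -ge 4) },
        @{ Req='8.5.13'; Name='Lockout threshold 1..6 (0 would never lock out)';   Actual=$lockout;  Pass=($lockout -ne $null -and $lockout -ge 1 -and $lockout -le 6) },
        @{ Req='8.5.14'; Name='Lockout duration >= 30 min or until admin unlocks'; Actual=$duration; Pass=($duration -eq -1 -or ($duration -ne $null -and $duration -ge 30)) },
        @{ Req='8.5.15'; Name='Idle session disconnect <= 15 min';                 Actual=$idle;     Pass=($idle -ne $null -and $idle -le 15) }
    )
    foreach ($c in $checks) {
        $shown = $c.Actual
        if ($shown -eq $null) { $shown = '(not set)' }
        New-Object PSObject -Property @{ Req=$c.Req; Check=$c.Name; Actual=$shown; Pass=$c.Pass }
    }
}

# Constructed sample in the format secedit writes; values chosen to satisfy the guide.
$SampleTemplate = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 4
LockoutBadCount = 6
ResetLockoutCount = 30
LockoutDuration = 30
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Test-AccountPolicy $SampleTemplate | Select-Object Req, Check, Actual, Pass | Format-Table -AutoSize

# Live use on the server under review (elevated): export the effective local security policy.
function Get-LocalSecurityTemplate {
    $tmp = Join-Path $env:TEMP 'pci-secpol.inf'
    secedit /export /cfg $tmp /quiet | Out-Null
    $lines = Get-Content $tmp
    Remove-Item $tmp
    return $lines
}
# Test-AccountPolicy (Get-LocalSecurityTemplate) | Select-Object Req, Check, Actual, Pass | Format-Table -AutoSize
```

Because this is a domain controller, the password and lockout policy that actually governs domain accounts comes from the Default Domain Policy GPO; cross-check the exported values with `net accounts` on the DC, which reports the domain-effective settings.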
Requirement 10: Track and monitor all access to network resources and Cardholder data.
10.2 Automated audit trails
10.2.0 Enable Audit
- Logoff: Success
- Logon: Success and Failure
- other settings (4 specific items)*
10.2.1 Individual Access
- Logoff: Success
- Logon: Success and Failure
- Special Logon: Success
10.2.2 Privileged User Action
- Audit policy change: Success and Failure
- Authentication policy change: Success
- other settings (12 specific items)*
10.2.4 Invalid Access Attempts
- Logon: Success and Failure
10.2.5 Identification and Authentication Mechanisms
- Credential validation: Success and Failure
- Authentication policy change: Success
10.2.6 Audit Log Initialization
- Application Log Size: Greater than or Equal to 32 MB
- Security Event Log Size: Greater than or Equal to 80 MB
- other settings (5 specific items)*
10.2.7 Object Creation and Deletion
- Directory Service Access: Success and Failure
- Directory Service Changes: Success and Failure
- other settings (9 specific items)*
10.4 Time Synchronization
10.4.1 Correct System Time
- Configure Windows NTP client
10.4.2 Protection of Time Data
- Change the Time Zone
- Change the System Time (Domain Controllers): Administrators, LOCAL SERVICE (Server Operators: Optional)
10.5 Secure Audit Trails
10.5.2 Audit Trail modification protection
- Verify permissions on Application.evtx
- other settings (3 specific items)*
10.7 Audit Trail Retention
- Application Log size: Greater than or Equal to 32 MB
- Security Event Log Size: Greater than or Equal to 80 MB
- other settings (5 specific items)*
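The audit subcategories, log sizes and time source called out under Requirement 10 (10.2, 10.4.1, 10.5.2 and 10.7) can be checked from the tools Windows already ships: `auditpol` writes CSV with `/r`, `Get-WinEvent -ListLog` exposes the configured maximum log size, and `w32tm /query /source` names the clock the server follows. The PowerShell script below is an added example, not code from the original post: it evaluates the eight subcategories listed above against their minimum setting, the two log sizes against their minimums, the time source, and the writers on the Application.evtx file. The constructed CSV rows let the audit-policy part run offline; the column names are those auditpol produces, and the "(placeholder-guid)" values stand in for the real subcategory GUIDs.

```powershell
# Added example (not part of the original post): check the Requirement 10 audit subcategories,
# event log sizes, time source and log-file ACL named in the guide. Run elevated on the DC.
# The sample CSV rows below are constructed; the auditpol/Get-WinEvent/w32tm usage is standard.

# Subcategory -> minimum setting required by the guide.
$RequiredAudit = @{
    'Logoff'                       = 'Success'
    'Logon'                        = 'Success and Failure'
    'Special Logon'                = 'Success'
    'Audit Policy Change'          = 'Success and Failure'
    'Authentication Policy Change' = 'Success'
    'Credential Validation'        = 'Success and Failure'
    'Directory Service Access'     = 'Success and Failure'
    'Directory Service Changes'    = 'Success and Failure'
}

function ConvertTo-AuditSet {
    param([string]$Setting)
    # 'Success and Failure' -> @('Success','Failure'); 'No Auditing' -> @()
    $set = @()
    if ($Setting -match 'Success') { $set += 'Success' }
    if ($Setting -match 'Failure') { $set += 'Failure' }
    return $set
}

function Test-AuditPolicy {
    param($AuditRows)   # objects with 'Subcategory' and 'Inclusion Setting' columns, as from auditpol /r
    foreach ($sub in $RequiredAudit.Keys) {
        $row = $AuditRows | Where-Object { $_.Subcategory -eq $sub } | Select-Object -First 1
        $actual = 'No Auditing'
        if ($row -ne $null) { $actual = $row.'Inclusion Setting' }
        # Pass when everything the guide requires is present; auditing more than required is fine.
        $have = ConvertTo-AuditSet $actual
        $need = ConvertTo-AuditSet $RequiredAudit[$sub]
        $pass = $true
        foreach ($n in $need) { if ($have -notcontains $n) { $pass = $false } }
        New-Object PSObject -Property @{ Req='10.2'; Check="Audit '$sub'"; Expected=$RequiredAudit[$sub]; Actual=$actual; Pass=$pass }
    }
}

function Get-LiveAuditRows {
    # auditpol emits a blank line before the CSV header; drop it before parsing.
    auditpol /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
}

function Test-EventLogSizes {
    # 10.2.6 / 10.7: Application >= 32 MB, Security >= 80 MB.
    $minimums = @{ 'Application' = 32MB; 'Security' = 80MB }
    foreach ($log in $minimums.Keys) {
        $cfg = Get-WinEvent -ListLog $log
        New-Object PSObject -Property @{ Req='10.2.6'; Check="$log log size"; Expected="$($minimums[$log] / 1MB) MB";
                                         Actual="$($cfg.MaximumSizeInBytes / 1MB) MB"; Pass=($cfg.MaximumSizeInBytes -ge $minimums[$log]) }
    }
}

function Test-TimeSource {
    # 10.4.1: a DC that follows its own hardware clock has no working NTP client configuration.
    $src  = (w32tm /query /source) -join ''
    $pass = ($src -notmatch 'Local CMOS Clock|Free-running')
    New-Object PSObject -Property @{ Req='10.4.1'; Check='Time source'; Expected='NTP peer or domain hierarchy'; Actual=$src; Pass=$pass }
}

function Get-EventLogFileWriters {
    # 10.5.2: list who can modify the log file on disk; normally only SYSTEM, Administrators and the Event Log service.
    $file = Join-Path $env:SystemRoot 'System32\winevt\Logs\Application.evtx'
    (Get-Acl $file).Access | Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        Select-Object IdentityReference, FileSystemRights
}

# Constructed sample rows in auditpol's CSV layout: Logon and Logoff meet the guide, Special Logon does not,
# and the five subcategories with no row at all are reported as 'No Auditing'.
$SampleAuditCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Logon,(placeholder-guid),Success and Failure,
DC01,System,Logoff,(placeholder-guid),Success,
DC01,System,Special Logon,(placeholder-guid),No Auditing,
'@ | ConvertFrom-Csv

Test-AuditPolicy $SampleAuditCsv | Select-Object Req, Check, Expected, Actual, Pass | Format-Table -AutoSize

# Live run on the DC:
# $all = @(Test-AuditPolicy (Get-LiveAuditRows)) + @(Test-EventLogSizes) + @(Test-TimeSource)
# $all | Select-Object Req, Check, Expected, Actual, Pass | Format-Table -AutoSize
# Get-EventLogFileWriters
```

Two points worth keeping in mind when reading the output. First, the comparison is "at least": a subcategory set to Success and Failure where the guide asks for Success passes, because auditing more does not weaken the trail. Second, a log size that meets the minimum says nothing about retention on its own; with the default overwrite-as-needed policy the Security log on a busy DC can still wrap in hours, so the size check belongs next to the forwarding or archiving arrangement that 10.7 relies on.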
Requirement 12: Maintain a policy that addresses Information Security for all personnel.
12.3 Develop Technology usage policies
12.3.8 Automatic Session Disconnect
- Disconnect Idle Session is less than or equal to 15 minutes
- Terminal Services – Set time limit for Disconnected sessions
- Terminal Services – Set time limit for Idle sessions
Here is a good reference for a PCI DSS recommended hardening guide:
*Halock Security Labs has experts on hand that can help your organization develop a strategy to deploy a ‘Microsoft Windows Server 2008 Domain Controller’ in a secure, compliant, and cost-effective manner. Please feel free to reach out to us today with any questions that you may have.
Oscar Bravo Jr.
CISSP, CISA, CCDP, CCNP, CCSE, CCSE, MCSE, MCITP, RSASE