NNT PCI DSS Microsoft Windows Server 2012 R2 Benchmark 12/17/ :37

Transcription

1 NNT PCI DSS Microsoft Windows Server 2012 R2 Benchmark 12/17/ :37 Compliance Score : 89.81% 370 of 412 rules passed 0 of 412 rules partially passed 42 of 412 rules failed Detailed PCI DSS v3.1 Requirements and Security Assessment Procedures: NNT PCI DSS Microsoft Windows Server 2012 R2. To obtain the latest version of this guide, please visit If you have questions, comments, or have identified ways to improve this guide, please write us at support@nntws.com 1 Build and Maintain a Secure Network and Systems: Requirement 1: Install and maintain a firewall 1.1 Requirement 1: Install and maintain a firewall configuration to protect cardholder data: Corporate Firewall and In-Scope Devices Internal Firewall Requirement 1: Firewall configuration standards: Track and Approve Config Changes A formal process for approving and testing all network connections and changes to the firewall and router configurations 1.2 Requirement 1: Install and maintain a firewall configuration to protect cardholder data: Windows Server Firewall Requirement 1: Firewall configuration standards: Windows Firewall With Advanced Security - Domain Set 'Windows Firewall: Domain: Firewall state' to 'On (recommended)' Set 'Windows Firewall: Domain: Inbound connections' to 'Block (default)' Set 'Windows Firewall: Domain: Outbound connections' to 'Allow (default)' Set 'Windows Firewall: Domain: Display a notification' to 'Yes (default)' Set 'Windows Firewall: Domain: Allow unicast response' to 'No' Set 'Windows Firewall: Domain: Apply local firewall rules' to 'Yes (default)' Set 'Windows Firewall: Domain: Apply local connection security rules' to 'Yes (default)' Set 'Windows Firewall: Domain: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' Set 'Windows Firewall: Domain: Logging: Size limit (KB)' to '16,384 KB or greater ' Set 'Windows Firewall: Domain: Logging: Log dropped packets' to 'Yes' Set 'Windows Firewall: Domain: Logging: Log successful connections' to 'Yes' Requirement 1: Firewall configuration standards: Windows Firewall With Advanced Security - Private Profile Set 'Windows Firewall: Private: Firewall state' to 'On (recommended)' Set 'Windows Firewall: Private: Inbound connections' to 'Block (default)' Set 'Windows Firewall: Private: Outbound connections' to 'Allow (default)' Set 'Windows Firewall: Private: Display a notification' to 'Yes (default)' Set 'Windows Firewall: Private: Allow unicast response' to 'No' Set 'Windows Firewall: Private: Apply local firewall rules' to 'Yes (default)' Set 'Windows Firewall: Private: Apply local connection security rules' to 'Yes (default)' Set 'Windows Firewall: Private: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log' Page 1

2 Set 'Windows Firewall: Private: Logging: Size limit (KB)' to '16,384 KB or greater' Set 'Windows Firewall: Private: Logging: Log dropped packets' to 'Yes' Set 'Windows Firewall: Private: Logging: Log successful connections' to 'Yes' Requirement 1: Firewall configuration standards: Windows Firewall With Advanced Security - Public Profile Set 'Windows Firewall: Public: Firewall state' to 'On (recommended)' Set 'Windows Firewall: Public: Inbound connections' to 'Block (default)' Set 'Windows Firewall: Public: Outbound connections' to 'Allow (default)' Set 'Windows Firewall: Public: Display a notification' to 'Yes' Set 'Windows Firewall: Public: Allow unicast response' to 'No' Set 'Windows Firewall: Public: Apply local firewall rules' to 'Yes (default)' Set 'Windows Firewall: Public: Apply local connection security rules' to 'No' Set 'Windows Firewall: Public: Logging: Name' to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log' Set 'Windows Firewall: Public: Logging: Size limit (KB)' to '16,384 KB or greater' Set 'Windows Firewall: Public: Logging: Log dropped packets' to 'Yes' Set 'Windows Firewall: Public: Logging: Log successful connections' to 'Yes' 2 Build and Maintain a Secure Network and Systems: Requirement 2: Do not use vendor-supplied defaults 2.1 Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters: Develop configuration standards for all system components Requirement 2: System Hardening - Default User Accounts Set 'Accounts: Guest account status' to 'Disabled' Configure 'Accounts: Rename administrator account' Configure 'Accounts: Rename guest account' Requirement 2: System Hardening - Personalization Rules Set 'Enable screen saver' to 'Enabled' Set 'Force specific screen saver: Screen saver executable name' to 'Enabled:scrnsave.scr' Set 'Password protect the screen saver' to 'Enabled' Requirement 2: System Hardening - Attachment Manager Rules Set 'Do not preserve zone information in file attachments' to 'Disabled' 2.2 Requirement 2: System Hardening: Non-Default Services List - Verify that system configuration standards include the following procedures for all types of system components: - Changi Requirement 2: System Hardening: Check for any Non-Default Services Check for any Non-Default Services 2.3 Requirement 2: System Hardening: Mandatory Services List - Verify that system configuration standards include the following procedures for all types of system components: - Changin Page 2

3 2.3.1 Requirement 2: System Hardening: Mandatory Services List App Readiness Service Application Experience Service Application Host Helper Service Application Identity Service Application Information Service Application Layer Gateway Service Application Management Service AppX Deployment Service (AppXSVC) Service ASP.NET State Service (aspnet_state) Service Background Intelligent Transfer Service Background Tasks Infrastructure (BrokerInfrastructure) Service Base Filtering Engine Service Certificate Propagation Service CNG Key Isolation Service COM+ Event System Service COM+ System Application Service Computer Browser Service Credential Manager Service Cryptographic Services Service DCOM Server Process Launcher Service Device Association (deviceassociationservice) Service Device Install (deviceinstall) Service Device Setup (dsmsvc) Service DHCP Client Service Diagnostic Policy Service Diagnostic Service Host Service Diagnostic System Host Service Distributed Link Tracking Client Service Distributed Transaction Coordinator Service DNS Client Service The Enhanced Mitigation Experience Toolkit (EMET) Service Encrypting File System (EFS) Service Extensible Authentication Protocol Service Function Discovery Provider Host Service Function Discovery Resource Publication Service Group Policy Client Service Health Key and Certificate Management Service Human Interface Device Access Service Hyper-V Data Exchange Service (vmickvpexchange) Service Hyper-V Guest Service Interface (vmicguestinterface) Service Page 3

4 Hyper-V Guest Shutdown Service (vmicshutdown) Service Hyper-V Heartbeat Service (vmicheartbeat) Service Hyper-V Remote Desktop Virtualization Service (vmicrdv) Service Hyper-V Time Synchronization Service (vmictimesync) Service Hyper-V Volume Shadow Copy Requestor (vmicvss) Service IKE and AuthIP IPsec Keying Modules Service Interactive Services Detection Service Internet Connection Sharing (ICS) Service Internet Explorer ETW Collector Service IP Helper Service IPsec Policy Agent Service KDC Proxy Server service (kpssvc) Service KtmRm for Distributed Transaction Coordinator Service Link-Layer Topology Discovery Mapper Service Microsoft iscsi Initiator Service Microsoft Software Shadow Copy Provider Service Microsoft Storage Spaces SMP (smphost) Service Multimedia Class Scheduler Service Net.Tcp Port Sharing Service Netlogon Service Network Access Protection Agent Service Network Connections Service Network Connectivity Assistant (ncasvc) Service Network List Service Network Location Awareness Service Network Store Interface Service Optimize Drives (defragsvc) Service Performance Counter DLL Host (perfhost) Service Performance Logs and Alerts Service Plug and Play Service Portable Device Enumerator Service Power Service Print Spooler Service Printer Extensions and Notifications Service Problem Reports and Solutions Control Panel Support Service Remote Access Auto Connection Manager Service Remote Access Connection Manager Service Remote Desktop Configuration Service Remote Desktop Services Service Remote Desktop Services UserMode Port Redirector Remote Procedure Call (RPC) Service Remote Procedure Call (RPC) Locator Service Page 4

5 Remote Registry Service Resultant Set of Policy Provider Service Routing and Remote Access Service RPC Endpoint Mapper Service Secondary Logon Service Secure Socket Tunneling Protocol Service Security Accounts Manager Service Server Service Shell Hardware Detection Service Smart Card Service Smart Card Device Enumeration Service Smart Card Removal Policy Service SNMP Trap Service Software Protection Service Special Administration Console Helper Service Spot Verifier Service SSDP Discovery Service Storage Tiers Management Service Superfetch Service System Event Notification Service System Events Broker Service Task Scheduler Service TCP/IP NetBIOS Helper Service Telephony Service Themes Service Thread Ordering Server Service UPnP Device Host Service User Access Logging Service User Profile Service Virtual Disk Service Volume Shadow Copy Service Windows Audio Service Windows Audio Endpoint Builder Service Windows Color System Service Windows Connection Manager (wcmsvc) Service Windows Driver Foundation - User-mode Driver Framework Service Windows Encryption Provider Host Service Windows Error Reporting Service Windows Event Collector Service Windows Event Log Service Windows Firewall Service Windows Font Cache (fontcache) Service Page 5

6 Windows Installer Service Windows Management Instrumentation Service Windows Modules Installer Service Windows Presentation Foundation Font Cache (fontcache ) Service Windows Process Activation Service Service Windows Remote Management (WS-Management) Service Windows Store Service (WSService) Windows Time Service Windows Update Service WinHTTP Web Proxy Auto-Discovery Service Wired AutoConfig Service WMI Performance Adapter Service Workstation Service 2.4 Requirement 2: System Hardening: Optional Services List - - Verify that system configuration standards include the following procedures for all types of system components: - Changing Requirement 2: System Hardening: Optional Services List Optional Services List: NNT Agent Service (NNTAgentService) Optional Services List: NNT Proxy Agent Service (NNTAgentProxyService) Optional Services List: NNT Change Tracker Gen 7 MongoDB Service Optional Services List: NNT Change Tracker Gen 7 Redis Service Optional Services List: ASP.NET State Service (aspnet_state) Service Optional Services List: World Wide Web Publishing Service Optional Services List: W3C Logging Service 2.5 Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters: Develop configuration standards for all system components Requirement 2: System Hardening: Group Policy Rules Set 'Configure registry policy processing: Do not apply during periodic background processing' to 'False' Set 'Configure registry policy processing: Process even if the Group Policy objects have not changed' to 'True' Requirement 2: System Hardening: Internet Communication settings Rules Set 'Turn off downloading of print drivers over HTTP' to 'Enabled' Set 'Turn off Internet download for Web publishing and online ordering wizards' to 'Enabled' Set 'Turn off printing over HTTP' to 'Enabled' Set 'Turn off Search Companion content file updates' to 'Enabled' Set 'Turn off the "Publish to Web" task for files and folders' to 'Enabled' Set 'Turn off the Windows Messenger Customer Experience Improvement Program' to 'Enabled' Requirement 2: System Hardening: Personalization Rules Set 'Prevent enabling lock screen camera' to 'Enabled' Page 6

7 Set 'Prevent enabling lock screen slide show' to 'Enabled' Requirement 2: System Hardening: Search Rules Set 'Allow indexing of encrypted files' to 'Disabled' Requirement 2: System Hardening: Windows Installer Rules Set 'Always install with elevated privileges' to 'Disabled' Requirement 2: System Hardening - Additonal Measues: Administrative Templates (Computer) Rules Set 'Apply UAC restrictions to local accounts on network logons' to 'Enabled' Set 'WDigest Authentication' to 'Disabled' Requirement 2: System Hardening - Additonal Measues: App runtime Rules Set 'Allow Microsoft accounts to be optional' to 'Enabled' Requirement 2: System Hardening - Additonal Measues: User Account Control Rules Set 'User Account Control: Admin Approval Mode for the Built-in Administrator account' to 'Enabled' Set 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' to 'Disabled' Set 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' to 'Prompt for consent on the secure desktop' Set 'User Account Control: Behavior of the elevation prompt for standard users' to 'Automatically deny elevation requests' Set 'User Account Control: Detect application installations and prompt for elevation' to 'Enabled' Set 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' to 'Enabled' Set 'User Account Control: Run all administrators in Admin Approval Mode' to 'Enabled' Set 'User Account Control: Switch to the secure desktop when prompting for elevation' to 'Enabled' Set 'User Account Control: Virtualize file and registry write failures to per-user locations' to 'Enabled' Requirement 2: System Hardening - Additonal Measues: AutoPlay Policies Rules Set 'Turn off Autoplay' to 'Enabled:All drives' Requirement 2: System Hardening - Additonal Measues: EMET Rules Ensure EMET is installed Set 'Default Protections for Internet Explorer' to 'Enabled' Set 'Default Protections for Popular Software' to 'Enabled' Set 'Default Protections for Recommended Software' to 'Enabled' Set 'System ASLR' to 'Enabled:Application Opt-In' Set 'System DEP' to 'Enabled:Application Opt-Out' Page 7

8 Set 'System SEHOP' to 'Enabled:Application Opt-Out' Requirement 2: System Hardening - Security parameters to prevent misuse: Account Policies - User Rights Assignment Set 'Access Credential Manager as a trusted caller' to 'No One' Set 'Access this computer from the network' Set 'Act as part of the operating system' to 'No One' Set 'Adjust memory quotas for a process' to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' Set 'Allow log on locally' to 'Administrators' Configure 'Allow log on through Remote Desktop Services' Set 'Back up files and directories' to 'Administrators' Set 'Change the system time' to 'Administrators, LOCAL SERVICE' Set 'Change the time zone' to 'Administrators, LOCAL SERVICE' Set 'Create a pagefile' to 'Administrators' Set 'Create a token object' to 'No One' Set 'Create global objects' to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' Set 'Create permanent shared objects' to 'No One' Set 'Create symbolic links' to 'Administrators' Set 'Debug programs' to 'Administrators' Set 'Enable computer and user accounts to be trusted for delegation' Set 'Force shutdown from a remote system' to 'Administrators' Set 'Impersonate a client after authentication' to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' Set 'Increase scheduling priority' to 'Administrators' Set 'Load and unload device drivers' to 'Administrators' Set 'Lock pages in memory' to 'No One' Set 'Modify an object label' to 'No One' Set 'Modify firmware environment values' to 'Administrators' Set 'Perform volume maintenance tasks' to 'Administrators' Set 'Profile single process' to 'Administrators' Set 'Profile system performance' to 'Administrators, NT SERVICE\WdiServiceHost' Set 'Replace a process level token' to 'LOCAL SERVICE, NETWORK SERVICE' Set 'Restore files and directories' to 'Administrators' Set 'Shut down the system' to 'Administrators' Set 'Take ownership of files or other objects' to 'Administrators' Requirement 2: System Hardening - Security parameters to prevent misuse: Account Policies - Security Options Set 'Accounts: Block Microsoft accounts' to 'Users can't add or log on with Microsoft accounts' Set 'Accounts: Guest account status' to 'Disabled' Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled' Configure 'Accounts: Rename administrator account' Configure 'Accounts: Rename guest account' Page 8

9 Requirement 2: System Hardening - Security parameters to prevent misuse: Account Policies - Devices Rules Set 'Devices: Allowed to format and eject removable media' to 'Administrators' Set 'Devices: Prevent users from installing printer drivers' to 'Enabled' Requirement 2: System Hardening - Security parameters to prevent misuse: Account Policies - Domain member Rules Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled' Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled' Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled' Set 'Domain member: Disable machine account password changes' to 'Disabled' Set 'Domain member: Maximum machine account password age' to 30 or fewer days, but not Set 'Domain member: Require strong (Windows 2000 or later) session key' to 'Enabled' Requirement 2: System Hardening - Security parameters to prevent misuse: Account Policies - Interactive logon Rules Set 'Interactive logon: Do not display last user name' to 'Enabled' Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled' Configure 'Interactive logon: Message text for users attempting to log on' Configure 'Interactive logon: Message title for users attempting to log on' Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '4 or fewer logon(s)' Set 'Interactive logon: Prompt user to change password before expiration' to 'between 5 and 14 days' Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation' Requirement 2: System Hardening - Security parameters to prevent misuse: Account Policies - Microsoft network client Rules Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled' Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled' Set 'Microsoft network client: Send unencrypted password to third-party SMB servers' to 'Disabled' Requirement 2: System Hardening - Security parameters to prevent misuse: Account Policies - Microsoft network server Rules Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled' Set 'Microsoft network server: Digitally sign communications (if client agrees)' to 'Enabled' Set 'Microsoft network server: Server SPN target name validation level' to 'Accept if provided by client' Requirement 2: System Hardening - Security parameters to prevent misuse: Account Policies - MSS Rules Set 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' to 'Disabled' Set 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' to 'Highest protection, source routing 1 is completely Pass disabled' Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Highest protection, source routing 1 is completely disabled' Pass Set 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' to 'Enabled' Page 9

10 Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' to '90% or less' Requirement 2: System Hardening - Security parameters to prevent misuse: Account Policies - Recovery console Rules Set 'Recovery console: Allow automatic administrative logon' to 'Disabled' Set 'Recovery console: Allow floppy copy and access to all drives and all folders' to 'Disabled' Requirement 2: System Hardening - Security parameters to prevent misuse: Account Policies - Shutdown Rules Set 'Shutdown: Allow system to be shut down without having to log on' to 'Disabled' Requirement 2: System Hardening - Security parameters to prevent misuse: Account Policies - System objects Rules Set 'System objects: Require case insensitivity for non-windows subsystems' to 'Enabled' Set 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' to 'Enabled' 3 Protect Cardholder Data: Requirement 3: Protect stored cardholder data 3.1 Requirement 3: Protect stored cardholder data: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) Requirement 3: Protect stored cardholder data: Render stored PANs unreadable Verify that Cardholder Data Encryption and Tokenization measures are in place (Rule not automatically assessed) 4.1 Requirement 4: Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public netw 4 Protect Cardholder Data: Requirement 4: Encrypt transmission of cardholder data across open networks Requirement 4: Encrypt transmission of cardholder data: Use strong cryptography and security protocols Configure 'System cryptography: Force strong key protection for user keys stored on the computer' Set 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' to 'Enabled' Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM' Set 'Network security: LDAP client signing requirements' to 'Negotiate signing' or higher Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require NTLMv2 session security,require bit encryption' Pass Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require NTLMv2 session security,require bit encryption' Pass Set 'Domain member: Require strong (Windows 2000 or later) session key' to 'Enabled' 5 Maintain a Vulnerability Management Program: Requirement 5: Protect all systems against malware 5.1 Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs Requirement 5: Anti-Virus Protection Check Verify Virus Protection is enabled and updated Requirement 5: Protect all systems against malware: Early Launch Antimalware Rules Set 'Boot-Start Driver Initialization Policy' to 'Enabled: Good, unknown and bad but critical' Page 10

11 5.1.3 Requirement 5: Protect all systems against malware: Attachment Rules Set 'Notify antivirus programs when opening attachments' to 'Enabled' 6 Maintain a Vulnerability Management Program: Requirement 6: Develop and maintain secure systems and applications 6.1 Requirement 6: Develop and maintain secure systems and applications Requirement 6: Develop and maintain secure systems and applications - Windows Update Rules Set 'Configure Automatic Updates' to 'Enabled' Set 'Configure Automatic Updates: Scheduled install day' to '0 - Every day' Set 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' to 'Disabled' Set 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' to 'Disabled' Set 'No auto-restart with logged on users for scheduled automatic updates installations' to 'Disabled' Set 'Reschedule Automatic Updates scheduled installations' to 'Enabled:1 minute' 7.1 Requirement 7: Requirement 7: Restrict access to cardholder data by business need to know: Restriction of access to privileged user IDs to least privileges necessary to perform job res 7 Implement Strong Access Control Measures: Requirement 7: Restrict access to cardholder data by business need to know Requirement 7: Restrict access to cardholder data by business need to know - Network Access Rules Set 'Network access: Allow anonymous SID/Name translation' to 'Disabled' Set 'Network access: Do not allow anonymous enumeration of SAM accounts' to 'Enabled' Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' to 'Enabled' Set 'Network access: Let Everyone permissions apply to anonymous users' to 'Disabled' Configure 'Network Access: Named Pipes that can be accessed anonymously' Set 'Network access: Remotely accessible registry paths' Set 'Network access: Remotely accessible registry paths and sub-paths' Set 'Network access: Restrict anonymous access to Named Pipes and Shares' to 'Enabled' Set 'Network access: Shares that can be accessed anonymously' to 'None' Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves' Requirement 7: Restrict access to cardholder data by business need to know - Network Security Rules Set 'Do not display network selection UI' to 'Enabled' Set 'Configure Offer Remote Assistance' to 'Disabled' Set 'Configure Solicited Remote Assistance' to 'Disabled' Set 'Network security: Allow Local System to use computer identity for NTLM' to 'Enabled' Set 'Network security: Allow LocalSystem NULL session fallback' to 'Disabled' Set 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' to 'Disabled' Set 'Network Security: Configure encryption types allowed for Kerberos' to 'RC4\AES128\AES256\Future types' Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled' Set 'Deny access to this computer from the network' Set 'Deny log on as a batch job' to include 'Guests' Set 'Deny log on as a service' to include 'Guests' Page 11

12 Set 'Deny log on locally' to include 'Guests' Set 'Deny log on through Remote Desktop Services' to include 'Guests, Local account' 8.1 Requirement 8: Identify and authenticate access to system components: Restrict access to cardholder data by business need to know: 8.1 Define and implement policies and procedure 8 Implement Strong Access Control Measures: Requirement 8: Identify and authenticate access to system components Requirement 8: Identify and authenticate access to system components - Account Lockout Rules Set 'Account lockout threshold' to 6 or fewer invalid logon attempt(s), but not Set 'Account lockout duration' to '30 or more minute(s)' Set 'Reset account lockout counter after' to '30 or more minute(s)' Set 'Network security: Force logoff when logon hours expire' to 'Enabled' Set 'Microsoft network server: Disconnect clients when logon hours expire' to 'Enabled' Set 'Interactive logon: Machine inactivity limit' to 15 minutes or fewer second(s), but not Set 'Microsoft network server: Amount of idle time required before suspending session' to '15 or fewer minute(s)' Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires must be set to zero seconds Requirement 8: Identify and authenticate access to system components - Password Policy Set 'Enforce password history' to '24 or more password(s)' Set 'Maximum password age' to 60 or fewer days, but not Set 'Minimum password age' to '1 or more day(s)' Set 'Minimum password length' to '14 or more character(s)' Set 'Password must meet complexity requirements' to 'Enabled' Set 'Store passwords using reversible encryption' to 'Disabled' Requirement 8: Identify and authenticate access to system components - Windows Logon Options Rules Set 'Sign-in last interactive user automatically after a system-initiated restart' to 'Disabled' Requirement 8: Identify and authenticate access to system components - Windows Remote Management (WinRM)-WinRM Client Rules Set 'Allow Basic authentication' to 'Disabled' Set 'Allow unencrypted traffic' to 'Disabled' Set 'Disallow Digest authentication' to 'Enabled' Requirement 8: Identify and authenticate access to system components - Remote Desktop Rules Set 'Do not allow passwords to be saved' to 'Enabled' Set 'Do not allow drive redirection' to 'Enabled' Set 'Always prompt for password upon connection' to 'Enabled' Set 'Set client connection encryption level: Encryption Level' to 'Enabled: High Level' 9 Maintain a Vulnerability Management Program: Requirement 9: Restrict physical access to cardholder data Page 12

13 9.1 Requirement 9: Restrict physical access to cardholder data: Physical Protection procedures and measures Requirement 9: Restrict physical access to cardholder data: Physical Protection procedures and measures Verify PCI DSS Requirement 9 requirements are being operated (Rule not automatically assessed) 10 Regularly Monitor and Test Networks: Requirement 10: Track and monitor all access to network resources and cardholder data 10.1 Requirement 10: Track access to network/cardholder data: Retain and Review System Audit Trails Requirement 10: Track access to network/cardholder data: Account Policies - Audit Rules Set 'Manage auditing and security log' to 'Administrators' Set 'Generate security audits' to 'LOCAL SERVICE, NETWORK SERVICE' Set 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' to 'Enabled' Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled' Requirement 10: Track access to network/cardholder data: Windows Components - Event Log Rules Set 'Maximum Log Size (KB)' to 'Enabled:32768' Set 'Retain old events' to 'Disabled' Set 'Retain old events' to 'Disabled' Set 'Maximum Log Size (KB)' to 'Enabled:81920' Set 'Maximum Log Size (KB)' to 'Enabled:32768' Set 'Retain old events' to 'Disabled' Requirement 10: Track access to network/cardholder data: Advanced Audit Policy Configuration - System Rules Set 'Audit Policy: System: System Integrity' to 'Success and Failure' Set 'Audit Policy: System: Security System Extension' to 'Success and Failure' Set 'Audit Policy: System: Security State Change' to 'Success and Failure' Set 'Audit Policy: System: IPsec Driver' to 'Success and Failure' Set 'Audit Policy: System: Other System Events' to 'No Auditing' Requirement 10: Track access to network/cardholder data: Advanced Audit Policy Configuration - Object Access Rules Set 'Audit Policy: Object Access: Handle Manipulation' to 'No Auditing' Set 'Audit Policy: Object Access: Other Object Access Events' to 'No Auditing' Set 'Audit Policy: Object Access: File Share' to 'No Auditing' Set 'Audit Policy: Object Access: File System' to 'No Auditing' Set 'Audit Policy: Object Access: SAM' to 'No Auditing' Set 'Audit Policy: Object Access: Kernel Object' to 'No Auditing' Set 'Audit Policy: Object Access: Filtering Platform Packet Drop' to 'No Auditing' Set 'Audit Policy: Object Access: Registry' to 'No Auditing' Set 'Audit Policy: Object Access: Certification Services' to 'No Auditing' Set 'Audit Policy: Object Access: Application Generated' to 'No Auditing' Page 13

14 Set 'Audit Policy: Object Access: Detailed File Share' to 'No Auditing' Set 'Audit Policy: Object Access: Filtering Platform Connection' to 'No Auditing' Requirement 10: Track access to network/cardholder data: Advanced Audit Policy Configuration - Logon-Logoff Rules Set 'Audit Policy: Logon-Logoff: Other Logon/Logoff Events' to 'No Auditing' Set 'Audit Policy: Logon-Logoff: Special Logon' to 'Success' Set 'Audit Policy: Logon-Logoff: IPsec Main Mode' to 'No Auditing' Set 'Audit Policy: Logon-Logoff: Account Lockout' to 'No Auditing' Set 'Audit Policy: Logon-Logoff: IPsec Extended Mode' to 'No Auditing' Set 'Audit Policy: Logon-Logoff: IPsec Quick Mode' to 'No Auditing' Set 'Audit Policy: Logon-Logoff: Logoff' to 'Success' Set 'Audit Policy: Logon-Logoff: Network Policy Server' to 'No Auditing' Set 'Audit Policy: Logon-Logoff: Logon' to 'Success and Failure' Requirement 10: Track access to network/cardholder data: Advanced Audit Policy Configuration - DS Access Rules Set 'Audit Policy: DS Access: Directory Service Replication' to 'No Auditing' Set 'Audit Policy: DS Access: Detailed Directory Service Replication' to 'No Auditing' Set 'Audit Policy: DS Access: Directory Service Changes' to 'No Auditing' Set 'Audit Policy: DS Access: Directory Service Access' to 'No Auditing' Requirement 10: Track access to network/cardholder data: Advanced Audit Policy Configuration - Detailed Tracking Rules Set 'Audit Policy: Detailed Tracking: DPAPI Activity' to 'No Auditing' Set 'Audit Policy: Detailed Tracking: Process Termination' to 'No Auditing' Set 'Audit Policy: Detailed Tracking: Process Creation' to 'Success' Set 'Audit Policy: Detailed Tracking: RPC Events' to 'No Auditing' Requirement 10: Track access to network/cardholder data: Advanced Audit Policy Configuration - Policy Change Rules Set 'Audit Policy: Policy Change: MPSSVC Rule-Level Policy Change' to 'No Auditing' Set 'Audit Policy: Policy Change: Filtering Platform Policy Change' to 'No Auditing' Set 'Audit Policy: Policy Change: Authorization Policy Change' to 'No Auditing' Set 'Audit Policy: Policy Change: Audit Policy Change' to 'Success and Failure' Set 'Audit Policy: Policy Change: Other Policy Change Events' to 'No Auditing' Set 'Audit Policy: Policy Change: Authentication Policy Change' to 'Success' Requirement 10: Track access to network/cardholder data: Advanced Audit Policy Configuration - Account Management Rules Set 'Audit Policy: Account Management: Distribution Group Management' to 'No Auditing' Set 'Audit Policy: Account Management: Computer Account Management' to 'Success' Set 'Audit Policy: Account Management: User Account Management' to 'Success and Failure' Page 14

15 Set 'Audit Policy: Account Management: Security Group Management' to 'Success and Failure' Set 'Audit Policy: Account Management: Other Account Management Events' to 'Success and Failure' Set 'Audit Policy: Account Management: Application Group Management' to 'No Auditing' Requirement 10: Track access to network/cardholder data: Advanced Audit Policy Configuration - Account Logon Rules Set 'Audit Policy: Account Logon: Kerberos Authentication Service' to 'No Auditing' Set 'Audit Policy: Account Logon: Other Account Logon Events' to 'No Auditing' Set 'Audit Policy: Account Logon: Kerberos Service Ticket Operations' to 'No Auditing' Set 'Audit Policy: Account Logon: Credential Validation' to 'Success and Failure' Requirement 10: Track access to network/cardholder data: Advanced Audit Policy Configuration - Privilege Use Rules Set 'Audit Policy: Privilege Use: Other Privilege Use Events' to 'No Auditing' Set 'Audit Policy: Privilege Use: Non Sensitive Privilege Use' to 'No Auditing' Set 'Audit Policy: Privilege Use: Sensitive Privilege Use' to 'Success and Failure' Requirement 11: Regularly test security systems and processes: 11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauth 11 Regularly Monitor and Test Networks: Requirement 11: Regularly test security systems and processes 11.1 Requirement 11: Regularly test security systems and processes Implement File Integrity Monitoring: Verify the use of a change-detection mechanism within the cardholder data environment by observing system 1 settings and monitored Pass files, as w 12 Maintain an Information Security Policy: Requirement 12: Maintain a policy that addresses information security for all personnel 12.1 Requirement 12: Maintain a policy that addresses information security for all personnel Requirement 12: Maintain a policy that addresses information security for all personnel: Policy and Procedure Documentation Verify PCI DSS Requirement 12 requirements are being operated Page 15