Windows Policies That Check Verifies - September 26, 2014
Copyright 2014 Trustwave Holdings, Inc. All rights reserved.

The Scanner is a PCI module which verifies whether certain settings on a computer comply with the PCI Data Security Standard (PCI DSS). The Scanner verifies that the user and password, system configuration, and system auditing policies on the agent's host comply with PCI DSS. The module runs the checks listed below on user and password policies, system configuration policies, and system audit policies. Policies marked with an asterisk (*) in their PCI DSS column help customers to fulfill that requirement but may not fulfill the requirement on their own.

Each entry lists the policy, its correct value(s), where and how to verify it, what the Scanner checks, and the PCI DSS requirement it supports.

User and Password Policies

Default Accounts
  Correct value(s): Disabled
  Where and how to verify: In the Group Policy Object Editor window, open Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options. In the right-hand frame, the Accounts: Guest account status policy lists its setting.
  Description: Scans the setting to ensure that the Guest account is disabled.
  PCI DSS: 2.1

Account Lockout Duration
  Correct value(s): >= 30 minutes, or 0
  Where and how to verify: In the Group Policy Object Editor window, open Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy. In the right-hand frame, the Account lockout duration policy lists its setting. Use the command net accounts to check this value.
  Description: Scans the setting to verify that a locked account stays locked for at least 30 minutes or until an administrator resets it. For the latter, the setting is 0.
  PCI DSS: 8.5.14

Account Lockout Threshold
  Correct value(s): <= 6
  Where and how to verify: In the Group Policy Object Editor window, open Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy. In the right-hand frame, the Account lockout threshold policy lists its setting. Use the command net accounts to check this value.
  Description: Scans the setting to verify that an account is locked after no more than six failed logon attempts. Setting the policy to 0 disables account lockout altogether.
  PCI DSS: 8.5.13
Administrator Password Never Expires
  Correct value(s): Not checked
  Where and how to verify: In Administrative Tools, open the Computer Management tool. Select System Tools\Local Users and Groups\Users. In the middle pane, double-click Administrator to see the Password never expires setting in the Administrator Properties window.
  Description: Scans the setting to verify that the Password never expires checkbox is not checked for an administrator user.
  PCI DSS: 8.5.9*

Password Expiry
  Correct value(s): 1 <= maximum password age <= 90 days
  Where and how to verify: In the Group Policy Object Editor window, open Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy. In the right-hand frame, the Maximum password age policy lists its setting. Use the command net accounts to check this value.
  Description: Scans the setting to verify that the maximum time a password can be used is between 1 and 90 days.
  PCI DSS: 8.5.9

Password History
  Correct value(s): >= 4
  Where and how to verify: In the Group Policy Object Editor window, open Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy. In the right-hand frame, the Enforce password history policy lists its setting. Use the command net accounts to check this value.
  Description: Scans the setting to verify that at least four new passwords must be used before a password can be repeated.
  PCI DSS: 8.5.12

Password Length
  Correct value(s): >= 7
  Where and how to verify: In the Group Policy Object Editor window, open Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy. In the right-hand frame, the Minimum password length policy lists its setting. Use the command net accounts to check this value.
  Description: Scans the setting to verify that each password is at least seven characters long.
  PCI DSS: 8.5.10

System Configuration Policies

Anti-Virus Status
  Correct value(s): Anti-virus installed
  Where and how to verify: Search the list in the Add or Remove Programs or Programs and Features utility of the operating system to see if an anti-virus program is installed.
  Description: Scans the host to verify that an antivirus program is installed. There is a known issue with server operating systems and Windows 2000.
  PCI DSS: 5.1, 5.2
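The user and password checks in the table above can be reproduced from the command line in one pass. The script below is an added example written for this page, not the Scanner's own code. It assumes an elevated Windows PowerShell prompt (secedit reads the local security database), and that the built-in administrator account is still named Administrator. It exports the local security policy with secedit, whose [System Access] key names are the same in every locale (unlike the output of net accounts), reads the Administrator account's "Password never expires" flag through ADSI, which also works on XP and 7 where Get-LocalUser does not exist, and applies the correct values from the table to each setting.

```powershell
# Added example (not Trustwave Scanner code): check the User and Password
# Policies table against the local security policy. Requires an elevated prompt.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null

# Parse the [System Access] section of the exported INI. Key names are
# locale-independent, which is why this is preferred over "net accounts".
$sysAccess = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $sysAccess[$Matches[1]] = $Matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# "Password never expires" on the built-in Administrator account via ADSI:
# bit 0x10000 of UserFlags is ADS_UF_DONT_EXPIRE_PASSWD. Assumes the account
# has not been renamed; adjust the path if it has.
$admin = [ADSI]"WinNT://$env:COMPUTERNAME/Administrator,user"
$neverExpires = ($admin.UserFlags.Value -band 0x10000) -ne 0

function Test-Policy($name, $value, [scriptblock]$rule, $expected, $pci) {
    [pscustomobject]@{ Policy = $name; Value = $value; Expected = $expected; PCI = $pci; Pass = [bool](& $rule $value) }
}

# Absent keys become 0 through the [int] cast. secedit writes -1 for
# "until an administrator unlocks it" where the GUI shows 0, and omits
# LockoutDuration entirely when the lockout threshold is 0 (lockout disabled).
$results = @()
$results += Test-Policy 'Default Accounts (Guest disabled)' ([int]$sysAccess['EnableGuestAccount']) { param($v) $v -eq 0 } '0 (disabled)' '2.1'
$results += Test-Policy 'Account Lockout Duration (min)' ([int]$sysAccess['LockoutDuration']) { param($v) $v -eq -1 -or $v -ge 30 } '>=30 or -1 (admin unlock)' '8.5.14'
$results += Test-Policy 'Account Lockout Threshold' ([int]$sysAccess['LockoutBadCount']) { param($v) $v -ge 1 -and $v -le 6 } '1..6 (0 = disabled)' '8.5.13'
$results += Test-Policy 'Administrator password never expires' $neverExpires { param($v) -not $v } 'False' '8.5.9*'
$results += Test-Policy 'Maximum Password Age (days)' ([int]$sysAccess['MaximumPasswordAge']) { param($v) $v -ge 1 -and $v -le 90 } '1..90 (-1 = never)' '8.5.9'
$results += Test-Policy 'Enforce Password History' ([int]$sysAccess['PasswordHistorySize']) { param($v) $v -ge 4 } '>=4' '8.5.12'
$results += Test-Policy 'Minimum Password Length' ([int]$sysAccess['MinimumPasswordLength']) { param($v) $v -ge 7 } '>=7' '8.5.10'

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

On a domain member the exported values are the effective ones after Group Policy is applied, so this shows what the host actually enforces, which is what the Scanner scores; the non-zero exit code makes the script usable from a scheduled task or a configuration-management run.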
Null Session
  Correct value(s): For Windows 2000, everyoneincludesanonymous = 1 and restrictanonymous = 2. For all other Windows versions, enable Network access: Do not allow anonymous enumeration of SAM accounts and Network access: Do not allow anonymous enumeration of SAM accounts and shares.
  Where and how to verify: For Windows 2000, see the registry values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. For all other Windows versions, run gpedit.msc and open Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options. Check that the following are set to Enabled: Network access: Do not allow anonymous enumeration of SAM accounts; Network access: Do not allow anonymous enumeration of SAM accounts and shares.
  Description: Scans the settings to verify that anonymous connections to the interprocess communication share (IPC$) are controlled by the everyoneincludesanonymous and restrictanonymous registry settings. The purpose is to prevent anonymous users from connecting to the host remotely, i.e. creating a null session.
  PCI DSS: 1.2.1*

Screensaver Idle Timeout
  Correct value(s): 10 minutes <= Wait <= 15 minutes
  Where and how to verify: In Windows XP, right-click the desktop and choose Properties. In Display Properties, open the Screen Saver tab. In Windows 7, right-click the desktop and choose Personalize. In the Change the visuals and sounds on your computer window, click the Screen Saver icon in the bottom right. The Screen Saver Settings window opens.
  Description: Scans the setting to verify that the screensaver idle timeout is enabled and set in the range of 600 to 900 seconds.
  PCI DSS: 8.5.15

Screensaver Password
  Correct value(s): In Windows XP, enable On resume, display Welcome screen. In Windows 7, enable On resume, display logon screen.
  Where and how to verify: In Windows XP, right-click the desktop and choose Properties. In Display Properties, open the Screen Saver tab. In Windows 7, right-click the desktop and choose Personalize. In the Change the visuals and sounds on your computer window, click the Screen Saver icon in the bottom right. The Screen Saver Settings window opens.
  Description: Scans the setting to verify that the host's screensaver is password protected.
  PCI DSS: 8.5.15
SNMP
  Correct value(s): Disabled
  Where and how to verify: Open the Services utility to see if the SNMP service is installed and running.
  Description: Scans the host to verify that the default SNMP community strings are not used.
  PCI DSS: 2.1

Synchronize System Clock
  Correct value(s):
    Parameters\Type = NTP
    Config\AnnounceFlags = 5
    TimeProviders\NtpServer\Enabled = 1
    Parameters\NtpServer = <NTP peers, or the IP addresses of peers from which time can be received>
    TimeProviders\NtpClient\SpecialPollInterval = <polling period>
  Where and how to verify: See the registry values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\.
  Description: Scans the settings to verify that the system clock synchronizes with an NTP server.
  PCI DSS: 10.4

RDP Encryption
  Correct value(s): RDP encryption level = High or Client Compatible
  Where and how to verify: In the Group Policy Object Editor, open Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security. In the right-hand frame, double-click Set client connection encryption level. In the window that opens, choose Enabled and set the drop-down list in the Options section. Or, on Windows 2003, run tscc.msc. In the Terminal Services Configuration console, open the Connections folder and double-click RDP-Tcp. In the RDP-Tcp Properties window, open the General tab and check the Encryption level drop-down list in the Security section.
  Description: Scans the setting to verify that the RDP encryption level is set to High (128-bit encryption) or Client Compatible (the highest level the client supports).
  PCI DSS: 8.4*
RDP Idle Timeout
  Correct value(s): timeout < 30 minutes
  Where and how to verify: In the Group Policy Object Editor, open Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits. In the right-hand frame, double-click Set time limit for active but idle Remote Desktop Services sessions. In the window that opens, choose Enabled and set the drop-down list in the Options section. Or, on Windows 2003, run tscc.msc. In the Terminal Services Configuration console, open the Connections folder and double-click RDP-Tcp. In the RDP-Tcp Properties window, open the Sessions tab. If the Override user settings box is checked, the Idle session limit field is unlocked.
  Description: Scans the setting to verify that the RDP idle session timeout is shorter than 30 minutes.
  PCI DSS: 8.5.14

Windows Firewall Turned On
  Correct value(s): Turn on Windows Firewall is selected
  Where and how to verify: On Windows XP, in the Security Center, click Recommendations. Choose Enable Now, then Close, and click OK. On Windows 7, in the Control Panel, open System and Security and then Windows Firewall. In the left-hand panel, select Turn Windows Firewall on or off. Under each location, choose Turn on Windows Firewall and click OK.
  Description: A firewall should protect the host. The host may use Windows Firewall or another brand.
  PCI DSS: 1.4
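Every entry in the System Configuration Policies table from Null Session through Windows Firewall above (and the Windows Update entry that follows) is backed by a registry value or a service, so they can be read in one pass instead of clicking through each dialog. The script below is an added example written for this page, not the Scanner's own code. It assumes Windows PowerShell on an XP/7-era host, run elevated as the interactive user (the screen saver values live under HKEY_CURRENT_USER), and uses these documented locations: the Lsa key, where RestrictAnonymousSAM and RestrictAnonymous are the registry form of the two "Do not allow anonymous enumeration" policies and EveryoneIncludesAnonymous is hardened at 0 (the "Let Everyone permissions apply to anonymous users" policy disabled); Control Panel\Desktop for the screen saver; the W32Time keys from the Synchronize System Clock entry; the Terminal Server WinStations\RDP-Tcp key for RDP, with the Group Policy key under HKLM\SOFTWARE\Policies taking precedence; the FirewallPolicy profile keys; and the Auto Update AUOptions value, where 4 means download and install automatically. The pass rules are the table's correct values.

```powershell
# Added example (not Trustwave Scanner code): read the registry values and
# service state behind the System Configuration Policies table and compare
# them with the table's correct values. Run elevated, as the interactive user.

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }   # $null when the key or value is absent
}

# Group Policy (HKLM\SOFTWARE\Policies) overrides the per-host RDP-Tcp setting.
function Get-RdpValue([string]$Name) {
    $v = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' $Name
    if ($null -eq $v) {
        $v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' $Name
    }
    $v
}

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$w32  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$desk = 'HKCU:\Control Panel\Desktop'
$fw   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$au   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$snmp = Get-Service -Name SNMP -ErrorAction SilentlyContinue

# Each check: policy name (N), current value (V), pass rule (R), expected (E), PCI DSS requirement (P).
$checks = @()
# Null session: registry form of the two "Do not allow anonymous enumeration" policies.
$checks += @{ N='Null session: RestrictAnonymousSAM'; V=(Get-RegValue $lsa 'RestrictAnonymousSAM'); R={ param($v) $v -eq 1 }; E='1'; P='1.2.1*' }
$checks += @{ N='Null session: RestrictAnonymous';    V=(Get-RegValue $lsa 'RestrictAnonymous');    R={ param($v) $v -eq 1 }; E='1'; P='1.2.1*' }
# 0 (or absent) means Everyone permissions do not apply to anonymous users, the hardened setting.
$checks += @{ N='Null session: EveryoneIncludesAnonymous'; V=[int](Get-RegValue $lsa 'EveryoneIncludesAnonymous'); R={ param($v) $v -eq 0 }; E='0'; P='1.2.1*' }
# Screen saver values are REG_SZ strings; the timeout is in seconds.
$checks += @{ N='Screen saver enabled';            V=(Get-RegValue $desk 'ScreenSaveActive');       R={ param($v) $v -eq '1' }; E='1'; P='8.5.15' }
$checks += @{ N='Screen saver idle timeout (s)';   V=[int](Get-RegValue $desk 'ScreenSaveTimeOut'); R={ param($v) $v -ge 600 -and $v -le 900 }; E='600..900'; P='8.5.15' }
$checks += @{ N='Screen saver password protected'; V=(Get-RegValue $desk 'ScreenSaverIsSecure');    R={ param($v) $v -eq '1' }; E='1'; P='8.5.15' }
$checks += @{ N='SNMP service'; V=$(if ($snmp) { $snmp.Status.ToString() } else { 'not installed' }); R={ param($v) $v -ne 'Running' }; E='not installed or stopped'; P='2.1' }
# W32Time: Type is NTP for a manually configured peer list (domain members normally show NT5DS).
$checks += @{ N='W32Time Parameters\Type';      V=(Get-RegValue "$w32\Parameters" 'Type');      R={ param($v) $v -eq 'NTP' }; E='NTP'; P='10.4' }
$checks += @{ N='W32Time Parameters\NtpServer'; V=(Get-RegValue "$w32\Parameters" 'NtpServer'); R={ param($v) -not [string]::IsNullOrEmpty($v) }; E='<peer list>'; P='10.4' }
$checks += @{ N='W32Time Config\AnnounceFlags'; V=(Get-RegValue "$w32\Config" 'AnnounceFlags'); R={ param($v) $v -eq 5 }; E='5'; P='10.4' }
$checks += @{ N='W32Time NtpServer\Enabled';    V=(Get-RegValue "$w32\TimeProviders\NtpServer" 'Enabled'); R={ param($v) $v -eq 1 }; E='1'; P='10.4' }
$checks += @{ N='W32Time NtpClient\SpecialPollInterval (s)'; V=(Get-RegValue "$w32\TimeProviders\NtpClient" 'SpecialPollInterval'); R={ param($v) $v -gt 0 }; E='>0'; P='10.4' }
# MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant.
$checks += @{ N='RDP encryption level'; V=(Get-RdpValue 'MinEncryptionLevel'); R={ param($v) $v -ge 2 }; E='2 or higher'; P='8.4*' }
# MaxIdleTime is in milliseconds; 0 or absent means no limit.
$checks += @{ N='RDP idle timeout (min)'; V=([int](Get-RdpValue 'MaxIdleTime') / 60000); R={ param($v) $v -gt 0 -and $v -lt 30 }; E='1..29'; P='8.5.14' }
$checks += @{ N='Windows Firewall: domain profile';  V=(Get-RegValue "$fw\DomainProfile" 'EnableFirewall');   R={ param($v) $v -eq 1 }; E='1'; P='1.4' }
$checks += @{ N='Windows Firewall: private profile'; V=(Get-RegValue "$fw\StandardProfile" 'EnableFirewall'); R={ param($v) $v -eq 1 }; E='1'; P='1.4' }
# AUOptions 4 = download updates and install them automatically.
$checks += @{ N='Windows Update AUOptions'; V=(Get-RegValue $au 'AUOptions'); R={ param($v) $v -eq 4 }; E='4'; P='6.1' }

$results = foreach ($c in $checks) {
    [pscustomobject]@{ Policy=$c.N; Value=$c.V; Expected=$c.E; PCI=$c.P; Pass=[bool](& $c.R $c.V) }
}
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Two caveats apply when reading the output. Group Policy can override the firewall and Windows Update values from HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall and HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, so on a managed host confirm the effective firewall state with netsh advfirewall show allprofiles state. And a third-party firewall, which the table accepts, leaves EnableFirewall at 0, so a failure on that line is a prompt to check what is actually filtering traffic rather than a finding on its own.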
Windows Update Turned On
  Correct value(s): Enabled
  Where and how to verify: On Windows XP, run sysdm.cpl. On the Automatic Updates tab, select Automatic (recommended): Automatically download recommended updates for my computer and install them, and click OK. On Windows 7, in the Control Panel, open System and Security and choose Turn automatic updating on or off. Select Give me recommended updates the same way I receive important updates and click OK.
  Description: Microsoft Windows should be allowed to automatically update the host's operating system.
  PCI DSS: 6.1

System Audit Policies

Audit Administrator Activity
  Correct value(s): Both Success and Failure are enabled.
  Where and how to verify: In the Group Policy Object Editor, open Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy. In the right-hand frame, the Audit privilege use policy lists which of its two settings are enabled.
  Description: Scans the setting to verify that administrator activity is audited.
  PCI DSS: 10.1*, 10.2*, 10.3*

Audit Invalid Access Attempts
  Correct value(s): Both Success and Failure are enabled.
  Where and how to verify: In the Group Policy Object Editor, open Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy. In the right-hand frame, the Audit privilege use, Audit account management, and Audit policy change policies each list which of their two settings are enabled.
  Description: Scans the settings to verify that invalid access attempts are logged.
  PCI DSS: 10.2.4
Audit Logon Logoff
  Correct value(s): Both Success and Failure are enabled.
  Where and how to verify: In the Group Policy Object Editor, open Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy. In the right-hand frame, the Audit logon events policy lists which of its two settings are enabled.
  Description: Scans the setting to verify that logon and logoff auditing is enabled and logged.
  PCI DSS: 10.2.5

The following checks are listed as Pending:
  Record event scope for all audit events (PCI DSS 10.3.6*)
  Record event source for all audit events (PCI DSS 10.3.5)
  Record event type for all audit events (PCI DSS 10.3.2)
  Record result for all audit events (PCI DSS 10.3.4)
  Record user ID for all audit events (PCI DSS 10.3.1)
  Record date & time for all audit events (PCI DSS 10.3.3)

Opening the Group Policy tool
1. From the Start menu, choose Run.
2. In the Run dialog box, enter gpedit.msc to open the Group Policy Object Editor window.

Legal Notice

Copyright 2014 Trustwave Holdings, Inc. All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and the features described herein are subject to change without notice. While the authors have used their best efforts in preparing this document, they make no representations or warranties with respect to the accuracy or completeness of the contents of this document and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.

The most current version of this document may be obtained by contacting Trustwave Technical Support: Phone: +1.800.363.1621, Email: tac@trustwave.com

Trademarks

Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.

About Trustwave

Trustwave is a leading provider of compliance, Web, application, network and data security solutions delivered through the cloud, managed security services, software and appliances. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its TrustKeeper portal and other proprietary security solutions. Trustwave has helped hundreds of thousands of organizations ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers manage compliance and secure their network infrastructures, data communications and critical information assets. Trustwave is headquartered in Chicago with offices worldwide. For more information, visit https://www.trustwave.com.
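The three rows of the System Audit Policies table (Audit Administrator Activity, Audit Invalid Access Attempts, Audit Logon Logoff) are expressed as the legacy Audit Policy checkboxes, but on Windows Vista/2008 and later the setting that the host actually enforces is the per-subcategory one reported by auditpol, and a legacy checkbox can read differently from the effective policy once advanced audit policy is in use. The script below is an added example written for this page, not the Scanner's own code. It assumes an elevated prompt on Vista/2008 or later (auditpol does not exist on XP or 2000) and maps each legacy policy from the table onto the subcategories it covers: Audit privilege use onto Sensitive Privilege Use, Audit account management onto User Account Management, Audit policy change onto Audit Policy Change, and Audit logon events onto Logon and Logoff. The subcategory names are the English ones; on a localized system match on the Subcategory GUID column of the same report instead.

```powershell
# Added example (not Trustwave Scanner code): verify the System Audit Policies
# table from auditpol's effective per-subcategory settings. Run elevated on
# Windows Vista/2008 or later. /r emits CSV, which ConvertFrom-Csv turns into
# objects with Subcategory, "Subcategory GUID" and "Inclusion Setting" columns.
$auditRows = auditpol /get /category:* /r | ConvertFrom-Csv

function Get-AuditSetting([string]$Subcategory) {
    $row = $auditRows | Where-Object { $_.Subcategory -eq $Subcategory } | Select-Object -First 1
    if ($row) { $row.'Inclusion Setting' } else { 'not found' }
}

# Legacy policy from the table -> subcategories that must be "Success and Failure".
$requirements = @()
$requirements += @{ Policy='Audit Administrator Activity (Audit privilege use)'; Subs=@('Sensitive Privilege Use'); PCI='10.1*, 10.2*, 10.3*' }
$requirements += @{ Policy='Audit Invalid Access Attempts (privilege use, account management, policy change)';
                    Subs=@('Sensitive Privilege Use', 'User Account Management', 'Audit Policy Change'); PCI='10.2.4' }
$requirements += @{ Policy='Audit Logon Logoff (Audit logon events)'; Subs=@('Logon', 'Logoff'); PCI='10.2.5' }

$results = foreach ($r in $requirements) {
    foreach ($sub in $r.Subs) {
        $setting = Get-AuditSetting $sub
        [pscustomobject]@{ Policy=$r.Policy; Subcategory=$sub; Setting=$setting; PCI=$r.PCI; Pass=($setting -eq 'Success and Failure') }
    }
}
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

If the legacy checkboxes in Local Security Policy disagree with this output, the advanced audit policy is overriding them (the "Audit: Force audit policy subcategory settings to override audit policy category settings" security option), and auditpol's view is the one that determines what reaches the Security log.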