Windows Policies That Policy Check Verifies


Windows Policies That Policy Check Verifies - September 26, 2014

Copyright 2014 Trustwave Holdings, Inc. All rights reserved.

The Scanner is a PCI module which verifies whether certain settings on a computer comply with PCI Digital Security Standards (PCI DSS). The Scanner verifies that user and password, system configuration, and system auditing policies on the agent's host comply with PCI.

The module runs the following checks on user and password policies, system configuration policies, and system audit policies. Policies with an asterisk (*) in their PCI column help customers to fulfill that standard but may not fulfill the standard on their own.

User and Password Policies

Default Accounts
  Correct Value(s): Disabled
  Where and How to Verify: In the Group Policy Object Editor window, open Local Computer Policy/Computer Settings/Local Policies/Security Options. In the right-hand frame, the Account: Guest Account Status policy lists its setting.
  Description: Scans the setting to ensure that a guest account is disabled.
  PCI: 2.1

Account Lockout Duration
  Correct Value(s): >=30 or 0
  Where and How to Verify: In the Group Policy Object Editor window, open Local Computer Policy/Computer Settings/Account Policies/Account Lockout Policy. In the right-hand frame, the Account lockout duration policy lists its setting.
  Description: Scans the setting to verify that when an account is locked, it is locked for at least 30 minutes or until reset by an administrator. If the latter, the setting is 0. Use the command net accounts to check this value.
  PCI: 8.5.14

Accounts Lockout
  Correct Value(s): =<6
  Where and How to Verify: In the Group Policy Object Editor window, open Local Computer Policy/Computer Configuration/Security Settings/Account Policies/Account Lockout Policy. In the right-hand frame, the Account lockout threshold policy lists its setting.
  Description: Verifies that an account is locked after no more than six attempts to log in. Setting the policy to '0' disables the policy. Use the command net accounts to check this value.
  PCI: 8.5.13

Administrator
  Correct Value(s): Not checked
  Where and How to Verify: In Administrative Tools, open the Computer Management tool. Select System Tools\Local Users and Groups\Users. In the middle pane, double click Administrator to see the never expires setting in the Administrator Properties window.
  Description: Verifies that the Never Expires checkbox is not checked for an administrator user.
  PCI: 8.5.9*

Expiry
  Correct Value(s): 1 < maximum age < 90
  Where and How to Verify: In the Group Policy Object Editor window, open Local Computer Policy/Computer Settings/Account Policies/Password Policy. In the right-hand frame, the Maximum password age policy lists its setting.
  Description: Verifies that the maximum time a password can be used is between 1 and 90 days. Use the command net accounts to check this value.
  PCI: 8.5.9

History
  Correct Value(s): >=4
  Where and How to Verify: In the Group Policy Object Editor window, open Local Computer Policy/Computer Settings/Account Policies/Password Policy. In the right-hand frame, the Enforce password history policy lists its setting.
  Description: Verifies that at least four new passwords must be used before a password can be repeated. Use the command net accounts to check this value.
  PCI: 8.5.12

Length
  Correct Value(s): >=7
  Where and How to Verify: In the Group Policy Object Editor window, open Local Computer Policy/Computer Settings/Account Policies/Password Policy. In the right-hand frame, the Minimum password length policy lists its setting.
  Description: Scans the Length setting to verify that each password is at least seven characters long. Use the command net accounts to check this value.
  PCI: 8.5.10

System Configuration Policies

Anti-Virus Status
  Correct Value(s): Anti-virus installed
  Where and How to Verify: Search the list in the Add or Remove Programs or Programs and Features utility of the operating system to see if an anti-virus program is installed.
  Description: Verifies that an antivirus program is installed on the host. There is a known issue with server operating systems and Windows 2000.
  PCI: 5.1, 5.2

Null Session
  Correct Value(s): For Windows 2000, everyoneincludesanonymous = 1 and restrictanonymous = 2. For all other Windows versions, enable:
    - Network Access: Do not allow anonymous enumeration of SAM accounts
    - Network Access: Do not allow anonymous enumeration of SAM accounts and shares
  Where and How to Verify: For Windows 2000, see the registry settings in HKEY_LOCAL_MACHINE/System/CurrentControlSet/Control/LSA. For all other Windows versions, run gpedit.msc and open Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options. Check that the following are set to Enable:
    - Network Access: Do not allow anonymous enumeration of SAM accounts
    - Network Access: Do not allow anonymous enumeration of SAM accounts and shares
  Description: Verifies that anonymous connections to the interprocess communication share (IPC$) are controlled by setting the registry settings to everyoneincludesanonymous or restrictanonymous. The purpose is to prevent anonymous users from remoting into the host, i.e. creating a null session.
  PCI: 1.2.1*

Screensaver Idle Timeout
  Correct Value(s): 10 minutes =< Wait =< 15 minutes
  Where and How to Verify: In Windows XP, right click on the desktop and choose Properties. In the Display Properties, open the Screen Saver tab. In Windows 7, right click on the desktop and choose Personalize. In the Change the visuals and sounds on your computer window, click the Screen Saver icon in the bottom right. The Screen Saver Settings open.
  Description: Verifies that the screensaver idle timeout is enabled and set in the range of 600-900 seconds.
  PCI: 8.5.15

Screensaver
  Correct Value(s): In XP, enable On resume, display Welcome screen. In Windows 7, enable On resume, display logon screen.
  Where and How to Verify: In Windows XP, right click on the desktop and choose Properties. In the Display Properties, open the Screen Saver tab. In Windows 7, right click on the desktop and choose Personalize. In the Change the visuals and sounds on your computer window, click the Screen Saver icon in the bottom right. The Screen Saver Settings open.
  Description: Verifies that the host's screensaver is password protected.
  PCI: 8.5.15

SNMP
  Correct Value(s): Disabled
  Where and How to Verify: Open the Services utility to see if SNMP is installed and running.
  Description: Verifies that the default SNMP strings are not used.
  PCI: 2.1

Synchronize System Clock
  Correct Value(s):
    Parameters\Type = NTP
    Config\AnnounceFlags=5
    TimeProviders\NtpServer=1
    Parameters= <NTP peers or IP address of such from which time can be received>
    TimeProviders\NtpClient\SpecialPollInterval=<period>
  Where and How to Verify: See the registry settings in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\.
  Description: Verifies that the system clock synchronizes with an NTP server.
  PCI: 10.4

RDP Encryption
  Correct Value(s): RDP encryption level = High or Client Compatible
  Where and How to Verify: In the Group Policy Object Editor window, open Local Computer Policy\Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security. In the right-hand frame, double click on Set Client Connection Encryption Level. In the window that opens, choose Enabled and set the dropdown list in the Options section. Or on Windows 2003, run tscc.msc. On the Terminal Services Configuration/Connections console in the Connections folder, double click RDP-Tcp. In the RDP-Tcp Properties window, open the General tab. Check the Encryption Level dropdown list in the Security section.
  Description: Verifies that RDP encryption level is set to High (128-bit encryption) or Client Compatible (highest level permitted by the client).
  PCI: 8.4*

RDP Idle Timeout
  Correct Value(s): timeout < 30 minutes
  Where and How to Verify: In the Group Policy Object Editor window, open Local Computer Policy\Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits. In the right-hand frame, double click on Set time limit for active but idle Remote Desktop Services sessions. In the window that opens, choose Enabled and set the dropdown list in the Options section. Or on Windows 2003, run tscc.msc. On the Terminal Services Configuration/Connections console in the Connections folder, double click RDP-Tcp. In the RDP-Tcp Properties window, open the Sessions tab. If the Override User Settings box is enabled, the Idle session limit is unlocked.
  Description: Verifies that the RDP idle session timeout is shorter than 30 minutes.
  PCI: 8.5.14

Windows Firewall Turned On
  Correct Value(s): Mark Turn on Windows Firewall
  Where and How to Verify: On Windows XP in the Security Center, click Recommendations. Choose Enable Now and then Close. Click OK. On Windows 7, in the Control Panel, open System and Security and then Windows Firewall. In the left-hand panel, select Turn Windows Firewall on or off. Under each location choose Turn on Windows Firewall. Click OK.
  Description: A firewall should protect the host. The host may use Windows firewall or another brand.
  PCI: 1.4

Windows Update Turned On
  Correct Value(s): Enabled
  Where and How to Verify: On Windows XP, run sysdm.cpl. In the Automatic Updates tab, select Automatic (recommended) Automatically download recommended updates for my computer and install them and click OK. On Windows 7, in the Control Panel, open System and Security. Choose Turn automatic updating on or off. Select Give me recommended updates the same way I receive important updates and click OK.
  Description: Microsoft Windows should be allowed to automatically update the host's operating system.
  PCI: 6.1

System Audit Policies

Audit Administrator Activity
  Correct Value(s): Both Success and Failure are enabled.
  Where and How to Verify: In the Group Policy Object Editor window, open Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies. In the right-hand frame, the Audit privilege use policy lists which of its two settings are enabled.
  Description: Verifies that administrator activity is audited.
  PCI: 10.1*, 10.2*, 10.3*

Audit Invalid Access Attempts
  Correct Value(s): Both Success and Failure are enabled.
  Where and How to Verify: In the Group Policy Object Editor window, open Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies. In the right-hand frame, the Audit privilege use, Audit account management, and Audit policy change policies each list which of their two settings are enabled.
  Description: Verifies that invalid access attempts are logged.
  PCI: 10.2.4

Audit Logon Logoff
  Correct Value(s): Both Success and Failure are enabled.
  Where and How to Verify: In the Group Policy Object Editor window, open Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies. In the right-hand frame, the Audit logon events policy lists which of its two settings are enabled.
  Description: Verifies that audit logon/logoff is enabled and logged.
  PCI: 10.2.5

The following checks are listed as Pending:
  - Record event scope for all audit events: Pending (PCI 10.3.6*)
  - Record event source for all audit events: Pending (PCI 10.3.5)
  - Record event type for all audit events: Pending (PCI 10.3.2)
  - Record result for all audit events: Pending (PCI 10.3.4)
  - Record user ID for all audit events: Pending (PCI 10.3.1)
  - Record date & time for all audit events: Pending (PCI 10.3.3)

Opening the Group Policies tool

1. From the Start menu, enter Run.
2. In the Run dialogue box, enter gpedit.msc to open the Group Policy Object Editor window.

Legal Notice

Copyright 2014 Trustwave Holdings, Inc. All rights reserved.

This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Trustwave. No part of this document may be reproduced in any form or by any means without the prior written authorization of Trustwave. While every precaution has been taken in the preparation of this document, Trustwave assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

While the authors have used their best efforts in preparing this document, they make no representation or warranties with respect to the accuracy or completeness of the contents of this document and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the author nor Trustwave shall be liable for any loss of profit or any commercial damages, including but not limited to direct, indirect, special, incidental, consequential, or other damages.

The most current version of this document may be obtained by contacting:
Trustwave Technical Support:
Phone: +1.800.363.1621
Email: tac@trustwave.com

Trademarks

Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks shall not be used, copied, or disseminated in any manner without the prior written permission of Trustwave.

About Trustwave

Trustwave is a leading provider of compliance, Web, application, network and data security solutions delivered through the cloud, managed security services, software and appliances. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its TrustKeeper portal and other proprietary security solutions. Trustwave has helped hundreds of thousands of organizations ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers manage compliance and secure their network infrastructures, data communications and critical information assets. Trustwave is headquartered in Chicago with offices worldwide. For more information, visit https://www.trustwave.com.
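
Five of the user and password checks in this document (Account Lockout Duration, Accounts Lockout, Expiry, History, Length) name the command net accounts as the way to read the value. The Python below is an added example, not Trustwave's code: it parses captured net accounts output and applies the Correct Value(s) thresholds from those entries. The sample output is constructed, and the English-locale labels and the reading of Never/None/Unlimited as 0 are assumptions.

```python
# Constructed sample of English-locale `net accounts` output (not from the page).
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Assumption: these are the words the English-locale tool prints in place of 0.
ZERO_WORDS = {"never", "none", "unlimited"}

# Output label -> (policy name on the page, PCI reference, compliance test).
RULES = {
    "Lockout duration (minutes)": ("Account Lockout Duration", "8.5.14",
                                   lambda v: v == 0 or v >= 30),
    # 0 disables lockout, so only 1..6 attempts is compliant.
    "Lockout threshold": ("Accounts Lockout", "8.5.13", lambda v: 1 <= v <= 6),
    # Read as "between 1 and 90 days" (inclusive), per the Description column.
    "Maximum password age (days)": ("Expiry", "8.5.9", lambda v: 1 <= v <= 90),
    "Length of password history maintained": ("History", "8.5.12", lambda v: v >= 4),
    "Minimum password length": ("Length", "8.5.10", lambda v: v >= 7),
}

def parse_net_accounts(text):
    """Return {label: int} for lines whose value is numeric or a zero-word."""
    values = {}
    for line in text.splitlines():
        label, sep, raw = line.rpartition(":")
        raw = raw.strip().lower()
        if sep and raw in ZERO_WORDS:
            values[label.strip()] = 0
        elif sep and raw.isdigit():
            values[label.strip()] = int(raw)
    return values

def evaluate(text):
    """Return [(policy, pci, value, status)]; an absent label is MISSING, never PASS."""
    values = parse_net_accounts(text)
    results = []
    for label, (policy, pci, is_ok) in RULES.items():
        value = values.get(label)
        status = "MISSING" if value is None else "PASS" if is_ok(value) else "FAIL"
        results.append((policy, pci, value, status))
    return results

if __name__ == "__main__":
    # On a Windows host, feed evaluate() the captured stdout of `net accounts`.
    for policy, pci, value, status in evaluate(SAMPLE):
        print(f"{status:8}{policy:26}PCI {pci:8}value={value}")
```

Reporting an absent label as MISSING keeps a localized or truncated capture from being counted as compliant.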