Need help in system hardening/configuration for Windows OS for compliance (PCI DSS).

Posted on 2010-09-23
Last Modified: 2012-05-10

PCI DSS requirement is... have configuration standards that... must be consistent with industry-accepted hardening standards as defined, for example, by (SANS), (NIST), and (CIS)


(SMB, we haven't had to do this for any other regulatory compliance before.)

Types of tools I have been looking at are products that can scan a system and show what configuration changes need to be made (some can remedy some of the settings so the system is compliant).

So far I found NetIQ, Ionix (VMware) SCM, and Tripwire.

How are you going about, or how have you gone about, solving this, making configuration changes that meet your compliance requirements, and what products/tools are you using, if any?

Question by:UDF
 
LVL 15

Assisted Solution

by:mcp_jon
mcp_jon earned 400 total points
ID: 33754842
Have you considered SCOM?

Kind regards.
0
 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 600 total points
ID: 33754964
OSSEC. Requires a Linux central server, but has agents for all the other OSes, including Windows. Hardening can be done in a variety of ways; I recommend you start here:
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml (scroll down for various Windows hardening guides and tips)
-rich
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 100 total points
ID: 33768540
1) Download the PCI DSS PDF
2) Check that you formally have a firewall, SSL-secured admin interfaces, an encrypted database and no extra services running
3) Make sure you have the latest OS patches (a track record of critical/security patches installed)

It is more like a baseline/checklist; it is very practical to have a staging server to approve production changes (easy with VMware)
0
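As an added illustration of the checklist above (this is not code from the thread or from any of the products named in it), the following read-only PowerShell script collects evidence for the firewall, extra-services and patch-level items on a single Windows Server. It assumes Windows Server 2012 or later (NetSecurity module available), an elevated session, and that the service allow-list is a constructed placeholder to be replaced with your documented baseline.

```powershell
# Added example, not from the original thread.
# Assumptions: Windows Server 2012+, run as administrator,
# $baselineServices is a constructed placeholder for your documented baseline.

# 1) Firewall: every profile should be enabled with inbound default set to Block.
$firewall = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 2) Extra services: anything running that is not in the documented baseline.
$baselineServices = @('Dhcp', 'Dnscache', 'EventLog', 'LanmanServer', 'W32Time', 'WinRM')  # constructed placeholder
$unexpected = Get-Service |
    Where-Object { $_.Status -eq 'Running' -and $baselineServices -notcontains $_.Name }

# 3) Patching: days since the most recent hotfix with a recorded install date.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$daysSincePatch = if ($lastPatch) {
    (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days
} else { $null }

# 4) Listening TCP ports, to compare against the documented list of required ports.
$listening = Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Sort-Object LocalPort -Unique

# Build one finding per deviation so the output can be kept as audit evidence.
$findings = @()
foreach ($p in $firewall) {
    if (-not $p.Enabled) { $findings += "Firewall profile $($p.Name) is disabled" }
    if ($p.DefaultInboundAction -ne 'Block') {
        $findings += "Firewall profile $($p.Name) does not block inbound by default"
    }
}
foreach ($s in $unexpected) {
    $findings += "Running service not in baseline: $($s.Name) ($($s.DisplayName))"
}
if ($null -eq $daysSincePatch) { $findings += "No hotfix install dates recorded" }
elseif ($daysSincePatch -gt 30) { $findings += "Last hotfix installed $daysSincePatch days ago" }

$findings | ForEach-Object { [pscustomobject]@{ Host = $env:COMPUTERNAME; Finding = $_ } } |
    Format-Table -AutoSize
$listening | Format-Table -AutoSize
```

Pipe the findings to Export-Csv instead of Format-Table to keep a dated record per server, which is the "track record" the checklist asks for.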
 

Author Closing Comment

by:UDF
ID: 33831526
I just wanted to see how others were approaching the problem. At this point I think anyone who is going to comment has.

OSSEC looks like an option to check out; not sure how complicated it is to set up, but I will play around with it. It looks like it may also help with other requirements.

I did look at SCOM at one point, but I didn't see anything allowing for PCI DSS or SOX type configurations you could load. It looked like it was MS security guidelines that you could load, similar to using the security baseline analyzer, but centralized.

Gheist. Not sure, but from the auditors we have talked to, there is a bit more to it for the system configuration requirement. Since it is based off of NIST and CIS guidelines, there are several changes that need to be made to, say, a Windows 2003 server. I wish this was the case for us; PCI is really up to the QSA or your level (I would hold onto the one you have). You did answer with your approach.

Thanks
0
 
LVL 62

Expert Comment

by:gheist
ID: 33831625
Requirements are quite blurry....
Formally they are satisfied easily, but there is a lot of room for interpretation after.
0