I am working toward my PCI compliance and I have a question about the below requirement.
All non-console administrative access is encrypted.
A console is a keyboard or screen that is directly connected to your network hub (like a server or mainframe computer), and is used by administrators.
Passwords that are entered on any computer keyboard with Internet access (both laptop and desktop) other than your console must be encrypted. Examples of this scenario include: database administration interface, web server interface, payment gateway interface, wireless access point (WAP) interface and router interface. The best way to determine if these connections are secure is to look for the https protocol in your web browser address bar.
How to verify you are fulfilling this requirement
- For a sample of system components, verify that non-console administrative access is encrypted by:
  - observing an administrator log on to each system to verify that a strong encryption method is invoked before the administrator's password is requested;
  - reviewing services and parameter files on systems to determine that Telnet and other remote log-in commands are not available for use internally; and
  - verifying that administrator access to the web-based management interfaces is encrypted with strong cryptography.
The organization must ensure all non-console administrative access is encrypted. Technologies such as SSH, VPN, or SSL/TLS should be used. Verify that non-console administrative access is encrypted by reviewing system service and parameter files to ensure Telnet and other remote login commands are not available and by verifying the web-based management interface access uses strong encryption.
I use RDP internally all the time. When I use it externally, I use a VPN. However, this sounds like when I use RDP at all, it needs to be encrypted, including internal access. How do I tell if all my RDP sessions are encrypted now or not? Also, if they are not, how do I make all RDP sessions encrypted so that I can complete this requirement?
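Answering the last two questions for a Windows host, as an added example that is not part of the original post: the script below audits the RDP-Tcp listener's SecurityLayer, MinEncryptionLevel and Network Level Authentication settings through the Win32_TSGeneralSetting WMI class and, only when run with -Apply, raises them to TLS, High encryption and NLA required. It assumes it is run elevated on the server being checked and that Group Policy is not already controlling these values (the PolicySource* properties reveal that).

```powershell
# Audit (and optionally harden) the RDP-Tcp listener's transport security.
# Added example; run elevated on the Remote Desktop host. Uses the
# Win32_TSGeneralSetting class in root/cimv2/TerminalServices. Value meanings:
#   SecurityLayer              0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS)
#   MinEncryptionLevel         1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
#   UserAuthenticationRequired 1 = Network Level Authentication required
param([switch]$Apply)

$layerNames = @{0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL/TLS'}
$levelNames = @{1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS'}

$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

$findings = @()
if ($ts.SecurityLayer -lt 2) {
    $findings += "SecurityLayer is '$($layerNames[[int]$ts.SecurityLayer])'; TLS is not enforced"
}
if ($ts.MinEncryptionLevel -lt 3) {
    $findings += "MinEncryptionLevel is '$($levelNames[[int]$ts.MinEncryptionLevel])'; 128-bit encryption is not required"
}
if ($ts.UserAuthenticationRequired -ne 1) {
    $findings += "Network Level Authentication is not required"
}

# PolicySource* = 1 means Group Policy owns the value; change it in the GPO instead.
$gpoManaged = ($ts.PolicySourceSecurityLayer -eq 1) -or ($ts.PolicySourceMinEncryptionLevel -eq 1)

if ($findings.Count -eq 0) {
    Write-Host "RDP-Tcp: TLS security layer, High encryption, NLA required - compliant"
    return
}
$findings | ForEach-Object { Write-Warning $_ }

if (-not $Apply)  { Write-Host "Re-run with -Apply to remediate."; return }
if ($gpoManaged)  { Write-Warning "Values are set by Group Policy; change them there."; return }

# Remediate through the class's own methods (they write the WinStations\RDP-Tcp registry values).
Invoke-CimMethod -InputObject $ts -MethodName SetSecurityLayer `
    -Arguments @{SecurityLayer = [uint32]2} | Out-Null
Invoke-CimMethod -InputObject $ts -MethodName SetEncryptionLevel `
    -Arguments @{MinEncryptionLevel = [uint32]3} | Out-Null
Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
    -Arguments @{UserAuthenticationRequired = [uint32]1} | Out-Null
Write-Host "Applied: TLS security layer, High encryption, NLA required. New sessions will use these settings."
```

Across a domain the same three settings are enforced centrally by the Group Policy items "Require use of specific security layer for remote (RDP) connections", "Set client connection encryption level" and "Require user authentication for remote connections by using Network Level Authentication" under Remote Desktop Session Host > Security, which is what an assessor sampling systems will want to see.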