From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation
Jump to search
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
- Hackers (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information.
- PCI-2.1 Always change the vendor-supplied defaults before you install a system on the network (e.g., passwords, SNMP community strings, and elimination of unnecessary accounts).
- PCI-2.1.1 For wireless environments, change wireless vendor defaults, including but not limited to, WEP keys, default SSID, passwords, and SNMP community strings, and disabling of SSID broadcasts. Enable Wi-Fi Protected Access (WPA) technology for encryption and authentication when WPA-capable.
- PCI-2.2 Develop configuration standards for all system components. Make sure these standards address all known security vulnerabilities and industry best practices.
- PCI-2.2.1 Implement only one primary function per server (e.g., web servers, database servers, and DNS should be implemented on separate servers).
- PCI-2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the devices’ specified function).
- PCI-2.2.3 Configure system security parameters to prevent misuse.
- PCI-2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems (e.g., unnecessary web servers).
- PCI-2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
--Mdpeters 08:33, 26 June 2006 (EDT)