
White Paper

Core Payment Card Industry (PCI) Requirements for Windows and Active Directory®




                                 www.netpro.com
Table of Contents



Core Payment Card Industry (PCI) Requirements for Windows and Active Directory®
Why Comply? (p. 3)
Core PCI DSS Requirements (p. 4)
Ensuring PCI Compliance (p. 4)
    Protect stored cardholder data (p. 4)
    Ensure proper user authentication and password management (p. 5)
    Do not use vendor-supplied defaults for system passwords and other security parameters (p. 7)
    Establish a process for linking all access to system components to each individual user (p. 7)
    Implement automated audit trails for all system components to reconstruct various events (p. 7)
    Ensure that all system components and software have the latest vendor-supplied security patches installed (p. 9)
    Encrypt transmission of cardholder data across open, public networks (p. 10)
The NetPro Solution (p. 11)
The PCI DSS Auditing Checklist (p. 12)




Core Payment Card Industry (PCI) Requirements for Windows and Active Directory®
The Payment Card Industry Data Security Standard (PCI DSS) is a set of industry regulations imposed by the major credit card companies to ensure the safety, security, and integrity of cardholder data. Consisting of 12 requirements grouped into six control objectives, PCI DSS offers service providers and merchants a systematic way to safeguard sensitive cardholder data.
Any business that processes, stores, and transmits the Primary Account Number (PAN)—within the cardholder data environment—must comply with this complex new standard, and must be able to demonstrate that compliance through automated and manual audits of their systems. Systems in the cardholder data environment include any:
    • Network component (including, but not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances)
    • Server (including, but not limited to, web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS))
    • Application (purchased and custom applications, including internal and external Internet applications)


                    Data Element                    Storage Permitted?    Protection Required?
    Cardholder data   Primary Account Number (PAN)    YES                   YES
                      *Cardholder Name                YES                   YES
                      *Service Code                   YES                   YES
                      *Expiration Date                YES                   YES

    *These data elements must be protected if stored in conjunction with the PAN. (From "Payment Card Industry (PCI) Data Security Standard," Version 1.1, published by the PCI Security Standards Council, September 2006.)



In this paper, we'll look at the key challenges and requirements of PCI DSS as it relates to Microsoft Windows and Active Directory, and show you how NetPro solutions can help with PCI compliance. While Windows itself isn't the beginning or end of PCI compliance, it does contribute a remarkable amount to your overall compliance situation when Windows-based computers are used to store cardholder information, process credit card transactions, or allow access to other servers that do hold credit card data.


Why Comply?
If your organization processes, stores, or transmits PANs within the cardholder data environment, PCI compliance is a requirement, not an option. So the easiest answer is "Because otherwise you won't be able to accept credit cards." Less severe penalties can include increased merchant rates (reducing profit margins), while the severest penalties can mean fines of up to $500,000 and more. Penalties are specified by each credit card brand and issuer, and vary widely. Visa, for example, is reported to have levied fines in excess of $4.5 million in 2006 alone.
There are also benefits: credit card companies, such as Visa, are setting aside millions of dollars to reward companies who achieve early compliance. Credit card processors also receive financial incentives, which they are encouraged to pass along to compliant merchants in the form of rewards, lower merchant fees (meaning increased profit margins), and so forth.



Plus, it is simply good business practice to keep data secure, and the same standards should be considered in regard to securing all sensitive data. Adhering to PCI DSS helps companies build a more secure and efficient IT infrastructure and can actually reduce compliance costs in the long run.


Core PCI DSS Requirements
PCI DSS represents a group of security due diligence practices that help ensure the secure handling of cardholder data. There are 12 requirements outlined to achieve PCI compliance, which are grouped into six controls. The core of the Windows-related PCI compliance components, which revolve around securing access to cardholder data, will be the focus of this paper.
    • Build and maintain a secure network
      1. Install and maintain a firewall configuration to protect data.
      2. Change vendor-supplied defaults for system passwords and other security parameters.
    • Protect cardholder data
      3. Protect stored cardholder data.
      4. Encrypt transmissions of cardholder magnetic-stripe data and sensitive information across public networks.
    • Maintain a vulnerability management program
      5. Use and regularly update anti-virus software.
      6. Develop and maintain secure systems and applications.
    • Implement strong access controls
      7. Restrict access to cardholder data to a need-to-know basis.
      8. Assign a unique ID to each person with computer access.
      9. Restrict physical access to cardholder data.
    • Regularly monitor and test networks
      10. Track and monitor all access to network resources and cardholder data.
      11. Regularly test security systems and processes.
    • Maintain an information security policy
      12. Maintain a policy that addresses information security.
(PCI DSS includes more sub-requirements not listed here. For the complete list, visit https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.)

Ensuring PCI Compliance
Protect stored cardholder data.
The goal here is simple: make sure that only authorized individuals have access to cardholder data. This includes:
    • Limiting access to computing resources and cardholder information only to those individuals whose job requires such access.
    • Controlling the addition, deletion, and modification of user IDs, credentials, and other identifier objects.

The Challenge: Managing Permissions on All Windows Resources
Windows is a complex operating system with multiple types of resources: files, the registry, shared folders, and more. PCI requires that you not only maintain absolute control over each of these, but also over the mechanism which controls access: Active Directory. Doing so is challenging because these varied resources each have different interfaces for managing their permissions, making permissions management time-consuming and complex. Windows also provides no built-in way of reviewing historical permissions settings for a PCI audit.



Auditors need to see:
    • Who has access to a given file or other resource?
    • Who has had access to a given file or other resource in the past?
    • What resources does a given individual have access to?
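The first auditor question above (who has access to a given file or share right now) can be answered from the native tools, as an added example that is not part of the white paper and not NetPro's code: it reads the NTFS ACL of a path, expands every group entry recursively through Active Directory down to individual users, and writes a dated snapshot so that later reviews can compare "who had access" over time. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the path and the directory; the share name is a placeholder.

```powershell
# Added example (not from the white paper or NetPro). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Expand-Identity {
    # Expand a DOMAIN\name ACE principal into the individual user accounts behind it.
    param([Parameter(Mandatory)][string] $Identity)
    $name  = ($Identity -split '\\')[-1]
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue
    if ($group) {
        # Nested groups are flattened; only user objects are reported
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $_.SamAccountName }
    } else {
        # A direct user entry, a well-known principal (SYSTEM, Everyone) or a local account: report as-is
        $Identity
    }
}

function Get-EffectiveAccess {
    # One row per (user, ACE) pair for the NTFS ACL of $Path. Share-level permissions are
    # a separate layer and are not read here; review them alongside this output.
    param([Parameter(Mandatory)][string] $Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        foreach ($who in Expand-Identity -Identity $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $who
                ViaEntry  = $ace.IdentityReference.Value   # the group or account the ACE names
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType         # Allow or Deny
                Inherited = $ace.IsInherited
            }
        }
    }
}

# '\\FILE01\CardholderData' is a placeholder; point this at the share holding PAN data.
$report = Get-EffectiveAccess -Path '\\FILE01\CardholderData'
$report | Sort-Object Principal | Format-Table -AutoSize

# Keep the dated snapshot: a series of these files is the historical record an auditor asks for.
$report | Export-Csv -NoTypeInformation -Path ".\acl-snapshot-$(Get-Date -Format yyyyMMdd).csv"
```

Deny entries are listed with Type = Deny rather than subtracted, so a reviewer can see both the grant and the override; a principal that appears only through a Deny row has no access. Running this on a schedule and retaining the CSV files gives you the "who had access in the past" answer without a third-party history store.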

Meeting the Challenge with NetPro
Easily Manage Permissions on All Windows Resources
NetPro provides a centralized, enterprise-class system for managing permissions on all Windows resources, including file systems, registry, and Active Directory. Permission policies are defined by top-level administrators and are automatically applied across the designated resources. Role-based management directly maps roles to the job tasks within your environment, simplifying permission assignment and ongoing change within your organization.
Keep Your Environment Compliant…and Quickly Prove It
NetPro not only helps configure your environment in a compliant fashion, but also helps keep it that way. A built-in alerting system notifies administrators when improper security settings are applied to network resources. The solution also helps make auditing easier by providing built-in reporting to tell an auditor exactly who has access to a particular file. Further, NetPro can even report on historical permissions, telling auditors who has had access to a given resource over a specified period of time.
Easily Deliver Auditing Reports
NetPro provides reporting through Microsoft SQL Reporting Services (SRS), making PCI compliance reports available to auditors via e-mail or through a Web portal. This provides auditors with self-service reporting capabilities, removing report-generation overhead from your shoulders and empowering auditors to do their jobs more efficiently.

NetPro helps demonstrate PCI compliance with:
    • Centralized, template-based control of all Windows-based resource permissions, including auto-fix capabilities and alerting. PCI DSS 7.1
    • Role-based permissions that map directly to job tasks, allowing permissions to be assigned on a need-to-know basis that corresponds with users' actual jobs. PCI DSS 7.1, 7.2
    • Control of Active Directory permissions, helping to ensure that unauthorized user accounts cannot be created, and restricting the number of users who can assign other users to permissions roles. PCI DSS 8.5.1
    • Simplified auditing through built-in reports designed specifically for PCI compliance. Auditors can instantly determine who currently has access to specific resources, and can review historical permissions to see who has had access to those resources in a given time frame.



Ensure proper user authentication and password management.
PCI requires that you control the addition, deletion, and modification of user credentials in systems like Active Directory. You must also ensure that new accounts always have an initial password, terminated users are immediately revoked, and inactive user accounts are removed after no more than 90 days. Windows makes all of these things possible—if you remember to do them. And, of course, you must also be able to prove you've been keeping up with these policies over time.




The Challenge: Controlling User Accounts
In a busy environment, it's easy for day-to-day tasks to overwhelm administrators, leaving details like removing old user accounts unfinished. So how do you prove you've deleted an inactive account if the account is now missing? That's what your PCI audits must be able to prove. And you should be able to do this not only for Active Directory, but also for member computers' local user accounts!


Auditors need to see:
    • Proof that password policies and other directory settings are correct and have remained so over time.
    • Proof that inactive accounts were deleted within the allowed timeframe.
    • Proof that duplicate accounts do not exist.
    • Proof that account removal, modification, and addition is performed according to policies and requirements.
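As an added example (not from the white paper and not NetPro's product) of producing the second and third pieces of evidence above with the native tools, the script below lists enabled accounts with no logon inside the 90-day window, disabled accounts that were never removed, and enabled accounts that share a display name (a simple duplicate-identity check), then saves a dated JSON report. It assumes the RSAT ActiveDirectory module and read access to the domain; the 90-day figure is the one the page cites.

```powershell
# Added example (not from the white paper or NetPro). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$InactiveDays = 90                          # PCI DSS: inactive accounts removed after no more than 90 days
$Window       = [TimeSpan]::FromDays($InactiveDays)

# Enabled user accounts with no logon inside the window. Search-ADAccount evaluates the
# replicated lastLogonTimestamp, which can lag real logons by up to about 14 days, so treat
# hits as candidates for review rather than as automatic deletions.
$Inactive = Search-ADAccount -AccountInactive -TimeSpan $Window -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName

# Disabled accounts still present in the directory: the "no disabled accounts exist" finding
$Disabled = Search-ADAccount -AccountDisabled -UsersOnly |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName

# Possible duplicate identities: more than one enabled account behind a single display name
$Duplicates = Get-ADUser -Filter 'Enabled -eq $true' -Properties DisplayName |
    Where-Object { $_.DisplayName } |
    Group-Object -Property DisplayName |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{ DisplayName = $_.Name; Accounts = ($_.Group.SamAccountName -join ', ') }
    }

$Report = [pscustomobject]@{
    ReviewedAt       = Get-Date
    InactiveWindow   = "$InactiveDays days"
    InactiveAccounts = @($Inactive)
    DisabledAccounts = @($Disabled)
    DuplicateNames   = @($Duplicates)
}

# A dated report per run is the evidence trail; re-run on a schedule shorter than the window.
$Report | ConvertTo-Json -Depth 4 |
    Set-Content -Path ".\ad-account-review-$(Get-Date -Format yyyyMMdd).json"

"Inactive (enabled) accounts: $($Report.InactiveAccounts.Count)"
"Disabled accounts still present: $($Report.DisabledAccounts.Count)"
"Display names with multiple accounts: $($Report.DuplicateNames.Count)"
$Report.InactiveAccounts | Format-Table -AutoSize
```

Because the report is a point-in-time snapshot, proving that an account was deleted on time means keeping the run in which it appeared as inactive and the later run in which it is absent; deletion itself should additionally be captured in the directory's audit trail (see the audit-trail section below). Local accounts on member servers are not covered here and need a separate check on each host.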


Meeting the Challenge with NetPro
Lock Down Configuration Settings
Group Policy is the perfect way to control not only the password policies and other account-related settings in Active Directory, but also member computers' local accounts. Unfortunately, Group Policy objects (GPOs) are easily changed by administrators. With NetPro, however, you can not only "lock down" sensitive GPOs to prevent accidental modification, you can also get instant alerts when a GPO is modified. Further, NetPro can provide historical reports proving that key GPOs and directory settings haven't been changed—demonstrating your PCI compliance.
Report on History of Directory Changes
NetPro allows you to report on nearly any change in Active Directory, enabling you to prove that inactive accounts were deleted in a timely fashion, and to provide a complete record of all changes made to the directory by administrators. What's more, reports are delivered through SQL Reporting Services (SRS), giving auditors direct, Web-based access to the reports they need—with no need for administrators to spend time creating those reports.


NetPro helps demonstrate PCI compliance with:
    • Self-service reports to demonstrate your control over user adds, moves, and deletes. PCI DSS 8.5.1
    • GPO locking to prevent changes to password policies. PCI DSS 8.5
    • Reports to prove that inactive accounts were deleted in a timely fashion, allowing you to quickly spot inactive accounts due for deletion. PCI DSS 8.5.5



Customer Spotlight

When a major clothing retailer needed to show proof that no disabled accounts existed, and that disabled accounts were being deleted in a timely fashion, they turned to NetPro. NetPro also provided a solution to watch for administrators creating duplicate accounts in order to "hide" improper access to cardholder data. By providing irrevocable, irrefutable logs collected in real-time that covered every operation in Active Directory, the retailer was able to satisfy auditors with virtually no administrative overhead.


Do not use vendor-supplied defaults for system passwords and other security parameters.
"Vendor-supplied defaults," in this instance, refer to Microsoft defaults, primarily for Active Directory. Newer versions of Windows actually provide more acceptable defaults for many security parameters, particularly those related to Active Directory user accounts. For example, PCI requires the following security settings for user accounts:
    • Change user passwords at least every 90 days.
    • Require a minimum password length of at least seven characters.
    • Limit repeated access attempts by locking out the user ID after not more than six attempts.
However, many other security defaults exist within Windows and Active Directory. Simply changing those settings seems simple on the surface, yet PCI requires much more.
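The three settings listed above map directly onto attributes of the domain password policy, so checking them is a few lines of PowerShell. The script below is an added example, not part of the white paper and not NetPro's product: it compares the default domain password policy, and every fine-grained password policy (PSO) that overrides it for specific users or groups, against the page's thresholds and prints a finding for each deviation. It assumes the RSAT ActiveDirectory module; the function name Test-PciPasswordPolicy is ours.

```powershell
# Added example (not from the white paper or NetPro). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Thresholds exactly as the page lists them
$Required = @{
    MaxPasswordAgeDays = 90   # change passwords at least every 90 days
    MinPasswordLength  = 7    # at least seven characters
    LockoutThreshold   = 6    # lock out after not more than six attempts
}

function Test-PciPasswordPolicy {
    # Returns one string per deviation; an empty result means the policy meets the thresholds.
    # Works for both Get-ADDefaultDomainPasswordPolicy and Get-ADFineGrainedPasswordPolicy objects.
    param([Parameter(Mandatory)] $Policy)
    $findings = @()

    # MaxPasswordAge is a TimeSpan; 00:00:00 means "passwords never expire", which also fails
    if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero -or
        $Policy.MaxPasswordAge.TotalDays -gt $Required.MaxPasswordAgeDays) {
        $findings += "MaxPasswordAge is $($Policy.MaxPasswordAge.TotalDays) days; required: at most $($Required.MaxPasswordAgeDays)"
    }
    if ($Policy.MinPasswordLength -lt $Required.MinPasswordLength) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength); required: at least $($Required.MinPasswordLength)"
    }
    # LockoutThreshold 0 means account lockout is disabled entirely
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $Required.LockoutThreshold) {
        $findings += "LockoutThreshold is $($Policy.LockoutThreshold); required: between 1 and $($Required.LockoutThreshold)"
    }
    return $findings
}

function Write-PolicyResult {
    param([string] $Name, [string[]] $Findings)
    if ($Findings.Count -eq 0) { "$Name : meets the listed PCI thresholds" }
    else { $Findings | ForEach-Object { "$Name : FINDING - $_" } }
}

$default = Get-ADDefaultDomainPasswordPolicy
Write-PolicyResult -Name 'Default Domain Policy' -Findings (Test-PciPasswordPolicy -Policy $default)

# A PSO wins over the default for the principals it applies to, so a compliant default
# proves nothing for users covered by a weaker PSO; check every one of them.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    Write-PolicyResult -Name "PSO '$($_.Name)' (applies to: $($_.AppliesTo -join ', '))" `
                       -Findings (Test-PciPasswordPolicy -Policy $_)
}
```

The output of a scheduled run, kept with its date, is the kind of "settings are correct and have remained so" evidence the auditor list later in this paper asks for; the domain policy covers domain accounts only, and member servers' local account policies must be checked on each host (for example through the applied Group Policy result).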


The Challenge: Continually Enforcing Security Settings
The fact is that newer versions of Windows provide significantly more secure defaults than older versions did, and in many cases those defaults now meet or exceed PCI requirements. However, the challenge is in maintaining your desired settings over time, and proving that you have done so.


Auditors need to see:
    • What security settings are currently in effect in your environment.
    • Security settings which are consistently applied throughout the environment.
    • What changes have been made to those security settings over time.


Meeting the Challenge with NetPro
Centrally Configure Security Settings
NetPro centrally configures hundreds of security settings in accordance with recognized industry best practices and industry and regulatory requirements—including PCI. Permissions in Active Directory, files, the Windows registry, and other Windows elements, including settings related to password security, are automatically configured.
Automatically Ensure that Security Settings Don't Change
Further, NetPro can continually audit these settings and alert you if they're improperly changed—and automatically restore your desired configuration. Convenient reporting and on-screen dashboards allow you and auditors to review your compliance status at a glance, and to "drill deep" to review specific settings throughout the domain.
Prove that Security Settings Have Remained Constant
Enhanced reporting in NetPro provides auditors with self-service access to built-in reports designed specifically for them. Auditors can see changes to security settings over time, allowing them to instantly verify your ongoing compliance with minimal effort, and no overhead on your staff.


NetPro helps demonstrate PCI compliance by:
    • Centrally configuring consistent security settings across the enterprise. PCI DSS 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14
    • Ensuring that security settings remain in effect at all times.
    • Proving compliance through historical reports showing changes to security settings.




Establish a process for linking all access to system components to each individual user.
Implement automated audit trails for all system components to reconstruct various events.
In short, these requirements refer simply to auditing: the ability of a system like Windows to track and log the use of privilege and authority. When users access files, folders, Active Directory components, and so forth, audit events are logged to a database of some kind. Later, you need to be able to retrieve, filter, sort, search, and aggregate those audit events for regulatory audits, forensic research, and so forth.
From a technical perspective, PCI requires you to collect logs, review them daily, and retain them for a year—including at least three months of online availability.


The Challenge: Obtaining the Information Auditors Need
Windows has built-in auditing for access to files, registry keys, Active Directory, and other system components. However, this auditing system is primarily designed for technical troubleshooting, not auditing. The system is highly distributed—meaning auditors must examine each and every server's logs individually—and contains highly technical information that rarely answers the questions that an auditor has.


Auditors need to see:
    • What privileges have been exercised by users, particularly administrative users.
    • Information related to all individual access to resources.
    • All actions taken by administrators.
    • All access to auditing information.
    • All invalid access attempts.
    • All use of authentication mechanisms such as Active Directory.
    • All initialization (clearing) of audit logs.
    • All creation and deletion of system-level objects.
And auditors need to be able to see this information for the entire environment as a whole, not just individual servers and systems.
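Most of the items in that list correspond to well-known Windows Security-log event IDs, and the "whole environment" view is a matter of collecting from every host into one place. The script below is an added example (not from the white paper and not NetPro's product) of doing that with the native tools: it pulls the last day's events of interest from a list of hosts, tags each with the auditor question it answers, summarises them across the environment, and exports the day's set for retention. It assumes the Windows audit policy on each host actually generates these categories, that the caller has Event Log Readers rights on the remote hosts, and the hostnames are placeholders.

```powershell
# Added example (not from the white paper or NetPro). Uses only the built-in Get-WinEvent cmdlet.

# Security-log event IDs mapped to the auditor questions from the list above
$Categories = @{
    4625 = 'Invalid access attempt (failed logon)'
    4624 = 'Use of authentication mechanism (successful logon)'
    4672 = 'Administrative privilege exercised (special privileges assigned at logon)'
    4720 = 'System-level object created (user account)'
    4726 = 'System-level object deleted (user account)'
    4728 = 'Member added to a global security group'
    4732 = 'Member added to a local security group'
    4756 = 'Member added to a universal security group'
    1102 = 'Audit log cleared'
    4719 = 'System audit policy changed'
}

function Get-PciAuditEvents {
    # Collect the tagged events from each host since $Since (default: the last 24 hours,
    # matching the daily review PCI asks for). Hosts that cannot be reached are skipped
    # with a warning rather than silently leaving a gap in the evidence.
    param(
        [string[]] $ComputerName = @($env:COMPUTERNAME),
        [datetime] $Since = (Get-Date).AddDays(-1)
    )
    foreach ($host in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $host -ErrorAction Stop -FilterHashtable @{
                LogName   = 'Security'
                Id        = [int[]] $Categories.Keys
                StartTime = $Since
            } | ForEach-Object {
                [pscustomobject]@{
                    Computer = $host
                    Time     = $_.TimeCreated
                    EventId  = $_.Id
                    Category = $Categories[$_.Id]
                    RecordId = $_.RecordId                       # lets a reviewer go back to the raw record
                    Summary  = ($_.Message -split "`r?`n")[0]    # first message line is the plain-English summary
                }
            }
        } catch {
            Write-Warning "$host : $($_.Exception.Message)"
        }
    }
}

# 'DC01' and 'FILE01' are placeholder hostnames for a domain controller and a file server
$events = @(Get-PciAuditEvents -ComputerName 'DC01', 'FILE01')

# Environment-wide view grouped by the auditor question, not by server
$events | Group-Object -Property Category | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Anything that touches the audit trail itself gets surfaced separately for immediate review
$events | Where-Object { $_.EventId -in 1102, 4719 } | Format-Table Computer, Time, Summary -AutoSize

# Retained daily export (PCI: one year, with at least three months online)
$events | Export-Csv -NoTypeInformation -Path ".\security-audit-$(Get-Date -Format yyyyMMdd).csv"
```

File and directory object access (event 4663) is deliberately left out of the ID list: it is high-volume and only meaningful once SACLs are set on the specific cardholder-data paths, so it is better collected with its own narrower filter. Exporting from each host into a central store is what makes the trail reviewable as a whole, but the exported files are only as trustworthy as the store they land in, which is why the write-once, tamper-resistant storage discussed next matters.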


Meeting the Challenge with NetPro
Securely Consolidate Windows Event Logs
NetPro provides a tiered approach for superior auditing, beginning with the ability to securely consolidate Windows auditing logs from multiple servers into a secure, centralized database. This provides the core functionality that allows organizations to quickly begin working toward PCI compliance. It also provides key PCI-related capabilities such as correlating logon and logoff events that are captured in Windows' event logs. Rather than having to write home-grown scripts or other tools to filter log data, NetPro allows you to filter, group, sort, and search collected log data using a powerful, intuitive user interface—meaning you'll be able to find the log entries you need faster and more easily.
Logs, however, are only half the battle. You also need alerts to instantly tell you when something is misconfigured or misused in your environment. And, you need information on changes that aren't captured in the Windows event logs.
High-Performance, Completely Secure Audit Trails
Effortless PCI-required auditing can be achieved with NetPro. NetPro taps directly into Windows' internals, eliminating the need for the resource-intensive native Windows auditing. Events are securely forwarded in real-time to a secure, tamperproof database for long-term archival, reporting, and analysis. Events can also trigger instant, real-time alerts, letting you know immediately when something is misconfigured or misused. Cryptic operating system information is translated into plain-English audit messages, which are correlated to specific user actions. Coverage is provided beyond the capability of the native auditing toolset, including auditing of Group Policy object changes, DNS, the registry, file systems, and even Exchange Server. Anti-tampering agents help keep NetPro itself secure, and built-in reports designed specifically for compliance auditing and reporting make it easy to prove your compliance—or spot non-compliant systems prior to an official audit.
Give Auditors Real Information on Their Terms
NetPro correlates Windows event log data, translating technical data into meaningful information. And it's built on Microsoft SQL Reporting Services (SRS), giving auditors self-service access to hundreds of reports via a Web portal. Auditors can also create custom reports that do not affect the underlying data, and dozens of built-in reports specifically address the needs of PCI compliance. Auditors can even report on both live and historical data, giving them access to an audit trail.


NetPro helps demonstrate PCI compliance with:
    • A means of automatically linking individual actions with system components. PCI DSS 10.1
    • A fully-automated audit trail for all activity across Windows-based resources and the directory. PCI DSS 10.2
    • A secured, tamper-resistant store for audit trails. PCI DSS 10.3
Along with the convenience and efficiency of self-service compliance reports for auditors.




Customer Spotlight

Grayling Tyler, Information Security Team Coordinator for Food Lion, uses ChangeAuditor from NetPro as a part of his organization's plan for PCI compliance. He remarked that:
    "Food Lion is subject to PCI compliance regulations and our auditors are not only looking for assurance that we have controls in place, they want proof," Tyler said. "With NetPro, we can actively report on when staff is added or removed from the admin groups and when a Group Policy Object is added or modified. We can also report on system access right down to the file level with exception reports that highlight when users access files that are not their own. NetPro puts an end to the questions."


Ensure that all system components and software have the latest vendor-supplied security patches installed.
Operating systems such as Windows are never 100% secure. As new vulnerabilities and weaknesses are discovered, it is critical that the latest operating system and software patches be applied to address them. By default, Windows offers good support for deploying patches, either through the Windows Software Update Services feature, or through add-on software such as the Microsoft System Center Configuration Manager (SCCM, formerly Systems Management Server or SMS). However, PCI requires you to do more than just deploy updates. You have to be able to prove it.


The Challenge: Keeping Critical Systems Up-to-Date
While Windows' native tools do provide the ability to automatically download and install software updates such as service packs, there are no built-in means of inventorying systems to locate systems which have not been brought up-to-date. Numerous configuration settings and deployment problems can leave systems unpatched and non-compliant, and auditors want to see proof that patches are being deployed on time.


Auditors need to see:
    • Proof that all systems are up-to-date with the latest service releases.
    • Systems that spot unpatched systems and either correct the problem or alert an administrator to do so.


Meeting the Challenge with NetPro
Quickly Identify Unpatched Systems
While NetPro does not reinvent Windows' native patch deployment capabilities, it does supplement Windows' native patch reporting capabilities. NetPro continually monitors systems to ensure compliance with your security policies, and that compliance can include settings such as service pack levels. When a new service pack is made available, simply update your security policies and you'll immediately receive reports or alerts about non-compliant systems, allowing you to quickly deploy the necessary software updates within the PCI-mandated one-month window.


NetPro helps demonstrate PCI compliance by:
    • Ensuring that all systems have the latest vendor-supplied patches. PCI DSS 6.1



Encrypt transmission of cardholder data across open, public networks.
For safety's sake, you may choose to be a little generous with the terms "open" and "public." While anyone would agree that those terms apply to the public Internet, necessitating the now-common use of the HTTPS protocol and SSL-based encryption for e-commerce Web sites, many corporate networks can also qualify as "open" and "public" to security analysts. For example, if your company shares a building with another company, then it would be easy for someone to gain access to your network simply by patching a network cable in a shared wall. Network access in lobbies and conference rooms might also be a way for unauthorized personnel to "see" network traffic they aren't supposed to see. In those cases, you may also wish to encrypt internal communications between systems when those communications are carrying sensitive information.
Windows provides all the means to do so, including support for IP Security (IPSec) protocols. However, you need to make sure those protocols are always in use on designated servers.


The Challenge: Ensuring Secure Transmission
IPSec policies can be configured via Group Policy, but Group Policy objects (GPOs) can be easily misconfigured—either by accident or malicious intent. These changes are rarely discovered simply because GPOs contain so much information, and administrators are rarely browsing in them looking for changes.
Auditors need to see:
    • Proof that the correct policies are in place to ensure secure transmissions.
    • Proof that these policies have remained in effect continuously.


   Meeting the Challenge with NetPro
   Locking Configurations and Continually Monitoring for Changes
   NetPro provides alerting and audit trails for all changes to affected systems, including changes to Group Policy objects that affect IPSec configuration. Plus, you can “lock” sensitive Group Policy objects, preventing accidental changes and helping to prevent malicious reconfiguration. NetPro also provides automated version control for Group Policy objects (also helping to meet requirement 6.4), ensuring that any changes to Group Policy can be instantly rolled back to a previous, “known good” configuration in the event of misconfiguration.
   And NetPro contributes to this PCI DSS requirement by monitoring servers for compliance with desired IPSec policies, ensuring that they are properly configured at all times and immediately alerting administrators of non-compliant systems.
   Providing Proof of Compliance
   NetPro integrates with SQL Reporting Services (SRS), giving auditors a self-service solution for obtaining the reports—that is, the evidence of your compliance—that they need. Using an intuitive Web interface, auditors can quickly check for changes to key IPSec policies, review what changes were made, and determine which computers were impacted by the changes.
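The two checks the paper asks auditors for (that the right IPSec policy is in place, and that it has stayed in place), as an added PowerShell example that is not NetPro's code: it snapshots every GPO's AD and SYSVOL version counters so later drift can be detected against a stored baseline, and verifies on a server that the expected IPsec rules are actually in force. It assumes the GroupPolicy and NetSecurity modules are available (Windows 8 / Server 2012 or later); the baseline path and rule names are placeholders.

```powershell
# Added example, not NetPro's code. Assumes the GroupPolicy module (RSAT or a DC) and
# the NetSecurity module (Windows 8 / Server 2012+). Baseline path and rule names are placeholders.
Import-Module GroupPolicy

# Snapshot the AD and SYSVOL version counters of every GPO. Any edit to a GPO
# increments them, so a stored snapshot is a cheap "known good" marker for drift detection.
function Get-GpoBaseline {
    Get-GPO -All | ForEach-Object {
        [pscustomobject]@{
            Name           = $_.DisplayName
            Id             = $_.Id.ToString()
            ComputerDs     = $_.Computer.DSVersion
            ComputerSysvol = $_.Computer.SysvolVersion
        }
    }
}

# Compare the live GPO set against a baseline saved with Export-Clixml; return only
# the GPOs that are new or whose version counters changed.
function Compare-GpoBaseline {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $baseline = @{}
    Import-Clixml -Path $BaselinePath | ForEach-Object { $baseline[$_.Id] = $_ }
    foreach ($gpo in Get-GpoBaseline) {
        $old = $baseline[$gpo.Id]
        if (-not $old) {
            $gpo | Add-Member -NotePropertyName Status -NotePropertyValue 'NEW' -PassThru
        } elseif ($old.ComputerDs -ne $gpo.ComputerDs -or $old.ComputerSysvol -ne $gpo.ComputerSysvol) {
            $gpo | Add-Member -NotePropertyName Status -NotePropertyValue 'CHANGED' -PassThru
        }
    }
}

# On a server, verify the expected IPsec rules are actually in force. ActiveStore merges
# local and Group Policy rules, so this catches a GPO that was edited, unlinked or blocked.
function Test-IPsecRulesInForce {
    param([Parameter(Mandatory)][string[]]$ExpectedRuleNames)
    $active = Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue
    foreach ($name in $ExpectedRuleNames) {
        $enabled = $active | Where-Object { $_.DisplayName -eq $name -and "$($_.Enabled)" -eq 'True' }
        if (-not $enabled) { return $false }
    }
    return $true
}

# Usage (placeholder path and rule name):
#   Get-GpoBaseline | Export-Clixml C:\PCI\gpo-baseline.xml
#   Compare-GpoBaseline -BaselinePath C:\PCI\gpo-baseline.xml
#   Test-IPsecRulesInForce -ExpectedRuleNames 'Require ESP to cardholder DB'
```

Run the comparison and the rule check on a schedule and keep their output with the baseline file; together they give an auditor the "in place" and "stayed in place" evidence without relying on anyone browsing GPOs by hand.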


      NetPro helps demonstrate PCI compliance by:
      • Ensuring that transmission protection policies remain in place at all times to protect transmitted cardholder data. PCI DSS 4.1
      • Using policies to protect cardholder data on wireless networks. PCI DSS 4.1.1




The NetPro Solution
Large retailers have already seen the benefits of NetPro: a more automated, lower-cost, and reliable approach to PCI compliance. NetPro:
• Helps apply and maintain secure configuration settings across the enterprise, touching Active Directory, files, the registry, and more. Top-level security policies can be automatically applied and continuously enforced.
• Ensures that resources are properly secured at all times by using top-level permissions templates and simple, role-based security that maps directly to job functions. Continual monitoring allows for security alerts, including auto-remediation options, and access reports are available for both current and historical data.
• Protects Group Policy objects, a key security component, by helping to prevent unauthorized Group Policy changes and by providing instant-rollback capability through automated version control.
• Creates a PCI-compliant audit trail through a high-efficiency event collection system and a tamperproof centralized database. Powerful built-in and custom reports provide at-a-glance compliance information and the exact reports that auditors require.
• Collects distributed native events into a centralized, secure database and provides powerful and intuitive searching and filtering capabilities, giving Windows’ native logs true PCI compliance capabilities.
• Transforms native Windows event logs into readable, correlated reports using SQL Server Reporting Services. Reports can be scheduled for e-mail delivery or delivered via Web browsers for access to a variety of user roles.
NetPro offers a clear, proven suite of products to help you achieve, maintain, and verify PCI compliance—at a lower cost.




The PCI DSS Auditing Checklist
Is your organization ready to face a PCI audit? Use this PCI auditing checklist to see if you’re ready and to determine what your auditor will want to see as it relates to Microsoft Windows and Active Directory. Remember, you must be able to prove compliance for your entire enterprise, not just individual servers.
Can you show . . . ?
• Who has access to a specified file or other resource?
• Who has had access to a given file or other resource in the past?
• What resources a given individual has access to across your entire enterprise?
• That password policies and other directory settings are correct and have remained so over time?
• That inactive accounts were deleted within the allowed timeframe?
• That duplicate accounts do not exist?
• That account removal, modification, and addition are performed according to policies and requirements?
• What security settings are currently in effect in your environment?
• What security settings have been in effect in your environment in the past?
• That security settings are consistently applied throughout the environment?
• What changes have been made to security settings over time?
• What privileges have been exercised by users, particularly administrative users?
• Audit logs with all access by all users to all resources?
• Audit logs with all actions taken by administrators?
• Audit logs with all access to auditing information?
• Audit logs with all invalid access attempts?
• Audit logs with all use of authentication mechanisms such as Active Directory?
• Audit logs with all initialization (clearing) of audit logs?
• Audit logs with all creation and deletion of system-level objects?
• Proof that all systems are up-to-date with the latest service releases?
• That you can detect unpatched systems and either correct the problem or alert an administrator to do so?
• That the correct policies are in place to ensure secure transmission of cardholder data?
• That secure transmission policies have remained in effect continuously?
Ideally, auditors should be able to access these items through the self-service, Web-based reporting mechanism found in NetPro. Auditors can pull the information they need to complete their audit—imposing no administrative overhead on you and your staff.
NetPro speeds PCI compliance, making audits easier to pass and removing administrative overhead from your IT staff.




NetPro provides unprecedented control over your Windows infrastructure with software solutions that drive security and compliance into your organization while increasing operational efficiency and productivity. More than 6 million users—from such respected organizations as Coors Brewing, the U.S. Army, and General Motors—optimize their Windows networks with NetPro solutions.

NetPro Computing Inc.
 n nd street, suite 00
Phoenix, aZ 01-
+1 800 998 5090
sales@netpro.com




Copyright © 2007 NetPro Computing, Inc. All rights reserved. This paper is for informational purposes only. NetPro makes no warranties, express or implied, in this document. NetPro Computing, NetPro and the NetPro logo are either registered trademarks or trademarks of NetPro Computing, Inc. in the United States and/or other countries. Microsoft, Active Directory, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation. Other product and company names mentioned herein may be the trademarks of their respective owners.
