[PCI DSS 3.0] 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities

pcinetwork

PCINetwork.org Admin
#1
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

Sources of industry-accepted system hardening standards may include, but are not limited to:
- Center for Internet Security (CIS)
- International Organization for Standardization (ISO)
- SysAdmin Audit Network Security (SANS) Institute
- National Institute of Standards and Technology (NIST)

2.2.a Examine the organization's system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards.

2.2.b Examine policies and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.1.

2.2.c Examine policies and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before a system is installed on the network.

2.2.d Verify that system configuration standards include the following procedures for all types of system components:
- Changing of all vendor-supplied defaults and elimination of unnecessary default accounts
- Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server
- Enabling only necessary services, protocols, daemons, etc., as required for the function of the system
- Implementing additional security features for any required services, protocols or daemons that are considered to be insecure
- Configuring system security parameters to prevent misuse
- Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers

There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those that are not security experts, a number of security organizations have established system-hardening guidelines and recommendations, which advise how to correct these weaknesses.

Examples of sources for guidance on configuration standards include, but are not limited to: www.nist.gov, www.sans.org, www.cisecurity.org, www.iso.org, and product vendors.

System configuration standards must be kept up to date to ensure that newly identified weaknesses are corrected prior to a system being installed on the network.
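One way to make the 2.2.d procedures checkable rather than a paper standard, as an added example that is not part of the PCI DSS text or of this post: the configuration standard is written as data (allowed services per server role, vendor default accounts, required security parameters) and each host record is checked against it, with every finding labelled by the 2.2 procedure it violates. All role names, host records and parameter values below are constructed sample data.

```python
# Added example, not from PCI DSS or PCINetwork.org: a configuration standard
# expressed as data, plus a checker that reports each deviation against the
# 2.2.d procedure it violates. All roles, hosts and values are constructed.

STANDARD = {            # server role -> services allowed for that one function
    "web": {"sshd", "httpd"},
    "db":  {"sshd", "postgresql"},
}
INSECURE_SERVICES = {"telnet", "ftp", "rsh"}         # need extra security features
VENDOR_DEFAULT_ACCOUNTS = {"admin", "guest", "oracle", "sa"}
REQUIRED_PARAMS = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}


def check_host(host):
    """Return [(requirement, detail), ...] for one host record; [] if compliant."""
    findings = []
    roles = set(host["roles"])
    for role in sorted(roles - set(STANDARD)):   # 2.2.a: a standard for every type
        findings.append(("2.2.a no configuration standard for component type", role))
    if len(roles) != 1:                          # 2.2.d: one primary function per server
        findings.append(("2.2.d multiple primary functions", ", ".join(sorted(roles))))
    allowed = set().union(*(STANDARD.get(r, set()) for r in roles))
    for svc in sorted(set(host["services"])):
        if svc in INSECURE_SERVICES:             # 2.2.d: insecure protocols need added controls
            findings.append(("2.2.d insecure service requires additional security", svc))
        elif svc not in allowed:                 # 2.2.d: enable only necessary services
            findings.append(("2.2.d unnecessary service enabled", svc))
    for acct in sorted(set(host["accounts"]) & VENDOR_DEFAULT_ACCOUNTS):
        findings.append(("2.2.d vendor default account present", acct))
    for key, want in REQUIRED_PARAMS.items():    # 2.2.d: security parameters set
        got = host["params"].get(key)
        if got != want:
            findings.append(("2.2.d security parameter misconfigured", f"{key}={got}"))
    return findings


# Constructed host records in the shape an inventory/discovery tool might emit.
HOSTS = [
    {"name": "web01", "roles": ["web"], "services": ["sshd", "httpd"],
     "accounts": ["root", "deploy"],
     "params": {"PermitRootLogin": "no", "PasswordAuthentication": "no"}},
    {"name": "db01", "roles": ["db", "web"],
     "services": ["sshd", "postgresql", "httpd", "telnet"],
     "accounts": ["root", "sa"], "params": {"PermitRootLogin": "yes"}},
]

if __name__ == "__main__":
    for h in HOSTS:
        for req, detail in check_host(h) or [("compliant", "")]:
            print(f"{h['name']}: {req} {detail}")
```

Running the checker before a host is placed on the network gives the evidence 2.2.c asks for; re-running it after the standard changes covers 2.2.b.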