Tagged: Compliance

  • markparris 9:49 am on June 6, 2011 Permalink | Reply
    Tags: Compliance

    Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2 


    If you are looking to understand what the security policies in Windows 7 and 2008 R2 mean and how they can impact your environment, then this guide is a must read.

    Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2

    The document covers the following categories in some depth:

    Account Policies

    This section discusses the Group Policy settings that are applied at the domain level: password policies, account lockout policies, and Kerberos protocol authentication policies.

    Advanced Security Audit Policy

    This section discusses the use of advanced audit policy settings, which are now integrated with Group Policy to monitor and enforce your security measures. It describes the various settings, and it provides examples of how audit information is modified when the settings are changed.

    User Rights

    This section discusses the various logon rights and privileges that are provided by the Windows 7 and Windows Server 2008 R2 operating systems, and it provides guidance about which accounts should be assigned these rights.

    Security Options

    This section provides guidance about security settings for digital data signatures, Administrator and Guest account names, drive access, driver installation behaviour, and logon prompts.

    Event Log

    This section provides guidance about how to configure the settings that relate to the various event logs on computers running Windows Server 2008 R2 or Windows 7.

    System Services

    Windows Server 2008 R2 and Windows 7 include a variety of system services. Many of these services are configured to run by default, but others are not present unless you install specific components. This section describes the various services included with the operating systems so that you can best decide which ones to leave enabled and which ones can be safely disabled.

    Software Restriction Policies

    This section provides a brief overview of the Software Restriction Policy feature that is available in Windows Server 2008 R2 and Windows 7. It provides links to additional resources about how to design and use policy settings to control which applications can be used in your organization.

    Application Control Policies

    This section provides a brief overview of the AppLocker™ feature that is available in Windows Server 2008 R2 and Windows 7. It provides links to additional resources about how to design and use policy settings to control which applications can be used in your organization.

    External Storage Devices

    This section describes Group Policy settings that can be used to limit, prevent, or allow the use of external storage devices in networked computers.

    Additional Resources

    This section provides links to additional information sources about Windows security topics from Microsoft that you may find useful.


  • markparris 10:00 am on April 20, 2010 Permalink | Reply
    Tags: Compliance

    Slipping in under the Office 2010 Radar – System Center Essentials 2010 and Data Protection Manager 2010 – RTM 

    Slipping in under the Office 2010 RTM radar, Microsoft released to manufacturing (RTM'd) Microsoft System Center Essentials 2010 and Microsoft System Center Data Protection Manager (DPM) 2010 yesterday (19 April 2010).

    Microsoft System Center Essentials 2010

    System Center Essentials 2010 (SCE 2010) provides IT professionals in mid-sized organizations with a unified physical and virtual management experience. It enables you to better secure, update, monitor, and troubleshoot from a single console, so you can efficiently and proactively manage your IT environment. The main addition to this second System Center Essentials release is the seamless integration of Virtual Machine Manager 2008 R2 technology, making it quick and easy for midsize business to begin realizing the cost-cutting benefits of server consolidation using virtualization. SCE 2010 will enable you to rapidly move from a physical to virtual server environment while maintaining the control and simple management you have come to expect from the product.

    System Center Data Protection Manager (DPM) 2010

    Data Protection Manager (DPM) 2010 is part of the System Center family of management products from Microsoft. It delivers unified data protection for Windows server workloads such as SQL Server, Exchange, SharePoint, virtualisation hosts and file servers, as well as for Windows desktops and laptops.

    DPM seamlessly uses disk, tape, and cloud-based repositories to deliver an easy-to-use and best-of-breed backup and recovery solution for Windows environments from Microsoft. Windows customers of all sizes can rely on Microsoft to provide a scalable and manageable protection solution that is cost-effective, secure, and reliable.

  • markparris 8:22 am on April 8, 2010 Permalink | Reply
    Tags: act, Compliance, dcm, Hardening

    Security Compliance Manager (Guidance on how to harden your Windows environments). 

    The Security Compliance Manager is a free Solution Accelerator from Microsoft, designed to let organisations draw on the experience of Microsoft's security professionals and reduce the time and cost required to harden a Windows infrastructure.

    The Security Compliance Manager provides access to the complete database of Microsoft recommended security settings; using this information you can configure and customise security baselines; these can then be exported to multiple formats,  including Excel, Group Policy objects (GPOs), Desired Configuration Management (DCM) packs or the Security Content Automation Protocol (SCAP), for analysis or implementation.

    Download the Security Compliance Manager

    Learn more about the Security Compliance Manager

    Solution Accelerators are tools and guidance that help you solve deployment, planning and operational IT problems. Solution Accelerators are free and fully supported. Want to learn more about Microsoft Solution Accelerators? Click here.

  • markparris 3:14 pm on March 17, 2010 Permalink | Reply
    Tags: Compliance, end of life

    Windows XP SP2 – The end is nigh. 

    A few versions of Windows go out of support this year. If you continue to use these versions of Windows, beware: it is effectively the same as driving a Ford Capri around town; it works, everyone of a certain age knows what it is, but good luck if it goes wrong.

    Windows 2000 Professional and Windows 2000 Server were both launched over 10 years ago and both products regardless of service pack will go out of support on July 13th, 2010.

    Windows XP with Service Pack 2 will go out of support on July 13th, 2010; but support for Windows XP with Service Pack 3 will continue.  This means that from July 13th onwards, Microsoft will no longer support or provide free security updates for Windows XP with Service Pack 2.

    To ensure you still receive security updates, Windows XP should be upgraded to Windows XP Service Pack 3; this is available for free via the Windows Update website or from http://www.microsoft.com/downloads/details.aspx?FamilyID=68C48DAD-BC34-40BE-8D85-6BB4F56F5110&displaylang=en

    Windows Vista with no Service Packs installed will go out of support on April 13th 2010.
    To ensure you still receive security updates, Windows Vista should be upgraded to Windows Vista Service Pack 2; this is available for free via the Windows Update website or from: http://www.microsoft.com/windows/windows-vista/default.aspx

    For more information and for further clarity, I recommend checking out:

  • markparris 10:51 am on February 11, 2010 Permalink | Reply
    Tags: Compliance

    Microsoft Security Compliance Manager (BETA) 

    This week sees the beta of "Microsoft Security Compliance Manager (SCM)" released; the tool will enable you to view, update, and export security baselines for the following Microsoft products.

    Internet Explorer 8
    Microsoft Office 2007 SP2
    Windows 7
    Windows Server 2003 SP2
    Windows Server 2008 SP2
    Windows Vista SP2
    Windows XP SP3

    I have not had a chance to experiment with the product too much as of yet, but it looks as if it may add some value.   If you are interested in joining the beta the URL to sign up is: 


  • markparris 3:14 pm on January 12, 2010 Permalink | Reply
    Tags: Compliance, PCI-DSS

    PCI-DSS – It’s not rocket science. 


    For nearly two years, I worked on a PCI-DSS project for one of the world's most recognisable brands.

    What is PCI-DSS?

    PCI-DSS is a mandatory compliance standard for all companies that process, store or transmit payment card data.

    Compliance is tiered: the level of validation and reporting required of a merchant depends primarily on the number of card transactions it completes in a year.

    See https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml for further details.

    My Experience

    Within days of starting the PCI-DSS project it became apparent to me and the rest of the project team that what the standard was asking for was indeed not rocket science, but a series of best practices that, in reality, you should be doing anyway.


    Before you go off and spend thousands of pounds, dollars or euros to become compliant, take a step back and look at your scope of compliance. What do I mean by that?

    If you have 10,000 PCs in your environment but only 500 process credit card information, then those 500 PCs are your target for compliance, not all 10,000; bringing every machine into scope would carry huge cost implications and huge management overheads.

    The rule that our QSA gave us to work with for our audit was:

    Any PC or server that processes cardholder data, stores cardholder data, or can access (or influence access to) cardholder data is in scope.

    If the network is encrypted then that is out of scope; if no encryption is present then the network is in scope.

    Once you have the scope – speak to your QSA and have the scope ratified, agreed and signed off.

    It is worth noting that at this stage you should be totally honest with your QSA and not try to hide anything under the carpet. If there is a payment card security breach within your organisation, the kept secret may be exactly what caused it, and the ultimate punishment for a breach is that your ability to process payment cards of any type can be withdrawn.

    Translating the rules into plain English, from an infrastructure perspective (summarised and not exhaustive):

    Requirement 1: Install and maintain a firewall configuration to protect cardholder data

    Document all firewall rules
    Diagram all network flows
    Remove any legacy rules
    Justify all rules in the firewall
    Review all firewall rules every six months
    Segment the network (if possible)
    Secure all router configuration files
    All firewalls must be stateful packet inspection firewalls
    Implement or confirm a rigid change control process for any new rules or when modifying existing rules

    There are other considerations but it depends where your cardholder data is located.
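    The scoping rule above and the Requirement 1 checklist are the kind of thing that is easier to keep honest with a script than with a spreadsheet. The following is an added example, not code from the original post or from any firewall vendor: it takes a constructed rule set in a simple five-field form (source, destination, service, action, justification, last review date), flags rules with no justification, rules not reviewed in the last six months, and rules that allow any service or any-to-any traffic, and then works out which sources can reach the cardholder data environment (CDE) and are therefore in scope. The hostnames, addresses and dates are made up for illustration; the only CDE network is 10.10.9.0/24.

```python
"""
Firewall rule review and CDE scoping check for PCI-DSS Requirement 1.
Added example (not from the original post). The rule format, addresses
and dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # CIDR, or "any"
    dst: str             # CIDR, or "any"
    service: str         # e.g. "tcp/1433", or "any"
    action: str          # "allow" or "deny"
    justification: str   # documented business reason for the rule
    last_reviewed: date  # date of the last six-monthly rule review


# Constructed rule set; 10.10.9.0/24 is the cardholder data environment (CDE)
CDE_NETWORKS = ["10.10.9.0/24"]
TODAY = date(2010, 1, 12)
RULES = [
    Rule("web-to-db", "10.10.1.0/24", "10.10.9.0/24", "tcp/1433", "allow",
         "POS application servers to card database", date(2009, 11, 30)),
    Rule("legacy-ftp", "any", "10.10.9.10/32", "tcp/21", "allow",
         "", date(2009, 1, 1)),
    Rule("mgmt", "10.20.0.0/16", "10.10.9.0/24", "any", "allow",
         "Admin workstations to CDE servers", date(2009, 12, 15)),
    Rule("office-internet", "10.30.0.0/16", "any", "tcp/80", "allow",
         "Office web browsing", date(2009, 10, 1)),
]


def _net(cidr):
    """'any' is represented as None; everything else becomes an ip_network."""
    return None if cidr == "any" else ip_network(cidr, strict=False)


def _overlaps(a, b):
    # None ("any") overlaps everything
    return a is None or b is None or a.overlaps(b)


def review_rules(rules, today, max_age_days=182):
    """Return (rule name, finding) pairs for rules that fail the Req. 1 checks."""
    findings = []
    for r in rules:
        if r.action == "allow" and r.src == "any" and r.dst == "any":
            findings.append((r.name, "any-to-any allow rule"))
        if r.action == "allow" and r.service == "any":
            findings.append((r.name, "allows any service; restrict to required ports"))
        if not r.justification.strip():
            findings.append((r.name, "no documented business justification"))
        if (today - r.last_reviewed).days > max_age_days:
            findings.append((r.name, "not reviewed in the last six months"))
    return findings


def in_scope_sources(rules, cde_networks):
    """Sources that an allow rule permits to reach the CDE are in scope.

    A destination of 'any' silently includes the CDE, and a source of 'any'
    means segmentation is not limiting scope at all.
    """
    cde = [ip_network(c) for c in cde_networks]
    scope = set()
    for r in rules:
        if r.action != "allow":
            continue
        if any(_overlaps(_net(r.dst), c) for c in cde):
            scope.add(r.src)
    return scope


if __name__ == "__main__":
    for name, finding in review_rules(RULES, TODAY):
        print(f"{name}: {finding}")
    print("in scope:", sorted(in_scope_sources(RULES, CDE_NETWORKS)))
```

    Two of the results are the ones that tend to surprise people during a scoping exercise: the office-internet rule never mentions the CDE, but its destination of "any" includes it, so the whole office range is pulled into scope; and the legacy FTP rule with a source of "any" means the segmentation is not reducing scope at all until that rule is removed or tightened.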

    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

    Reset all vendor-supplied defaults, including passwords and SNMP community strings, on all servers, applications, operating systems and networking equipment
    Implement configuration hardening standards (such as CIS – Center for Internet Security)
    Implement only one primary function per server (excludes virtualisation and Active Directory integrated DNS)

    Requirement 3: Protect stored cardholder data

    Render all stored cardholder data unreadable (strong encryption, truncation or one-way hashing of the PAN)
    Restrict access to the data to the people and applications that need it
    Develop data retention standards
    Do NOT store sensitive authentication data (full track data, card validation codes, PIN blocks) after authorisation, even if encrypted
    Mask the PAN when it is displayed (at most the first six and last four digits shown)
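    Two of the Requirement 3 items, finding where PANs have ended up and masking them to the first six and last four digits, come down to the same piece of logic. The block below is an added example, not code from the original post or from any PCI tool: it scans text for runs of 13 to 19 digits (optionally separated by spaces or dashes), keeps only the candidates that pass the Luhn check so that order numbers and timestamps are left alone, and masks the middle digits while preserving the original separators. The log lines are constructed for illustration and use the well-known test PANs 4111111111111111 and 5555555555554444.

```python
"""
Find Luhn-valid card numbers in text and mask them to first six / last four.
Added example (not from the original post); the log lines are constructed
and use the well-known test PANs 4111111111111111 and 5555555555554444.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes,
# not immediately preceded or followed by another digit
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(text: str):
    """Return (masked_text, number_of_pans_masked).

    Only candidates that pass Luhn are treated as PANs, which keeps order
    numbers and timestamps from being masked by mistake. Separators are
    preserved so the masked value still lines up in the log.
    """
    count = 0

    def repl(m):
        nonlocal count
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw
        count += 1
        n, seen, out = len(digits), 0, []
        for ch in raw:
            if ch.isdigit():
                seen += 1
                out.append(ch if seen <= 6 or seen > n - 4 else "*")
            else:
                out.append(ch)
        return "".join(out)

    return PAN_RE.sub(repl, text), count


# Constructed application log lines; line 2 holds a 16-digit order number
# that fails Luhn and must be left alone
SAMPLE_LOG = [
    "2010-01-12 10:51:03 pos01 sale auth=OK pan=4111111111111111 amount=19.99",
    "2010-01-12 10:51:40 pos01 ship order=1234567890123456 phone=555-0100",
    "2010-01-12 10:52:10 pos01 refund card 5555 5555 5555 4444 exp 12/12",
]


def scan_log(lines):
    """Mask every line and return (masked_lines, total PANs found)."""
    masked, total = [], 0
    for line in lines:
        m, c = mask_pan(line)
        masked.append(m)
        total += c
    return masked, total


if __name__ == "__main__":
    lines, total = scan_log(SAMPLE_LOG)
    print("\n".join(lines))
    print(f"{total} PAN(s) masked")
```

    One caveat worth knowing before running something like this over a file share: the regex takes the longest candidate it can, so a PAN immediately followed by a space and another number is absorbed into one longer candidate that fails Luhn and is missed. Production discovery tools try every 13 to 19 digit window inside a run for that reason; the example keeps the simple whole-match rule so the masking logic stays readable.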

    Requirement 4: Encrypt transmission of cardholder data across open, public networks

    Encrypt the network, or encrypt the data as it travels over the network
    WEP is no longer acceptable for wireless networks carrying cardholder data: new WEP implementations have been prohibited since 31st March 2009, and existing ones must be replaced by 30th June 2010

    Requirement 5: Use and regularly update anti-virus software

    Have a valid anti-virus application installed on all systems in scope
    Ensure the anti-virus can be updated on demand
    Ensure the anti-virus can provide audit logs
    Ensure your anti-virus also includes a host intrusion prevention (HIPS) firewall

    Requirement 6: Develop and maintain secure systems and applications

    Apply security patches regularly, with critical patches installed within one month of release and the rest on a risk-prioritised basis
    Establish a process to identify newly published vulnerabilities
    Test all patches before applying them to production systems

    Requirement 7: Restrict access to cardholder data by business need-to-know

    Ensure that only personnel who need to access the data can do so, for example through file permissions or two-factor authentication
    Ensure the default access to credit card holder data is set to “deny all”

    Requirement 8: Assign a unique ID to each person with computer access

    Remove all generic logons, ensuring all personnel use named or otherwise personally identifiable accounts
    Ensure that two factor authentication is utilised for remote access
    Ensure you have a compliant password policy
    Ensure you have a compliant leavers and joiners policy

    Requirement 9: Restrict physical access to cardholder data

    Implement or validate security cameras covering all servers in scope
    Implement a visitor register for the equipment rooms in scope
    Ensure no PCs in scope are in an area accessible to the general public
    Restrict access to publicly accessible network points
    Ensure all visitors to locations with equipment in scope are easily identifiable from employees
    Securely store all backups, offsite if possible
    Classify all backup media – so card holder data can be identified as confidential

    Requirement 10: Track and monitor all access to network resources and cardholder data

    Implement audit logging to a secured and centralised log server so that all systems can be analysed in the event of a security breach
    Ensure the required minimum is actually logged
    Synchronise time across all systems
    Use file integrity monitoring or change detection software on the logs themselves, so that existing log data cannot be altered without generating an alert
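    Centralising the logs is only useful if someone actually looks at them, and the Requirement 10 items above translate into a handful of checks that can run against the collector every morning. The following is an added example, not code from the original post or from any SIEM product: it parses a constructed key=value line format in which the collector stamps its own receive time (recv=) next to the event time written by the sending host (ts=), reports in-scope hosts that have gone silent, flags hosts whose clocks disagree with the collector by more than five minutes (the time synchronisation item), and lists every action taken by a privileged account. Hostnames, usernames and the line format are assumptions made for the example.

```python
"""
Daily review of centralised logs for PCI-DSS Requirement 10: silent hosts,
clock skew against the collector, and privileged actions on in-scope systems.
Added example (not from the original post); the line format, hostnames
and users are constructed for illustration.
"""
from datetime import datetime, timedelta


def parse_line(line: str) -> dict:
    """Parse 'key=value key=value ...' as written by the collector.

    recv= is the collector's own receive time; ts= is the event time as
    stamped by the sending host, so the two can be compared for skew.
    """
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["recv"] = datetime.fromisoformat(fields["recv"])
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def review_logs(lines, expected_hosts, max_skew=timedelta(minutes=5),
                privileged_users=("root", "Administrator")):
    """Return a dict of findings for one day's worth of collected logs."""
    events = [parse_line(l) for l in lines]
    seen_hosts = {e["host"] for e in events}

    # A host that stops sending is a broken or tampered log feed
    silent = sorted(set(expected_hosts) - seen_hosts)

    # Worst skew per host between the sender's clock and the collector's
    skew = {}
    for e in events:
        delta = abs(e["recv"] - e["ts"])
        if delta > max_skew:
            skew[e["host"]] = max(skew.get(e["host"], timedelta()), delta)

    # Every action taken by a privileged account, for the daily review
    admin_actions = [(e["host"], e["user"], e["action"])
                     for e in events if e["user"] in privileged_users]

    return {"silent_hosts": silent,
            "clock_skew": {h: int(d.total_seconds()) for h, d in skew.items()},
            "admin_actions": admin_actions}


# Constructed collector output: pos01's clock is about 15 minutes slow,
# fw01 never reports, and root exports data from the card database
SAMPLE_LINES = [
    "recv=2010-01-12T09:00:05 host=db01 ts=2010-01-12T09:00:04 user=svc_pos action=query result=ok",
    "recv=2010-01-12T09:01:00 host=pos01 ts=2010-01-12T08:45:30 user=clerk7 action=login result=ok",
    "recv=2010-01-12T09:02:30 host=db01 ts=2010-01-12T09:02:29 user=root action=export result=ok",
    "recv=2010-01-12T09:03:00 host=pos01 ts=2010-01-12T08:47:31 user=clerk7 action=sale result=ok",
]
EXPECTED_HOSTS = ["db01", "pos01", "fw01"]


if __name__ == "__main__":
    for key, value in review_logs(SAMPLE_LINES, EXPECTED_HOSTS).items():
        print(f"{key}: {value}")
```

    The clock skew check is the one people usually skip, yet it is what makes the other findings usable: a host whose clock is fifteen minutes out cannot be correlated with the firewall or database logs during an investigation, which is exactly the situation the centralised logging was meant to cover.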

    Requirement 11: Regularly test security systems and processes

    Scan for wireless networks regularly
    Run internal and external vulnerability scans at least quarterly and after significant network changes or application modifications
    Run internal and external penetration tests at least once a year and after significant network changes or application modifications
    Use IPS or IDS to monitor all traffic in the cardholder data environment
    Use file integrity monitoring or change detection software on all systems in scope

    Requirement 12: Maintain a policy that addresses information security

    Maintain and publish an Information Security policy for your organisation – Review at least annually or after significant network changes or application modifications
    Maintain and publish an acceptable use policy and ensure all personnel are aware of the policy and have signed up to it
    Develop daily operational procedures to review log files and IDS/IPS output
    Label all equipment
    Develop a software catalogue of approved applications
    Develop an incident response team to respond to a system breach and test annually
    Develop a programme to monitor your service providers' PCI-DSS status (if they are not compliant, you are not compliant)

    In a nutshell, that's it. If you complete or have completed these tasks, you will be well on the road to PCI-DSS compliance. Of course, this is only the beginning: once you are compliant you have to stay compliant, and that's when the fun really starts.

    • websiteverification 8:16 pm on June 22, 2010 Permalink | Reply

      Thanks for sharing your experience and the guidelines. Very informative.


    • Travis Austin 6:02 pm on September 16, 2012 Permalink | Reply

      There you have it. An internally inconsistent grab bag of tech buzzwords being called a standard, and a bunch of “certified” assessors using their “common sense” to interpret it.

      Where is the appendix to the DSS with the formal proof that it even works, if somehow implemented?

      The elephant in the room is that compliance by pros is impossible due to its complexity and its susceptibility to simple human error, compliance by mainstream companies is impossible due to the technical level of knowledge required to motivate compliance and the labor shortage. Compliance by individual companies is impossible due to the simple shortage of hours in the day.

      If RSA, Sony, Twitter, LinkedIn, and many other large companies specializing in technology and security can’t successfully protect their networks, what kind of arrogance leads PCI to think its rule dissemination provides even a shred of security to the credit card holder?

      I suggest stepping back yet another step and asking “why should merchants ever have, process, or store any key authorizing access to customer assets?”

      Ordinary humans should be able to lock their doors without calling a locksmith. So, as far as I’m concerned, the credit card issuers and the Congress that gave them a total ‘bye need to go all the way back to the drawing board.

