VMWARE PCI COMPLIANCE for VROPS

As part of the VMware Compliance Reference Architecture Framework, this set of documents defines how VMware addresses compliance and cybersecurity for the Payment Card Industry Data Security Standard (PCI DSS).

WHAT IS PCI?

The Payment Card Industry (PCI) Data Security Standards (DSS) are international, technical, and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect credit card data. To learn more, visit their website: https://www.pcisecuritystandards.org/.

PCI DSS applies to all types of environments that store, process, or transmit cardholder data. This includes information such as Personal Account Numbers (PAN), as well as any other information that the PCI DSS defines as Cardholder Data.

Cloud computing is no exception to the PCI DSS audit process, and many of the Cloud's advantages over earlier paradigms (sharing of resources, workload mobility, a consolidated management plane, and so on) themselves require that adequate controls be adopted in order to meet the PCI DSS audit.

PCI considerations help assessors understand what they need to know about an environment in order to determine whether a PCI DSS requirement has been met. If payment card data is stored, processed or transmitted in a cloud environment, PCI DSS applies to that environment, and validation will typically cover both the infrastructure and the applications running in it.

Many enterprise computing environments across vertical industries are subject to PCI DSS compliance, and generally those that handle any kind of financial transaction for the exchange of goods and services rely on VMware and VMware Technology Partner solutions to deliver those environments. These enterprises seek ways to reduce overall IT budget while maintaining an appropriate risk posture for the in-scope environment. One of the greatest challenges in hosting the next-generation enterprise computing environment is consolidating the many modes of trust required, such as those for a Cardholder Data Environment (CDE) and a Non-Cardholder Data Environment, onto shared infrastructure.

VROPS ESXi Host PCI Hardening Rules for vSphere

1. PCI 10.4 NTP time synchronization server is not configured
2. PCI 2.1.1.b SNMP service is running
3. PCI 2.2.4 Active Directory is not configured for local authentication
4. PCI 10.5.4 Remote logging is not configured for host
5. PCI 7.1 DCUI access is not set for trusted users to override lockdown mode
6. PCI 8.2.3 Policy is not set for password complexity
7. PCI 10.4 NTP firewall rule is not configured
8. PCI 10.4 NTP time synchronization service is not configured to start automatically
9. PCI 10.5.4 Persistent logging is not enabled for host
10. PCI 7.1 Managed Object Browser (MOB) is enabled
11. PCI 2.2.4 Bidirectional CHAP authentication for iSCSI is not enabled
12. PCI 8.1.7 Time after which a locked account is automatically unlocked is not configured
13. PCI 8.1.6 Count of maximum failed login attempts is not configured
14. PCI 8.1.8 DCUI idle session timeout is not configured
15. PCI 8.1.8 Idle session timeout is not configured
16. PCI 8.1.8 Idle session timeout for ESXi Shell and SSH services is not configured
17. PCI 2.2.4 The default setting for intra-VM TPS is not correct
18. PCI 6.2 Security Patches – Image Profile and VIB Acceptance Levels are not configured at acceptable level
19. PCI 2.2.4 Configure system security parameters – BPDU filter on the ESXi host to prevent being locked out of physical switch ports with Portfast and BPDU Guard is not enabled
20. PCI 2.2.4 Configure system security parameters – Users and processes without privileges can make use of dvfilter network APIs
21. PCI 8.2.1 Unreadable authentication credentials – vSphere Authentication Proxy is not used for password protection when adding ESXi hosts to Active Directory
22. PCI 1.1.4 Requirements for a firewall – Firewall is not configured to restrict some or all services running on the ESXi host

VROPS Virtual Machine PCI Hardening Rules for vSphere

1. PCI 2.2.4 Configure system security parameters – Access to VMs is not controlled through dvfilter network APIs
2. PCI 2.2.4 Configure system security parameters – Copy/paste operations are enabled for gui
3. PCI 2.2.4 Configure system security parameters – Copy/paste operations are enabled for copy
4. PCI 2.2.4 Configure system security parameters – Copy/paste operations are enabled for drag-n-drop
5. PCI 2.2.4 Configure system security parameters – Virtual disk shrinking is enabled
6. PCI 2.2.4 Configure system security parameters – Copy/paste operations are enabled for paste
7. PCI 2.2.4 Configure system security parameters – Virtual disk shrinking wiper is enabled
8. PCI 2.2.4 Configure system security parameters – HGFS file transfers are enabled
9. PCI 2.2.4 Configure system security parameters – Independent nonpersistent disks are being used
10. PCI 2.2.4 Configure system security parameters – Autologon feature is enabled
11. PCI 2.2.4 Configure system security parameters – Biosbbs feature is enabled
12. PCI 2.2.4 Configure system security parameters – Getcreds feature is enabled
13. PCI 2.2.4 Configure system security parameters – Launchmenu feature is enabled
14. PCI 2.2.4 Configure system security parameters – Memsfss feature is enabled
15. PCI 2.2.4 Configure system security parameters – Protocolhandler feature is enabled
16. PCI 2.2.4 Configure system security parameters – Shellaction feature is enabled
17. PCI 2.2.4 Configure system security parameters – Toporequest feature is enabled
18. PCI 2.2.4 Configure system security parameters – Trashfolderstate feature is enabled
19. PCI 2.2.4 Configure system security parameters – Trayicon feature is enabled
20. PCI 2.2.4 Configure system security parameters – Unity feature is enabled
21. PCI 2.2.4 Configure system security parameters – Unity-interlock feature is enabled
22. PCI 2.2.4 Configure system security parameters – Unitypush feature is enabled
23. PCI 2.2.4 Configure system security parameters – Taskbar feature is enabled
24. PCI 2.2.4 Configure system security parameters – Unityactive feature is enabled
25. PCI 2.2.4 Configure system security parameters – Windowcontents feature is enabled
26. PCI 2.2.4 Configure system security parameters – Versionget feature is enabled
27. PCI 2.2.4 Configure system security parameters – Versionset feature is enabled
28. PCI 2.2.4 Configure system security parameters – VIX messages from VM are enabled
29. PCI 2.2.4 Configure system security parameters – Auto install of tools is enabled
30. PCI 2.2.4 Configure system security parameters – Sending of Informational messages from VM to the VMX file are enabled
31. PCI 2.2.4 Configure system security parameters – Access to VM console via VNC protocol is not configured
32. PCI 2.2.4 Configure system security parameters – Access to connect and disconnect of devices is not configured
33. PCI 2.2.4 Configure system security parameters – Access to modify devices is not configured
34. PCI 2.2.4 Configure system security parameters – Host information is being sent to guests
35. PCI 2.2.4 Configure system security parameters – Intra VM Transparent Page Sharing is Enabled
36. PCI 2.2.4 Configure system security parameters – PCI pass through device is configured on the virtual machine
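As an added example (not vROps or VMware code), the following Python evaluates a VM's .vmx advanced settings against the VM rules listed above, reporting a finding both when a setting has the wrong value and when it is absent, which is what vROps flags as "not configured". The setting names are taken from the vSphere Security Configuration Guide as I recall them and should be verified against the guide for your release; the sample .vmx content is constructed.

```python
# Assumption: vmx key names below are from the vSphere Security Configuration
# Guide as recalled here; verify them for your release. Sample .vmx is constructed.
import re

# (vmx key, compliant value, rule from the list above). An absent key leaves
# the feature at its default, which for these settings is "on", so absence
# is reported as a finding just as vROps does for "not configured".
PCI_VM_RULES = [
    ("isolation.tools.copy.disable",          "TRUE",  "Copy/paste enabled for copy"),
    ("isolation.tools.paste.disable",         "TRUE",  "Copy/paste enabled for paste"),
    ("isolation.tools.dnd.disable",           "TRUE",  "Copy/paste enabled for drag-n-drop"),
    ("isolation.tools.setGUIOptions.enable",  "FALSE", "Copy/paste enabled for gui"),
    ("isolation.tools.diskShrink.disable",    "TRUE",  "Virtual disk shrinking is enabled"),
    ("isolation.tools.diskWiper.disable",     "TRUE",  "Virtual disk shrinking wiper is enabled"),
    ("isolation.tools.hgfsServerSet.disable", "TRUE",  "HGFS file transfers are enabled"),
    ("isolation.tools.vixMessage.disable",    "TRUE",  "VIX messages from VM are enabled"),
    ("isolation.device.connectable.disable",  "TRUE",  "Connect/disconnect of devices not configured"),
    ("tools.guestlib.enableHostInfo",         "FALSE", "Host information is being sent to guests"),
    ("RemoteDisplay.vnc.enabled",             "FALSE", "VNC access to VM console not configured"),
]

VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse the key = "value" lines of a .vmx file into a dict."""
    settings = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def find_pci_findings(settings):
    """Return (key, actual, rule) for each rule the VM fails; case-insensitive."""
    findings = []
    for key, want, rule in PCI_VM_RULES:
        actual = settings.get(key)
        if actual is None or actual.strip().upper() != want:
            findings.append((key, actual, rule))
    return findings

SAMPLE_VMX = """\
.encoding = "UTF-8"
displayName = "pos-app-01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "false"
isolation.tools.dnd.disable = "TRUE"
RemoteDisplay.vnc.enabled = "FALSE"
tools.guestlib.enableHostInfo = "FALSE"
"""
```

Running `find_pci_findings(parse_vmx(SAMPLE_VMX))` on the constructed sample returns seven findings: the explicitly wrong paste setting plus six settings the file never sets.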
