From the PCI DSS:
Hackers (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information.
PCI DSS Requirement |
How Requirement is Addressed with EFT Server | |
2.1 Change Vendor Defaults |
EFT Server determines whether any default values are specified for Admin login port (1100), DMZ Gateway port (44500), FTP banner message, or SFTP banner message, and will prompt you to change them. | |
|
2.1.1 For wireless environments, change wireless vendor defaults, including but not limited to, wireless equivalent privacy (WEP) keys, default service set identifier (SSID) passwords, and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when SPA-capable |
External to EFT Server |
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security Network (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS). |
Refer to the specific sub-requirements below. | |
|
2.2.1 Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers) |
External to EFT Server. EFT Server's only function is to securely transfer files. It is up to the administrator to segregate servers. |
|
2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the devices’ specified function) |
EFT Server PCI DSS HS will determine and prompt you to disable any unsecure protocols such as plaintext FTP or HTTP. If you decide to continue using plaintext protocols, EFT Server will request that you provide ample justification including compensation controls used, per PCI DSS requirement 1.1.6. |
|
2.2.3 Security parameters set to prevent misuse |
EFT Server PCI DSS HS monitors, warns, or enforces multiple security parameters such as:
|
|
2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. |
External to EFT Server |
2.3 Encrypt non-console administrative access |
EFT Server PCI DSS HS detects and warns on plaintext remote administration. During normal operations, EFT Server monitors the status of remote administration settings, including SSL parameters, warns if SSL is not enabled, and prompts you to disable remote administration, enable SSL, or continue as is with ample justification provided. | |
2.4 Hosting providers must protect each entity's hosted environment data. These providers must meet specific requirements. |
The EFT Server suite of software products is not a hosting provider. |