Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters

From the PCI DSS:

Malicious individuals (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.

PCI DSS Requirement

How Requirement is Addressed with EFT Server

2.1 Change Vendor Defaults

EFT Server checks whether the Admin login port (1100), DMZ Gateway port (44500), FTP banner message, or SFTP banner message are still set to their vendor default values, and prompts you to change any that are.


2.1.1 For wireless environments, change wireless vendor defaults, including but not limited to, wireless equivalent privacy (WEP) keys, default service set identifier (SSID) passwords, and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.

External to EFT Server

2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security Network (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS).

Refer to the specific sub-requirements below.


2.2.1 Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers)

External to EFT Server. EFT Server's only function is to transfer files securely. It is up to the administrator to segregate servers.


2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the devices’ specified function)

EFT Server PCI DSS HS detects insecure protocols such as plaintext FTP or HTTP and prompts you to disable them. If you decide to keep a plaintext protocol enabled, EFT Server requires you to record a justification, including the compensating controls in use, per PCI DSS requirement 1.1.6.


2.2.3 Security parameters set to prevent misuse

EFT Server PCI DSS HS monitors, warns on, or enforces multiple security parameters such as:


2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

External to EFT Server

2.3 Encrypt non-console administrative access

EFT Server PCI DSS HS detects and warns on plaintext remote administration. During normal operation, EFT Server monitors the remote administration settings, including the SSL parameters, warns if SSL is not enabled, and prompts you to either disable remote administration, enable SSL, or continue as is after recording a justification.

2.4 Hosting providers must protect each entity's hosted environment data. These providers must meet specific requirements.

The EFT Server suite of software products is not a hosting provider.
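As an added example (not EFT Server's own code, and not tied to any real EFT Server configuration format), the following audit implements the checks this page describes under 2.1, 2.2.2 and 2.3 over a configuration dictionary: vendor defaults left in place, plaintext protocols enabled without a recorded justification, and unencrypted remote administration. The dict keys, the banner placeholder strings and the justification fields are hypothetical.

```python
from dataclasses import dataclass

# Vendor defaults named on the page; the banner strings are placeholders, not EFT Server's real text.
VENDOR_DEFAULTS = {
    "admin_port": 1100,
    "dmz_gateway_port": 44500,
    "ftp_banner": "<default FTP banner>",
    "sftp_banner": "<default SFTP banner>",
}
PLAINTEXT_PROTOCOLS = ("ftp", "http")

@dataclass(frozen=True)
class Finding:
    requirement: str  # PCI DSS requirement number the finding maps to
    severity: str     # "fail" = must be changed; "warn" = tolerated with a justification on file
    message: str

def audit_config(cfg: dict) -> list:
    findings = []
    # 2.1: any parameter still at its vendor-supplied default value
    for key, default in VENDOR_DEFAULTS.items():
        if cfg.get(key) == default:
            findings.append(Finding("2.1", "fail", f"{key} still set to vendor default {default!r}"))
    # 2.2.2: plaintext protocols, tolerated only with a documented justification (PCI DSS 1.1.6)
    for proto in PLAINTEXT_PROTOCOLS:
        if cfg.get("protocols", {}).get(proto):
            if cfg.get("justifications", {}).get(proto):
                findings.append(Finding("2.2.2", "warn", f"plaintext {proto.upper()} enabled; justification on file"))
            else:
                findings.append(Finding("2.2.2", "fail", f"plaintext {proto.upper()} enabled without justification"))
    # 2.3: non-console administration must be encrypted
    admin = cfg.get("remote_admin", {})
    if admin.get("enabled") and not admin.get("ssl"):
        sev = "warn" if admin.get("justification") else "fail"
        findings.append(Finding("2.3", sev, "remote administration enabled without SSL"))
    return findings

def is_compliant(cfg: dict) -> bool:
    return not any(f.severity == "fail" for f in audit_config(cfg))

# Constructed sample configuration: two defaults left in place, HTTP on without justification, admin without SSL.
SAMPLE_CONFIG = {
    "admin_port": 1100, "dmz_gateway_port": 45500,
    "ftp_banner": "Welcome", "sftp_banner": "<default SFTP banner>",
    "protocols": {"ftp": True, "http": True, "sftp": True},
    "justifications": {"ftp": "legacy partner feed over IPsec; see change ticket"},
    "remote_admin": {"enabled": True, "ssl": False},
}
```

Running `audit_config(SAMPLE_CONFIG)` yields two 2.1 failures, one 2.2.2 warning for FTP, one 2.2.2 failure for HTTP and one 2.3 failure, so `is_compliant` is false until the defaults are changed and SSL is enabled.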