Conquering PCI DSS3 Requirement 7 Across Platforms (Unix/Linux/Windows) with Standard Edition and AD
09-21-2014 09:10 PM
Just recently to have some fun I created my own PCI DSS3 Requirement 7 (Implement Strong Access Controls) 10-minute challenge.
The idea is to enforce the rules of section 7 with Centrify Standard Edition, HZones, DZ and DZWin and accomplish this for both a CentOS7 and Windows Server 2012 R2 system.
The example uses a role called "PCI Developer" that has cross-platform Linux (LAMP developer duties) and SQL/IIS on Windows. Both roles are only allowed to log in remotely (SSH/RDP) and they can't know the root/apache/mysql account credentials OR belong to the local Administrators (or Domain Admin) groups. Only the PCI Dev users can log in to the systems; this excludes Linux Sysadmins or Domain Admins.
The challenge is to set up a Centrify Zone, Identity, Roles, Rights, Role Assignments and join both the CentOS 7 and Windows 2012 R2 systems from scratch to the zone in under 10 minutes.
This demonstrates that you can solve this problem easily for both platforms with Server Suite and AD without any other active server components.
First Post: http://centrifying.blogspot.com/2014/09/security-corner-pci-dss-30-requirement.html
Second Post: http://centrifying.blogspot.com/2014/09/labs-pci-dss-30-req-7-implement-strong.html
Video Playlist (22 min total):
Section 7.1.4 is a process; however, since the workflow is add/remove a person in a group in AD, this can be achieved easily with any workflow engine.
Section 7.4 becomes very easy because the process is "Add PCI developer to the PCI Developer group in AD"
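As an added illustration of that add/remove workflow (example code written for this page, not part of the original post or of Centrify's own tooling): a small PowerShell script that grants or revokes membership of the "PCI Developer" AD group and then checks the separation rule stated above, namely that no PCI Dev member also sits in a privileged group. It assumes the RSAT ActiveDirectory module; the OU path, user names and the list of privileged groups are placeholders you would adjust.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module
# and an account allowed to manage the "PCI Developer" group. OU path, user SAM
# names and the privileged-group list below are assumptions for illustration.
Import-Module ActiveDirectory

$GroupName  = 'PCI Developer'                       # role group named in the post
$GroupPath  = 'OU=Groups,DC=example,DC=com'         # assumed OU for the group
$Privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators')  # must not overlap

# Create the PCI Developer security group if it does not exist yet.
function Ensure-PciDevGroup {
    $g = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
    if (-not $g) {
        $g = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                         -Path $GroupPath -PassThru
    }
    return $g
}

# Section 7.1.4 / 7.4 workflow: membership of the AD group is the access control.
function Grant-PciDevAccess {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $null = Ensure-PciDevGroup
    Add-ADGroupMember -Identity $GroupName -Members $SamAccountName
}

function Revoke-PciDevAccess {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Remove-ADGroupMember -Identity $GroupName -Members $SamAccountName -Confirm:$false
}

# Separation check: a PCI Dev user must not also be a Domain Admin / Administrator.
# Returns the list of violating members (empty when the rule holds).
function Test-PciDevSeparation {
    $violations = @()
    foreach ($m in Get-ADGroupMember -Identity $GroupName -Recursive) {
        if ($m.objectClass -ne 'user') { continue }
        $memberOf = Get-ADPrincipalGroupMembership -Identity $m.SamAccountName |
                    Select-Object -ExpandProperty Name
        $overlap = $memberOf | Where-Object { $Privileged -contains $_ }
        if ($overlap) {
            $violations += [pscustomobject]@{
                User             = $m.SamAccountName
                PrivilegedGroups = ($overlap -join ', ')
            }
        }
    }
    return $violations
}

# Usage (user names are constructed placeholders):
Grant-PciDevAccess  -SamAccountName 'jdoe'
Revoke-PciDevAccess -SamAccountName 'former.dev'
$bad = Test-PciDevSeparation
if ($bad) { $bad | Format-Table -AutoSize } else { "No PCI Dev member holds privileged group membership." }
```

The point of the last function is the periodic review that 7.1.4 asks for: because Centrify maps the AD group to the zone role, the group listing is the complete record of who can reach the PCI systems, and the overlap check surfaces the one case the post rules out (a developer who is also a Domain Admin or local Administrator).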
I hope this gets your creativity going.