Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2.1 Always change vendor-supplied defaults before installing a system on the network (for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts).
All passwords are generated by the local IT Department.
2.1.1 For wireless environments, change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords, and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.
Our wireless environments do not broadcast SSIDs; all passwords, keys, and SNMP strings are generated by the IT Department.
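The following script is an added example, not part of this compliance statement or of any vendor's tooling. It shows how the checks behind 2.1 and 2.1.1 can be automated: a device configuration is parsed and flagged wherever a vendor default survives (SNMP community strings, default-looking SSID, SSID broadcast, WEP instead of WPA/WPA2, factory accounts and passwords). The configuration syntax, the two sample configurations, and the list of "known default" values are all constructed for illustration; a real audit would take the default values from each vendor's documentation.

```python
"""Audit a device configuration for vendor-supplied defaults (PCI DSS Req. 2.1 / 2.1.1).

Added example with a constructed, generic 'key value' configuration syntax.
"""
import re

# Constructed, illustrative default values. Extend from vendor documentation.
DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_SSID_PATTERNS = [r"^default$", r"^linksys", r"^netgear", r"^dlink", r"^wireless$"]
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Constructed sample: configuration as shipped from the vendor.
FACTORY_CONFIG = """
! factory state
hostname ap-01
snmp-community public ro
snmp-community private rw
ssid linksys
ssid-broadcast enabled
encryption wep
wep-key 0x0123456789
wpa disabled
user admin password admin
user guest password guest enabled
"""

# Constructed sample: the same device after the defaults were replaced.
HARDENED_CONFIG = """
! hardened state
hostname ap-01
snmp-community s9Kq4vLmX2rTz8bN ro
ssid corp-pos-7f
ssid-broadcast disabled
encryption wpa2
wpa enabled
user admin password Vt7pQ2wLx9ZcRm4H
"""


def parse_config(text):
    """Parse 'key value...' lines into a dict; repeated keys accumulate into lists."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "#")):
            continue  # blank line or comment
        key, _, value = line.partition(" ")
        cfg.setdefault(key, []).append(value.strip())
    return cfg


def audit(cfg):
    """Return a list of Requirement 2.1 / 2.1.1 findings for a parsed configuration."""
    findings = []
    for entry in cfg.get("snmp-community", []):
        community = entry.split()[0]
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"2.1: default SNMP community string '{community}' still configured")
    for ssid in cfg.get("ssid", []):
        if any(re.match(p, ssid, re.IGNORECASE) for p in DEFAULT_SSID_PATTERNS):
            findings.append(f"2.1.1: SSID '{ssid}' looks like a vendor default")
    if cfg.get("ssid-broadcast", ["disabled"])[0].lower() == "enabled":
        findings.append("2.1.1: SSID broadcast is enabled")
    if "wep" in (v.lower() for v in cfg.get("encryption", [])):
        findings.append("2.1.1: WEP is in use; WPA/WPA2 should be used instead")
    if cfg.get("wpa", ["disabled"])[0].lower() != "enabled":
        findings.append("2.1.1: WPA/WPA2 is not enabled")
    for entry in cfg.get("user", []):
        m = re.match(r"(\S+) password (\S+)", entry)
        if m and (m.group(1).lower(), m.group(2).lower()) in DEFAULT_CREDENTIALS:
            findings.append(f"2.1: account '{m.group(1)}' still uses a vendor-default password")
        if m and m.group(1).lower() == "guest" and "enabled" in entry:
            findings.append("2.1: default 'guest' account is still enabled; remove unnecessary accounts")
    return findings


def check_config(text):
    """Convenience wrapper: parse and audit one configuration text."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for name, text in (("factory", FACTORY_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = check_config(text)
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print("  -", f)
```

Running the script reports eight findings for the factory configuration and none for the hardened one; the same parse-and-compare approach can be pointed at exported configurations as a pre-deployment gate so that a device never reaches the network with defaults in place.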
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security Network (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS).
2.2.1 Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers).
All mission critical servers perform only one primary function.
2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the devices' specified function).
2.2.3 Configure system security parameters to prevent misuse.
Systems are configured to allow only the necessary items needed to run their applications.
2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
Unnecessary items that are not required are uninstalled or disabled to prevent misuse.
2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access.
Non-console access is permitted only when encryption is used.
2.4 Hosting providers must protect each entity's hosted environment and data. These providers must meet specific requirements as detailed in Appendix A: "PCI DSS Applicability for Hosting Providers."
Please see Appendix A for documentation.


