From LedHed's Wiki
Latest revision as of 23:19, 13 March 2014
Overview
This article illustrates how to implement PCI DSS v3 Section 8.1 via Windows Group Policy.
Settings
The only 8.1 requirements that can be set via Group Policy are sections 8.1.6, 8.1.7 and 8.1.8. See the images below.
8.1.6 & 8.1.7
[Image: PCIDSS AccountLockout.png]
Note: When you enable "Account lockout duration", Group Policy requires that "Reset account lockout counter after" also be enabled. This is not a PCI requirement, but rather a dependency imposed by Microsoft.
8.1.8
[Image: PCIDSS ScreenSaver.png]
Note: All of the settings in the above image must be set to be 8.1.8 compliant.
- Prevent changing screen saver: This needs to be set to prevent users from setting the screen saver to 'None', which would not be PCI compliant.
- Password protect the screen saver: This must be set in order to make the user re-authenticate.
- Screen saver timeout: This should be set to 900 seconds (900/60 = 15 minutes).
- Force specific screen saver: Because we prevent the user from selecting a screen saver, we must set one for them; without this setting, the screen will not lock.
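The following PowerShell script is an added example (not code from the wiki page) that audits a workstation against the three Group Policy-enforceable items described above. It assumes that the effective lockout policy can be read from the "net accounts" report, and that the four user-side screen saver policies write to the registry locations named in the code (HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop and HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System); those paths are assumptions, not something the page states. The expected lockout values are taken from PCI DSS v3 itself: 8.1.6 allows no more than six attempts and 8.1.7 requires a lockout of at least 30 minutes or until an administrator unlocks the account. The 900-second timeout for 8.1.8 is the value given on this page.

```powershell
# Added audit example, not from LedHed's Wiki. Read-only: it reports, it does not change policy.
# Assumptions: lockout settings come from "net accounts"; screen saver policies live at the
# HKCU paths below. Expected values: PCI DSS v3 8.1.6 (<= 6 attempts), 8.1.7 (>= 30 min or
# until an administrator unlocks), 8.1.8 (900 s idle timeout, as this page recommends).

function Get-LockoutSettings {
    # Parse the "net accounts" report into numbers. A threshold of "Never" means lockout is off.
    param([string[]]$Lines = (net accounts))
    $result = @{ Threshold = $null; DurationMinutes = $null; WindowMinutes = $null }
    foreach ($line in $Lines) {
        if ($line -match '^Lockout threshold:\s+(.+?)\s*$') {
            $result.Threshold = if ($Matches[1] -eq 'Never') { 0 } else { [int]$Matches[1] }
        } elseif ($line -match '^Lockout duration \(minutes\):\s+(\d+)') {
            $result.DurationMinutes = [int]$Matches[1]
        } elseif ($line -match '^Lockout observation window \(minutes\):\s+(\d+)') {
            $result.WindowMinutes = [int]$Matches[1]
        }
    }
    return $result
}

function Get-ScreenSaverPolicy {
    # Registry locations the four screen saver policies are assumed to write (User Configuration).
    $desktop = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $system  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $d = Get-ItemProperty -Path $desktop -ErrorAction SilentlyContinue
    $s = Get-ItemProperty -Path $system  -ErrorAction SilentlyContinue
    return @{
        PreventChanging = ($s.NoDispScrSavPage -eq 1)          # "Prevent changing screen saver"
        PasswordProtect = ($d.ScreenSaverIsSecure -eq '1')     # "Password protect the screen saver"
        TimeoutSeconds  = if ($d.ScreenSaveTimeOut) { [int]$d.ScreenSaveTimeOut } else { $null }
        ForcedExe       = $d.'SCRNSAVE.EXE'                    # "Force specific screen saver"
    }
}

function Test-PciSection81 {
    # Emit one row per setting so the result can be piped to Format-Table or Export-Csv.
    $lock = Get-LockoutSettings
    $ss   = Get-ScreenSaverPolicy

    [PSCustomObject]@{ Requirement = '8.1.6'; Setting = 'Account lockout threshold'
        Actual = $lock.Threshold; Expected = '1 to 6'
        Compliant = ($lock.Threshold -ge 1 -and $lock.Threshold -le 6) }

    # A duration of 0 is reported when lockout lasts until an administrator unlocks the account;
    # that satisfies 8.1.7 but is flagged for manual confirmation rather than auto-passed.
    $durationOk = ($lock.DurationMinutes -ge 30)
    $durationNote = if ($lock.DurationMinutes -eq 0) { '0 = until admin unlocks; confirm manually' } else { '' }
    [PSCustomObject]@{ Requirement = '8.1.7'; Setting = 'Account lockout duration (min)'
        Actual = "$($lock.DurationMinutes) $durationNote".Trim(); Expected = '>= 30 or until admin unlocks'
        Compliant = $durationOk }

    [PSCustomObject]@{ Requirement = '8.1.8'; Setting = 'Prevent changing screen saver'
        Actual = $ss.PreventChanging; Expected = $true; Compliant = $ss.PreventChanging }
    [PSCustomObject]@{ Requirement = '8.1.8'; Setting = 'Password protect the screen saver'
        Actual = $ss.PasswordProtect; Expected = $true; Compliant = $ss.PasswordProtect }
    [PSCustomObject]@{ Requirement = '8.1.8'; Setting = 'Screen saver timeout (s)'
        Actual = $ss.TimeoutSeconds; Expected = '1 to 900'
        Compliant = ($null -ne $ss.TimeoutSeconds -and $ss.TimeoutSeconds -ge 1 -and $ss.TimeoutSeconds -le 900) }
    [PSCustomObject]@{ Requirement = '8.1.8'; Setting = 'Force specific screen saver'
        Actual = $ss.ForcedExe; Expected = 'non-empty path'
        Compliant = -not [string]::IsNullOrWhiteSpace($ss.ForcedExe) }
}

# Usage: run in the context of the user whose policy is being checked, after gpupdate.
Test-PciSection81 | Format-Table -AutoSize
```

Because Get-LockoutSettings accepts the report lines as a parameter, it can be exercised against saved "net accounts" output from several machines without running the command on each one. The screen saver check reads the policy hive rather than the user's own settings, which is the point of the page: a user-chosen value under HKCU\Control Panel\Desktop would not prove that Group Policy is enforcing it.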
Reference
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf