From LedHed's Wiki
Jump to: navigation, search
 
(7 intermediate revisions by the same user not shown)
Line 3: Line 3:
  
 
== Settings ==
 
== Settings ==
The only 8.1 requirements that can be set via group policy are Sections: 8.1.6 and 8.1.7. See the image below.
+
The only 8.1 requirements that can be set via group policy are Sections: 8.1.6, 8.1.7, 8.1.8. See the images below.<br>
[[File:PCIDSS AccountLockout.png]]
+
 
 +
8.1.6 & 8.1.7 <br>
 +
[[File:PCIDSS AccountLockout.png]]<br>
 +
''Note: When you enable "Account lockout duration" Group Policy requires "Reset account lockout counter after" be enabled, this is not a PCI requirement, but rather a dependency imposed by Microsoft.''
 +
 
 +
8.1.8<br>
 +
[[File:PCIDSS ScreenSaver.png]]<br>
 +
''Note: All of the setting in the above image must be set to be 8.1.8 compliant.''
 +
 
 +
* Prevent changing screen saver: This needs to be set to prevent users from setting the screen saver to 'None' which would not be PCI compliant.
 +
* Password protect the screensaver: This must be set in order to make the user re-authenticate.
 +
* Screen saver timeout: This should be set to 900 seconds (900/60 = 15 minutes).
 +
* Force specific screensaver: Because we prevent the user from selecting a screen saver, we must set one for them, without this setting the screen will not lock.
  
  

Latest revision as of 23:19, 13 March 2014

Overview

This article illustrates how to implement PCI DSS v3 Section 8.1 via Windows Group Policy.

Settings

The only 8.1 requirements that can be set via group policy are Sections: 8.1.6, 8.1.7, 8.1.8. See the images below.

8.1.6 & 8.1.7
PCIDSS AccountLockout.png
Note: When you enable "Account lockout duration" Group Policy requires "Reset account lockout counter after" be enabled, this is not a PCI requirement, but rather a dependency imposed by Microsoft.

8.1.8
PCIDSS ScreenSaver.png
Note: All of the setting in the above image must be set to be 8.1.8 compliant.

  • Prevent changing screen saver: This needs to be set to prevent users from setting the screen saver to 'None' which would not be PCI compliant.
  • Password protect the screensaver: This must be set in order to make the user re-authenticate.
  • Screen saver timeout: This should be set to 900 seconds (900/60 = 15 minutes).
  • Force specific screensaver: Because we prevent the user from selecting a screen saver, we must set one for them, without this setting the screen will not lock.


Reference

PCI DSS Quick Reference

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf