PCI-DSS requirement 2.2 hardening standards

Default operating systems and applications configurations are not built for purposes of security; but for ease of deploying a system for ease of use. Such system, when used as supplied, makes your entire infrastructure vulnerable to attacks. Hardening the servers (OS and applications) is a basic requirement in an enterprise security posture. The process of hardening servers involves both IT ops. and security teams and require changes to the default configuration according to industry benchmarks.

PCI-DSS requirement 2.2 guide organizations to: “develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with security accepted system hardening standards.”

Recommended standards are the common used CIS benchmarks or other standards such as:

• National Institute of Standards and Technology (NIST)
• International Organization for Standardization (ISO)
• SysAdmin, Audit, Network, and Security (SANS) Institute

Although finding a baseline and approving it is a relatively easy task, enforcing and managing a baseline such as CIS is labor intensive and error prone for IT teams. Enforcing baseline configuration changes on production servers might create system outages and application malfunction. Configuration changes must be carefully tested in lab environments before deployed in production, and yet after tested, services will break as the ability to simulate the production dependencies in a lab is impossible.

The challenges of managing a hardening process often reflects as IT audit points for lack of configuration hardening and fines from the PCI-DSS council.

PCI-DSS requirement 2.2 in PCI-DSS V3.2: