PCI DSS in a VMware / Windows environment

jibbajabba

Has anyone hardened their environment in order to obtain PCI-DSS ?

Are there any idiot proof guides out there how to (manually) harden VMware and Windows systems ?

I am googling all day now and the more I try to read up on it, the more pops up.

VMware provides a tool to check it (can't be installed in our environment right now), Configuration Manager of VMware is currently not an option, Microsoft's documentation is a nightmare ...

Any pointers would be appreciated.

meadIT

Have you taken a look at the whitepapers on this page?: Compliance Center Resources

I'm assuming the VMware tool that you can't install is the PCI compliance checker? https://my.vmware.com/web/vmware/evalcenter?p=compliance-chk

Other than that, it's going to be a pretty manual process of going through the vSphere Hardening Guide.

Edit: Here's another whitepaper I came across.
Edit 2: The link would help, wouldn't it? http://www.vmware.com/files/pdf/Coalfire-PCI-DSS-Compliance-and-VMware-WP.pdf

bdub

We are PCI compliant. Pretty sure most of our hardening guides are based off of the DISA STIG's. Not sure about any idiot proof guides or a "PCI for dummies" kind of thing which seems to be what your looking for.

Good luck! PCI sure is a blast!

higherho

I've automated / manually harden Window systems, Red hat Enterprise, IIS, DNS, DC's, switches ,etc. A lot of the checks are from the DISA STIG's. I have yet to go through the VMware / ESXi STIG (I will most likely go through that this week and I will let you know how it goes).

Most of the stuff is pretty basic and doesn't break the system unless you don't read the STIG's accordingly and understand your environment a little bit.

jibbajabba

Thanks guys. The whole process seem overwhelming at first but yea - seem to be pretty basic. It seems that the hardest bit will be the policies, and their enforcement ...

I suppose PCI DSS has the same standard across the globe ? Wondering how relevant the DISA STIG's are for us in Europe ..