PCI DSS in a VMware / Windows environment

jibbajabba Member Posts: 4,317
Has anyone hardened their environment in order to obtain PCI-DSS?

Are there any idiot-proof guides out there on how to (manually) harden VMware and Windows systems?

I have been googling all day now, and the more I try to read up on it, the more pops up.

VMware provides a tool to check it (it can't be installed in our environment right now), VMware's Configuration Manager is currently not an option, and Microsoft's documentation is a nightmare ...

Any pointers would be appreciated.
My own knowledge base made public: http://open902.com :p

Comments

  • meadIT Member Posts: 581
    Have you taken a look at the whitepapers on this page? Compliance Center Resources

    I'm assuming the VMware tool that you can't install is the PCI compliance checker? https://my.vmware.com/web/vmware/evalcenter?p=compliance-chk

    Other than that, it's going to be a pretty manual process of going through the vSphere Hardening Guide.

    Edit: Here's another whitepaper I came across.
    Edit 2: The link would help, wouldn't it? http://www.vmware.com/files/pdf/Coalfire-PCI-DSS-Compliance-and-VMware-WP.pdf
    CERTS: VCDX #110 / VCAP-DCA #500 (v5 & 4) / VCAP-DCD #10(v5 & 4) / VCP 5 & 4 / EMCISA / MCSE 2003 / MCTS: Vista / CCNA / CCENT / Security+ / Network+ / Project+ / CIW Database Design Specialist, Professional, Associate
  • bdub Member Posts: 154
    We are PCI compliant. Pretty sure most of our hardening guides are based off of the DISA STIGs. Not sure about any idiot-proof guides or a "PCI for dummies" kind of thing, which seems to be what you're looking for.

    Good luck! PCI sure is a blast!
  • higherho Member Posts: 882
    I've automated / manually hardened Windows systems, Red Hat Enterprise, IIS, DNS, DCs, switches, etc. A lot of the checks are from the DISA STIGs. I have yet to go through the VMware / ESXi STIG (I will most likely go through that this week and I will let you know how it goes).

    Most of the stuff is pretty basic and doesn't break the system unless you don't read the STIGs accordingly and understand your environment a little bit.
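Since the thread points at automating STIG-style checks rather than clicking through each box, here is an added example (not posted by anyone in this thread, and not a DISA or VMware tool) of a PowerShell audit over a handful of registry-backed Windows hardening settings, with an optional remediation switch. The setting list is an illustrative assumption built from well-known items (LM hash storage, NTLM compatibility level, anonymous enumeration, SMB signing, UAC); it is not a complete STIG or PCI DSS checklist, and the function name Test-HardeningBaseline is ours.

```powershell
# Added example, not from the thread: audit a few STIG-style Windows registry
# settings and report drift. The $Baseline list is illustrative (an assumption),
# not a full STIG or PCI DSS checklist; map each item to your own baseline.

# Each entry: registry path, value name, expected DWORD value, short description.
$Baseline = @(
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='NoLMHash'; Expected=1;
       Desc='Do not store LAN Manager hash on next password change' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='LmCompatibilityLevel'; Expected=5;
       Desc='Send NTLMv2 only, refuse LM and NTLM' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='RestrictAnonymous'; Expected=1;
       Desc='Restrict anonymous enumeration of SAM accounts and shares' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name='RequireSecuritySignature'; Expected=1;
       Desc='Require SMB signing (server side)' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name='RequireSecuritySignature'; Expected=1;
       Desc='Require SMB signing (client side)' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='EnableLUA'; Expected=1;
       Desc='User Account Control enabled' }
)

function Test-HardeningBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [array]$Baseline,
        [switch]$Remediate
    )
    foreach ($item in $Baseline) {
        $actual = $null
        # A missing key or value is reported as absent. For most of these items
        # "not configured" means the OS default applies, which is a FAIL.
        if (Test-Path $item.Path) {
            $prop = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $actual = $prop.($item.Name) }
        }
        $pass = ($null -ne $actual) -and ($actual -eq $item.Expected)

        if (-not $pass -and $Remediate) {
            if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
            # -PropertyType DWord is explicit: these policy values are REG_DWORD,
            # and a REG_SZ "1" would be ignored by the component reading it.
            New-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Expected `
                -PropertyType DWord -Force | Out-Null
            $actual = $item.Expected
            $pass = $true
        }

        [pscustomobject]@{
            Setting     = "$($item.Path)\$($item.Name)"
            Description = $item.Desc
            Expected    = $item.Expected
            Actual      = if ($null -eq $actual) { '<absent>' } else { $actual }
            Status      = if ($pass) { 'PASS' } else { 'FAIL' }
        }
    }
}

# Report-only run. Add -Remediate (from an elevated shell, after change control)
# to write the expected values; keep the output as evidence for the assessor.
$results = Test-HardeningBaseline -Baseline $Baseline
$results | Format-Table -AutoSize
"{0} of {1} checks passed" -f @($results | Where-Object Status -eq 'PASS').Count, $results.Count
```

Two caveats a practitioner will hit: a value this script writes directly will be overwritten at the next Group Policy refresh if a GPO sets the same policy, so the durable fix belongs in the GPO and this script is the drift check; and a registry value matching the STIG does not prove the control is effective (for example, SMB signing is only enforced if both sides honour it), so pair the audit with a functional test where one exists.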
  • jibbajabba Member Posts: 4,317
    Thanks guys. The whole process seems overwhelming at first, but yeah, it seems to be pretty basic. It seems that the hardest bit will be the policies and their enforcement ...

    I suppose PCI DSS has the same standard across the globe? Wondering how relevant the DISA STIGs are for us in Europe ...
    My own knowledge base made public: http://open902.com :p