Sunday, September 21, 2014

Labs: PCI DSS 3.0 Req # 7 - Implement Strong Access Controls 10-minute Challenge

Challenge Accepted!

In a previous post, we outlined the PCI DSS3 Requirement 7 10-minute challenge.
This entry outlines the current environment, the high-level steps and the verification protocol.

Here's the current environment as of today (excluding the 2-node Hadoop cluster):

Here's what we're adding for the challenge:


The cast of characters
  • J. Peterman and Elaine Benes are the PCI Developers
    • On Windows - PCI Developers shall perform developer tasks like:
      • Opening SQL Server Studio
      • Resetting IIS websites
      • Control System Services
    • On Linux - PCI Developers shall perform LAMP functions like:
      • Control the httpd service
      • Elevate to the mysql account (without knowing the credentials)
      • Edit the httpd daemon config file /etc/httpd/conf/httpd.conf
  • Jerry Seinfeld is a Domain Admin
  • George Costanza is the UNIX Sysadmin

Steps to the Challenge - 10 minutes

Planning
- Will use a new zone to prove this concept (may be needed for separation of duties) - name: PCI
- Will reuse the existing ZPA service (provisioning has nothing to do with PCI, will control access with Roles)
- A Combined UNIX/Windows role will be created with the following access:

  • Role Properties
    • Available 24x7
    • Password Login and SSO enabled
    • Non-Restricted Shell
  • Access Rights
    • PAM SSH
    • Remote (Windows)
  • UNIX Commands
    • systemctl (start|stop|restart)*httpd as root (authenticated)
    • su - mysql as root (authenticated)
    • vi /etc/httpd/conf/httpd.conf
  • Windows Applications
    • iisreset.exe as local administrator
    • services.msc as local administrator
    • SQL Management Studio as local administrator

- The PCI Developers group will be called PCI Developers

Implementation

On the management station:
  1. In ADUC create the PCI Developers role
  2. In Access Manager set up the new zone.
  3. Set up the UNIX identity properties
  4. Set up the UNIX commands
  5. Set up the Windows Applications
  6. Create the PCI Developers role, set up properties, add the rights
  7. Perform the role assignment at the zone level.
On CEN2:
  1. Unpack the Centrify agent bits
  2. Run adcheck
  3. Join the zone
  4. Run adquery user and dzinfo
On APP2:
  1. Install the Centrify Agent
  2. Join the Zone and Reboot

Test Plan (Check) - 5 minutes

  • We'll verify that PCI developers can:
    • Only log in via SSH (Linux) and RDP (Windows)
    • Perform administrative tasks on APP2 (Win Server 2012 R2)
      (not a member of Local Administrators or Domain Admins)
    • Perform LAMP admin duties on CEN2 (CentOS 7)
      (they shall not know the root account)
  • Windows Domain admins should not be allowed to log in to the PCI systems (Jerry)
  • Enterprise UNIX admins - should not be allowed to log in to the PCI systems (George)
  • Any other users can't access the systems (Soup Nazi)
  • The model should work for both Unix/Linux and Windows.
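The Test Plan above, codified as a check script for CEN2 (an added example, not from the post or from Centrify): it reads each user's effective rights with dzinfo and fails if a developer is missing a right or anyone else holds a role in the PCI zone. The logon names, the assumption that `dzinfo <user>` prints the user's role name and command rights, and the DZINFO override for dry runs are mine, not the post's.

```shell
#!/bin/sh
# Added example: runs the PCI zone Test Plan on CEN2 by reading each
# user's effective Centrify rights with dzinfo.
# Assumptions (not from the post): logon names jpeterman, ebenes,
# jseinfeld, gcostanza, soupnazi; `dzinfo <user>` prints the role name
# and the granted UNIX commands; the PCI zone holds only this one role.

DZINFO=${DZINFO:-dzinfo}   # overridable so the checks can be dry-run
ROLE="PCI Developers"

# UNIX command rights the role must grant (from the Planning section).
DEV_RIGHTS='systemctl (start|stop|restart)*httpd
su - mysql
vi /etc/httpd/conf/httpd.conf'

# rights_of USER -> dzinfo output for USER (empty if unknown)
rights_of() { "$DZINFO" "$1" 2>/dev/null; }

# has_line USER TEXT -> 0 if TEXT appears literally in USER's rights
has_line() { rights_of "$1" | grep -qF -- "$2"; }

# check_developer USER -> 0 if USER holds the role and every listed right
check_developer() {
  has_line "$1" "$ROLE" || { echo "FAIL $1: missing role $ROLE"; return 1; }
  printf '%s\n' "$DEV_RIGHTS" | while IFS= read -r right; do
    has_line "$1" "$right" || { echo "FAIL $1: missing '$right'"; exit 1; }
  done || return 1
  echo "PASS $1: PCI Developer rights present"
}

# check_denied USER -> 0 if USER has no role in this zone (no login at all)
check_denied() {
  if has_line "$1" "$ROLE"; then
    echo "FAIL $1: holds $ROLE in the PCI zone"; return 1
  fi
  echo "PASS $1: no access"
}

# run_test_plan -> number of failed checks (0 means the model holds)
run_test_plan() {
  fails=0
  for u in jpeterman ebenes; do check_developer "$u" || fails=$((fails+1)); done
  for u in jseinfeld gcostanza soupnazi; do check_denied "$u" || fails=$((fails+1)); done
  echo "$fails check(s) failed"
  return "$fails"
}

if [ "${1:-}" = "--run" ]; then run_test_plan; fi
```

Run it on CEN2 as root with `sh pci_check.sh --run`; a non-zero exit means at least one line of the test plan does not hold.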

First Video - Challenge Explained (5:03)


Second Video - Implementation (9:40)


Third Video - Verification (6:49)

