Skip to main content

Non-Console Administrative Access

Now that PCI-DSS 3.2 is live, we have been pondering how hard it will be to implement the new multi-factor authentication requirements.  First some definitions from the PCI Glossary:

Non-Console Administrative Access:
Refers to logical administrative access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component. Non-console administrative access includes access from within local/internal networks as well as access from external, or remote, networks.

Acronym for “cardholder data environment.” The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.

It appears that not only will you have to use two-factor for your servers, but also your routers and VPNs.  Luckily, this is not hard. 

First, most enterprise-class routers and VPNs support radius for authentication of administrators.   Previously, we have shown how to add two-factor authentication for non-console acces to both Cisco and Checkpoint devices.  You really should do this for all of your networking infrastructure to avoid attacks like SYNful.

Linux servers are easy too.  Disable root login via SSH and require two-factor authentication for sudo via pam-radius. 

Windows servers are harder because Microsoft, after spending all that money winning the battle of directories against Novell, wants you to use Active Directory all the time for everything.   Even their radius plugin, NPS, wouldn't allow proxying to third-party authentication servers until Server 2008.  At WiKID, we have figured out an elegant way to use one-time passwords for AD users.  It doesn't require any software on the Windows side, just an admin capable of changing passwords.  Not even a group policy. It does require that you have certificate for SSL connections, so you need to set up AD Certificate Server if you haven't.  We do recommend that you have admin users and not just users that are admins. 

We have a complete tutorial on setting up two-factor auth for Windows and LInux Admins with WiKID.

The best thing about implementing the new PCI requirements is that they should actually be very impactful.   As noted in the 2016 Verizon DBIR, 63% of attacks use credentials to infiltrate or escalate their attacks.  Preventing pass-the-hash attacks alone will make escalation much harder if not impossible. And it will make detection much easier. 

Remember, WiKID is free for 5 users.  Download today and lock down your network!






Current rating: 3

Recent Posts







RSS / Atom