Sub-Requirement 2.2.2 and 2.2.3 (Update: v3.0 11/2013)

  • 2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the devices’ specified function)
  • 2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure. For example, use secured technologies such as SSH, S-FTP, SSL, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc. (Maps to prior Requirement 12.2)

Illustrative Controls and the TIBCO LogLogic Solution

Unnecessary services may include risky services such as FTP (21/tcp), Telnet (23/tcp), Rlogin (513/tcp), Rsh (514/tcp), NetBIOS (137-139/tcp,udp), and others. If these types of risky services are detected at the firewall, it may be a signal that hosts and devices have not been adequately secured according to the standards mandated in PCI requirement 2.2.

Administrators can utilize the following custom reports to help identify risky services and protocols. To add additional services that are considered risky to the organization, administrators can modify the advanced options in these custom reports.

Administrators should also configure network policy alerts to receive notification when any of these risky services are permitted. To add additional unnecessary services to the network policy alerts, administrators can edit the network policy configured for the following alerts. Administrators can also configure a network policy for ONLY allowed services, and be alerted on any services that are not in the allowed list.
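The two alerting approaches described above (a list of risky services, and a policy of ONLY allowed services) can be sketched as follows. This is an added example, not TIBCO LogLogic's own report or alert logic; the key=value firewall log format, the field names, and the sample lines are constructed assumptions.

```python
import re

# Risky services and ports as listed in the text above: port -> (name, protocols).
RISKY = {21: ("FTP", {"tcp"}), 23: ("Telnet", {"tcp"}),
         513: ("Rlogin", {"tcp"}), 514: ("Rsh", {"tcp"})}
RISKY.update({p: ("NetBIOS", {"tcp", "udp"}) for p in (137, 138, 139)})

# Constructed sample lines in a generic key=value firewall format (assumption).
SAMPLE_LOG = """\
2013-11-04T10:00:01Z action=permit proto=tcp src=10.1.1.5 dst=10.2.0.9 dport=443
2013-11-04T10:00:02Z action=permit proto=tcp src=10.1.1.7 dst=10.2.0.12 dport=23
2013-11-04T10:00:03Z action=deny proto=tcp src=10.1.1.8 dst=10.2.0.12 dport=21
2013-11-04T10:00:04Z action=permit proto=udp src=10.1.1.9 dst=10.2.0.30 dport=137
2013-11-04T10:00:05Z action=permit proto=udp src=10.1.1.9 dst=10.2.0.40 dport=514
2013-11-04T10:00:06Z action=permit proto=tcp src=10.1.1.4 dst=10.2.0.50 dport=8080
malformed line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def permitted_flows(log_text):
    """Yield (proto, dport, src, dst) for each permitted connection; skip bad lines."""
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("action") != "permit" or not f.get("dport", "").isdigit():
            continue
        yield f.get("proto", "").lower(), int(f["dport"]), f.get("src"), f.get("dst")

def risky_service_alerts(log_text, risky=RISKY):
    """Deny-list mode: permitted flows whose port AND protocol match a risky service."""
    alerts = []
    for proto, dport, src, dst in permitted_flows(log_text):
        name, protos = risky.get(dport, (None, ()))
        if name and proto in protos:  # 514/udp is syslog, not Rsh, so it is not flagged
            alerts.append((name, proto, dport, src, dst))
    return alerts

def allowlist_alerts(log_text, allowed):
    """Allow-list mode: any permitted flow whose (proto, port) is not explicitly allowed."""
    return [flow for flow in permitted_flows(log_text) if flow[:2] not in allowed]

if __name__ == "__main__":
    for alert in risky_service_alerts(SAMPLE_LOG):
        print("RISKY SERVICE PERMITTED:", alert)
    for flow in allowlist_alerts(SAMPLE_LOG, {("tcp", 443), ("udp", 514)}):
        print("NOT IN ALLOWED LIST:", flow)
```

On the sample data the allow-list mode also flags the permitted 8080/tcp flow, which the risky-service list alone would miss.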

Reports and Alerts

Use the following link/reference to see the 2.2.2 and 2.2.3 reports and alerts: 2.2.2 and 2.2.3 on page 94.