Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Attackers (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. The following table lists the specific subrequirements in Requirement 2 that are addressed by LogLogic Compliance Suite - PCI Edition.
Requirement 2 | Do not use vendor-supplied defaults for system passwords and other security parameters |
---|---|
2.2.2 | Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the devices' specified function) |
2.2.3 | Implement additional security features for any required services, protocols, or daemons that are considered to be insecure; for example, use secured technologies such as SSH, S-FTP, SSL, or IPsec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, and FTP. (Update: v3.0, November 2013) |
2.3 | Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access |
2.5 | Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. (Update: v3.0, November 2013) |
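Subrequirements 2.2.2, 2.2.3 and 2.3 reduce to one check that a reviewer can automate: compare what each host actually listens on against the baseline of services its function requires, then separate services that should be disabled (2.2.2) from required services that run over a cleartext protocol and need a secured replacement or wrapper (2.2.3, and 2.3 when the cleartext service is an administrative channel). The script below is an added example, not LogLogic or PCI Council code; the host inventory, the per-host baseline and the port-to-protocol table are constructed sample data chosen for illustration.

```python
"""Audit listening services against PCI DSS Requirement 2.2.2 / 2.2.3 / 2.3.

Added example (not LogLogic or PCI Council code). The inventory, baseline and
port table below are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Cleartext protocols named in 2.2.3; port-to-protocol mapping is an assumption.
INSECURE_PORTS = {
    21: "FTP (cleartext credentials and data)",
    23: "Telnet (cleartext administrative session)",
    139: "NetBIOS session service",
    445: "SMB file sharing",
}

# Constructed inventory in the shape "host port process", one record per line,
# as one might export from a listening-socket listing on each host.
SAMPLE_INVENTORY = """\
db01 22 sshd
db01 23 telnetd
db01 3306 mysqld
web01 22 sshd
web01 80 nginx
web01 443 nginx
web01 21 vsftpd
file01 22 sshd
file01 445 smbd
mgmt01 23 telnetd
"""

# Constructed baseline: ports each host needs for its specified function (2.2.2).
SAMPLE_BASELINE = {
    "db01": {22, 3306},
    "web01": {22, 80, 443},
    "file01": {22, 445},
    "mgmt01": {23},  # approved in the baseline, but Telnet admin access still violates 2.3
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    process: str
    requirement: str
    detail: str


def parse_inventory(text):
    """Parse 'host port process' records; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, port, process = line.split()
        rows.append((host, int(port), process))
    return rows


def audit(rows, baseline):
    """Return one Finding per listener that fails 2.2.2, 2.2.3 or 2.3.

    - Not in the host's baseline         -> 2.2.2: disable the service.
    - In baseline but cleartext protocol -> 2.2.3: wrap or replace with a secured
      technology; Telnet is additionally an admin channel, so it is reported under 2.3.
    """
    findings = []
    for host, port, process in rows:
        required = port in baseline.get(host, set())
        if not required:
            findings.append(Finding(host, port, process, "2.2.2",
                                    "service not in approved baseline; disable it"))
        elif port in INSECURE_PORTS:
            req = "2.3" if port == 23 else "2.2.3"
            findings.append(Finding(host, port, process, req,
                                    f"{INSECURE_PORTS[port]}; replace or protect with SSH/S-FTP/TLS/IPsec"))
    return findings


def run_sample():
    """Audit the constructed inventory against the constructed baseline."""
    return audit(parse_inventory(SAMPLE_INVENTORY), SAMPLE_BASELINE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.requirement}] {f.host}:{f.port} ({f.process}) - {f.detail}")
```

Services that are both in the baseline and not on the cleartext list (SSH, HTTPS, the database port) produce no finding, which is the point of keeping the baseline per host: port 80 is the specified function of the web tier, not an administrative channel, so it is a 2.2.2 question of whether it belongs in the baseline rather than a 2.3 violation.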
Subtopics