• PCI: change-detection mechanism

    From T@21:1/5 to All on Mon Jan 29 07:04:51 2024
    Hi All,

    Windows 10 and 11, Pro, 22H2

    Any idea how I would implement this Payment Card Industry
    requirement:

    https://docs-prv.pcisecuritystandards.org/SAQ%20(Assessment)/SAQ/PCI-DSS-v4-0-SAQ-C-r1.pdf

    11.5.2, pg 61: A change-detection mechanism (for example,
    file integrity monitoring tools) is deployed as follows:

    • To alert personnel to unauthorized modification
    (including changes, additions, and deletions) of critical
    files.

    • To perform critical file comparisons at least once weekly.

    Applicability Notes, pg 62:

    For change-detection purposes, critical files are usually
    those that do not regularly change, but the modification
    of which could indicate a system compromise or risk of
    compromise. Change-detection mechanisms such as file
    integrity monitoring products usually come pre-configured
    with critical files for the related operating system. Other
    critical files, such as those for custom applications, must
    be evaluated and defined by the entity (that is, the merchant
    or service provider).


    Many thanks,
    -T

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul@21:1/5 to All on Mon Jan 29 14:16:39 2024
    On 1/29/2024 10:04 AM, T wrote:
    Hi All,

    Windows 10 and 11, Pro, 22H2

    Any idea how I would implement this Payment Card Industry
    requirement:

    https://docs-prv.pcisecuritystandards.org/SAQ%20(Assessment)/SAQ/PCI-DSS-v4-0-SAQ-C-r1.pdf

        11.5.2, pg 61: A change-detection mechanism (for example,
        file integrity monitoring tools) is deployed as follows:

        • To alert personnel to unauthorized modification
        (including changes, additions, and deletions) of critical
        files.

        • To perform critical file comparisons at least once weekly.

        Applicability Notes, pg 62:

        For change-detection purposes, critical files are usually
        those that do not regularly change, but the modification
        of which could indicate a system compromise or risk of
        compromise. Change-detection mechanisms such as file
        integrity monitoring products usually come pre-configured
        with critical files for the related operating system. Other
        critical files, such as those for custom applications, must
        be evaluated and defined by the entity (that is, the merchant
        or service provider).


    Many thanks,
    -T

    Rather than me designing something in C, maybe we could think
    about where this requirement is coming from.

To avoid PCI compliance, you could move the payment thing to
separate equipment, on a separate network, making it easier to
prove compliance.

You don't really want staff in the office, picking up a phone,
listening to a customer request, and bringing up a CC processing
application and typing in the details, as now the computer has
to meet PCI.

    WinCE may have been replaced by Win10 IoT (Win10 without standard
    graphics). But that hardly seems like good material for the job.

    *******

The easiest way to meet change detection is to virtualize, and
checksum the container each time before execution.

Windows 10 Sandboxed applications use a miniature image of the
OS stored in memory. Presumably a copy of this is made as a mini-container,
to run an application the user wants Sandboxed. I do not know whether
the container is checksummed or scanned or anything else. But this
amounts to Microsoft taking advantage of the inverted hypervisor
running on every PC.

The software that public libraries use, or the software that
Internet Cafes use, reboots between every customer. And this
wipes out the "state", including presumably, attempts to tip over
the OS. This is not bulletproof however, because miscreants do manage
to tip over library machines. It's not like rebooting from a read-only
image is good enough in any absolute sense.

Virtualization is not a guarantee either, as at least applications
in containers know they're in a container. If they need to carry
out an attack, it's not like they've been "fooled about where they are".
I ran into this years ago, when evaluating a video filter, and the
filter installer said "you cannot install this software in a virtual
machine". It also detected WINE when I tried it. The installer was a
more clever design than the software the guy was actually trying to sell.

    *******

In any case, Windows Defender scans critical files when Windows 10 or
Windows 11 boots up. That's what the delay is on hard drive based
systems. But because this does not say on the tin "our behavior is
perfect for PCI compliance", any observation that "it's doing some
good things" matters not a lot when filling out your form stating
the stack on the hardware you support really is PCI compliant.

When Windows has "Cloud Based Protection" turned on, it can do the
equivalent of VirusTotal and send up a hash and see if it exists or
see if the application is unique. Then, it can squash something flat,
if it thinks the "reputation" isn't good enough. I think possibly, on
someone's attempt to download a quick-turn version of BetterBird, WD
quarantined the download rather than allow the user to use it.

The level of defenses people here have seen will depend to some extent
on "how many things they switched off". I don't run any Sandbox behaviors
here, and I have Cloud Protection switched off (in the hope there will be
fewer false positives). Some of these features really aren't observable,
and I couldn't say a thing positive or negative about them.

I don't think Windows uses Tripwire as an approach, which is kind of what
the PCI text quoted in your post is implying. Windows has Windows Defender,
which does signature analysis, and it may not necessarily be using a
Tripwire approach as such. This means you can't honestly make any bold
assertions, unless some learn.microsoft.com page says explicitly "we do
Tripwire while you sleep".

If I Google PCI Compliance, all I get for answers is adverts for services
by middlemen, without a lot of nifty observations about stuff that
just happens to accidentally meet the requirements. I wasn't able to
gain any foothold that way. Perhaps a Reddit search would pick something up.

    If you have the CoPilot trial running on your desk, you can try CoPilot.
    I've noticed, the last time I tried CoPilot, the I/O rate over the
    network has slowed considerably, and the "fluid typing" the AI used
    to do, is degraded a lot.

CoPilot answers tend to be filled with waffle, so it's hardly all that useful.

    OK, so let's try that. I will ask CoPilot

    "Which version of Windows 10 is PCI Compliant?"

    "According to the web search results, Windows 10 is certified as compliant under PCI DSS version 3.2
    at Service Provider Level 1 (1). However, this does not automatically mean that any service or
    application built or hosted on Windows 10 is also PCI compliant. Customers are responsible for
    ensuring that they meet the PCI DSS requirements for their specific scenarios (1). You can use the
    Security Compliance Toolkit (2) to help you manage and test your security configuration baselines
    for Windows 10. You can also use Windows Defender and other Microsoft security products to enhance
    your protection against malicious code and other threats (3). For more information and guidance,
    you can check out the web search results 1, 2, 3, and 4.

https://learn.microsoft.com/en-us/compliance/regulatory/offering-pci-dss
https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10
    https://download.microsoft.com/download/C/7/7/C778B7BB-0783-42D7-93A9-B86DFB5A7BAD/Coalfire_Branded_Windows_Defender_Whitepaper_EN_US.pdf
    https://www.dnsstuff.com/pci-compliance-software

    The first reference (1) is Not Applicable.
    The second reference (2), has nothing to do with Tripwire (hashing) as an approach.
    The third reference (3) is at least focused on answering assessment questions. You could read that one for a laugh (PDF).
    And the fourth one, I'm not even going to look :-/ That would be like my Google Search. Pointless.

    Paul

  • From T@21:1/5 to All on Mon Jan 29 12:42:32 2024
    On 1/29/24 07:04, T wrote:
    Hi All,

    Windows 10 and 11, Pro, 22H2

    Any idea how I would implement this Payment Card Industry
    requirement:

    https://docs-prv.pcisecuritystandards.org/SAQ%20(Assessment)/SAQ/PCI-DSS-v4-0-SAQ-C-r1.pdf

        11.5.2, pg 61: A change-detection mechanism (for example,
        file integrity monitoring tools) is deployed as follows:

        • To alert personnel to unauthorized modification
        (including changes, additions, and deletions) of critical
        files.

        • To perform critical file comparisons at least once weekly.

        Applicability Notes, pg 62:

        For change-detection purposes, critical files are usually
        those that do not regularly change, but the modification
        of which could indicate a system compromise or risk of
        compromise. Change-detection mechanisms such as file
        integrity monitoring products usually come pre-configured
        with critical files for the related operating system. Other
        critical files, such as those for custom applications, must
        be evaluated and defined by the entity (that is, the merchant
        or service provider).


    Many thanks,
    -T



    This looks like it will work, but
    it looks too stripped. I need alerts
    eMailed to me:

    http://www.nirsoft.net/utils/folder_changes_view.html

Maybe if I could get at a log file, I can write
a program to sift through it and mail out alerts?
I'd rather it came with it though.

    -T

  • From T@21:1/5 to All on Mon Jan 29 15:23:08 2024
    On 1/29/24 12:42, T wrote:
    On 1/29/24 07:04, T wrote:
    Hi All,

    Windows 10 and 11, Pro, 22H2

    Any idea how I would implement this Payment Card Industry
    requirement:

    https://docs-prv.pcisecuritystandards.org/SAQ%20(Assessment)/SAQ/PCI-DSS-v4-0-SAQ-C-r1.pdf

         11.5.2, pg 61: A change-detection mechanism (for example,
         file integrity monitoring tools) is deployed as follows:

         • To alert personnel to unauthorized modification
         (including changes, additions, and deletions) of critical
         files.

         • To perform critical file comparisons at least once weekly.

         Applicability Notes, pg 62:

         For change-detection purposes, critical files are usually
         those that do not regularly change, but the modification
         of which could indicate a system compromise or risk of
         compromise. Change-detection mechanisms such as file
         integrity monitoring products usually come pre-configured
         with critical files for the related operating system. Other
         critical files, such as those for custom applications, must
         be evaluated and defined by the entity (that is, the merchant
         or service provider).


    Many thanks,
    -T



    This looks like it will work, but
    it looks too stripped.  I need alerts
    eMailed to me:

    http://www.nirsoft.net/utils/folder_changes_view.html

    Maybe if I could get at a log file, I can write
    a program to sift through it and mail out alerts?
I'd rather it came with it though.

    -T


    This one looks like it will work. 800 U$D for a 10 user
    license and has alerts eMailing. 21 day trial and a
    free version (no alerts though).

    https://directorymonitor.com

  • From Paul@21:1/5 to All on Mon Jan 29 22:37:05 2024
    On 1/29/2024 6:23 PM, T wrote:
    On 1/29/24 12:42, T wrote:
    On 1/29/24 07:04, T wrote:
    Hi All,

    Windows 10 and 11, Pro, 22H2

    Any idea how I would implement this Payment Card Industry
    requirement:

    https://docs-prv.pcisecuritystandards.org/SAQ%20(Assessment)/SAQ/PCI-DSS-v4-0-SAQ-C-r1.pdf

         11.5.2, pg 61: A change-detection mechanism (for example,
         file integrity monitoring tools) is deployed as follows:

         • To alert personnel to unauthorized modification
         (including changes, additions, and deletions) of critical
         files.

         • To perform critical file comparisons at least once weekly.

         Applicability Notes, pg 62:

         For change-detection purposes, critical files are usually
         those that do not regularly change, but the modification
         of which could indicate a system compromise or risk of
         compromise. Change-detection mechanisms such as file
         integrity monitoring products usually come pre-configured
         with critical files for the related operating system. Other
         critical files, such as those for custom applications, must
         be evaluated and defined by the entity (that is, the merchant
         or service provider).


    Many thanks,
    -T



    This looks like it will work, but
    it looks too stripped.  I need alerts
    eMailed to me:

    http://www.nirsoft.net/utils/folder_changes_view.html

    Maybe if I could get at a log file, I can write
    a program to sift through it and mail out alerts?
I'd rather it came with it though.

    -T


    This one looks like it will work.  800 U$D for a 10 user
    license and has alerts eMailing.  21 day trial and a
    free version  (no alerts though).

    https://directorymonitor.com



To simulate a change, I can use Copy.

copy IMG_2029.HEIC IMG_2029a.HEIC # 1,812,033 bytes

    PS D:\> fsutil usn readjournal C: > D:\read.txt # Check for recent changes to C:

    Usn : 11954266800
    File name : IMG_2029a.HEIC
    File name length : 28
    Reason : 0x00000100: File create
    Time stamp : 1/29/2024 21:01:08
    File attributes : 0x00000020: Archive
    File ID : 0000000000000000002f00000000b479 \____ These are critical to finishing the task
    Parent file ID : 0000000000000000001000000008f5d0 /
    Source info : 0x00000000: *NONE*
    Security ID : 0
    Major version : 3
    Minor version : 0
    Record length : 104

    Usn : 11954266888
    File name : IMG_2029a.HEIC
    File name length : 28
    Reason : 0x00000102: Data extend | File create
    Time stamp : 1/29/2024 21:01:08
    File attributes : 0x00000020: Archive
    File ID : 0000000000000000002f00000000b479
    Parent file ID : 0000000000000000001000000008f5d0
    Source info : 0x00000000: *NONE*
    Security ID : 0
    Major version : 3
    Minor version : 0
    Record length : 104

    Usn : 11954266976
    File name : IMG_2029a.HEIC
    File name length : 28
    Reason : 0x00000103: Data overwrite | Data extend | File create
    Time stamp : 1/29/2024 21:01:08
    File attributes : 0x00000020: Archive
    File ID : 0000000000000000002f00000000b479
    Parent file ID : 0000000000000000001000000008f5d0
    Source info : 0x00000000: *NONE*
    Security ID : 0
    Major version : 3
    Minor version : 0
    Record length : 104

    Usn : 11954267064
    File name : IMG_2029a.HEIC
    File name length : 28
    Reason : 0x00200103: Data overwrite | Data extend | File create | Stream change
    Time stamp : 1/29/2024 21:01:08
    File attributes : 0x00000020: Archive
    File ID : 0000000000000000002f00000000b479
    Parent file ID : 0000000000000000001000000008f5d0
    Source info : 0x00000000: *NONE*
    Security ID : 0
    Major version : 3
    Minor version : 0
    Record length : 104

    Usn : 11954267152
    File name : IMG_2029a.HEIC
    File name length : 28
    Reason : 0x00200123: Data overwrite | Data extend | Named data extend | File create | Stream change
    Time stamp : 1/29/2024 21:01:08
    File attributes : 0x00000020: Archive
    File ID : 0000000000000000002f00000000b479
    Parent file ID : 0000000000000000001000000008f5d0
    Source info : 0x00000000: *NONE*
    Security ID : 0
    Major version : 3
    Minor version : 0
    Record length : 104

    Usn : 11954267240
    File name : IMG_2029a.HEIC
    File name length : 28
    Reason : 0x00200133: Data overwrite | Data extend | Named data overwrite | Named data extend | File create | Stream change
    Time stamp : 1/29/2024 21:01:08
    File attributes : 0x00000020: Archive
    File ID : 0000000000000000002f00000000b479
    Parent file ID : 0000000000000000001000000008f5d0
    Source info : 0x00000000: *NONE*
    Security ID : 0
    Major version : 3
    Minor version : 0
    Record length : 104

    Usn : 11954267328
    File name : IMG_2029a.HEIC
    File name length : 28
    Reason : 0x00208133: Data overwrite | Data extend | Named data overwrite | Named data extend | File create | Basic info change | Stream change
    Time stamp : 1/29/2024 21:01:08
    File attributes : 0x00000020: Archive
    File ID : 0000000000000000002f00000000b479
    Parent file ID : 0000000000000000001000000008f5d0
    Source info : 0x00000000: *NONE*
    Security ID : 0
    Major version : 3
    Minor version : 0
    Record length : 104

    Usn : 11954267416
    File name : IMG_2029a.HEIC
    File name length : 28
    Reason : 0x80208133: Data overwrite | Data extend | Named data overwrite | Named data extend | File create | Basic info change | Stream change | Close
    Time stamp : 1/29/2024 21:01:08
    File attributes : 0x00000020: Archive
    File ID : 0000000000000000002f00000000b479 <=====+
    Parent file ID : 0000000000000000001000000008f5d0 |
    Source info : 0x00000000: *NONE* |
    Security ID : 0 |
    Major version : 3 |
    Minor version : 0 |
    Record length : 104 |
    |
    PS D:\> nfi.exe C: > files.txt |
    |
    File 46201 <===== 46201 decimal = 0xb479 ===========+ \Users\username\Downloads\IMG_2029a.HEIC
    $STANDARD_INFORMATION (resident)
    $FILE_NAME (resident)
    $FILE_NAME (resident)
    $DATA (nonresident)
    logical sectors 27851344-27854887 (0x1a8fa50-0x1a90827)
    $DATA Zone.Identifier (resident)

    File 587216 <--- Parent is the folder 0x8f5d0

    \Users\username\Downloads

    Between the $USN and the $MFT, you can figure out which item changed.

    But if someone boots Linux and changes a file, you cannot see this
    when Windows boots and you check the $USN. You need a hash approach,
    to hash the files and compare to a previous hash on the files.
    hashdeep64 will do this, but it will have the usual permission issues.

Every time Windows patches itself, things in the "critical" area will
change. Like when Windows Defender updates definitions several times
a day, those would count as changes, and your filter term (what
area do I want alerts about) will be popping those up. Metro.App
will be randomly updated (does not update at the same time as Windows Update
does things). If you were planning to "authenticate" changes, it is tough
to know who is a legit player in the file system.

That's some of the technical challenge with a roll-your-own approach.

    The information is there, but you still need a fallback plan (hashes).

    Paul

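The fsutil dump Paul pasted is plain "Key : Value" text, so the first step of the "sift through a log file" plan is a parser. This is an added example (mine, not code from the thread or from any tool named in it): it parses that layout, pulls the MFT record number out of the 128-bit File ID the way Paul does by hand (0xb479 = 46201), and folds the several per-handle records into one event per file. The sample records are constructed from the thread's output, with reason lists shortened and a made-up delete added.

```python
from collections import defaultdict

# Constructed sample in the "Key : Value" layout fsutil prints: records 1-2 mirror
# the thread's IMG_2029a.HEIC create/close (trimmed), record 3 is a made-up delete.
SAMPLE = """\
File name : IMG_2029a.HEIC
Reason : 0x00000100: File create
File ID : 0000000000000000002f00000000b479
Parent file ID : 0000000000000000001000000008f5d0

File name : IMG_2029a.HEIC
Reason : 0x80208133: Data overwrite | Data extend | File create | Close
File ID : 0000000000000000002f00000000b479
Parent file ID : 0000000000000000001000000008f5d0

File name : notes.txt
Reason : 0x80000200: File delete | Close
File ID : 0000000000000000003100000000c001
Parent file ID : 0000000000000000001000000008f5d0
"""

def parse_records(text):
    """One dict per record; fsutil separates records with a blank line."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(" : ")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def mft_record(file_id_hex):
    """The printed 128-bit File ID wraps a 64-bit NTFS file reference whose
    low 48 bits are the MFT record number (0xb479 -> 46201, as in the thread)."""
    return int(file_id_hex, 16) & 0xFFFFFFFFFFFF

def reason_flags(field):
    """'0x80000200: File delete | Close' -> (0x80000200, {'File delete', 'Close'})."""
    code, _, names = field.partition(": ")
    return int(code, 16), {n.strip() for n in names.split("|") if n.strip()}

def summarize(text):
    """Fold all records for a file into one event keyed by MFT record number, so a
    watcher alerts once per file; the 0x80000000 Close bit completes the operation."""
    events = defaultdict(lambda: {"reasons": set(), "closed": False})
    for rec in parse_records(text):
        ev = events[mft_record(rec["File ID"])]
        code, names = reason_flags(rec["Reason"])
        ev["name"] = rec["File name"]
        ev["parent"] = mft_record(rec["Parent file ID"])
        ev["reasons"] |= names - {"Close"}
        ev["closed"] |= bool(code & 0x80000000)
    for ev in events.values():  # the three outcomes 11.5.2 asks to alert on
        r = ev["reasons"]
        ev["kind"] = ("deletion" if "File delete" in r
                      else "addition" if "File create" in r else "change")
    return dict(events)
```

Real `read.txt` output carries CRLF line endings and more fields per record; the extra fields are ignored, so normalise newlines and feed the whole file to summarize().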
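Paul's fallback plan, a stored hash of every critical file compared against a fresh hash, is what a roll-your-own mechanism for 11.5.2 ends up as, and it also catches the offline-edit case the USN journal misses. This added example (not from the thread, hashdeep, or any product named in it) builds a SHA-256 baseline under a root with an exclusion list for paths that change legitimately, reports unreadable files instead of skipping them, and diffs two baselines into the additions, deletions and changes the requirement names. The exclusion patterns and the demo directory contents are constructed; the baseline dict is what you would persist off-host between weekly runs.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatch

# Constructed exclusion list: paths that legitimately change all the time (the
# thread's example is Defender definition updates) would otherwise drown the report.
DEFAULT_EXCLUDES = ("*Windows Defender/Definition Updates/*", "*.log")

def sha256_file(path, chunk=1 << 16):
    """Stream the file so multi-GB binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root, excludes=DEFAULT_EXCLUDES):
    """Map relative path -> SHA-256 for every file under root. Unreadable files
    (the permission issue the thread mentions) are returned, not silently skipped."""
    baseline, unreadable = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch(rel, pat) for pat in excludes):
                continue
            try:
                baseline[rel] = sha256_file(full)
            except OSError:
                unreadable.append(rel)
    return baseline, unreadable

def compare(previous, current):
    """Report the three outcomes 11.5.2 names: additions, deletions, changes."""
    both = set(previous) & set(current)
    return {"added": sorted(set(current) - set(previous)),
            "deleted": sorted(set(previous) - set(current)),
            "changed": sorted(p for p in both if previous[p] != current[p])}

def demo():
    """Constructed walkthrough in a temp dir: baseline, then edit, add and delete."""
    root = tempfile.mkdtemp()
    files = {"app/config.ini": b"v1", "app/main.exe": b"MZ...",
             "old.dat": b"x", "app/debug.log": b"noise"}
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    base, _ = build_baseline(root)
    with open(os.path.join(root, "app/config.ini"), "wb") as f:
        f.write(b"v2")                      # a change to a watched file
    with open(os.path.join(root, "dropper.exe"), "wb") as f:
        f.write(b"new")                     # an addition
    os.remove(os.path.join(root, "old.dat"))  # a deletion
    current, _ = build_baseline(root)
    return base, compare(base, current)
```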
  • From T@21:1/5 to Paul on Tue Jan 30 03:58:35 2024
    On 1/29/24 19:37, Paul wrote:
    That's some of the technical challenge with a roll your own approach.

    The information is there, but you still need a fallback plan (hashes).

    I was planning on going through someone else's log file
    that does not send eMail alerts, such as http://www.nirsoft.net/utils/folder_changes_view.html


    Doing it all myself, and as you have mentioned previously,
    "a hole opens up and Todd gets swallowed".
