Tune Plesk to Meet PCI DSS on Windows¶
This section describes the steps that you should perform if you want to secure your server and achieve compliance with PCI DSS on a Microsoft Windows-based server.
Warning
We highly recommend that you configure the Windows firewall in the server operating system to block all remote procedure calls (RPC) and communications to the Windows Management Instrumentation (WMI) services.
Securing Remote Desktop connections¶
Set up encryption of the remote desktop connections to prevent man-in-the-middle attacks. For instructions, refer to http://technet.microsoft.com/en-us/library/cc782610.aspx.
Changing Remote Desktop connections port¶
Some PCI scanners report a man-in-the-middle attack if you do not change the RDP port to a custom value. To do it, complete the following steps:
Run the
regeditutility by clicking Start > Run, typing regedit, and then clicking OK.Change the port value by modifying the following registry key:
HKEY_LOCAL_MACHINESystemCurrentControlSetControlTerminalServerWinStationsRDP-TcpPortNumber
Prohibiting access to MySQL database server from external addresses¶
Use the firewall functions built into your Plesk.
Log in to Plesk as administrator.
Go to Tools & Settings > Firewall.
Go To the Firewall Rules tab.
Click the
icon to switch the Plesk MySQL server rule.
The icon will turn to 
.
Switching off weak SSL/TLS ciphers for Web server in Plesk for Microsoft Windows Server 2003 and 2008¶
Copy the following text to the clipboard:
REGEDIT4 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5] "Enabled"=dword:00000000
Log in to the server over a Remote Desktop connection.
In the server’s operating system, open Notepad or any other text editor and create a file with the
regextension.Paste the text from the clipboard into this file.
Save the file.
Double-click the file to open it.
When prompted, confirm addition of new keys to the registry.
Restart the operating system.
Note
Some applications on the server that use weak SSL/TLS ciphers and protocols may stop working.
Securing FTP connections¶
If you allow FTP connections to your server, you must prohibit all FTP connections except secure FTPS connections.
To allow only FTPS connections to your server:
Go to Tools & Settings > Security Policy.
Select the option Allow only secure FTPS connections for FTPS usage policy.
