[PCI DSS 1.x] 2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or S

[PCI-DSS] 2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

2.3 For a sample of system components, verify that non-console administrative access is encrypted by:

- Observing an administrator log on to each system to verify that a strong encryption method is invoked before the administrator's password is requested;
- Reviewing services and parameter files on systems to determine that Telnet and other remote log-in commands are not available for use internally; and
- Verifying that administrator access to the web-based management interfaces is encrypted with strong cryptography.
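The second bullet of the testing procedure above asks the assessor to review services and parameter files rather than just attempt a connection. The following is an added example, not part of the PCI DSS text or of this thread, of a small POSIX shell audit helper that performs that review against three inputs a host can supply: a `netstat -tln`-style socket listing, an inetd.conf, and an sshd_config. It flags the clear-text remote-login ports (telnet 23, exec 512, login 513, shell 514), enabled inetd entries for those services, and sshd settings that weaken the encryption negotiated before the password prompt (SSH protocol 1 or known-weak ciphers). The input formats, the port list and the sample files are my assumptions; the sample inputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for the PCI DSS 2.3 testing procedure (not text from the
# standard or from this thread). Reviews three files from a Unix host for
# clear-text remote login and weak SSH settings. Input formats assumed:
#   $1  `netstat -tln` style listing (col 4 = "local-addr:port", last col = state)
#   $2  /etc/inetd.conf (service name in column 1, '#' comments out a line)
#   $3  /etc/ssh/sshd_config (keyword value)

# Clear-text remote-login TCP ports: telnet 23, exec 512, login 513, shell 514.
CLEARTEXT_PORTS='23|512|513|514'

# Print each listening TCP socket bound to a clear-text remote-login port.
cleartext_listeners() {
    awk -v re=":(${CLEARTEXT_PORTS})\$" '
        $1 ~ /^tcp6?$/ && $NF == "LISTEN" && $4 ~ re { print "listener: " $4 }
    ' "$1"
}

# Print inetd services that are enabled (line not commented out) and
# provide clear-text remote login.
inetd_cleartext_services() {
    awk '$1 ~ /^(telnet|exec|login|shell)$/ { print "inetd service: " $1 }' "$1"
}

# Print sshd settings that weaken the encryption negotiated before the
# password prompt: protocol 1 enabled, or a known-weak cipher offered.
sshd_weak_settings() {
    awk '
        tolower($1) == "protocol" && $2 ~ /1/ { print "sshd: Protocol " $2 }
        tolower($1) == "ciphers" && tolower($2) ~ /(arcfour|3des|blowfish)/ { print "sshd: Ciphers " $2 }
    ' "$1"
}

# Total number of findings across the three files; 0 means this part of
# the 2.3 check passes for the host.
finding_count() {
    {
        cleartext_listeners "$1"
        inetd_cleartext_services "$2"
        sshd_weak_settings "$3"
    } | wc -l | tr -d ' '
}

# Constructed sample inputs (not captured from a real host): one host that
# fails every check and one that passes. Prints the directory they live in.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/netstat-bad.txt" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::513                  :::*                    LISTEN
EOF
    cat > "$d/netstat-good.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
EOF
    cat > "$d/inetd-bad.conf" <<'EOF'
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
EOF
    cat > "$d/inetd-good.conf" <<'EOF'
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#login  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
EOF
    cat > "$d/sshd-bad.conf" <<'EOF'
Port 22
Protocol 2,1
Ciphers aes128-ctr,3des-cbc
PasswordAuthentication yes
EOF
    cat > "$d/sshd-good.conf" <<'EOF'
Port 22
Protocol 2
Ciphers aes256-ctr,aes128-ctr
PasswordAuthentication yes
EOF
    echo "$d"
}

# Stand-alone run against the constructed samples.
SAMPLES=$(make_samples)
echo "findings, bad host:   $(finding_count "$SAMPLES/netstat-bad.txt" "$SAMPLES/inetd-bad.conf" "$SAMPLES/sshd-bad.conf")"
echo "findings, clean host: $(finding_count "$SAMPLES/netstat-good.txt" "$SAMPLES/inetd-good.conf" "$SAMPLES/sshd-good.conf")"
rm -rf "$SAMPLES"
```

Run it against real files (`netstat -tln > listing.txt`, `/etc/inetd.conf`, `/etc/ssh/sshd_config`) and treat any non-zero finding count as a 2.3 exception to document. It covers only the second bullet; the first and third (watching the logon and checking the web interface's TLS) still need a live session with the administrator.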

I seem to have a problem interpreting this one. We have various types of connections to servers in CDEs. We typically require SSH, and anything else such as RDP, etc. must be tunnelled through SSH. However, in one CDE, RDP is used without SSH. Does using only RDP go against the intent of 2.3? I don't really consider RDP an encrypted connection, as the keys are on every box in a well-known location, as we know.
Also, there are back-end management connections for NetIQ, etc., that go through another firewall and then hit a second i/f on each box in the CDE (used strictly to automate management/updating/patching, etc.). Are these considered "non-console" (by definition I think they are?) and do they require encryption as well, even though they are filtered through yet another firewall before reaching the CDE servers?

If you are confused, let me simplify: all servers have two i/fs, one for human interaction over SSH, the other for managing the box using non-SSH connections; each, however, is filtered by firewalls.

Any help appreciated.



I would like to know if self-signed certificates may be considered valid for administering servers or network appliances through web tools in a PCI DSS area?

The use of an internal but official Public Key Infrastructure with a recognized Certificate Authority would let us offer a higher security level. But could it be mandatory? What would a QSA's reaction be on that point?

Help on this subject would be appreciated.