[PCI DSS 3.0] 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network

Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.

This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.

2.1.a Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.)

2.1.b For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled.

2.1.c Interview personnel and examine supporting documentation to verify that:

• All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network.

• Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network.

Malicious individuals (external and internal to an organization) often use vendor default settings, account names, and passwords to compromise operating system software, applications, and the systems on which they are installed. Because these default settings are often published and are well known in hacker communities, changing these settings will leave systems less vulnerable to attack.

Even if a default account is not intended to be used, changing the default password to a strong unique password and then disabling the account will prevent a malicious individual from re-enabling the account and gaining access with the default password.
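Added example, not part of PCI DSS and not PCI SSC material: a small Python audit of the kind an assessor or administrator might script to support 2.1.a (SNMP community strings still set to a vendor default) and 2.1.b (vendor-default accounts that are present but not removed or disabled) on a Linux host. The default-credential lists, the snmpd.conf excerpt and the /etc/shadow snapshot are all constructed for illustration; a real audit builds its lists from the vendor manuals and published default-credential sources the testing procedure refers to.

```python
"""Illustrative PCI DSS 2.1 configuration audit (added example, not PCI SSC material).

Checks two things a 2.1.a / 2.1.b test would look at on a Linux host:
  * snmpd.conf lines that still carry a vendor-default SNMP community string
  * vendor-default accounts in /etc/shadow that are present but not disabled
All inputs below are constructed samples; nothing is read from the live system.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed, illustrative defaults. A real audit builds these sets from the
# vendor manuals and published default-credential sources named in 2.1.a.
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
DEFAULT_ACCOUNTS = {"admin", "guest", "operator", "support"}

# net-snmp directives whose second field is the community string
SNMP_COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}


@dataclass
class Finding:
    requirement: str  # "2.1.a" or "2.1.b"
    subject: str      # config line or account name the finding concerns
    detail: str


def audit_snmpd_conf(text: str) -> List[Finding]:
    """2.1.a for SNMP: flag community strings that are still vendor defaults.

    Handles 'rocommunity/rwcommunity COMMUNITY [SOURCE [OID]]' and
    'com2sec NAME SOURCE COMMUNITY'; comments and blank lines are skipped.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comment, tokenize
        if not fields:
            continue
        directive = fields[0].lower()
        community = None
        if directive in SNMP_COMMUNITY_DIRECTIVES and len(fields) >= 2:
            community = fields[1]
        elif directive == "com2sec" and len(fields) >= 4:
            community = fields[3]
        if community is not None and community.lower() in DEFAULT_SNMP_COMMUNITIES:
            findings.append(Finding(
                "2.1.a", f"line {lineno}",
                f"{directive} uses default community string '{community}'"))
    return findings


def audit_shadow(text: str, today_days: int) -> List[Finding]:
    """2.1.b: report vendor-default accounts that are present and still usable.

    Disabled means: hash field locked ('!' or '*' prefix, as passwd -l /
    usermod -L produce) or expiry date (field 8, days since the epoch) not
    later than today_days. A removed account does not appear at all and so
    produces no finding. An empty hash field is a passwordless login and is
    reported for every account, default or not.
    """
    findings = []
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) < 8:          # blank or malformed line
            continue
        name, hashed, expire = fields[0], fields[1], fields[7]
        if hashed == "":
            findings.append(Finding("2.1.b", name, "account has no password set"))
        elif name in DEFAULT_ACCOUNTS:
            locked = hashed.startswith(("!", "*"))
            expired = expire.isdigit() and int(expire) <= today_days
            if not (locked or expired):
                findings.append(Finding("2.1.b", name, "vendor-default account is still enabled"))
    return findings


# Constructed sample inputs (not taken from any real system).
SAMPLE_SNMPD_CONF = """\
# snmpd.conf as shipped, partially hardened
rocommunity public 10.0.0.0/8
rwcommunity private
com2sec readonly default n0t-a-d3fault-str1ng
rocommunity Kq7vX9pLm2zR   # changed string, not flagged
"""

SAMPLE_SHADOW = """\
root:$6$salt$hash:19700:0:99999:7:::
admin:$6$salt$hash:19700:0:99999:7:::
guest:!$6$salt$hash:19700:0:99999:7:::
operator::19700:0:99999:7:::
support:$6$salt$hash:19700:0:99999:7::19000:
alice:$6$salt$hash:19700:0:99999:7:::
"""


def run_audit(today_days: int = 19800) -> Tuple[List[Finding], List[Finding]]:
    """Run both checks over the constructed samples and return the findings."""
    return audit_snmpd_conf(SAMPLE_SNMPD_CONF), audit_shadow(SAMPLE_SHADOW, today_days)


if __name__ == "__main__":
    snmp_findings, shadow_findings = run_audit()
    for finding in snmp_findings + shadow_findings:
        print(f"[{finding.requirement}] {finding.subject}: {finding.detail}")
```

Two caveats when using something like this. First, a configuration check only complements the log-on attempt that 2.1.a actually asks for: an application or appliance can accept a default credential that never appears in any file the script reads. Second, a locked entry such as `guest:!$6$...` shows only that the account is currently disabled; the hash behind the `!` may still be the vendor default, which is exactly the case the guidance warns about. Changing the password to a strong unique value before locking is what makes the lock safe against a later unlock.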