[PCI DSS 3.0] 2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

PCI DSS Requirements

2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

Testing Procedures

2.3 Select a sample of system components and verify that non-console administrative access is encrypted by performing the following:

2.3.a Observe an administrator log on to each system and examine system configurations to verify that a strong encryption method is invoked before the administrator's password is requested.

2.3.b Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access.

2.3.c Observe an administrator log on to each system to verify that administrator access to any web-based management interfaces is encrypted with strong cryptography.

2.3.d Examine vendor documentation and interview personnel to verify that strong cryptography for the technology in use is implemented according to industry best practices and/or vendor recommendations.
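The testing procedures above are written for an assessor watching an administrator log on. The mechanical parts of 2.3.a and 2.3.b can be scripted for a Linux host, and the POSIX shell helpers below do that: one function flags listeners on cleartext remote-login ports (telnet, rexec, rlogin, rsh) and plain-HTTP ports in `ss -tlnp` output, the other flags SSH protocol 1 and legacy cipher/MAC settings in `sshd -T` output, i.e. configurations where the encryption negotiated before the password prompt would not be strong. This is an added example by the editor, not PCI SSC material and not part of the standard; the function names, the port lists and the sample `ss`/`sshd` output are the editor's own assumptions and constructed data, while the cipher and MAC names are the ones OpenSSH uses.

```shell
#!/bin/sh
# Added example (editor's own, not PCI SSC material): scripted versions of the
# mechanical parts of testing procedures 2.3.a and 2.3.b for a Linux host.
# Function names, port lists and sample data below are assumptions.

# Ports on which a listener indicates a cleartext remote-login service
# (23 telnet, 512 rexec, 513 rlogin, 514 rsh). Any hit is a 2.3.b finding.
FAIL_PORTS="23 512 513 514"
# Common plain-HTTP ports: a hit needs a human to confirm the listener is not
# an administrative interface (2.3.c), so it is reported as a warning only.
WARN_PORTS="80 8080"

# check_cleartext_listeners: reads `ss -tlnp` output on stdin and prints one
# FAIL/WARN line per suspicious listener. Exit status 1 if any FAIL line was
# printed, 0 otherwise.
check_cleartext_listeners() {
    found=0
    while read -r state recvq sendq laddr peer proc; do
        [ "$state" = "LISTEN" ] || continue   # skips the header and non-LISTEN rows
        port=${laddr##*:}                      # works for 0.0.0.0:22, [::]:22 and *:22
        for p in $FAIL_PORTS; do
            if [ "$port" = "$p" ]; then
                echo "FAIL: cleartext remote-login listener on $laddr $proc"
                found=1
            fi
        done
        for p in $WARN_PORTS; do
            if [ "$port" = "$p" ]; then
                echo "WARN: plain HTTP listener on $laddr $proc (confirm it is not a management interface)"
            fi
        done
    done
    return $found
}

# check_sshd_config: reads `sshd -T` output (the effective configuration) or an
# sshd_config file on stdin and flags settings that let a client negotiate SSH
# protocol 1 or a legacy cipher/MAC. Exit status 1 on any FAIL, 0 otherwise.
check_sshd_config() {
    bad=0
    while read -r key value rest; do
        k=$(printf '%s' "$key" | tr 'A-Z' 'a-z')   # sshd_config keys are case-insensitive
        case "$k" in
            protocol)
                case ",$value," in
                    *,1,*) echo "FAIL: SSH protocol 1 enabled (Protocol $value)"; bad=1 ;;
                esac ;;
            ciphers)
                case "$value" in
                    *arcfour*|*3des*|*blowfish*|*cast128*|*-cbc*)
                        echo "FAIL: legacy cipher offered (Ciphers $value)"; bad=1 ;;
                esac ;;
            macs)
                case "$value" in
                    *md5*|*-96*) echo "FAIL: legacy MAC offered (MACs $value)"; bad=1 ;;
                esac ;;
        esac
    done
    return $bad
}

# Constructed sample data (not captured from any real host) so the script runs
# offline. On the audited host pipe the live commands in instead:
#   ss -tlnp | check_cleartext_listeners
#   sshd -T  | check_sshd_config
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=611,fd=3))
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*          users:(("inetd",pid=402,fd=5))
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=780,fd=6))
LISTEN 0      128    [::]:8080           [::]:*             users:(("java",pid=905,fd=12))'

SAMPLE_SSHD='Port 22
Protocol 2,1
Ciphers aes128-ctr,aes256-ctr,3des-cbc
MACs hmac-sha2-256,hmac-md5'

echo "== 2.3.b listener check (constructed sample) =="
printf '%s\n' "$SAMPLE_SS" | check_cleartext_listeners || echo "findings present; do not attest 2.3.b"
echo "== 2.3.a sshd check (constructed sample) =="
printf '%s\n' "$SAMPLE_SSHD" | check_sshd_config || echo "findings present; do not attest 2.3.a"
```

On the constructed sample the listener check reports the telnetd on port 23 as FAIL and the port 8080 service as WARN, and the sshd check reports three FAILs (Protocol 1, 3des-cbc, hmac-md5). Neither script replaces the observation steps in 2.3.a and 2.3.c: an assessor still has to watch the logon and confirm that a web-based management interface is served over TLS, for example with `openssl s_client -connect host:443 -tls1_2`. Note also that although PCI DSS 3.0 names "SSL/TLS" as an acceptable technology, PCI DSS 3.1 later removed SSL and early TLS from the definition of strong cryptography, so a web-interface check should require TLS 1.2 or later.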

Guidance

If non-console (including remote) administration does not use secure authentication and encrypted communications, sensitive administrative or operational level information (like administrator's IDs and passwords) can be revealed to an eavesdropper. A malicious individual could use this information to access the network, become administrator, and steal data.

Clear-text protocols (such as HTTP, telnet, etc.) do not encrypt traffic or logon details, making it easy for an eavesdropper to intercept this information.

To be considered "strong cryptography," industry-recognized protocols with appropriate key strengths and key management should be in place as applicable for the type of technology in use. (Refer to "strong cryptography" in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms.)