Change default configurations, as necessary.


CONTROL ID: 00877
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Configure custom security parameters for X-Windows., CC ID: 02168
  • Configure custom security settings for Lotus Domino., CC ID: 02171
  • Configure custom security settings for the Automated Security Enhancement Tool., CC ID: 02177
  • Configure custom security settings for Sun Answerbook2., CC ID: 02178
  • Configure custom security settings for Command (PROM) Monitor., CC ID: 02180
  • Configure and secure each interface for Executive Interfaces., CC ID: 02182
  • Reconfigure the default settings and configure the system security for Site Management Complex., CC ID: 02183
  • Configure the Unisys executive (GENNED) GEN tags., CC ID: 02184
  • Reconfigure the default Console Mode privileges., CC ID: 02189
  • Configure custom access privileges for all mapper files., CC ID: 02194
  • Configure custom access privileges for the PSERVER configuration file., CC ID: 02195
  • Configure custom access privileges for the DEPCON configuration file., CC ID: 02196
  • Disable the default NetWare user web page unless absolutely necessary., CC ID: 04447
  • Enable and reset the primary administrator names, primary administrator passwords, root names, and root passwords., CC ID: 04448
  • Remove unnecessary documentation or unprotected documentation from installed applications., CC ID: 04452
  • Complete the NetWare eGuide configuration., CC ID: 04449
  • Verify the usr/aset/masters/uid_aliases file exists and contains an appropriate aliases list., CC ID: 04902
  • Set the low security directory list properly., CC ID: 04903
  • Set the medium security directory list properly., CC ID: 04904
  • Set the high security directory list properly., CC ID: 04905
  • Set the UID aliases pointer properly., CC ID: 04906
  • Verify users are listed in the ASET userlist file., CC ID: 04907
  • Verify Automated Security Enhancement Tool checks the NIS+ tables, as appropriate., CC ID: 04908
  • Reconfigure the encryption keys from their default setting or previous setting., CC ID: 06079
  • Change the default Service Set Identifier for Wireless Access Points and wireless bridges., CC ID: 06086
  • Revoke public execute privileges for all processes or applications that allow such privileges., CC ID: 06568
  • Configure the system's booting configuration., CC ID: 10656


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization shall cancel the access authorizations for software purchased from vendors when the software is loaded on the system and rename or cancel all predefined special IDs for privileged access. (O18.5, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • All default usernames and passwords must be changed on network devices before they are deployed on the network. (Control: 1304, Australian Government Information Security Manual: Controls)
  • The organization should change all default passwords and usernames. (¶ 44(d), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • All default passwords should be changed to reduce potential vulnerabilities to the system. (§ 3.5.8, Australian Government ICT Security Manual (ACSI 33))
  • (§ XI.4, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Are default software settings changed to ensure a secure configuration? (Table Row XI.4, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Have all default settings, including passwords, been changed? (Table Row XIII.5, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • § 2.3.1 (2.3.1.080) Change the default SSID to a locally unique wireless network name that does not identify the host organization. § 2.3.2 (2.3.2.030) Verify that the default passwords on all WLAN client devices have been changed. § 2.3.2 (2.3.2.080) The default value of the WLAN NIC radio shoul… (§ 2.3.1 (2.3.1.080), § 2.3.2 (2.3.2.030), § 2.3.2 (2.3.2.080), The Center for Internet Security Wireless Networking Benchmark, 1)
  • The default SSID should be changed. (§ 1.2 (3.2.1.080), The Center for Internet Security Wireless Networking Benchmark, Apple Addendum, 1)
  • The default SSID should be changed from the default. (§ 1.2 (2.3.1.080), The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, 1)
  • The default SSID should be changed from the default. (§ 1.2 (2.3.1.080), The Center for Internet Security Wireless Networking Benchmark, DLINK Addendum, 1)
  • The organization should change the vendor default password before placing the router in a production environment. Harden an application server after installation. Rename built-in accounts, and change the password. (§ 3-3, § 3-13, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003)
  • Change default settings and securely configure wireless devices (4.2, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Are vendor-supplied defaults always changed before installing a system on the network? (2.1(a), Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance; Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced, Version 3.2)
  • Interview personnel and examine documentation to verify all vendor defaults are changed before a system is installed on the network. (Testing Procedures § 2.1.c Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the vendor documentation and observe the wireless configuration settings to verify any other wireless vendor defaults that are related to security have been changed. (Testing Procedures § 2.1.1.e, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Verify the system configuration standards include procedures for changing all vendor-supplied defaults on all system components. (Testing Procedures § 2.2.d Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. (§ 2.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify the user ID of any application process is not a privileged user (root/admin). (§ A.1.2.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Vendor-supplied defaults for system passwords and other security parameters must not be used. (PCI DSS Requirements § 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Vendor-supplied defaults must be changed before installing a system on the network. (PCI DSS Requirements § 2.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. (2.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. (2.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. (2.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system a… (2.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. (2.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. (2.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Do not use vendor-supplied defaults for system passwords and other security parameters (Requirement 2:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are vendor-supplied defaults always changed before installing a system on the network? (2.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are vendor-supplied defaults always changed before installing a system on the network? (2.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • For wireless environments connected to the cardholder data environment or transmitting cardholder data, are ALL wireless vendor defaults changed at installations, as follows: (2.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Are vendor-supplied defaults always changed before installing a system on the network? (2.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Are other security-related wireless vendor defaults changed, if applicable? (2.1.1 (e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Are vendor-supplied defaults always changed before installing a system on the network? (2.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Are other security-related wireless vendor defaults changed, if applicable? (2.1.1(e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Do not use vendor-supplied defaults for system passwords and other security parameters (Requirement 2:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • For wireless environments connected to the cardholder data environment or transmitting cardholder data, are ALL wireless vendor defaults changed at installations, as follows: (2.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are other security-related wireless vendor defaults changed, if applicable? (2.1.1 (e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are vendor-supplied defaults always changed before installing a system on the network? (2.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are other security-related wireless vendor defaults changed, if applicable? (2.1.1(e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Do not use vendor-supplied defaults for system passwords and other security parameters (Requirement 2:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are vendor-supplied defaults always changed before installing a system on the network? (2.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • For wireless environments connected to the cardholder data environment or transmitting cardholder data, are ALL wireless vendor defaults changed at installations, as follows: (2.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are other security-related wireless vendor defaults changed, if applicable? (2.1.1 (e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are vendor-supplied defaults always changed before installing a system on the network? (2.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Are other security-related wireless vendor defaults changed, if applicable? (2.1.1(e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Do not use vendor-supplied defaults for system passwords and other security parameters (Requirement 2:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • For wireless environments connected to the cardholder data environment or transmitting cardholder data, are ALL wireless vendor defaults changed at installations, as follows: (2.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are vendor-supplied defaults always changed before installing a system on the network? (2.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are other security-related wireless vendor defaults changed, if applicable? (2.1.1 (e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are vendor-supplied defaults always changed before installing a system on the network? (2.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • For wireless environments connected to the cardholder data environment or transmitting cardholder data, are ALL wireless vendor defaults changed at installations, as follows: (2.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are other security-related wireless vendor defaults changed, if applicable? (2.1.1(e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are other security-related wireless vendor defaults changed, if applicable? (2.1.1 (e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are other security-related wireless vendor defaults changed, if applicable? (2.1.1(e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same ser… (2.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are vendor-supplied defaults always changed before installing a system on the network? (2.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine vendor documentation and observe wireless configuration settings to verify other security-related wireless vendor defaults were changed, if applicable. (2.1.1.e, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine vendor documentation and observe wireless configuration settings to verify firmware on wireless devices is updated to support strong encryption for: - Authentication over wireless networks - Transmission over wireless networks. (2.1.1.d, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Interview personnel and examine supporting documentation to verify that: - All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) a… (2.1.c, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, app… (2.1.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • § 4.2.1.A Enable Wi-Fi Protected Access (WPA or WPA2) and make sure that default PSKs are changed for Access Points. Enterprise mode is recommended. § 4.2.1.B Disable SNMP access to remote Access Points (APs) if possible. If not, change default SNMP passwords and use SNMPv3 with authentication and… (§ 4.2.1.A, § 4.2.1.B, § 4.2.1.D, § 4.2.1.E, § 4.4.1.A, § 4.4.1.B, § 4.4.1.C, § 4.6.1.B, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Any organization running a wireless application connected to an environment with cardholder data should verify all vendor defaults in the environment have been changed. (§ 6.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Any other security-related wireless vendor defaults. (2.3.1 Bullet 4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure, including but not limited to: (2.3.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine policies and procedures and interview responsible personnel to verify that processes are defined for wireless vendor defaults to either change them upon installation or to confirm them to be secure in accordance with all elements of this requirement. (2.3.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine vendor documentation and wireless configuration settings to verify other security-related wireless vendor defaults were changed, if applicable. (2.3.1.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are vendor-supplied defaults always changed before installing a system on the network? (PCI DSS Question 2.1(a), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Do system configuration standards include changing of all vendor-supplied defaults and elimination of unnecessary default accounts? (PCI DSS Question 2.2(d) Bullet 1, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are vendor-supplied defaults always changed before installing a system on the network? (PCI DSS Question 2.1(a), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • For wireless environments connected to the cardholder data environment or transmitting cardholder data, are other security-related wireless vendor defaults changed, if applicable? (PCI DSS Question 2.1.1(e), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Are vendor-supplied defaults always changed before installing a system on the network? (PCI DSS Question 2.1(a), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • For wireless environments connected to the cardholder data environment or transmitting cardholder data, are other security-related wireless vendor defaults changed, if applicable? (PCI DSS Question 2.1.1(e), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Do system configuration standards include changing of all vendor-supplied defaults and elimination of unnecessary default accounts? (PCI DSS Question 2.2(d) Bullet 1, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are vendor-supplied defaults always changed before installing a system on the network? (PCI DSS Question 2.1(a), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • For wireless environments connected to the cardholder data environment or transmitting cardholder data, are other security-related wireless vendor defaults changed, if applicable? (PCI DSS Question 2.1.1(e), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are vendor-supplied defaults always changed before installing a system on the network? (PCI DSS Question 2.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • For wireless environments connected to the cardholder data environment or transmitting cardholder data, are other security-related wireless vendor defaults changed, if applicable? (PCI DSS Question 2.1.1(e), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Do system configuration standards include changing of all vendor-supplied defaults and elimination of unnecessary default accounts? (PCI DSS Question 2.2(d) Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are vendor-supplied defaults always changed before installing a system on the network? (PCI DSS Question 2.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • For wireless environments connected to the cardholder data environment or transmitting cardholder data, are other security-related wireless vendor defaults changed, if applicable? (PCI DSS Question 2.1.1(e), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Do system configuration standards include changing of all vendor-supplied defaults and elimination of unnecessary default accounts? (PCI DSS Question 2.2(d) Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure, including but not limited to: (2.3.1, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Any other security-related wireless vendor defaults. (2.3.1 Bullet 4, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure, including but not limited to: (2.3.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Any other security-related wireless vendor defaults. (2.3.1 Bullet 4, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure, including but not limited to: (2.3.1, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Any other security-related wireless vendor defaults. (2.3.1 Bullet 4, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure, including but not limited to: (2.3.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Any other security-related wireless vendor defaults. (2.3.1 Bullet 4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Any other security-related wireless vendor defaults. (2.3.1 ¶ 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure, including but not limited to: (2.3.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The default administration account and personal identification number (PIN) on the private branch exchange (PBX) and the remote maintenance port (RMAT) should be immediately changed after installation to a new administration account, and the default account and PIN should be deleted. (Pg 11-V-3, Pg 11-V-5, Protection of Assets Manual, ASIS International)
  • Servers should be protected against unauthorized access by changing important security-related parameters (e.g., passwords) to be different from the defaults set by suppliers. (CF.07.02.05b, The Standard of Good Practice for Information Security)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to protect wireless network environments, including the following: - Perimeter firewalls implemented and configured to restrict unauthorized traffic - Security settings enabled with … (IVS-12, Cloud Controls Matrix, v3.0)
  • When new software or systems are installed, the vendor supplied passwords should be changed immediately. (§ 11.2.3, ISO 27002 Code of practice for information security management, 2005)
  • When encryption tools are managed and maintained for scoped data, are the default certificates furnished by vendors replaced with proprietary certificates? (§ I.6.8, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • For Oracle, the organization must, for certain version specific Oracle environments, drop the user, lock the user account, or change the default password on the default accounts. (Table F-9, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 2.9.19: The organization must replace all vendor-supplied passwords immediately. CSR 3.6.2: The organization must remove, disable, or reinitialize all vendor-supplied default logins, passwords, and security parameters. (CSR 2.9.19, CSR 3.6.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • UNIX and many software applications come with default passwords and default accounts, like bin, lib, uucp, and more. The system administrator should ensure all system default accounts, except root, are disabled by locking the password and making the default shell either /bin/false, /usr/bin/false, /… (§ 3.15, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
  • The information assurance officer must ensure that default combinations and Personal Identification Numbers used for installation are changed after installing the device on production systems. (§ 3.5.5 ¶ AC35.015, DISA Access Control STIG, Version 2, Release 3)
  • The manufacturer's default passwords must be changed on all devices used for remote access. (§ 6.2, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • SSIDs should be changed from the manufacturer's default value to a word consisting of upper case letters, lower case letters, numbers, and special characters that does not identify the unit or organization. Examine device configurations to ensure the SSID has been changed to a word that does not id… (§ 3.1 (WIR0140), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2)
  • § 2.2 (WIR1250) Implement wireless e-mail servers and handheld configuration settings. § 3.5.2 The default local machine account name generated during the installation of the Sensa Management Server should be changed. (§ 2.2 (WIR1250), § 3.5.2, DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • The default passwords and SNMP community strings of all management services should be changed for a MFD or printer. (MFD02.001, Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3)
  • The organization must remove or change all default, factory set, and standard User IDs and passwords. (IAIA-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The organization must remove or change all default, factory set, and standard User IDs and passwords. (IAIA-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Default passwords on software must be changed before allowing users to gain access to the program. (§ 8-303.i, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • An agency shall change the Bluetooth device's default settings to meet the organization's security policy. (§ 5.5.7.4 ¶ 4(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The default self-identifying name or discoverable name should be changed on Bluetooth devices to an anonymous unidentifiable name. (§ 5.5.7.4 ¶ 4(7), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Ensure the reset function on APs is used only when needed and is only invoked by authorized personnel. Restore the APs to the latest security settings, when the reset functions are used, to ensure the factory default settings are not utilized. (§ 5.13.1.1 ¶ 2(7), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Provide the ability to change and disable default application accounts upon installation. (App A Objective 6.27.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • (AC-3.2, SS-1.2, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The organization must change default passwords immediately after system installation. (Exhibit 4 IA-5, Exhibit 8 Control 12, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Have the default network Internet Protocol addresses for the Wireless Local Area Network access points, wireless routers, and wireless bridges been changed? (IT - WLANS Q 9g, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation. (IA-5(5) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Organizational records and documents should be examined to ensure all default authenticators have been changed since the initial installation. (IA-5.3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization should change the default settings of all Bluetooth devices in accordance with the organization's security policy. The Bluetooth's self-identifying name should be changed to an unidentifiable, anonymous name. (Pg ES-1, Table 4-2 Item 7, Table 4-2 Item 13, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • § 6.3.3.1 (Configuring Administrator access) The default settings of the AP should be changed in accordance with the organization's security policy. § 6.3.3.2 (Changing the default channel) The default settings of the AP, including the default channel, should be changed in accordance with the organ… (§ 6.3.3.1 (Configuring Administrator access), § 6.3.3.2 (Changing the default channel), § 6.3.3.2 (Changing the SSID), Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
  • The organization should change all factory default settings after installation and, if used, during maintenance. (SG.CM-10 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should replace all default usernames, whenever possible. (SG.CM-10 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should require vendors and/or manufacturers to provide unique authenticators or change the defaults before delivery. (App F § IA-5(5), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation. (IA-5(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation. (IA-5(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation. (IA-5(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation. (IA-5(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation. (IA-5(5) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Change root's home directory. Changing root's home directory (as well as audit's) aids in system administration and could also serve to confuse any automated script that assumes root access begins with the "/" directory. (§ 8.16, NSA Guide to the Secure Configuration of Solaris 9, Version 1.0)