
I am just wondering if anyone knows of any reason why using psexec would cause the failure of a PCI DSS audit.

I have never been able to find information, though I have always been told that it can't be used by administrators on anything in the CDE, or surrounding environment.

I am wondering if the FUD is to do with the Metasploit script of the same name? Not sure what that does, but I've heard that it may have caused confusion.

Could anyone shed any light on whether this can be used legitimately or whether it is highly frowned upon/banned?

To put it into perspective, psexec gets treated the same as telnet being enabled on devices, such as printers, etc.

Thanks

89okl

1 Answer


psexec has multiple issues which make it inappropriate for use in a reasonably secure environment:

  1. It's not encrypted.
  2. It requires administrative shares to be made available.
  3. It has a mode which can trivially expose a backdoor administrative command prompt to the world.

And probably other issues I can't think of right now.


If your environment is sufficiently modern (everything is 2008 or later), you can use PowerShell remoting in its place. This runs over WinRM with HTTPS transport by default and doesn't require you to reduce your security.

Michael Hampton
  • Thanks for the answer. I thought that as much, though, do you know of anything specific in the standard, or what a QSA would specify? – 89okl Feb 04 '14 at 21:46
  • Directly from the standard: "2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access." – Michael Hampton Feb 06 '14 at 17:05
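The answer recommends PowerShell remoting over WinRM with an HTTPS transport as the replacement for psexec. The following is an added example, not code from the question or the answer, showing how an administrator would verify that a managed host only exposes a TLS-protected WinRM listener and how to add one if it is missing. The certificate thumbprint and the remote hostname are placeholders; it assumes a server-authentication certificate for the host has already been installed in the machine store and that the script runs in an elevated session on that host.

```powershell
# Added example (not from the original question or answer): audit WinRM listeners on this
# host, add an HTTPS listener, verify it, and only then retire the plaintext HTTP listener.
# 'PLACEHOLDER_CERT_THUMBPRINT' and 'host.example.internal' are placeholders.

# 1. Enumerate every WinRM listener and flag any that accept plaintext HTTP.
$plaintextPresent = $false
foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
    $props     = Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)"
    $transport = ($props | Where-Object Name -eq 'Transport').Value
    $port      = ($props | Where-Object Name -eq 'Port').Value
    $address   = ($props | Where-Object Name -eq 'Address').Value
    Write-Output ("{0}: Transport={1} Port={2} Address={3}" -f $listener.Name, $transport, $port, $address)
    if ($transport -eq 'HTTP') {
        $plaintextPresent = $true
        Write-Warning "Listener $($listener.Name) accepts unencrypted HTTP on port $port."
    }
}

# 2. Create an HTTPS listener bound to the host's server-authentication certificate.
#    The thumbprint is a placeholder; use the one for the certificate issued to this host.
$thumbprint = 'PLACEHOLDER_CERT_THUMBPRINT'
$httpsExists = Get-ChildItem WSMan:\localhost\Listener | Where-Object {
    (Get-ChildItem "WSMan:\localhost\Listener\$($_.Name)" | Where-Object Name -eq 'Transport').Value -eq 'HTTPS'
}
if (-not $httpsExists) {
    New-WSManInstance -ResourceURI 'winrm/config/Listener' `
        -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet    @{ Hostname = $env:COMPUTERNAME; CertificateThumbprint = $thumbprint }
}

# 3. Confirm the TLS listener answers before touching the HTTP one. Test-WSMan throws if
#    the endpoint is unreachable or the certificate does not validate.
Test-WSMan -ComputerName $env:COMPUTERNAME -UseSSL | Out-Null

# 4. Retire the plaintext listener and refuse unencrypted payloads at the service level.
if ($plaintextPresent) {
    Remove-WSManInstance -ResourceURI 'winrm/config/Listener' `
        -SelectorSet @{ Address = '*'; Transport = 'HTTP' }
}
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false

# 5. From the administrator's workstation, insist on TLS on the client side too, so a
#    downgrade to the HTTP port cannot happen silently (hostname is a placeholder).
Invoke-Command -ComputerName 'host.example.internal' -UseSSL -ScriptBlock { hostname }
```

Step 3 deliberately sits before step 4: removing the HTTP listener on a host you can only reach remotely, before the HTTPS listener has been shown to work, locks you out. Passing -UseSSL on every client call is what actually satisfies the "encrypt all non-console administrative access" requirement quoted in the comments, since without it the client would fall back to the HTTP listener on any host where one still exists.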