Tune Plesk to Meet PCI DSS on Windows

This section describes the steps that you should perform if you want to secure your server and achieve compliance with PCI DSS on a Microsoft Windows-based server.

Important: We highly recommend that you configure the Windows firewall in the server operating system to block all remote procedure calls (RPC) and communications to the Windows Management Instrumentation (WMI) services.

Securing Remote Desktop connections

Set up encryption of the remote desktop connections to prevent man-in-the-middle attacks. For instructions, refer to http://technet.microsoft.com/en-us/library/cc782610.aspx.

Changing Remote Desktop connections port

Some PCI scanners report a man-in-the-middle attack if you do not change the RDP port to a custom value. To do it, complete the following steps:

Run the regedit utility by clicking Start > Run, typing regedit, and then clicking OK.
Change the port value by modifying the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber

Prohibiting access to MySQL database server from external addresses

Use the firewall functions built into your Plesk.

Log in to Plesk as administrator.
Go to Tools & Settings > Firewall.
Go To the Firewall Rules tab.
Click the icon to switch the Plesk MySQL server rule. The icon will turn to .

Switching off weak SSL/TLS ciphers for Web server in Plesk for Microsoft Windows Server 2003 and 2008

Copy the following text to the clipboard:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]

"Enabled"=dword:00000000
Log in to the server over a Remote Desktop connection.
In the server's operating system, open Notepad or any other text editor and create a file with the reg extension.
Paste the text from the clipboard into this file.
Save the file.
Double-click the file to open it.
When prompted, confirm addition of new keys to the registry.
Restart the operating system.

Note: Some applications on the server that use weak SSL/TLS ciphers and protocols may stop working.

Securing FTP connections

If you allow FTP connections to your server, you must prohibit all FTP connections except secure FTPS connections.

To allow only FTPS connections to your server:

Go to Tools & Settings > Security Policy.
Select the option Allow only secure FTPS connections for FTPS usage policy.