PSTools psexec and PCI

89okl asked:

I am just wondering if anyone knows of any reason why using psexec would cause the failure of a PCI DSS audit.

I have never been able to find information, though have always been told that it can’t be used by administrators on anything in the CDE, or surrounding environment.

I am wondering if the FUD is to do with the MetaSpolit script of the same name? Not sure what that does, but I’ve heard that it may have caused confusion.

Could anyone shed any light on whether this can be used legitimately or whether it is highly frowned upon/banned?

To put it into perspective, psexec gets treated the same as telnet being enabled on devices, such as printers, etc.


My answer:

psexec has multiple issues which make it inappropriate for use in a reasonably secure environment:

  1. It’s not encrypted.
  2. It requires administrative shares to be made available.
  3. It has a mode which can trivially expose a backdoor administrative command prompt to the world.

And probably other issues I can’t think of right now.

If your environment is sufficiently modern (everything is 2008 or later), you can use PowerShell remoting in its place. This runs over WinRM with HTTPS transport by default and doesn’t require you to reduce your security.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.