The DMZ (NGINX Server)

The NGINX server is the only part of the Theatre Manager system placed within the DMZ per the network diagram.

Note that cardholder data must never be stored or placed on the NGINX server for any reason; Theatre Manager does not require it there (PCI requirement 1.3.7).

Best Practices for setting up the NGINX Server

  • NGINX should be on a standalone machine in the DMZ.
  • NGINX must be protected by the main firewall rules. Also turn on the built-in firewall on the machine itself (OS X or Windows); only ports 80 and 443 should need to be open.
  • NGINX runs as a service, so it starts automatically upon reboot.
    • This means nobody needs to log in to the machine at all.
    • Do not allow anybody to access this machine except under controlled circumstances.
    • In any case, configure the screen saver to require a password once it activates.
  • Turn off Windows Update or OS X Software Update.
    • Instead, perform regular maintenance at a time of your choosing (every second Monday, for example, and more often if the news reports critical viruses) to download and install updates.
    • For 24/7 web sales service, it is important that the NGINX server run constantly and only be maintained at a time of your choosing.
  • Remove access to Outlook and/or other mail clients on the machine.
  • Make sure that internet access through Internet Explorer or any other browser on that machine is limited to certain URLs.
  • Virus protection should be implemented on this machine:
    • This machine only responds to requests from the internet via NGINX; it does not actively access anything on the internet using a browser or read email, so the risk of acquiring viruses is very minimal.
    • If you put a virus scanner on it, set it to scan the hard drive once or twice a day, preferably early morning or at a time of day when online sales are expected to be at their minimum. Some antivirus applications are CPU-intensive and can severely slow down NGINX's response time to web requests.
    • Don't scan incoming requests from the internet to NGINX on ports 80 or 443, because those are the working ports for NGINX.
    • Deploy anti-virus software on all systems commonly affected by malicious software, particularly personal computers and file servers (PCI requirement 5.1).
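As an added check for the "only ports 80 and 443 should be open" rule above (example script, not part of the Theatre Manager documentation), the following POSIX shell function audits the listening TCP sockets on the DMZ host and flags anything reachable from the network on another port. It assumes a Linux host with `ss`; the sample socket listing embedded below is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the Theatre Manager documentation): list the TCP
# listeners on the DMZ NGINX host and report any non-loopback listener that is
# not on port 80 or 443. Assumes the output format of `ss -ltnH` on Linux.

ALLOWED_PORTS="80 443"

# Reads `ss -ltnH`-style lines on stdin:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port [Process]
# Returns 0 when every externally reachable listener is on an allowed port;
# otherwise prints the offenders and returns 1.
audit_listeners() {
    offenders=""
    while read -r state recvq sendq laddr peer rest; do
        [ -n "$laddr" ] || continue
        port=${laddr##*:}          # text after the last colon
        addr=${laddr%:*}           # everything before it (IPv4 or [IPv6])
        # Loopback-only listeners are not reachable from the internet.
        case "$addr" in
            127.*|'[::1]') continue ;;
        esac
        allowed=0
        for p in $ALLOWED_PORTS; do
            [ "$port" = "$p" ] && allowed=1
        done
        [ "$allowed" -eq 1 ] || offenders="$offenders $addr:$port"
    done
    if [ -n "$offenders" ]; then
        echo "Unexpected listeners:$offenders"
        return 1
    fi
    return 0
}

# Constructed sample listing: NGINX on 80/443, a loopback-only database port,
# and a Remote Desktop listener (3389) that the audit should flag.
# On a live host, run:  ss -ltnH | audit_listeners
SAMPLE='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3389 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*'

if printf '%s\n' "$SAMPLE" | audit_listeners; then
    echo "Audit passed: only ports $ALLOWED_PORTS are exposed"
else
    echo "Audit failed: close or firewall the ports listed above"
fi
```

Run it from a maintenance window on the NGINX machine; anything it lists besides 80 and 443 is a port the host firewall should not be exposing.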