[BESAdmin-Announcements] Security Configuration Management - New Content Available!
Announcements for BES Administrators
besadmin-announcements at bigmail.bigfix.com
Thu Apr 16 06:50:28 PDT 2009
BigFix is pleased to announce the availability of several new content
sites that are available within the Security Configuration Management v3
solution module.
BigFix SCM has extended the product content to include new checklists
for the following platforms / standards:
* SCM Checklist for FDCC on Windows Vista
* SCM Checklist for FDCC on Windows Vista Firewall
* SCM Checklist for DISA STIG on Red Hat 5
The product has also achieved another level of certification from the
National Institute of Standards of Technology as an SCAP validated
product for support of FDCC, Patch and Vulnerability, and
Mis-configuration remediation on the Microsoft Vista platform. The
details of this certification can be found on the NIST web site:
http://nvd.nist.gov/validation_bigfix.cfm.
Any customers that currently own the SCMv3 solution module, Security
Configuration and Vulnerability Management (SCVM) solution module, or
SLM+SCVM solution module have access to this new content. New mastheads
are required for these new sites. They can be obtained by contacting
your sales representative or licensing at bigfix.com.
In addition to the new content, BigFix is also updating the Windows 2003
content with a maintenance release. This content update fixes a number
of known issues and bugs within the content. The specific bugs fixed
include:
* [BZ22528] Fixlets 3003, 3007, 3024, 3053, 3055, and 3058 -
seemed to cause the BES Client to hang on Domain Controllers which were
not also Global Catalogs because many WMI calls were generated to Global
Catalogs when relevance using 'local user' or 'local users' was
evaluated.
* [BZ25046] Fixlet 3024 'Right to "Deny logon as a batch job"' -
false positive when enforced by GPO
* [BZ25049] Fixlet 3047 - inconsistent behavior when checking
local policy and GPO
* [BZ24341] Fixlet 3048 - Relevance for "Reset account lockout
counter after" returned true instead of false for more secure setting of
61.
* [BZ24358] Fixlet 3051 "Network security: Force Logoff when
Logon Hours Expire" - relevance returned True instead of False for
recommended value, enabled.
* [BZ24930] Fixlet 3051 'Force logoff when logon hours expire' -
relevance returned True instead of False when recommended value is set.
* [BZ24931] Fixlet 3052 'Enforce password history' - relevance
returned true instead of false for more secure values greater than
recommended setting of 5.
* [BZ24935] Fixlet 3056 'Account lockout threshold' - relevance
returned True instead of False for more secure values.
* [BZ24938] Fixlet 3066 'Smart Card Removal Behavior' -
relevance did not return True for non-recommended settings "1) No
Action" and "2) Disconnect if a remote Terminal Services session" and
did not return False as it should for recommended setting " 3) Force
Logoff"
* [BZ24942] Fixlet 3120 'Optional Subsystems' - the relevance
checks for the existence of the key, not that the key exists and has a
null value.
* [BZ24943] Fixlet 3118 'Do not allow anonymous enumeration of
SAM accounts' - relevance was returning False instead of True for
non-recommended values.
* [BZ25041] Fixlet 3003 'Right to "Deny access to this computer
from the network"' - relevance returned True instead of false for
recommended settings when enforced by GPO.
* [BZ25048] Fixlet 3044 ' Minimum password age' - relevance
returned results that are inconsistent when enforced by local policy
versus GPO.
* [BZ25057] Fixlet 3048 ' Reset account lockout counter after
defined period' - relevance returned True instead of False for
recommended values and False instead of True for non-recommended values.
* [BZ24338] Fixlet 3046 - Relevance for "anonymous SID/Name
Translation" returned False instead of True for non-recommended value of
enabled.
* [BZ24370] Fixlet 3076 'Restrict null session access setting' -
relevance returned False instead of True for values which are not
recommended.
* [BZ24932] Fixlet 3254 'Minimum password length' - relevance
returned True instead of False for more secure values greater than
minimum recommended value.
* [BZ24936] Fixlet 3058 'Rename Guest account' - relevance
returned True when it should be returning False, and False when it
should be returning True.
* [BZ24946] Fixlet 3181 'System Log Retention Method' -
relevance returned True instead of False when set to recommended value.
* [BZ25050] Fixlet 3182 'System Log maximum size' - relevance
returned True instead of False for recommended values when enforced
through the GPO.
* [BZ25051] Fixlet 3179 'Security Log maximum size' - relevance
returned True instead of False for recommended values when enforced
through the GPO.
* [BZ24327] Fixlet 3044 - 'minimum password age' - relevance
returned True instead of False for more secure recommended values.
* [BZ24332] Fixlet 3045 - 'Account lockout duration' - relevance
returned True instead of False for more secure recommended values.
* [BZ24340] Fixlet 3047 - "passwords must meet complexity
requirements" - relevance returned true instead of false when set to
recommended value enabled.
* [BZ24354] Fixlet 3050 "maximum password age" - relevance
returned true instead of false when set to more secure values under
recommended 60 days.
* [BZ24359] Fixlet 3052 'Enforce password history' - returned
True instead of False for values higher and more secure than the
recommended 6 days.
* [BZ24363] Fixlet 3054 "Minimum password length" - relevance
returned True instead of False for more secure values over recommended
value of 9 characters.
* [BZ24368] Fixlet 3074 "Devices: Unsigned driver installation
behavior" - relevance returned True instead of False for more secure
value of 2 (do not allow installation).
* [BZ24391] Services Fixlets 3183-3267 - relevance returned
False instead of True when service startup type is set to other than
recommend value, disabled (4).
* [BZ24405] Services Fixlets 3183-3267 - relevance checks and
action script remediates the SACL when there is no requirement for it.
* [BZ25058] Fixlet 3050 'Maximum password age' - relevance
returned False instead of True when non-recommended value 'disabled' is
enforced by GPO.
* [BZ18642] SCM W2K3 content - The "Source" field of each Fixlet
is defined as "DISA" when it should be "Windows Server 2003 Checklist
6.1.2"
* [BZ18532] SCM Windows 2003 DISA STIG site, - in the Control
Parameterization tasks that have the Upper Bound, Lower Bound, etc
values, there is a typo: "Default Operator" should be "Default Operator"
* [BZ18545] SCM content - false positives for NullSessionShares,
NullSessionPipes. The relevance would return true if an empty string
value exists in the registry for NullSessionShares
* [BZ18546] Bug in SCM content - Fixlet 3181, 3232, 3234, 3233,
3235, 3198, 3200,. . . have 'MACHINE' instead of 'HKEY_LOCAL_MACHINE'.
* [BZ18547] SCM content 3198, 3200, 3168, 3190, 3218, etc. -
description has registry value as part of registry key name key name.
BES administrators are encouraged to verify open actions and synchronize
baselines that contain the modified content. Instructions for
synchronizing baselines can be found here:
http://support.bigfix.com/cgi-bin/kbdirect.pl?id=401. Please contact
BigFix Technical Support if you have any questions regarding this
change.
If you are using custom sites, you will need to update the content in
those sites with the content in the BigFix out of the box sites.
Regards,
Jim
--------------------------------------------------
Jim Hansen
Sr. Product Manager - Security, Compliance, Mobile
BigFix, Inc.
[O] 510.740.0309
[M] 510.415.1527
[E] <mailto:jim_hansen at bigfix.com> jim_hansen at bigfix.com
BigFix - IT Just Works
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://bigmail.bigfix.com/pipermail/besadmin-announcements/attachments/20090416/18ac4c26/attachment.htm
More information about the Besadmin-announcements
mailing list