[BESAdmin-Announcements] IBM BigFix Compliance PCI Add-on: Updated Content: PCI DSS Checklists for several Windows operating systems published 2016-07-07

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Thu Jul 7 10:40:20 PDT 2016


Product:
IBM BigFix Compliance PCI Add-on

Title:
Updated Security Configuration Management (SCM) PCI DSS Checklists for 
Windows 2008, Windows 2012, Windows 7, Windows Embedded POSReady 7, and 
Windows Embedded Standard 7 to comply with PCI DSS v3.2

Category:
Updated SCM checklist

Published Benchmark:
Payment Card Industry Data Security Standard v3.2

Details:
The IBM BigFix Compliance PCI Add-on team has updated the content for the 
Payment Card Industry Data Security Standard (PCI DSS) checklists for 
Windows 2008, Windows 2012, Windows 7, Windows Embedded POSReady 7, and 
Windows Embedded Standard 7 to comply with PCI DSS v3.2, as well as to 
include other enhancements. Details are as follows.
PCI DSS v3.2 support:
PCI DSS Requirements and Security Assessment Procedures v3.2 is supported 
in the identified Windows checklists. Existing checks are updated to align 
with the new standard, and new checks are added to cover the new 
requirements. 
The following PCI DSS v3.2 specific checks are added to the checklists:
o       “PCI DSS v3.2: Verify that Security Policy "Windows Firewall: Log 
successful connection(Private)" is set to Yes” (pcidss-10.8.b.1)
o       “PCI DSS v3.2: Verify that Security Policy "Windows Firewall: Log 
successful connection(Public)" is set to Yes” (pcidss-10.8.b.2)
o       “PCI DSS v3.2: Verify that Security Policy "Windows Firewall: Log 
successful connection(Domain)" is set to Yes” (pcidss-10.8.b.3)
o       “PCI DSS v3.2: Verify that "Audit Policy: Policy Change: MPSSVC 
Rule-Level Policy Change" is set to 'Success, Failure'” (pcidss-10.8.b.4)
o       “PCI DSS v3.2: Verify that "Audit Policy: Detailed Tracking: 
Process Termination" is set to Success” (pcidss-10.8.b.6)
o       “PCI DSS v3.2: Verify that System Directory(Program Files (x86)) 
Ownership is set to 'Administrators'” (pcidss-10.8.b.7)
o       “PCI DSS v3.2: Verify that System Directory(Program Files) 
Ownership is set to 'Administrators'” (pcidss-10.8.b.8)
o       “PCI DSS v3.2: Verify that System Directory(Windows) Ownership is 
set to 'Administrators'” (pcidss-10.8.b.9)
Note: The manual remediation steps for the last three checks listed above 
are specific to the operating system; the steps for Windows 2012 therefore 
differ slightly from those for the other Windows platforms.
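The following script is an added example and not part of this announcement or of the add-on's own check content. It spot-checks, from an elevated PowerShell session on one of the listed Windows platforms, the same settings that the PCI DSS v3.2 checks pcidss-10.8.b.1 to pcidss-10.8.b.9 above evaluate: firewall success logging per profile, the two audit subcategories, and ownership of the three system directories. The expected values, the netsh and auditpol output formats parsed, and the registry-free approach are this example's assumptions, not a description of the BigFix relevance.

```powershell
# Added example (not IBM BigFix content): local spot-check for pcidss-10.8.b.1 .. 10.8.b.9.
# Works with PowerShell 2.0+ (Windows 7 / 2008 / 2012); run elevated.

$results = @()

# 10.8.b.1-3: "Windows Firewall: Log successful connection" for each profile.
# netsh reports the effective setting (local or GPO-applied) as LogAllowedConnections.
# Caveat: netsh output is localized; the regex assumes an English-language system.
foreach ($profile in 'Private', 'Public', 'Domain') {
    $out = netsh advfirewall show "$($profile.ToLower())profile"
    $actual = 'unknown'
    foreach ($line in $out) {
        if ($line -match '^\s*LogAllowedConnections\s+(\S+)') { $actual = $Matches[1] }
    }
    $results += New-Object PSObject -Property @{
        Check  = "Windows Firewall: Log successful connection ($profile)"
        Actual = $actual
        Pass   = ($actual -eq 'Enable')
    }
}

# 10.8.b.4 and 10.8.b.6: advanced audit policy subcategories. auditpol /r emits CSV whose
# "Inclusion Setting" column is "Success", "Failure", "Success and Failure" or "No Auditing".
$audit = @{
    'Policy Change: MPSSVC Rule-Level Policy Change' = 'Success and Failure'
    'Detailed Tracking: Process Termination'         = 'Success'
}
foreach ($entry in $audit.GetEnumerator()) {
    $sub = ($entry.Key -split ': ')[1]
    $row = auditpol /get "/subcategory:$sub" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'unknown' }
    # This example treats "Success and Failure" as satisfying a check that asks for Success.
    $pass = ($actual -eq $entry.Value) -or
            ($entry.Value -eq 'Success' -and $actual -eq 'Success and Failure')
    $results += New-Object PSObject -Property @{
        Check  = "Audit Policy: $($entry.Key)"
        Actual = $actual
        Pass   = $pass
    }
}

# 10.8.b.7-9: the system directories must be owned by the Administrators group.
# Caveat: on these platforms the default owner is NT SERVICE\TrustedInstaller, so this
# fails on an unmodified system until the checklist's manual remediation is applied.
$dirs = @(
    @{ Name = 'Program Files (x86)'; Path = [Environment]::GetEnvironmentVariable('ProgramFiles(x86)') },
    @{ Name = 'Program Files';       Path = $env:ProgramFiles },
    @{ Name = 'Windows';             Path = $env:SystemRoot }
)
foreach ($d in $dirs) {
    if (-not $d.Path) { continue }    # Program Files (x86) exists only on 64-bit Windows
    $owner = (Get-Acl -Path $d.Path).Owner
    $results += New-Object PSObject -Property @{
        Check  = "System Directory($($d.Name)) Ownership"
        Actual = $owner
        Pass   = ($owner -eq 'BUILTIN\Administrators')
    }
}

$results | Format-Table Check, Actual, Pass -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

The script exits non-zero when any check fails, so it can be used as a quick pre-flight before or after deploying the checklist's remediation; it does not replace the checklist itself, which evaluates these settings through BigFix relevance and reports them centrally.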
Other enhancements:
The TLS and SSL checks that no longer comply with the PCI DSS benchmark are 
removed from the identified Windows checklists.
Mandatory checks related to TLS and SSL are renamed to match the PCI DSS 
benchmark. The renamed checks in the identified checklists include: 
o       “Verify that "Microsoft FTP Publishing Service" is set to 
Disabled” (pcidss-2.2.3.9) 
o       “Verify that ports using SSL/TLS are configured only to use TLS 
v1.2” (pcidss-4.1.g)
The check named “Turn off support for Transport Layer Security (TLS) 1.0, 
TLS 1.1, Secure Sockets Layer (SSL) 2.0, 3.0” (pcidss-4.1.g) is added to 
the identified Windows checklists.
The following checks are added to the Windows 2008, Windows 7, Windows 
Embedded POSReady 7, and Windows Embedded Standard 7 checklists to extend 
the coverage for the PCI DSS benchmark:
o        “Verify that "Interactive logon: Number of previous logons to 
cache (in case domain controller is not available)" is set to '4 or fewer 
logon(s)'” (pcidss-3.1.a)
o       “Verify that "Interactive logon: Message title for users 
attempting to log on" is configured” (pcidss-2.2.4.c.15)
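The following script is an added example and not part of this announcement or of the add-on's own check content. It spot-checks the registry-backed settings behind the TLS/SSL check pcidss-4.1.g and the two newly added checks pcidss-3.1.a and pcidss-2.2.4.c.15 above. The SCHANNEL, Winlogon and Policies\System paths are the standard Windows locations for these settings; the expected values are this example's reading of the check titles, not a description of the BigFix relevance.

```powershell
# Added example (not IBM BigFix content): registry spot-check for pcidss-4.1.g,
# pcidss-3.1.a and pcidss-2.2.4.c.15. PowerShell 2.0+ (Windows 7 / 2008 / 2012); run elevated.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, so "not configured" stays distinguishable.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Format-Value([object]$Value) {
    if ($null -eq $Value) { '<absent>' } else { "$Value" }
}

$results  = @()
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# pcidss-4.1.g: SSL 2.0/3.0 and TLS 1.0/1.1 must be explicitly off on both the Client and
# Server side of SChannel (Enabled=0, DisabledByDefault=1). Absent keys mean the OS default
# applies; this example treats that as "not explicitly disabled" and fails the check.
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Client', 'Server') {
        $key = "$schannel\$proto\$side"
        $enabled           = Get-RegValue $key 'Enabled'
        $disabledByDefault = Get-RegValue $key 'DisabledByDefault'
        $results += New-Object PSObject -Property @{
            Check  = "Turn off $proto ($side)"
            Actual = "Enabled=$(Format-Value $enabled) DisabledByDefault=$(Format-Value $disabledByDefault)"
            Pass   = ($enabled -eq 0 -and $disabledByDefault -eq 1)
        }
    }
}

# TLS 1.2 must remain available: fail only if it has been explicitly switched off.
foreach ($side in 'Client', 'Server') {
    $key = "$schannel\TLS 1.2\$side"
    $enabled           = Get-RegValue $key 'Enabled'
    $disabledByDefault = Get-RegValue $key 'DisabledByDefault'
    $results += New-Object PSObject -Property @{
        Check  = "TLS 1.2 available ($side)"
        Actual = "Enabled=$(Format-Value $enabled) DisabledByDefault=$(Format-Value $disabledByDefault)"
        Pass   = -not ($enabled -eq 0 -or $disabledByDefault -eq 1)
    }
}

# pcidss-3.1.a: cached domain logons. REG_SZ, default "10"; the check requires 4 or fewer.
$cached    = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
$cachedInt = if ($null -eq $cached) { 10 } else { [int]$cached }
$results += New-Object PSObject -Property @{
    Check  = 'Interactive logon: Number of previous logons to cache'
    Actual = $cachedInt
    Pass   = ($cachedInt -le 4)
}

# pcidss-2.2.4.c.15: logon banner title. The check only requires that one is configured.
$caption = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LegalNoticeCaption'
$results += New-Object PSObject -Property @{
    Check  = 'Interactive logon: Message title for users attempting to log on'
    Actual = Format-Value $caption
    Pass   = -not [string]::IsNullOrEmpty($caption)
}

$results | Format-Table Check, Actual, Pass -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

Two caveats when reading the result: SCHANNEL registry values take effect only after a reboot and govern only software that uses the Windows TLS stack (IIS, RDP, .NET and WinHTTP clients); a service with its own TLS library is configured separately. Verifying that "ports using SSL/TLS are configured only to use TLS v1.2" in the strict sense means probing each listening port with a TLS client, which the registry check above does not do.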
The following checks are updated in the Windows Embedded Standard 7 and 
Windows Embedded POSReady 7 checklists to resolve APAR IV85006 (Long 
Evaluation Cycle Time): 
o       “Verify that Administrator account is renamed on the system” 
(pcidss-2.1.b_1)
o       “Verify that Guest account is renamed on the system” 
(pcidss-2.1.b_2)
o       “Verify that Administrator account on the system is set to 
Disabled” (pcidss-2.1.b_3) 
o       “Verify that Guest account on the system is set to Disabled” 
(pcidss-2.1.b_4)
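The following script is an added example and not part of this announcement or of the add-on's own check content. It shows how the four built-in account checks above (pcidss-2.1.b_1 to pcidss-2.1.b_4) can be evaluated locally: the Administrator and Guest accounts are located by their well-known relative identifiers (RID 500 and 501) instead of by name, so a renamed account is still found and the "renamed" condition can be tested. It uses WMI rather than Get-LocalUser because the latter requires PowerShell 5.1, which Windows 7, 2008 and 2012 do not ship with. The expected values are this example's reading of the check titles, not a description of the BigFix relevance or of the APAR fix.

```powershell
# Added example (not IBM BigFix content): local spot-check for pcidss-2.1.b_1 .. 2.1.b_4.
# PowerShell 2.0+ (Windows 7 / 2008 / 2012 / Embedded Standard 7 / POSReady 7); run elevated.

function Get-BuiltinAccountState {
    # The LocalAccount=True filter matters for run time: without it, WMI also enumerates
    # domain accounts on a domain-joined host, which can take a very long time.
    $accounts = Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True'
    $rows = @()
    $builtins = @(
        @{ Rid = 500; Default = 'Administrator' },
        @{ Rid = 501; Default = 'Guest' }
    )
    foreach ($builtin in $builtins) {
        # Local account SIDs are <machine SID>-<RID>; the RID identifies the built-in account.
        $acct = $accounts | Where-Object { $_.SID -like "S-1-5-21-*-$($builtin.Rid)" }
        if (-not $acct) {
            $rows += New-Object PSObject -Property @{
                Account = $builtin.Default; Name = '<not found>'; Renamed = $false; Disabled = $false
            }
            continue
        }
        $rows += New-Object PSObject -Property @{
            Account  = $builtin.Default                   # which built-in account (by RID)
            Name     = $acct.Name                         # its current name
            Renamed  = ($acct.Name -ne $builtin.Default)  # pcidss-2.1.b_1 / _2
            Disabled = [bool]$acct.Disabled               # pcidss-2.1.b_3 / _4
        }
    }
    $rows
}

$state = Get-BuiltinAccountState
$state | Format-Table Account, Name, Renamed, Disabled -AutoSize
$failed = $state | Where-Object { -not ($_.Renamed -and $_.Disabled) }
if ($failed) { exit 1 } else { exit 0 }
```

The RID-based lookup is the part worth keeping: a check that looks for an account literally named "Administrator" reports a pass as soon as the account is renamed, whether or not it was also disabled, while the lookup above keeps both conditions visible for the real built-in account.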

Published Site:
PCI DSS Checklist for Windows 2008, version 8
PCI DSS Checklist for Windows 2012, version 8
PCI DSS Checklist for Windows 7, version 6
PCI DSS Checklist for Windows Embedded POSReady 7, version 5
PCI DSS Checklist for Windows Embedded Standard 7, version 3
*The site version is provided for air-gap customers.

Actions to Take:
If you use custom sites, update your custom sites accordingly to use the 
latest content. You can synchronize your content by using the Synchronize 
Custom Checks wizard. For more information, see https://ibm.biz/Bd4LBt.
If you have not subscribed to the sites above, you can use the License 
Overview dashboard to enable and gather them. Note that you must be 
entitled to the new content and must be running IBM BigFix version 9.0 or 
later.
If you were involved in the Early Access Program for IBM BigFix Compliance 
PCI Add-on, unsubscribe from the beta sites to avoid conflicts with the 
production sites. If you do not unsubscribe from the beta sites, the content 
in the production sites will fail.


More information:
Please note that PCI DSS v3.2 support for the existing PCI checklists for 
other supported platforms will be available soon. Stay tuned for future 
announcements.

For more information about the IBM BigFix Compliance SCM checklists, see:

IBM BigFix Compliance PCI Add-on User's Guide in the BigFix developerWorks 
wiki: https://ibm.biz/BdrBtk

IBM developerWorks: https://ibm.biz/BdFiGQ

SCM Checklist Deployment: https://ibm.biz/BdrBtU

IBM Blog for Checklist Release Announcement: https://ibm.biz/BdrBt5

BigFix forums: https://forum.bigfix.com/


We hope you find this latest release of SCM content useful and effective. 
Thank you!

 -- The IBM BigFix Compliance PCI Add-on team


