[BESAdmin-Announcements] IBM BigFix Compliance PCI Add-on: Updated Content: PCI DSS Checklists for several Windows operating systems published 2016-07-07
Announcements for BES Administrators
besadmin-announcements at bigmail.bigfix.com
Thu Jul 7 10:40:20 PDT 2016
Product:
IBM BigFix Compliance PCI Add-on
Title:
Updated Security Configuration Management (SCM) PCI DSS Checklists for
Windows 2008, Windows 2012, Windows 7, Windows Embedded POSReady 7, and
Windows Embedded Standard 7 to comply with PCI DSS v3.2
Category:
Updated SCM checklist
Published Benchmark:
Payment Card Industry Data Security Standard v3.2
Details:
The IBM BigFix Compliance PCI Add-on team has updated the content for the
Payment Card Industry Data Security Standard (PCI DSS) checklists for
Windows 2008, Windows 2012, Windows 7, Windows Embedded POSReady 7, and
Windows Embedded Standard 7 to comply with PCI DSS v3.2, as well as to
include other enhancements. Details are as follows.
PCI DSS v3.2 support:
PCI DSS Requirements and Security Assessment Procedures v3.2 is supported
in the identified Windows checklists. Existing checks are updated to adopt
to the new standard and new checks are added to conform to the new
requirements.
The following PCI DSS v3.2 specific checks are added to the checklists:
o “PCI DSS v3.2: Verify that Security Policy "Windows Firewall: Log
successful connection(Private)" is set to Yes” (pcidss-10.8.b.1)
o “PCI DSS v3.2: Verify that Security Policy "Windows Firewall: Log
successful connection(Public)" is set to Yes” (pcidss-10.8.b.2)
o “PCI DSS v3.2: Verify that Security Policy "Windows Firewall: Log
successful connection(Domain)" is set to Yes” (pcidss-10.8.b.3)
o “PCI DSS v3.2: Verify that "Audit Policy: Policy Change: MPSSVC
Rule-Level Policy Change" is set to 'Success, Failure'” (pcidss-10.8.b.4)
o “PCI DSS v3.2: Verify that "Audit Policy: Detailed Tracking:
Process Termination" is set to Success” (pcidss-10.8.b.6)
o “PCI DSS v3.2: Verify that System Directory(Program Files (x86))
Ownership is set to 'Administrators'” (pcidss-10.8.b.7)
o “PCI DSS v3.2: Verify that System Directory(Program Files)
Ownership is set to 'Administrators'” (pcidss-10.8.b.8)
o “PCI DSS v3.2: Verify that System Directory(Windows) Ownership is
set to 'Administrators'” (pcidss-10.8.b.9)
Note: The manual remediation steps for the last three checks listed above
are specific to its operating system, hence, the steps for Windows 2012
are slightly different from the other Windows platforms.
Other enhancements:
The checks related to TLS and SSL that are not compliant are removed from
the identified Windows checklists.
Mandatory checks related to TLS and SSL are renamed to comply with the PCI
DSS benchmark. The checks in the identified checklists include:
o “Verify that "Microsoft FTP Publishing Service" is set to
Disabled” (pcidss-2.2.3.9)
o “Verify that ports using SSL/TLS are configured only to use TLS
v1.2” (pcidss-4.1.g)
The check named “Turn off support for Transport Layer Security (TLS) 1.0,
TLS 1.1, Secure Sockets Layer (SSL) 2.0, 3.0” (pcidss-4.1.g) is added in
the identified Windows checklists.
The following checks are added to the Windows 2008, Windows 7, Windows
Embedded POSReady 7, and Windows Embedded Standard 7 checklists to extend
the coverage for the PCI DSS benchmark:
o “Verify that "Interactive logon: Number of previous logons to
cache (in case domain controller is not available)" is set to '4 or fewer
logon(s)'” (pcidss-3.1.a)
o “Verify that "Interactive logon: Message title for users
attempting to log on" is configured” (pcidss-2.2.4.c.15)
The following checks are updated for the Windows Embedded Standard 7 and
Windows Embedded POSReady 7 checklists to resolve APAR IV85006 - Long
Evaluation Cycle Time:
o “Verify that Administrator account is renamed on the system”
(pcidss-2.1.b_1)
o “Verify that Guest account is renamed on the system”
(pcidss-2.1.b_2)
o “Verify that Administrator account on the system is set to
Disabled” (pcidss-2.1.b_3)
o “Verify that Guest account on the system is set to Disabled”
(pcidss-2.1.b_4)
Published Site:
PCI DSS Checklist for Windows 2008, version 8
PCI DSS Checklist for Windows 2012, version 8
PCI DSS Checklist for Windows 7, version 6
PCI DSS Checklist for Windows Embedded POSReady 7, version 5
PCI DSS Checklist for Windows Embedded Standard 7, version 3
*The site version is provided for air-gap customers.
Actions to Take:
If you use custom sites, update your custom sites accordingly to use the
latest content. You can synchronize your content by using the Synchronize
Custom Checks wizard. For more information, see https://ibm.biz/Bd4LBt.
If you have not subscribed to the site above, you can use the License
Overview dashboard to enable and gather the sites. Note that you must be
entitled to the new content and you are using IBM BigFix version 9.0 and
later.
If you were involved in the Early Access Program for IBM BigFix Compliance
PCI Add-on, unsubscribe from the beta sites to avoid any conflicting
issues with the production sites. If you do not unsubscribe from the beta
sites, the content in the production sites will fail.
More information:
Please note that PCI DSS v3.2 support for the existing PCI checklists for
other supported platforms will be available soon. Stay tuned for future
announcements.
To know more information about the IBM BigFix Compliance SCM checklists,
see:
IBM BigFix Compliance PCI Add-on User's Guide in the BigFix developerWorks
wiki: https://ibm.biz/BdrBtk
IBM developerWorks: https://ibm.biz/BdFiGQ
SCM Checklist Deployment: https://ibm.biz/BdrBtU
IBM Blog for Checklist Release Announcement: https://ibm.biz/BdrBt5
BigFix forums: https://forum.bigfix.com/
We hope you find this latest release of SCM content useful and effective.
Thank you!
-- The IBM BigFix Compliance PCI Add-on team
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://bigmail.bigfix.com/pipermail/besadmin-announcements/attachments/20160708/cd0231a7/attachment.html>
More information about the Besadmin-announcements
mailing list