[BESAdmin-Announcements] BigFix Compliance: Updated DISA STIG Checklist for Windows 2016, published 2025-06-11

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Thu Jun 12 07:47:09 PDT 2025 

*Product:*
BigFix Compliance

*Title:*
Updated *DISA STIG Checklist for Windows 2016* to support a more recent
version of the benchmark.

*Security Benchmark:*
Microsoft Windows Server 2016 STIG SCAP Benchmark, V2R10

*Published Sites:*
DISA STIG Checklist for Windows 2016, site version 22
(The site version is provided for air-gap customers.)


*Details:*

●       Total New Fixlets: 1

●       Total New Task: 1

●       Total Updated Fixlets:39

●       Total Deleted Fixlets: 0

●       Total Fixlets in Site: 218

●      *ADDED*

o       Windows Server 2016 must be configured for name-based strong
mappings for certificates.

o       ‘Deploy and Run’ task has been implemented to validate compliance
for the following rules:

●       UPDATED - (L1) Ensure ‘Network access: Allow anonymous SID/Name
translation’ is set to ‘Disabled’

●       UPDATED - (L1) Ensure ‘Password must meet complexity requirements’
is set to ‘Enabled’

●       UPDATED - (L1) Ensure ‘Store passwords using reversible encryption’
is set to ‘Disabled’

*Note: *This task has to be run periodically.

●       *UPDATED*

o       Windows Server 2016 must be configured to audit Logon/Logoff -
Logoff successes.

o       Windows Server 2016 must be configured to audit Logon/Logoff -
Group Membership successes.

o       Windows Server 2016 must be configured to audit Detailed Tracking -
Process Creation successes.

o       Windows Server 2016 must be configured to audit DS Access -
Directory Service Access failures.

o       Windows Server 2016 must be configured to audit Account Management
- Computer Account Management successes.

o       Windows Server 2016 must be configured to audit Account Logon -
Credential Validation successes.

o       Windows Server 2016 must be configured to audit DS Access -
Directory Service Access successes.

o       Windows Server 2016 must be configured to audit Account Management
- Other Account Management Events successes.

o       Windows Server 2016 must be configured to audit Privilege Use -
Sensitive Privilege Use failures.

o       Windows Server 2016 must be configured to audit Logon/Logoff -
Special Logon successes.

o       Windows Server 2016 must be configured to audit Policy Change -
Audit Policy Change successes.

o       Windows Server 2016 must be configured to audit Privilege Use -
Sensitive Privilege Use successes.

o       Windows Server 2016 must be configured to audit Logon/Logoff -
Account Lockout failures.

o       Windows Server 2016 must be configured to audit System - IPsec
Driver successes.

o       Windows Server 2016 must be configured to audit Account Logon -
Credential Validation failures.

o       Windows Server 2016 must be configured to audit System - Security
State Change successes.

o       Windows Server 2016 must be configured to audit Account Management
- Security Group Management successes.

o       Windows Server 2016 must be configured to audit Detailed Tracking -
Plug and Play Events successes.

o       Windows Server 2016 must be configured to audit System - System
Integrity successes.

o       Windows Server 2016 must be configured to audit Logon/Logoff -
Logon successes.

o       Windows Server 2016 must be configured to audit Object Access -
Removable Storage failures.

o       Windows Server 2016 must be configured to audit Policy Change -
Audit Policy Change failures.

o       Windows Server 2016 must be configured to audit System - Other
System Events successes.

o       Windows Server 2016 must be configured to audit Policy Change -
Authorization Policy Change successes.

o       Windows Server 2016 must be configured to audit Policy Change -
Authentication Policy Change successes.

o       Windows Server 2016 must be configured to audit System - System
Integrity failures.

o       Windows Server 2016 must be configured to audit Object Access -
Removable Storage successes.

o       Windows Server 2016 must be configured to audit System - IPsec
Driver failures.

o       Windows Server 2016 must be configured to audit Account Management
- User Account Management failures.

o       Windows Server 2016 must be configured to audit System - Security
System Extension successes.

o       Windows Server 2016 must be configured to audit Account Management
- User Account Management successes.

o       Windows Server 2016 must be configured to audit System - Other
System Events failures.

o       Windows Server 2016 must be configured to audit DS Access -
Directory Service Changes successes.

o       Windows Server 2016 must be configured to audit Logon/Logoff -
Logon failures.

o       Windows 2016 must be configured to audit Object Access - Other
Object Access Events successes.

o       Windows 2016 must be configured to audit Object Access - Other
Object Access Events failures.

●       Both analysis and remediation checks are included

●       Some of the checks allow you to use the parameterized setting to
enable customization for compliance evaluation. Note that parameterization
and remediation actions require the creation of a custom site.



*Actions to take:*

●      To subscribe to the above site, you can use the License Overview
Dashboard to enable and gather the site. Note that you must be entitled to
the BigFix Compliance product, and you must be using BigFix version 10 and
later.

●       If you use custom sites, update your custom sites accordingly to
use the latest content. You can synchronize your content by using the
Synchronize Custom Checks wizard. For more information, see

https://help.hcltechsw.com/bigfix/11.0/compliance/Compliance/SCM_Users_Guide/c_using_synchronize_custom_checks_wiz.html

*More information:*
To know more about the BigFix Compliance SCM checklists, please see the
following resources:

●       BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fforum.bigfix.com%2Fc%2Frelease-announcements%2Fcompliance&data=05%7C01%7CBigFix-Scrum-Earth%40hcl.com%7C850b19aead5a47f24eb308da841ed642%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C637967565224681222%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=UYYRYb3SofshREYync5mCc2d5MUGb53t7OjOCBg%2BoJg%3D&reserved=0>

●       BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists
<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbigfix-wiki.hcltechsw.com%2Fwikis%2Fhome%3Flang%3Denus%23!%2Fwiki%2FBigFix%2520Wiki%2Fpage%2FSCM%2520Checklists&data=05%7C01%7CBigFix-Scrum-Earth%40hcl.com%7C850b19aead5a47f24eb308da841ed642%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C637967565224681222%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=sJEji05sRie522iksNIya8RoKSDGBtgSCKlAzsF0N%2Fo%3D&reserved=0>

We hope you find this latest release of SCM content useful and effective.
Thank you!

*– The BigFix Compliance team*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://bigmail.bigfix.com/pipermail/besadmin-announcements/attachments/20250612/c4b5a947/attachment.html>

More information about the Besadmin-announcements mailing list