Product:
BigFix Compliance
Title:
Updated DISA STIG Checklist for Windows 2016 to support a more recent version of the benchmark.
Security Benchmark:
Microsoft Windows Server 2016 STIG SCAP Benchmark, V2R10
Published Sites:
DISA STIG Checklist for Windows 2016, site version 22
(The site version is provided for air-gap customers.)
Details:
Total New Fixlets: 1
Total New Task: 1
Total Updated Fixlets:39
Total Deleted Fixlets: 0
Total Fixlets in Site: 218
ADDED
Windows Server 2016 must be configured for name-based strong mappings for certificates.
‘Deploy and Run’ task has been implemented to validate compliance for the following rules:
UPDATED - (L1) Ensure ‘Network access: Allow anonymous SID/Name translation’ is set to ‘Disabled’
UPDATED - (L1) Ensure ‘Password must meet complexity requirements’ is set to ‘Enabled’
UPDATED - (L1) Ensure ‘Store passwords using reversible encryption’ is set to ‘Disabled’
Note: This task has to be run periodically.
UPDATED
Windows Server 2016 must be configured to audit Logon/Logoff - Logoff successes.
Windows Server 2016 must be configured to audit Logon/Logoff - Group Membership successes.
Windows Server 2016 must be configured to audit Detailed Tracking - Process Creation successes.
Windows Server 2016 must be configured to audit DS Access - Directory Service Access failures.
Windows Server 2016 must be configured to audit Account Management - Computer Account Management successes.
Windows Server 2016 must be configured to audit Account Logon - Credential Validation successes.
Windows Server 2016 must be configured to audit DS Access - Directory Service Access successes.
Windows Server 2016 must be configured to audit Account Management - Other Account Management Events successes.
Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
Windows Server 2016 must be configured to audit Logon/Logoff - Special Logon successes.
Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change successes.
Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout failures.
Windows Server 2016 must be configured to audit System - IPsec Driver successes.
Windows Server 2016 must be configured to audit Account Logon - Credential Validation failures.
Windows Server 2016 must be configured to audit System - Security State Change successes.
Windows Server 2016 must be configured to audit Account Management - Security Group Management successes.
Windows Server 2016 must be configured to audit Detailed Tracking - Plug and Play Events successes.
Windows Server 2016 must be configured to audit System - System Integrity successes.
Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes.
Windows Server 2016 must be configured to audit Object Access - Removable Storage failures.
Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change failures.
Windows Server 2016 must be configured to audit System - Other System Events successes.
Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change successes.
Windows Server 2016 must be configured to audit Policy Change - Authentication Policy Change successes.
Windows Server 2016 must be configured to audit System - System Integrity failures.
Windows Server 2016 must be configured to audit Object Access - Removable Storage successes.
Windows Server 2016 must be configured to audit System - IPsec Driver failures.
Windows Server 2016 must be configured to audit Account Management - User Account Management failures.
Windows Server 2016 must be configured to audit System - Security System Extension successes.
Windows Server 2016 must be configured to audit Account Management - User Account Management successes.
Windows Server 2016 must be configured to audit System - Other System Events failures.
Windows Server 2016 must be configured to audit DS Access - Directory Service Changes successes.
Windows Server 2016 must be configured to audit Logon/Logoff - Logon failures.
Windows 2016 must be configured to audit Object Access - Other Object Access Events successes.
Windows 2016 must be configured to audit Object Access - Other Object Access Events failures.
Both analysis and remediation checks are included
Some of the checks allow you to use the parameterized setting to enable customization for compliance evaluation. Note that parameterization and remediation actions require the creation of a custom site.
Actions to take:
To subscribe to the above site, you can use the License Overview Dashboard to enable and gather the site. Note that you must be entitled to the BigFix Compliance product, and you must be using BigFix version 10 and later.
If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see
More information:
To know more about the BigFix Compliance SCM checklists, please see the following resources:
BigFix Forum:
https://forum.bigfix.com/c/release-announcements/compliance
BigFix Compliance SCM Checklists:
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=enus#!/wiki/BigFix%20Wiki/page/SCM%20Checklists
We hope you find this latest release of SCM content useful and effective. Thank you!
– The BigFix Compliance team