IBM BigFix Compliance PCI Add-on: Updated PCI DSS Checklist for Windows 2008, Windows 2012, and Windows 7 published 2016-06-10

IBM BigFix Compliance PCI Add-on
Security Configuration Management (SCM)

The IBM BigFix Compliance team has updated the content for the Payment Card Industry Data Security Standard (PCI DSS) checklist for Windows 2008, Windows 2012, and Windows 7. See details below.

Updated Sites:
PCI DSS Checklist for Windows 7, version 5
PCI DSS Checklist for Windows 2012, version 7
PCI DSS Checklist for Windows 2008, version 7

*The site version is provided for air-gap customers.

Changelist:
For Windows 7:

  • The following checks are updated to resolve APAR IV85006 - Long Evaluation Cycle Time:
    o “Verify that Administrator account is renamed on the system” (pcidss-2.1.b_1)
    o “Verify that Guest account is renamed on the system” (pcidss-2.1.b_2)
    o “Verify that Administrator account on the system is set to Disabled” (pcidss-2.1.b_3)
    o “Verify that Guest account on the system is set to Disabled” (pcidss-2.1.b_4)

  • The check named “Verify that “Interactive Logon: Do not require CTRL+ALT+DEL” is set to Disabled” (pcidss-8.2_0.5) is updated due to the incorrect desired value.

  • The source IDs for the following checks are renumbered:
    o “Verify that “Local Policy: Debug programs” is set to Administrators”
    Source ID pcidss-7.2.3_5 is updated to pcidss-7.2.2_59.
    o “Verify that “Local Policy: Deny log on locally” is set to Guests”
    Source ID pcidss-7.2.3_6 is updated to pcidss-7.2.2_60.

For Windows 2012:

  • The following checks are updated to resolve APAR IV85006 - Long Evaluation Cycle Time:
    o “Verify that Administrator account is renamed on the system” (pcidss-2.1.b_1)
    o “Verify that Guest account is renamed on the system” (pcidss-2.1.b_2)
    o “Verify that Administrator account on the system is set to Disabled” (pcidss-2.1.b_3)
    o “Verify that Guest account on the system is set to Disabled” (pcidss-2.1.b_4)

  • The check named “Verify that “Audit Policy: DS Access: Directory Service Changes” for Enterprise Domain Controller is set to Success” (pcidss-10.2.2_6.1) is removed because Domain Controllers are not supported.

  • The relevance of "Verify that remote-login command should be restricted through non console access for IIS HTTP Server" (pcidss-2.3.b.3) is updated with the proper version of IIS.

For Windows 2008:

  • The following checks are updated to resolve APAR IV85006 - Long Evaluation Cycle Time:
    o “Verify that Administrator account is renamed on the system” (pcidss-2.1.b_1)
    o “Verify that Guest account is renamed on the system” (pcidss-2.1.b_2)
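The renumbered and updated checks above are built-in account and logon-policy checks that an administrator can reproduce locally while the updated site content is being rolled out. The script below is an added example, not part of this release note and not the BigFix relevance or remediation code behind these checks; the check IDs (pcidss-2.1.b_1 through _4 and pcidss-8.2_0.5) are the page's, while the function names, the result layout and the assumption that an unconfigured DisableCAD value counts as a finding are mine. It identifies the built-in accounts by their well-known RIDs (500 and 501) rather than by name, since the name is exactly what the 2.1.b checks test, and it filters WMI to local accounts so the query does not walk the whole domain, which is a common cause of long evaluation times on domain-joined machines.

```powershell
# Added example: read-only evaluation of the PCI DSS 2.1.b and 8.2_0.5 checks on
# a single Windows 7 / 2008 / 2012 host. Not the BigFix site's own content.
# Written for Windows PowerShell 2.0 compatibility (New-Object PSObject, Get-WmiObject).

function Get-BuiltinAccountFinding {
    param(
        [string]$CheckIdRenamed,   # e.g. pcidss-2.1.b_1
        [string]$CheckIdDisabled,  # e.g. pcidss-2.1.b_3; pass '' when the site has no such check
        [string]$DefaultName,      # "Administrator" or "Guest"
        [string]$RidSuffix         # "-500" (Administrator) or "-501" (Guest)
    )
    # LocalAccount=True keeps WMI from enumerating every domain account.
    $acct = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
            Where-Object { $_.SID -like "S-1-5-21-*$RidSuffix" } | Select-Object -First 1

    $results = @()
    if (-not $acct) {
        $results += New-Object PSObject -Property @{
            CheckId = $CheckIdRenamed; Compliant = $false
            Detail  = "built-in $DefaultName account (RID $RidSuffix) not found"
        }
        return $results
    }
    # Renamed check: the account with the well-known RID must no longer carry the default name.
    $results += New-Object PSObject -Property @{
        CheckId = $CheckIdRenamed; Compliant = ($acct.Name -ne $DefaultName)
        Detail  = "account with RID $RidSuffix is named '$($acct.Name)'"
    }
    # Disabled check (only where the site defines one for this platform).
    if ($CheckIdDisabled) {
        $results += New-Object PSObject -Property @{
            CheckId = $CheckIdDisabled; Compliant = [bool]$acct.Disabled
            Detail  = "Disabled = $($acct.Disabled)"
        }
    }
    return $results
}

function Get-CtrlAltDelFinding {
    # "Interactive Logon: Do not require CTRL+ALT+DEL" is stored as DisableCAD under the
    # Policies\System key: 1 = the "do not require" policy is Enabled, 0 = Disabled.
    # The check's desired value is Disabled, so 0 is compliant.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name DisableCAD -ErrorAction SilentlyContinue).DisableCAD
    if ($val -eq $null) {
        # Assumption: an unconfigured policy is reported as a finding for review.
        $compliant = $false; $detail = 'DisableCAD not configured (treated as a finding)'
    } else {
        $compliant = ($val -eq 0); $detail = "DisableCAD = $val"
    }
    New-Object PSObject -Property @{ CheckId = 'pcidss-8.2_0.5'; Compliant = $compliant; Detail = $detail }
}

function Invoke-PciAccountChecks {
    $findings = @()
    $findings += Get-BuiltinAccountFinding 'pcidss-2.1.b_1' 'pcidss-2.1.b_3' 'Administrator' '-500'
    $findings += Get-BuiltinAccountFinding 'pcidss-2.1.b_2' 'pcidss-2.1.b_4' 'Guest'         '-501'
    $findings += Get-CtrlAltDelFinding
    $findings | Select-Object CheckId, Compliant, Detail | Format-Table -AutoSize
    # Non-zero exit when any check fails, so the script can be used from a scheduled job.
    if ($findings | Where-Object { -not $_.Compliant }) { exit 1 }
}

Invoke-PciAccountChecks
```

Run it in an elevated PowerShell session on the host being assessed; the Win32_UserAccount query needs no special rights, but reading the Policies\System key and getting a complete view of local accounts is most reliable as an administrator. On Windows 2008, where the site lists only the two renamed checks, pass an empty string as the second argument to skip the Disabled findings.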

Actions to Take:

  • If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see https://ibm.biz/Bd4LBt.

  • If you have not subscribed to the sites above, you can use the License Overview dashboard to enable and gather the sites. Note that you must be entitled to the new content and be using IBM BigFix version 9.0 or later.

  • If you were involved in the Early Access Program for IBM BigFix Compliance PCI Add-on, unsubscribe from the beta sites to avoid conflicts with the production sites. If you do not unsubscribe from the beta sites, the content in the production sites will fail.

Documentation Resources:
To know more about IBM BigFix Compliance PCI Add-on, see the IBM BigFix Compliance PCI Add-on User’s Guide.

We hope you find this latest release of SCM content useful and effective. Thank you!

– The IBM BigFix Compliance team