IBM BigFix Compliance PCI Add-on: Updated PCI DSS Checklists for several Windows operating systems published 2016-07-07

Product:
IBM BigFix Compliance PCI Add-on

Title:
Updated Security Configuration Management (SCM) PCI DSS Checklists for Windows 2008, Windows 2012, Windows 7, Windows Embedded POSReady 7, and Windows Embedded Standard 7 to comply with PCI DSS v3.2

Category:
Updated SCM checklist

Published Benchmark:
Payment Card Industry Data Security Standard v3.2

Details:
The IBM BigFix Compliance PCI Add-on team has updated the content for the Payment Card Industry Data Security Standard (PCI DSS) checklists for Windows 2008, Windows 2012, Windows 7, Windows Embedded POSReady 7, and Windows Embedded Standard 7 to comply with PCI DSS v3.2, as well as to include other enhancements. Details are as follows.

PCI DSS v3.2 support:

• PCI DSS Requirements and Security Assessment Procedures v3.2 is supported in the identified Windows checklists. Existing checks are updated to adopt to the new standard and new checks are added to conform to the new requirements.
• The following PCI DSS v3.2 specific checks are added to the checklists:
• “PCI DSS v3.2: Verify that Security Policy "Windows Firewall: Log successful connection(Private)" is set to Yes” (pcidss-10.8.b.1)
• “PCI DSS v3.2: Verify that Security Policy “Windows Firewall: Log successful connection(Public)” is set to Yes” (pcidss-10.8.b.2)
• “PCI DSS v3.2: Verify that Security Policy “Windows Firewall: Log successful connection(Domain)” is set to Yes” (pcidss-10.8.b.3)
• “PCI DSS v3.2: Verify that “Audit Policy: Policy Change: MPSSVC Rule-Level Policy Change” is set to ‘Success, Failure’” (pcidss-10.8.b.4)
• “PCI DSS v3.2: Verify that “Audit Policy: Detailed Tracking: Process Termination” is set to Success” (pcidss-10.8.b.6)
• “PCI DSS v3.2: Verify that System Directory(Program Files (x86)) Ownership is set to ‘Administrators’” (pcidss-10.8.b.7)
• “PCI DSS v3.2: Verify that System Directory(Program Files) Ownership is set to ‘Administrators’” (pcidss-10.8.b.8)
• “PCI DSS v3.2: Verify that System Directory(Windows) Ownership is set to ‘Administrators’” (pcidss-10.8.b.9)

Note: The manual remediation steps for the last three checks listed above are specific to its operating system, hence, the steps for Windows 2012 are slightly different from the other Windows platforms.

Other enhancements:

• The checks related to TLS and SSL that are not compliant are removed from the identified Windows checklists.

• Mandatory checks related to TLS and SSL are renamed to comply with the PCI DSS benchmark. The checks in the identified checklists include:

• “Verify that “Microsoft FTP Publishing Service” is set to Disabled” (pcidss-2.2.3.9)

• “Verify that ports using SSL/TLS are configured only to use TLS v1.2” (pcidss-4.1.g)

• The check named “Turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, Secure Sockets Layer (SSL) 2.0, 3.0” (pcidss-4.1.g) is added in the identified Windows checklists.

• The following checks are added to the Windows 2008, Windows 7, Windows Embedded POSReady 7, and Windows Embedded Standard 7 checklists to extend the coverage for the PCI DSS benchmark:

• “Verify that “Interactive logon: Number of previous logons to cache (in case domain controller is not available)” is set to ‘4 or fewer logon(s)’” (pcidss-3.1.a)

• “Verify that “Interactive logon: Message title for users attempting to log on” is configured” (pcidss-2.2.4.c.15)

• The following checks are updated for the Windows Embedded Standard 7 and Windows Embedded POSReady 7 checklists to resolve APAR IV85006 - Long Evaluation Cycle Time:

• “Verify that Administrator account is renamed on the system” (pcidss-2.1.b_1)

• “Verify that Guest account is renamed on the system” (pcidss-2.1.b_2)

• “Verify that Administrator account on the system is set to Disabled” (pcidss-2.1.b_3)

• “Verify that Guest account on the system is set to Disabled” (pcidss-2.1.b_4)

Published Site:
PCI DSS Checklist for Windows 2008, version 8
PCI DSS Checklist for Windows 2012, version 8
PCI DSS Checklist for Windows 7, version 6
PCI DSS Checklist for Windows Embedded POSReady 7, version 5
PCI DSS Checklist for Windows Embedded Standard 7, version 3
*The site version is provided for air-gap customers.

Actions to Take:

• If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see https://ibm.biz/Bd4LBt.

• If you have not subscribed to the site above, you can use the License Overview dashboard to enable and gather the sites. Note that you must be entitled to the new content and you are using IBM BigFix version 9.0 and later.

• If you were involved in the Early Access Program for IBM BigFix Compliance PCI Add-on, unsubscribe from the beta sites to avoid any conflicting issues with the production sites. If you do not unsubscribe from the beta sites, the content in the production sites will fail.

More information:
Please note that PCI DSS v3.2 support for the existing PCI checklists for other supported platforms will be available soon. Stay tuned for future announcements.

To know more information about the IBM BigFix Compliance SCM checklists, see:

• IBM BigFix Compliance PCI Add-on User’s Guide in the BigFix developerWorks wiki: https://ibm.biz/BdrBtk

• IBM developerWorks: https://ibm.biz/BdFiGQ

• SCM Checklist Deployment: https://ibm.biz/BdrBtU

• IBM Blog for Checklist Release Announcement: https://ibm.biz/BdrBt5

• BigFix forums: https://forum.bigfix.com/

We hope you find this latest release of SCM content useful and effective. Thank you!

– The IBM BigFix Compliance PCI Add-on team