IBM BigFix Compliance PCI Add-on: Updated PCI DSS Checklists for various Windows operating systems published 2017-04-20

Product:
IBM BigFix Compliance PCI Add-on

Title:
Updated PCI DSS Checklists for Windows 2008, Windows 2012, Windows 10, Windows 7, Windows Embedded POSReady 7, and Windows Embedded Standard 7 sites to resolve issues with some checks

Category:
Updated PCI DSS checklist

Published Benchmark:
Payment Card Industry Data Security Standard v3.2

Details:
The IBM BigFix Compliance PCI Add-on team has updated the following Windows checklists:

PCI DSS Checklist for Windows 2012

  • The check Verify that “Prevent users from sharing files within their profile” is set to Enabled (pcidss-7.2.2.52) is updated to resolve the relevance false positive for APAR IV95039.
  • The check Verify that “Trend Micro Common Firewall” is Enabled (pcidss-1.4.b.22) is updated to resolve an issue with reading incorrect registry keys.
  • The check Verify that “Interactive logon: Number of previous logons to cache (in case domain controller is not available)” is set to ‘4 or fewer logon(s)’ (pcidss-3.1.a) is updated to reflect the correct relevance.
  • The check Verify that “Local Policy: Enable computer and user accounts to be trusted for delegation” is not set to any user (pcidss-7.2.3.1) is updated to reflect the correct relevance.
  • The check Verify that “MS Antivirus Software” service is active and running (pcidss-5.3.a_2) is updated to fix the remediation action to start the MpsSvc service.

PCI DSS Checklist for Windows 2008

  • The check Verify that “Prevent users from sharing files within their profile” is set to Enabled (pcidss-7.2.2.52) is updated to resolve the relevance false positive for APAR IV95039.
  • The check Verify that “Trend Micro Common Firewall” is Enabled (pcidss-1.4.b.22) is updated to resolve an issue with reading incorrect registry keys.
  • The check Verify that “Interactive logon: Number of previous logons to cache (in case domain controller is not available)” is set to ‘4 or fewer logon(s)’ (pcidss-3.1.a) is updated to reflect the correct relevance.
  • The check Verify that “MS Antivirus Software” service is active and running (pcidss-5.3.a_2) is updated to fix the remediation action to start the MpsSvc service.

PCI DSS Checklist for Windows 10

  • The check Verify that “Prevent users from sharing files within their profile” is set to Enabled (pcidss-7.2.2.52) is updated to resolve the relevance false positive for APAR IV95039.
  • The following checks are updated to include appropriate applicability relevance:
      • Verify that “Outbound connections” for the domain profile is set to ‘Allow (default)’ (pcidss-1.4.b_7.10)
      • Verify that “Outbound connections” for the public profile is set to ‘Allow (default)’ (pcidss-1.4.b.24.1)

PCI DSS Checklist for Windows 7, PCI DSS Checklist for Windows POSReady 7, and PCI DSS Checklist for Windows Embedded Standard 7

  • The check Verify that “Prevent users from sharing files within their profile” is set to Enabled (pcidss-7.2.2.52) is updated to resolve the relevance false positive for APAR IV95039.
  • The checks Verify that “Trend Micro Common Firewall” is Enabled (pcidss-1.4.b.22) and Verify that Generic Firewall is set to Enabled (pcidss-1.4.b_23) are updated to resolve an issue with reading incorrect registry keys.
  • The check Verify that “Interactive logon: Number of previous logons to cache (in case domain controller is not available)” is set to ‘4 or fewer logon(s)’ (pcidss-3.1.a) is updated to reflect the correct relevance.
  • The check Verify that “MS Antivirus Software” service is active and running (pcidss-5.3.a_2) is updated to fix the remediation action to start the MpsSvc service.

Published Sites:
PCI DSS Checklist for Windows 2012 site, version 11
PCI DSS Checklist for Windows 2008 site, version 11
PCI DSS Checklist for Windows 10 site, version 4
PCI DSS Checklist for Windows 7 site, version 8
PCI DSS Checklist for Windows Embedded POSReady 7 site, version 7
PCI DSS Checklist for Windows Embedded Standard 7 site, version 5
*The site version is provided for air-gap customers

Actions to Take:
If you use custom sites, update your custom sites accordingly to use the latest content. You can synchronize your content by using the Synchronize Custom Checks wizard. For more information, see https://ibm.biz/Bd4LBt.

More information:
To learn more about the IBM BigFix Compliance PCI DSS checklists, see:

We hope you find this latest release of PCI DSS content useful and effective.

Thank you!

– The IBM BigFix Compliance PCI Add-on team