Important

   

This space contains documentation for TrueSight Server Automation 8.9.03 and the later service packs for 8.9. For earlier releases, see BMC Server Automation 8.9.

Updating PCI for Windows 2016 to newer benchmarks

This document provides information about the hotfix containing Payment Card Industry (PCI) version 3.2.1 templates for Windows Server 2016, with implementation for 162 rules that can be installed on  TrueSight Server Automation 8.9.00 onwards. This template is created based on the recommended settings defined by Microsoft Windows Server 2016 Security Configuration Benchmark Version 3.2.1, published on May 2018.


Before you begin

Before you install this hotfix, ensure that all compliance content provided by BMC in your environment is at least updated to version 8.9.

Step 1: Downloading and installing the files

  1. Login to ftp.bmc.com host using SFTP protocol. Download the PCI - Windows Server 2016.zip and extended_objects.zip package from the following location:

     Click here to expand checksum related infromation

    Verify the downloaded content by using the following check sums.

    File Name

    MD5SUM

    PCI - Windows Server 2016.zip

    45C4D0E7983C9A27201DC451B1740CC3

    extended_objects.zip29A6A22CFBDEF53174663F227AEB702A

    Verify the extended objects present on the application. If the md5sums match, go ahead and replace them. If these md5sums do not match, you must manually merge the fixes.

    Extended Objects shipped with this template (part of extended_objects.zip)

    File Name

    MD5SUM

    inactive_users.nsh

    40AA447B4D0777293A5294804B4D758A

    Get-Dormant-Accounts.vbsBFA47F0045660A810DBC912FF54AFC8A


  2. Move the PCI - Windows Server 2016.zip package to your RCP client server.

Step 2: Replacing the extended object scripts on the file server 

  1. Navigate to the extended objects script files on your file server:
    <File_Server_Root>/extended_objects/ 
  2. Replace the Extended Object script files on your file server, with the extracted Extended Object script files stored in the temporary location:
    <temporary_location_on_file_server>/extended_objects/

Step 3: Importing the Compliance Content 

  1. Log on to the Console.
  2. Right-click Component Templates and select Import

    The Import Wizard starts.
  3. Select the Import (Version-neutral) option.
  4. Select the PCI - Windows Server 2016.zip package from the temporary location and click Next.

  5. The PCI template for PCI - Windows Server 2016 is available in the PCI - Windows Server 2016.zip package. To import the templates, select the zip file and click Next.

    Note

    Ensure that you select the Update objects according to the imported package and Preserve template group path options before you click Next.


  6. Navigate to the last screen of the wizard and then click Finish.
    The templates are imported successfully.

Rules within the templates

The following are the details of the 162 rules provided in the zip package. It contains the following types of rules:

  • Rules that check for compliance and provides remediation - 111
  • Rules that check for compliance but do not provide remediation - 2
  • Rules that must be manually checked - 49

The following table lists the number of rules for each section: 

Section Wise

Total number of rules

Section 2

91

Section 5

3

Section 6

2

Section 7

7

Section 8

19

Section 10

40


Note

Ensure that you have gone through the following points before you run the compliance checks or perform remediation: 

  • While running compliance jobs on domain controller targets, set the target server's DOMAIN property to DC. 
  • Leave DOMAIN property blank for member servers and standalone systems

Rule IDs that must be checked manually 

Comments

10.1 , 10.2.3 , 10.2.4 , 10.2.5 , 10.2.6 , 10.2.7 , 10.3.1 , 10.3.2 , 10.3.3 , 10.3.4 , 10.3.5 , 10.3.6 , 10.4 , 10.4.1 , 10.4.2 , 10.4.3 , 10.5.1 , 10.5.2 , 10.5.3 , 10.5.4 , 10.7


8.1.1 , 8.1.2 , 8.1.3 , 8.1.5 , 8.2.1 , 8.2.2 , 8.2.6 , 8.4 , 8.5.1 , 8.6 , 8.7


7.1.1 , 7.1.2 , 7.1.3 , 7.1.4 , 7.2.1 , 7.2.2 , 7.2.3


6.1 , 6.2


5.1 , 5.2 , 5.3


2.1 , 2.2.1 , 2.2.2 , 2.2.3 , 2.3


TARGET/LOCAL PROPERTY

RULE IS WHICH PROPERTY IS USED

PROPERTY NAME

DEFAULT VALUES

DELIMITER

LOCAL

2.2.4.44

FORCE_KEY_PROTECTION

2

 

LOCAL

2.2.4.66

DENY_LOG_ON_THROUGH_REMOTE_DESKTOP_SERVICE

BUILTIN\Guests

,

LOCAL

8.2.3.1

MIN_PASSWD_LENGTH

7

 

LOCAL

8.1.4EXEMPT_ACCOUNTSBLANK,
Was this page helpful? Yes No Submitting... Thank you

Comments

  1. Matthias Weidinger

    The URL ftp://ftp.bmc.com/pub/CE-BSA/Hotfix/Compliance_Content/PCI -Win2016-v3.20/ is not working.

    May 28, 2019 04:01