The VMware Center for Policy & Compliance (CP&C) team is pleased to announce the release of PCI DSS 3.1 compliance toolkits for VMware vSphere 6.0 and other platforms (Windows, *NIX, and VMware vSphere 5.5, 5.1 and 5.0) in VMware vCenter Configuration Manager (VCM). The toolkits consist of automated compliance rules that assess your environment against the PCI DSS 3.1 requirements.
The PCI Security Standards Council (PCI SSC) moved quickly from version 3.0 to 3.1 in the wake of the SSL vulnerabilities, publishing the revision on 15 Apr 2015. As per the council's announcement, the revision includes minor updates and clarifications and addresses vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk. PCI DSS version 3.1 is effective immediately on publication (15 Apr 2015); PCI DSS version 3.0 will be retired on 30 June 2015.
Today I show you how to verify, using VMware vCenter Configuration Manager (VCM), a key component of the VMware vCenter Operations Suite (vC Ops), that your Windows machines comply with the DISA recommendation to have only the needed roles and features installed.
This example uses the DISA STIG for Windows 7, Version 1 Release 16, released on 25 Jul 2014.
The relevant DISA recommendations are:
- 5.016 – IIS or its subcomponents must not be installed on a workstation
- 5.260 – Games must not be installed on the system
- 5.260 – Simple TCPIP Services must not be installed on the system
- 5.260 – Telnet Server must not be installed on the system
- 5.260 – The Telnet Client must not be installed on the system
- 5.260 – The TFTP Client must not be installed on the system
- 5.260 – Windows Media Center must not be installed on the system
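The post does not show the check itself, so here is an added PowerShell example (mine, not code from the original post or from VCM) that audits a Windows 7 host for the seven features listed above through the Win32_OptionalFeature WMI class, which exists on Windows Vista/7 and later and works on the PowerShell 2.0 that ships with Windows 7. The DISM feature names used (IIS-*, InboxGames, SimpleTCP, TelnetServer, TelnetClient, TFTP, MediaCenter) and the STIG-ID-to-feature mapping are my assumptions; confirm them against `dism /online /Get-Features` and the STIG text for your release before relying on the result.

```powershell
# Added example, not from the original post or from VCM: audit a Windows 7 host
# for the optional features the STIG items above say must not be installed.
# Win32_OptionalFeature.InstallState: 1 = Enabled, 2 = Disabled, 3 = Absent,
# 4 = Unknown. On Windows 7 every feature payload stays on disk, so "installed"
# in STIG terms maps to InstallState 1 (Enabled).
# The DISM feature names below are assumptions; verify them with
# "dism /online /Get-Features" on the target build.

$Checks = @(
    @{ Id = '5.016'; Title = 'IIS or its subcomponents'; Pattern = 'IIS-*' },
    @{ Id = '5.260'; Title = 'Games';                     Pattern = 'InboxGames' },
    @{ Id = '5.260'; Title = 'Simple TCPIP Services';     Pattern = 'SimpleTCP' },
    @{ Id = '5.260'; Title = 'Telnet Server';             Pattern = 'TelnetServer' },
    @{ Id = '5.260'; Title = 'Telnet Client';             Pattern = 'TelnetClient' },
    @{ Id = '5.260'; Title = 'TFTP Client';               Pattern = 'TFTP' },
    @{ Id = '5.260'; Title = 'Windows Media Center';      Pattern = 'MediaCenter' }
)

function Get-StigFeatureFindings {
    param([string]$ComputerName = '.')

    # One WMI query returns every optional feature with its install state.
    $all = @(Get-WmiObject -Class Win32_OptionalFeature -ComputerName $ComputerName)

    foreach ($check in $Checks) {
        # -like so that 'IIS-*' catches IIS-WebServerRole, IIS-FTPServer and the
        # other IIS subcomponents, which is what item 5.016 asks for.
        $hits    = @($all | Where-Object { $_.Name -like $check.Pattern })
        $enabled = @($hits | Where-Object { $_.InstallState -eq 1 })

        if ($enabled.Count -gt 0) {
            $result = 'FAIL'
        } elseif ($hits.Count -eq 0) {
            # The feature does not exist on this edition (e.g. Media Center on
            # an "N" edition); nothing to remove, but worth recording explicitly.
            $result = 'PASS (not present on this build)'
        } else {
            $result = 'PASS'
        }

        # New-Object rather than [pscustomobject] so this runs on PowerShell 2.0.
        New-Object PSObject -Property @{
            StigId  = $check.Id
            Finding = $check.Title
            Enabled = (($enabled | ForEach-Object { $_.Name }) -join ', ')
            Result  = $result
        }
    }
}

# Run against the local machine and print the findings. A non-empty Enabled
# column names the exact feature to remove, e.g.
#   dism /online /Disable-Feature /FeatureName:TelnetClient
Get-StigFeatureFindings |
    Select-Object StigId, Finding, Result, Enabled |
    Sort-Object StigId, Finding |
    Format-Table -AutoSize
```

Pass `-ComputerName` to run the same query remotely over WMI/DCOM (the account needs local administrator rights on the target and the firewall must allow WMI). VCM performs the equivalent collection at scale; this script is useful for spot-checking a single host or validating a VCM rule result by hand.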
The VMware Center for Policy & Compliance (CP&C) is pleased to announce the updated DISA STIG compliance toolkit for UNIX and Linux environments in VMware vCenter Configuration Manager (VCM), a key component of the VMware vCenter Operations Suite (vC Ops). This is a major update to the previously released DISA compliance toolkits for UNIX and Linux. The compliance toolkit product data sheet can be found here.
This toolkit contains the following DISA STIGs:
- DISA AIX 6.1 V1R2
- DISA HP-UX V1R4
- DISA RH-5 V1R6
- DISA RH-6 V1R3
- DISA Solaris 10 V1R6
For this month’s Patch Tuesday Microsoft released 12 bulletins of which five were rated as Critical and seven as Important updates, addressing a total of 57 vulnerabilities across Internet Explorer, .NET Framework, Office, Windows and Exchange Server.
For those who need to prioritize deployments, three security bulletins should be addressed right away.
MS13-009 addresses 13 issues across all supported versions of Internet Explorer, and MS13-010 addresses an issue in the Vector Markup Language (VML) implementation used by all versions of Internet Explorer. Both could allow remote code execution if a user viewed a specially crafted web page in Internet Explorer.
MS13-020, affecting Windows XP, resolves an issue in Microsoft Windows Object Linking and Embedding (OLE) Automation that could allow remote code execution if a user opens a malicious RTF file with an embedded ActiveX control in either Word or WordPad.
In addition to the bulletins above, for the second time in less than a week both Microsoft and Adobe released Critical-class bulletins (KB2805940 and APSB13-05) to update Flash Player. These updates address at least 16 distinct vulnerabilities, including buffer overflow and use-after-free bugs that could lead to code execution.
All the above mentioned bulletins are now available for deployment via VMware vCenter Configuration Manager (VCM).
Sr. Member of Technical Staff, VMware Center for Policy & Compliance