Analyst Quote

"Organizations must develop procedures and implement software tools to ensure that their environment remains compliant on a nearly continuous basis, not just at audit time. Utilities like Configuresoft Compliance Checker for PCI can help make it easier for IT organizations to assess and maintain an on-going program of PCI compliance."

- Dave Taylor, Founder

PCI Knowledge Base
 

Compliance Checker for PCI DSS v1.2 User's Guide

Compliance Checker for PCI DSS v1.2 uses the WMI and RPC protocols to assess up to five remote Windows machines at one time. In order to successfully perform these assessments, you must meet the following prerequisites.

Windows Workstation

The machine on which you are installing Compliance Checker for PCI DSS v1.2 must have:

In addition to these requirements, you should ensure that the machine you are installing this application on is trusted, all administrators on the machine are trusted, and that you have equipped the machine with the latest patch levels and anti-virus definitions.

Windows Target Machines

The Windows target machines are those machines on which you plan to assess compliance. The Compliance Checker can run an assessment on the following Windows operating systems:

  • Windows XP
  • Windows 2000
  • Windows 2003
  • Windows 2008
  • Windows Vista

To run an assessment, the user specified in the User ID field must have local administrator rights on the target machine and read/write permissions to the file share specified in the Share Name field.

Compliance Checker requires Windows Installer 3.1 or higher to be installed on the Windows Target machine. It can be obtained from http://www.microsoft.com/downloads/details.aspx?FamilyID=889482FC-5F56-4A38-B838-DE776FD4138C&displaylang=en

Use the following procedure to install and start Compliance Checker for PCI DSS v1.2:

  1. Download PCIComplianceChecker.msi to a Windows machine with Microsoft .NET 2.0 SP1 installed.
    Download .NET Framework here
  2. To start the installation, browse to the download location and double-click PCIComplianceChecker.msi. The Setup Wizard appears. Click Next.
  3. Accept the license agreement, and then click Next.
  4. Browse to select the location where you want to install Compliance Checker, and then click Next.
  5. Click Install to begin the installation.
  6. Click Finish to complete the installation.
  7. Click Start | All Programs | Compliance Checker for PCI DSS v1.2 to launch the program.

Before running an assessment of your Windows machines, ensure the user name specified in the User ID field has local administrator rights on the target machine and read/write permissions to the file share specified in the Share Name field.

Note: If two separate instances of the Compliance Checker attempt to assess the same hosts at the same time, the assessment results will be unpredictable.
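
One way to check these prerequisites for a single remote target before clicking Assess Compliance, as an added PowerShell example (it is not part of Compliance Checker or the Configuresoft guide). The function name, host name and share name are assumptions; the checks are WMI access to root\cimv2, the Windows Installer version read from msi.dll, and a write test on the share.

```powershell
# Added example: pre-flight check of one remote target before an assessment.
# Host and share names are placeholders; assumes Windows PowerShell 3.0 to 5.1.
function Test-AssessmentTarget {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $ShareName,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $result = [ordered]@{
        Target = $ComputerName; Wmi = 'not tested'
        WindowsInstaller = 'not tested'; ShareWrite = 'not tested'
    }
    $wmi = @{ ComputerName = $ComputerName; Credential = $Credential
              Namespace = 'root\cimv2'; ErrorAction = 'Stop' }

    # 1. WMI over RPC/DCOM, the same path the guide's error message shows failing.
    try {
        $os = Get-WmiObject @wmi -Class Win32_OperatingSystem
        $result.Wmi = "ok ($($os.Caption))"

        # 2. Windows Installer 3.1 or higher: read the file version of msi.dll.
        $path = ($os.SystemDirectory + '\msi.dll') -replace '\\', '\\'
        $msi  = Get-WmiObject @wmi -Query "SELECT Version FROM CIM_DataFile WHERE Name='$path'"
        if ($msi) {
            $ver = [version](($msi.Version -split ' ')[0])
            $result.WindowsInstaller = if ($ver -ge [version]'3.1') { "ok ($ver)" } else { "too old ($ver)" }
        } else { $result.WindowsInstaller = 'msi.dll not found' }
    }
    catch [System.Runtime.InteropServices.COMException] {
        # 0x800706BA = "The RPC server is unavailable": firewall or network problem.
        $result.Wmi = 'COM error 0x{0:X8}: {1}' -f $_.Exception.ErrorCode, $_.Exception.Message
    }
    catch { $result.Wmi = "failed: $($_.Exception.Message)" }   # e.g. access denied

    # 3. Read/write permission on the share: create and delete a marker file.
    $drive = 'ccpreflight'
    try {
        New-PSDrive -Name $drive -PSProvider FileSystem -Root "\\$ComputerName\$ShareName" `
            -Credential $Credential -ErrorAction Stop | Out-Null
        $marker = "${drive}:\preflight-$([guid]::NewGuid()).tmp"
        Set-Content -Path $marker -Value 'write test' -ErrorAction Stop
        Remove-Item -Path $marker -ErrorAction Stop
        $result.ShareWrite = 'ok'
    }
    catch { $result.ShareWrite = "failed: $($_.Exception.Message)" }
    finally { Remove-PSDrive -Name $drive -ErrorAction SilentlyContinue }
    [pscustomobject]$result
}
# Test-AssessmentTarget -ComputerName 'target01' -ShareName 'share01' -Credential (Get-Credential)
```

The function does not check local administrator group membership directly, and it is meant for remote targets only, because Get-WmiObject rejects explicit credentials for a local connection.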

To run an assessment:

  1. Complete the fields in the Machine and Account Configuration area as follows:
    • IP Address or Hostname: Type the IP Address or Hostname of the Windows machine that you want to assess.
    • Share Name: Type the name of the file share on the target machine to which the user specified in the User ID field has read/write permissions.
    • User ID and Password: Type the User ID and Password of the account that you are using to access that machine. The user must have local administrator rights on the target machine and read/write rights to the file share.

      If you are using the same administrative account for all the machines that you intend to assess, select the option Use the same Share Name, User ID and Password for all machines. When this option is selected, only the first User ID and Password fields are editable. Compliance Checker automatically uses the credentials in these fields to access the remaining Windows machines.

      Note: If you are assessing the machine on which you are also running the Compliance Checker application, the Compliance Checker ignores the provided user name and password and runs the assessment using the currently logged in user's user name and password. The current user must have administrative permission on the machine.
    • Include in Assessment: Select the check box beside each machine name to include that Windows machine in the assessment process. Compliance Checker retains the machine and account information between sessions, so you can enter machine information once and then decide, each time you launch the application, which of those machines you want to assess during that session.
  2. Click Assess Compliance to begin evaluating your Windows machines against the PCI DSS v1.2 Benchmark. Your results will appear in the Compliance Checker Summary screen in a separate web browser window. See View Results for information about this view.

    Note: Due to the extent of this collection and the depth of this analysis, assessment could take a few minutes per Windows machine.

Compliance Checker retains the results of your last assessment only. To view a summary of these results, click View Most Recent Results. The results from your most recent assessment will appear in the Compliance Checker Summary screen. See View Results for more information about this view.

The Compliance Checker Results page displays both a Summary and a Details view of the benchmarks against which your Windows machines were assessed. See the following sections for more information about each view.

Compliance Assessment Summary

The Compliance Assessment Summary view displays the compliance status of your Windows machines against the PCI DSS v1.2 Benchmark. Results are grouped into categories by color (see graphic below). Unknown results indicate that Compliance Checker could not collect the data required to assess compliance for that rule.

  • Policy View Summary Bars: The summary bars on the left display the percentage of the rules across the benchmark with which the assessed Windows machines were compliant. Use this view to quickly assess your overall compliance.
  • Machine View Summary Bars: The summary bars on the right side of the view display the names of the assessed machines, and the percentage of the rules in each guideline that each of these individual machines passed. Use this view to quickly determine which Windows machines require immediate remediation.

[Figure: Compliance Assessment Summary Bars]

Hover the mouse over the summary bar to view the percentage of the rules where your Windows machines are compliant, unknown, or non-compliant.

Compliance Assessment Details

The Compliance Assessment Details view in the lower portion of the screen presents a view of rules that the Windows machines were assessed against, and the pass/fail results of that evaluation.

Within this view, you can perform the following actions:

  • View the Data: Hover over a test result icon to view the Windows machine name.
  • Remediate: Click the rule name or test result icon to view more information and remediation procedures on the Configuresoft website. The information opens in a new browser window and will not erase your other results.
  • Print: Click Printable Version in the Compliance Assessment Summary title bar to print the results of your assessment.

[Figure: Assessment Result Details Grid]

The icons displayed in the Details view indicate whether the rule passed, failed, or the result is unknown because Compliance Checker could not collect enough data to evaluate that rule.

Compliance Assessment Details Icons

  • Passed Check: The machine met the requirements of the listed rule.
  • Failed Check: The machine failed to meet the requirements of the listed rule.
  • Unknown Status: Compliance Checker could not collect enough data to determine a definitive "Passed" or "Failed" result. This is likely because the appropriate privileges were not provided.
  • N/A or Machine Not Found: The rule was not applicable to the machine. For example, some PCI rules apply only to specific operating systems. If all the rules for a machine display this icon, the machine could not be contacted.

Refer to the following table for solutions to problems that you may experience while using Compliance Checker. For additional technical questions not described here, contact us at: compliancechecker@configuresoft.com.

Symptom: I see Machine Not Found results.

  • Possible cause: The account you are using does not have access to the Windows machines that you are attempting to assess.
    Solution: Obtain an account with permission to access these machines.
  • Possible cause: A file share does not exist on the target machine or the permissions are incorrect.
    Solution: Create a file share on the target machine. Grant read/write permissions to the share for the user specified in the Machine and Account Configuration area.
  • Possible cause: The User ID that you are using does not exist or is not valid.
    Solution: Obtain a valid User ID.
  • Possible cause: The password that you are using is not valid for the User ID.
    Solution: Obtain the correct password for that User ID.
  • Possible cause: Network problems are preventing your machine from communicating with the Windows machines that you are attempting to assess.
    Solution: Troubleshoot your network and verify that you have connectivity before attempting another assessment.
  • Possible cause: Troubleshoot your network and verify that you have connectivity before attempting another assessment.
    Solution: Verify that the machines exist on your network prior to attempting another assessment.

Symptom: The application will not install on my machine.

  • Possible cause: Insufficient disk space.
    Solution: Verify that you have 70MB of available disk space prior to installing Compliance Checker.

Symptom: The application will not run on my machine.

  • Possible cause: Required software is not present.
    Solution: Verify that you have Microsoft .NET 2.0 SP1 installed on your machine prior to installing Compliance Checker.
  • Possible cause: Browser settings are not configured properly.
    Solution: Verify that JavaScript is enabled in your web browser.

    In Internet Explorer:

      1. Click Tools | Internet Options.
      2. Select the Security tab.
      3. Click Custom Level.
      4. Under Scripting, select the Enable button for Active Scripting.
      5. Click OK.

    In Firefox:

      1. Click Tools | Options.
      2. Select the Contents tab.
      3. Select the Enable JavaScript checkbox.
      4. Click OK.
  • Possible cause: Insufficient disk space.
    Solution: Verify that you have 70MB of available disk space prior to installing Compliance Checker.

Symptom: The Summary Results View does not display correctly, or at all.

  • Possible cause: Required software is not present.
    Solution: Verify that you are using either Internet Explorer 7 or Firefox 2.x with JavaScript enabled prior to using Compliance Checker.

Symptom: I was able to verify my connections, but when I click Assess Compliance, I get an error message.

  • Possible cause: Insufficient privileges on your Windows machines.
    Solution: Verify that you have an administrative account with full permissions on the machines that you are attempting to evaluate. Verify that you are using a valid ID and password for that account.

Symptom: My reports are not printing correctly.

  • Possible cause: Print settings are set incorrectly.
    Solution:

    If you are using Internet Explorer:

      1. Click Tools | Internet Options.
      2. Select the Advanced tab.
      3. Under Printing, check the Print background colors and images box.

    If you are using Firefox 2.x:

      1. Click File | Page Setup.
      2. Select the Format & Options tab.
      3. Under Options, check the Print Background (colors & images) box.

Symptom: I am receiving an error message about Internet Explorer restricting the webpage from running scripts or ActiveX controls that could access my computer.

  • Possible cause: Internet Explorer is not configured to allow the content to run.
    Solution: Click on the error message, and then select the Allow Blocked Content... option. You must select this option each time you run the tool.

    Alternatively, you can make the following configuration change, so that you do not have to allow blocked content each time you run the tool.

      1. Click Tools | Internet Options.
      2. Select the Advanced tab.
      3. Under Security, check the option Allow active content to run in files on My Computer.
      4. Click OK.

Symptom: I receive an error message that the RPC server is unavailable.

(Error: Unable to write shared directory ADMIN$. Please check that share permissions for user homegreg are set up with Full Control permissions. Full error message: IWbemLocator::ConnectServer() Failed - Resource:\\10.100.50.5\root\cimv2 HRESULT 0x800706ba = The RPC server is unavailable.;)

  • Possible cause: The Windows Firewall for Windows XP or Windows Vista may not be properly configured.
    Solution: In the case of Windows XP or Vista, this may require additional steps if the firewall is enabled. See http://msdn.microsoft.com/en-us/library/aa389286(VS.85).aspx for more information.
 
     
 

Copyright © VMware, Inc. All rights reserved.