Security Configuration Scenarios

BigFix provides the capability to follow the NIST security standards by configuring an enhanced security option.

This setting enables SHA-256 as the hashing algorithm for digital signatures as well as content verification. It also enables the TLS 1.2 communication among the BigFix components.

You can set the enhanced security option only after you install or upgrade all the BigFix components.

Note: When you set this option you configure a very restricted security environment and the product performance might get worse. You can enable or disable this security setting at any time by editing the masthead file. For additional information see Editing the Masthead on Windows systems and Editing the Masthead on Linux systems.

In addition to the enhanced security setting, you can set a check for verifying the file download integrity using the SHA-256 algorithm. If you do not set this option, the file download integrity check is run using the SHA-1 algorithm. This option can be set only if you set the enhanced security option and, therefore, only if all the BigFix components are V10 or above.

In a complex environment, you can enable the enhanced security option, only after all the DSA servers are upgraded to BigFix V10 or above and have got a new license.

Important: When needed, you can run a disaster recovery regardless of the enhanced security option setting. For additional information see Running backup and restore.