STIGing Standalone Windows Systems
Table of Contents
STIGing Standalone Windows 10 Systems
Download all the required files from the GitHub Repository
We are seeking help with the following .Net issue
Introduction:
Windows 10 is insecure operating system out of the box and requires many changes to insure FISMA compliance. Organizations like Microsoft, Cyber.mil, the Department of Defense, and the National Security Agency have recommended and required configuration changes to lockdown, harden, and secure the operating system and ensure government compliance. These changes cover a wide range of mitigations including blocking telemetry, macros, removing bloatware, and preventing many physical attacks on a system.
Standalone systems are some of the most difficult and annoying systems to secure. When not automated, they require manual changes of each STIG/SRG. Totalling over 1000 configuration changes on a typical deployment and an average of 5 minutes per change equaling 3.5 days worth of work. This script aims to speed up that process significantly.
Notes:
- This script is designed for operation in Enterprise environments and assumes you have hardware support for all the requirements.
- For personal systems please see this GitHub Repository
- This script is not designed to bring a system to 100% compliance, rather it should be used as a stepping stone to complete most, if not all, the configuration changes that can be scripted.
- Minus system documentation, this collection should bring you up to about 95% compliance on all the STIGS/SRGs applied.
Requirements:
- Windows 10 Enterprise is Required per STIG.
- Standards for a highly secure Windows 10 device
- System is fully up to date
- Currently Windows 10 v1909 or v2004.
- Run the Windows 10 Upgrade Assistant to be update and verify latest major release.
- Hardware Requirements
Recommended reading material:
- System Guard Secure Launch
- System Guard Root of Trust
- Hardware-based Isolation
- Memory integrity
- Windows Defender Application Guard
- Windows Defender Credential Guard
A list of scripts and tools this collection utilizes:
Additional configurations were considered from:
STIGS/SRGs Applied:
Microsoft .Net Framework 4 V1R9 - Work in Progress
How to run the script
The script may be lauched from the extracted GitHub download like this:
.\secure-standalone.ps1
The script we will be using must be launched from the directory containing all the other files from the GitHub Repository