  • Stars: 140
  • Rank: 261,473 (Top 6 %)
  • Language: PowerShell
  • License: MIT License
  • Created about 4 years ago
  • Updated 4 months ago


Repository Details

Create a compliant and secure Windows 10/11 system with our Gold Master image creation tool. Adhere to DoD STIG/SRG Requirements and NSA Cybersecurity guidance for standalone Windows systems with ease, using our ultimate STIG script.

Windows 10 and 11 STIG Script


Download all the required files from the GitHub Repository

Note: This script should work for most, if not all, systems without issue. While @SimeonOnSecurity creates, reviews, and tests each repo intensively, we cannot test every possible configuration, nor does @SimeonOnSecurity take any responsibility for breaking your system. If something goes wrong, be prepared to submit an issue. Do not run this script if you don't understand what it does. It is your responsibility to review and test the script before running it.

Ansible:

We now offer a playbook collection for this script. Please see the following:

Docker:

We test this script using an automated docker container

Introduction:

Windows is an insecure operating system out of the box and requires many changes to ensure FISMA compliance. Organizations like Microsoft, Cyber.mil, the Department of Defense, and the National Security Agency have recommended and required configuration changes to lock down, harden, and secure the operating system and ensure government compliance. These changes cover a wide range of mitigations, including blocking telemetry and macros, removing bloatware, and preventing many physical attacks on a system.

Standalone systems are some of the most difficult and annoying systems to secure. When not automated, they require manual changes for each STIG/SRG, totalling over 1000 configuration changes on a typical deployment. At an average of 5 minutes per change, that equals 3.5 days' worth of work. This script aims to speed up that process significantly.

Notes:

  • This script is designed for operation in Enterprise environments and assumes you have hardware support for all the requirements.
  • This script is not designed to bring a system to 100% compliance, rather it should be used as a stepping stone to complete most, if not all, the configuration changes that can be scripted.
    • Minus system documentation, this collection should bring you up to about 95% compliance on all the STIGs/SRGs applied.

Requirements:

Recommended reading material:

A list of scripts and tools this collection utilizes:

Additional configurations were considered from:

STIGs/SRGs Applied:

Editing policies in Local Group Policy after the fact:

  • Import the ADMX Policy definitions from this repo into C:\windows\PolicyDefinitions on the system you're trying to modify.
  • Open gpedit.msc on the system you're trying to modify.

How to run the script:

Automated Install:

The script may be launched from the extracted GitHub download like this:

iex ((New-Object System.Net.WebClient).DownloadString('https://simeononsecurity.ch/scripts/standalonewindows.ps1'))

Note: This installation version installs all of the configurations. If you seek to customize it, please use the Manual Install.

Chocolatey Install:

Assuming you have Chocolatey installed. You may install this script via the following command:

choco install standalone-windows-stig

Or view the package on the Chocolatey Repo.

Note: The Chocolatey version of this script may lag behind this repo by multiple major versions. We update it sparingly, but stably. Additionally, this version will install all of the configurations. If you seek to customize it, please use the Manual Install.

Manual Install:

If manually downloaded, the script must be launched from the directory containing all the other files from the GitHub Repository.

All of the parameters in the "secure-standalone.ps1" script are optional, with a default value of $true. This means that if no value is specified for a parameter when the script is run, it will be treated as if it were set to $true.

The script takes the following parameters, all of which are optional and default to $true if not specified:

  • cleargpos: (Boolean) Clear GPOs not being used
  • installupdates: (Boolean) Install updates and reboot if necessary
  • adobe: (Boolean) STIG Adobe Reader
  • firefox: (Boolean) STIG Firefox
  • chrome: (Boolean) STIG Chrome
  • IE11: (Boolean) STIG Internet Explorer 11
  • edge: (Boolean) STIG Edge
  • dotnet: (Boolean) STIG .NET Framework
  • office: (Boolean) STIG Office
  • onedrive: (Boolean) STIG OneDrive
  • java: (Boolean) STIG Java
  • windows: (Boolean) STIG Windows
  • defender: (Boolean) STIG Windows Defender
  • firewall: (Boolean) STIG Windows Firewall
  • mitigations: (Boolean) STIG Mitigations
  • nessusPID: (Boolean) Resolve Unquoted Strings in Path
  • horizon: (Boolean) STIG VMware Horizon

An example of how to run the script with all default parameters would be:

.\secure-standalone.ps1

If you want to specify a different value for one or more of the parameters, you can include them in the command along with their desired value. For example, if you wanted to run the script and set the $firefox parameter to $false, the command would be:

.\secure-standalone.ps1 -firefox $false

You can also specify multiple parameters in the command like this:

.\secure-standalone.ps1 -firefox $false -chrome $false

Note that in this example, both the Firefox and Chrome parameters are set to $false.
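
A pre-flight wrapper for the manual install, as an added example that is not part of the repository: it records SHA-256 hashes of the extracted scripts, checks that every parameter you intend to pass is actually declared by secure-standalone.ps1, and logs the run with a transcript. The log and hash file paths, the choice of options, and the requirement for an elevated session are assumptions made for illustration.

```powershell
#Requires -Version 5.1
# Added example (not from the repository). Run it from the directory that holds
# the extracted repository. Elevation is assumed to be required because the
# script changes machine-wide policy.
$ErrorActionPreference = 'Stop'
$script = Join-Path (Get-Location) 'secure-standalone.ps1'
if (-not (Test-Path -LiteralPath $script)) {
    throw "secure-standalone.ps1 not found in $(Get-Location); extract the full repository first."
}

# 1. Confirm the session is elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start PowerShell as Administrator before applying the configuration.'
}

# 2. Record what is about to run so the reviewed copy can be matched later.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$hashLog = Join-Path $env:TEMP "stig-hashes-$stamp.csv"   # illustrative path
Get-ChildItem -Path . -Recurse -File -Include *.ps1, *.psm1 |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv -Path $hashLog -NoTypeInformation

# 3. Choose which sections to skip; anything not listed keeps its $true default.
$options = @{
    firefox        = $false
    chrome         = $false
    installupdates = $false   # illustrative: patch separately, no reboot mid-run
}

# 4. Reject misspelled names by comparing against the script's own param block.
$declared = @((Get-Command -Name $script).Parameters.Keys)
$unknown  = @($options.Keys | Where-Object { $_ -notin $declared })
if ($unknown.Count -gt 0) {
    throw "Not declared by secure-standalone.ps1: $($unknown -join ', ')"
}

# 5. Run with a transcript so every change is captured for the system record.
Start-Transcript -Path (Join-Path $env:TEMP "stig-run-$stamp.log")   # illustrative path
try {
    & $script @options
}
finally {
    Stop-Transcript
}
```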

 

