Windows 10 stig script For personal systems please see this GitHub Repository ⁠ This script is not designed to bring a system to 100% compliance, rather it should be used as a stepping stone to complete For people who deal with STIGs, have you found a way to automate the process? By this I mean a python script that will compare a config file to the checklist and fill it out for you? Just wondering if there is an easier way to do STIGs than by manually doing checks. View Next Version Enhance the security and privacy of your Windows 10 and Windows 11 deployments with our fully optimized, hardened, and debloated script. Why Use Ansible for STIG Automation? When it comes to STIG compliance, Ansible shines due to its: Scalability: Automate configurations for hundreds of systems simultaneously. You're still going to need a tool to assess compliance after applying the benchmarks to find errors and failures and remediate. Newly Released STIGs:Sort By: Feb 17, 2025 · As a Cybersecurity Support Analyst Intern, I developed custom PowerShell remediation scripts to address Windows 10 vulnerabilities using Defense Information Systems Agency Security Technical Dec 29, 2022 · The PowerStig module provides a set of PowerShell classes to access DISA STIG settings extracted from the xccdf. Feb 11, 2023 · Discover a collection of STIG scripts to automate security compliance for Windows and popular applications, including . Jun 27, 2022 · The PowerStig module provides a set of PowerShell classes to access DISA STIG settings extracted from the xccdf. Newly Released STIGs:Sort By: STIG releases always contain changes, it is highly recommended to review the new references and available variables. May 23, 2025 · Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> "Turn on PowerShell Transcription" to "Enabled". NET Framework STIG with this PowerShell script, modifying the machine. Sep 8, 2020 · Make your Windows Domain compliant with STIGs and SRGs using SimeonOnSecurity's GPOs, and enhance security with NSACyber, Whonix, CERT, and Dirteam configurations. Requisitos: Windows 10 Apr 29, 2025 · DISA Windows 10 STIG v3r2 Warning! Audit Deprecated This audit file has been deprecated and will be removed in a future update. stig_spt@mail. However, I used a simple metric to cutdown the number of choices: Did I have the software/hardware in use on a system I used? This was because I wanted to implement the STIGs across all the systems I used and maintained. The module provides a unified way to access the parsed STIG data by enabling the concepts of: 1. - Ansible Lockdown The Firefox V4R29 isn't the easiest of STIGs to apply. View Next Version Automate your hardening efforts for STIG using Group Policy Objects (GPOs) for Microsoft Windows and Bash shell scripts for Unix and Linux environments. Exceptions (overriding and auto-documenting) 2. MIT LicenseActive Looking for Contributors Stars 148 Committers 1 View Code on GitHub Visit Website View on X Ecosystems Create a compliant and secure Windows 10/11 system with our Gold Master image creation tool. In particular I'm configuring the DISA STIGs (Security Technical Implementation Guides (STIGs) – DoD Cyber Exchange) for Windows 10 and 11. x and STIG-SRG Applicability Guide. 1. With it only being 3 months old for the Windows 11 STIGs I'd say there probably isn't a ton of readily available scripts for it. Enhance the security and privacy of your Windows 10 and Windows 11 deployments with our fully optimized, hardened, and debloated script. inf) files, Registry Policy (registry. View Next Version Dec 7, 2023 · Microsoft’s Local Group Policy Object (LGPO) utility is a standalone command-line executable that assists administrators in automating the management of a computer’s local security policy. pol) files, and Audit Policy (audit. Automate Windows Defender STIG to 100% Compliance. This reduced the options to 4: Windows 10 Windows 11 Firefox Windows Create your own Gold Master image. INTRODUCTION STIG Viewer Version 3. Fix: F-22401r554577_fix Use Windows 10 Enterprise 64-bit version for domain-joined systems. Online STIG viewerMicrosoft Windows 10 STIG V2R9View as one page Jun 4, 2025 · SRG / STIG Library Compilations The SRG/STIG Library Compilation comprises all DOD Security Requirements Guides (SRGs) and DOD Security Technical Implementation Guides (STIGs) housed on Cyber Exchange. The intent of this User Guide is to assist in navigating version 3. NET, Adobe Reader DC, and Oracle JRE 8. You may also notice that I set the data type to String instead of Bool for some of these. Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest. The DoD department DISA has recently allowed public view to some newer Windows STIGs (Security Technical Implementation Guidelines). Standalone systems are some of the most difficult and annoying systems to secure. Feb 11, 2023 · Discover a collection of scripts and configurations to optimize and harden your systems, making them STIG compliant and hacking resistant. Security Technical Implementation Guides (STIGs) "Due to the delay caused by the recent Federal government furlough, we are executing an out-of-cycle release update for this October quarterly release cycle for the stigs and automation content. io, Microsoft, Cyber. PowerShell • 125 stars awesome-stigs May 14, 2025 · The Windows 11 STIG Hardening script provides a robust security foundation for MAC 3 Public compliance, ensuring protection against vulnerabilities while maintaining usability. Apr 6, 2023 · How to Harden your Windows 11 using STIG and OpenSCAP Introduction: First of all, what is a STIG? STIG, or Security Technical Implementation Guide, is a guide maintained by the Defense Information … Jan 20, 2019 · PowerShell based STIG Scanner. This article gives an overview of DISA STIG compliance tools. If data at rest is unencrypted, it is vulnerable to disclosure. View Select any old version/release of this STIG to view the previous requirements Nov 15, 2020 · Enhance your security with the Windows Defender STIG PowerShell script, which automates compliance with the Windows Defender Antivirus V1R9 STIG guidelines. This project demonstrates how to identify and remediate a Windows 10 DISA STIG finding using Tenable Vulnerability Management and PowerShell scripting. Hardening a server with a one size fits all script is impossible anyhow. Create a compliant and secure Windows 10/11 system with our Gold Master image creation tool. The finding in question, WN10-SO-000100, relates to enforcing SMB packet signing on the Windows SMB client to prevent man-in-the-middle attacks. Each script is named after the STIG ID it remediates and follows structured formatting for clarity, auditability, and automation. Aug 26, 2020 · GitHub Repository Este script não foi projetado para levar um sistema a 100% de conformidade, mas deve ser usado como um trampolim para concluir a maioria, se não todas, as alterações de configuração que podem ser roteirizadas. To find out if your web browser supports JavaScript or to enable JavaScript, see web browser help. x is a replacement for the previous DISA tools STIG Viewer 2. config file and applying required registry changes for FIPS and other controls. Adhere to DoD STIG/SRG Requirements and NSA Cybersecurity guidance for standalone Windows systems with e Windows 11 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest. Oct 25, 2025 · You can't clearly harden a Windows server with a script that's meant for a Windows client. Jul 23, 2020 · Evaluation Let’s recap what was done in our example: the Windows 10 STIG XCCDF file was dropped into the STIG Repository, and then a template script was created so that an applicability test and checks could be added for that STIG into the Test Repository. Scripts were created in response to Tenable scan findings and validated th Update PowerSTIG to Parse/Apply Microsoft Windows 10 STIG - Ver 2, Rel 9 #1342 Update PowerSTIG to Parse/Apply Microsoft Windows Server 2016 STIG - Ver 2, Rel 8 #1340 This repository contains PowerShell scripts developed to implement specific Windows 11 security controls, based on guidance from STIGAVIEW, which references DISA STIGs (Security Technical Implementation Guides). Download CIS Build Kits Nov 15, 2024 · The Microsoft Windows 11 STIG Profile uses the InSpec open-source compliance validation language to support automation of the required compliance, security and policy testing for Assessment and Authorization (A&A) and Authority to Operate (ATO) decisions and Continuous Authority to Operate (cATO) processes. The purpose of STIG Viewer is to provide an intuitive graphical user interface that allows ease of access to the STIG content, along with additional search and sort functionality. PowerShell includes a command-line shell, object-oriented scripting language, and a set of tools for executing scripts/cmdlets and managing modules. This document is meant for use in conjunction with other applicable STIGs, such as, but not limited to, Browsers, Antivirus, and other desktop applications. Windows 10 and Windows 11 are invasive and insecure operating system out of the box. Organizations like PrivacyTools. Jul 29, 2025 · Windows 11 STIG Compliance Automation A comprehensive collection of PowerShell scripts to automate Windows 11 STIG (Security Technical Implementation Guide) compliance remediation. This script will bring you up to 100% compliance minus 2 checks Nov 27, 2023 · Enhance the security and compliance of your standalone Windows servers with our STIG script, specifically designed to meet DoD STIG/SRG requirements and NSACyber guidance. csv) files to apply desired configuration settings to targeted Aug 29, 2025 · This document is meant for use in conjunction with other STIGs, such as the Windows Defender Antivirus STIG, Microsoft Edge STIG, MS OneDrive STIG, and appropriate operating system STIGs. Organizational settings to address STIG rules that have allowable ranges In particular I'm configuring the DISA STIGs (Security Technical Implementation Guides (STIGs) – DoD Cyber Exchange) for Windows 10 and 11. Enhance the security and compliance of your standalone Windows servers with our STIG script, specifically designed to meet DoD STIG/SRG requirements and NSACyber guidance. 5 days worth of work. The ultimate Windows 10 security and compliance script! - BlogPope To find out if your web browser supports JavaScript or to enable JavaScript, see web browser help. Achieve ultimate Windows Apr 26, 2022 · Streamline your security compliance with Ansible STIG Playbooks for Windows systems. Completely STIG Standalone Windows Systems to DoD STIG/SRG Requirements and NSACyber Guidance. Menos a documentação do sistema, esta coleção deve trazer até cerca de 95% de conformidade em todos os STIGS/SRGs aplicados. When not automated, they require manual changes of each STIG/SRG. These scripts facilitate the automation of STIG compliance for Windows environments The Windows 10 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Sep 9, 2020 · Learn how to automate STIGing Windows Server 2012, 2016, and 2019 with the Windows STIG Script, ensuring compliance with various organizations' recommendations and requirements. This has changed significantly since the initial release of ansible-lockdown. Jan 26, 2025 · Remediation: PowerShell scripts Security Baselines: Windows 10 DISA STIG Template 📌 Why These Tools? Nessus + DISA STIG ensures industry-grade compliance scanning. StigRepo identifies the systems in your Active Directory and/or Azure environment, identifies which software needs Feb 2, 2023 · Discover how to create a secure and compliant Windows system with the easy-to-use Standalone-Windows-STIG-Script, an informative article with step-by-step instructions and detailed parameter explanations. Lockdown is a security baseline automation project sponsored by Tyto Athene. Mar 31, 2025 · Picking a STIG Given the number of STIGs, one might be overwhelmed and get into decision paralysis. Nov 26, 2024 · Unlike traditional scripts, Ansible uses a declarative language in its playbooks, making it accessible even to beginners. Apr 23, 2020 · The Microsoft Windows 10 STIG Profile uses the InSpec open-source compliance validation language to support automation of the required compliance, security and policy testing for Assessment and Authorization (A&A) and Authority to Operate (ATO) decisions and Continuous Authority to Operate (cATO) processes. The tool uses a combination of Group Policy Template (GptTmpl. trueIf your org has access to the CIS build kit you can grab the GPO files then utilize LGPO from the Security and Compliance tool kit to apply the CIS benchmarks similar to how you would with STIGS. Standalone-Windows-Server-STIG-Script : A script for implementing STIG configurations on standalone Windows servers. mil, the Department of Defense, and the National Security Agency have recommended configuration changes to lockdown, harden, and secure the operating system. Contribute to michalzobec/PS-STIG-Scanner development by creating an account on GitHub. Totalling over 1000 configuration changes on a typical deployment and an average of 5 minutes per change equaling 3. PowerShell is a cross-platform (Windows, Linux, and macOS) automation tool and configuration framework optimized for dealing with structured data (e. Adhere to industry best practices and Department of Defense STIG/SRG requirements for optimal performance and security. Excluded are Security Readiness Review (SRR) Tools (scripts and OVAL Benchmarks), Group Policy Objects, and draft SRGs and STIGs. These tools allow for customization and use a STIG-centric approach. This repository provides ready-to-use scripts for addressing 40 common security configuration failures identified by vulnerability scanners like Tenable. This does come with pre-requisites which it configures the system accordingly. Enabling PowerShell script block logging will record detailed information from the processing of PowerShell commands and scripts. Contribute to simeononsecurity/Windows-Defender-STIG-Script development by creating an account on GitHub. STIG ID: WN10-CC-000326 | SRG: SRG-OS-000042-GPOS-00020 | Severity: medium | CCI: CCI-000135 | Vulnerability Id: V-220860 Mar 1, 2023 · NIST Windows 10 STIG (Security Technical Implementation Guide) Checklist is a tool created to improve the security of USA Department of Defense (DoD) information systems. This is now compatible with python3 if it is found to be the default interpreter. Jun 19, 2023 · In this blog post, we will explore the latest CIS Benchmark and STIG (Security Technical Implementation Guide) as authoritative references for creating a comprehensive security baseline for Windows 10. This script will bring you up to 100% compliance minus 2 checks To find out if your web browser supports JavaScript or to enable JavaScript, see web browser help. Jun 27, 2023 · The PowerStig module provides a set of PowerShell classes to access DISA STIG settings extracted from the xccdf. md at master · Virtual0ps/standalone-windows-stig-script Feb 25, 2025 · Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. This will show which STIGs are mapped and which are not and more detail about each GPO. Aug 20, 2020 · Easily implement the . This script is not designed to bring a system to 100% compliance, rather it should be used as a stepping stone to complete most, if not all, the configuration changes that can be scripted. ), REST APIs, and object models. Fix Recommendation Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> "Turn on PowerShell Script Block Logging" to "Enabled". For Testing Purposes Only Github ⁠ Documentation ⁠ Windows 10 and 11 STIG Script This script is designed for operation in Enterprise environments and assumes you have hardware support for all the requirements. 17 votes, 38 comments. Aug 6, 2025 · STIG Content for Configuration Management Tools This content leverages Configuration Management tools to enforce STIG requirements. We created these guides to highlight the help that STIGs can be in… Fix Recommendation Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives "Require additional authentication at startup" to "Enabled" with "Configure TPM Startup PIN:" set to "Require startup PIN with TPM" or with "Configure TPM startup key and PIN:" set to "Require startup key and PIN windows checklist security registry cis powershell audit windows-10 windows-server compliance hardening defense stig sisyphus blueteam bsi windows-11 security-baseline windows-hardening Updated 2 days ago PowerShell Oct 8, 2023 · PowerShell • 20 stars Standalone-Windows-STIG-Script Create a compliant and secure Windows 10/11 system with our Gold Master image creation tool. Each script focuses on a single control, uses a modular structure, and includes optional toggles for lab testing or demonstration Enhance the security and compliance of your standalone Windows servers with our STIG script, specifically designed to meet DoD STIG/SRG requirements and NSACyber guidance. The StigRepo module accelerates cloud readiness and system hardening through building a repository to automate and customize configurations that are compliant with Security Technical Implementation Guides (STIGs) owned and released by the Defense Information Systems Agency (DISA). Windows Hardening and Debloating Scripts and Tools Create your own Gold Master image. If you're using plaintext WinRM this collection will break your communication with your windows hosts. The ultimate Windows 10 security and compliance script! - GitHub - Feb 25, 2025 · Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> "Turn on PowerShell Script Block Logging" to "Enabled". Organizational settings to address STIG rules that have allowable ranges To find out if your web browser supports JavaScript or to enable JavaScript, see web browser help. Nov 15, 2024 · The Microsoft Windows 11 STIG Profile uses the InSpec open-source compliance validation language to support automation of the required compliance, security and policy testing for Assessment and Authorization (A&A) and Authority to Operate (ATO) decisions and Continuous Authority to Operate (cATO) processes. - standalone-windows-stig-script/README. 40MB) Published: 05 Dec, 2024 This repository contains PowerShell scripts developed by Pukar Kafley to remediate specific DISA STIG vulnerabilities for Windows 10 systems. This in mind, this collection enforces changes that enforce WinRM over HTTPs. By implementing the recommendations outlined in these benchmarks, organizations can enhance their Windows 10 security posture effectively. However windows security is not a easy quick task and can be extremely time consuming. Overview This repository demonstrates the full remediation of Windows 10 DISA STIG vulnerabilities using custom-developed PowerShell scripts, with remediation steps executed and validated in a dedicated Windows 10 virtual machine. Organizational settings to address STIG rules that have allowable ranges . Even if the operating system enforces permissions on data access, an adversary can rem Aug 26, 2020 · Learn how to automate the STIGing process of Windows 10 systems with the Standalone Windows STIG Script, saving time and improving efficiency for securing standalone systems in enterprise environments. Comments or proposed revisions to the content below should be sent via email to the following address: disa. For DoD systems, the Defense Information Systems Agency (DISA) imposes another layer of requirements, known as the "Security Technical Implementation Guide," or STIG. STIG ID: WN11-00-000030 | SRG: SRG-OS-000404-GPOS-00183 | Severity: high | CCI: CCI-002475 | Vulnerability Id: V-253259 Aug 13, 2023 · Optimize, Harden, and Debloat Windows 10 and Windows 11 Deployments windows-optimize-harden-debloat test docker container Introduction:Windows 10 and Windows Dec 5, 2024 · Using PowerShell and Other Command Line Tools for Windows 11 STIG Compliance (PDF, 0. Achieve ultimate Windows Server protection with our easy-to-use script. Checklist Summary: The Windows 10 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Further details can be seen in the Changelog Dec 29, 2022 · The PowerStig module provides a set of PowerShell classes to access DISA STIG settings extracted from the xccdf. Though there definitely is some 3rd party stuff ready to go. Organizational settings to address STIG rules that have allowable ranges Windows 10 and 11 STIG Script Download all the required files from the GitHub Repository Note: This script should work for most, if not all, systems without issue. Jun 10, 2021 · We will select the second STIG, DoD Windows 10 STIG Computer v2r2, by clicking on the blue 87% under MDM Support. This script aims to speed up that process significantly. Mar 11, 2025 · Security Technical Implementation Guides (STIGs) are configuration standards developed by the Defense Information Systems Agency (DISA) to ensure the security of Department of Defense (DoD) information systems. x and describe functionalities from a user perspective. STIG Viewer 3 integrates the capabilities of two previous DISA tools: STIG Viewer 2 and the STIG-SRG Applicability Guide. Read the following for more information: Ansible - Setting up a Windows STIG releases always contain changes, it is highly recommended to review the new references and available variables. pdf (123kb, pdf) If you encounter any issues downloading these files, contact us. JSON, CSV, XML, etc. Adhere to DoD STIG/SRG Requirements and NSA Cybersecurity guidance for standalone Windows systems with ease, using our ultimate STIG script. Nov 15, 2020 · Learn how to enhance Windows 10 security with a PowerShell script that hardens Windows Defender Antivirus, implementing all the requirements of the Windows Defender Antivirus STIG V2R1. Windows 11 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest. Apr 7, 2022 · Many IT teams are familiar with federal government compliance standards, such as the NIST reference guides, FISMA, SOX, HIPAA, PCI, and others. Specify the Transcript output directory to point to a Central Log Server or another secure location to prevent user access. Get an email when there's a new version of Standalone-Windows-STIG-Script This project contains PowerShell scripts developed to bring Windows 10 systems into alignment with the DISA STIG baseline. STIG ID: WN11-00-000030 | SRG: SRG-OS-000404-GPOS-00183 | Severity: high | CCI: | Vulnerability Id: V- 253259 Nov 5, 2018 · Since Windows is a commonly used insecure OS even when not in the cloud having a instance of it in the cloud is risky. Requires you have secure WinRM over HTTPS already configured on your Windows Systems STIGs mandate you have WinRM over HTTPs if you use WinRM. Hey Everyone, We finished the crosswalk for CMMC to STIGs for Windows 10. Ignoring a single or entire class of rules (auto-documenting) 3. Apr 29, 2025 · DISA Windows 11 STIG v2r2 Warning! Audit Deprecated This audit file has been deprecated and will be removed in a future update. Apr 29, 2025 · DISA Windows 10 STIG v3r2 Warning! Audit Deprecated This audit file has been deprecated and will be removed in a future update. This can provide additional detail when malware has run on a system. mil Feb 25, 2025 · Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> "Turn on PowerShell Transcription" to "Enabled". Adhere to industry best practices and Department of Defense Dec 29, 2020 · This comprehensive guide provides step-by-step instructions on how to optimize, harden, and debloat your Windows system for improved performance, security, and privacy. Reason I ask is our network is about to grow and we are going from one router, one firewall, 3 core switches to about 5-10 Sep 16, 2025 · SCAP Content Repository Last Updated: 9/17/2025 0735EST NIWC Repository Statistics niwc-content-repository-stats_09-16-2025. g. KNOWN ISSUES ------------ Windows 10 10 Admnistrative Template Device Configuration Profile - DoD Windows 10 STIG vXrX Admnistrative Templates STIG ID WN10-CC-000052 Windows 10 must be configured to prioritize ECC Curve with longer key lengths first setting has been removed from JSON file. Download our step-by-step checklist to secure your platform: An objective, consensus-driven security guideline for Microsoft Windows Desktop. On your Windows 10 system that you want to evaluate, run this: PS> Import-Module Online STIG viewerPowerShell script block logging must be enabled on Windows 10. Standalone-Windows-STIG-Script Create a compliant and secure Windows 10/11 system with our Gold Master image creation tool.