Windows 10 STIG Script

Download all the required files from the GitHub Repository

Note: This script should work for most, if not all, systems without issue. While @SimeonOnSecurity creates, reviews, and tests each repo intensively, we can not test every possible configuration nor does @SimeonOnSecurity take any responsibility for breaking your system. If something goes wrong, be prepared to submit an issue. Do not run this script if you don't understand what it does. It is your responsibility to review and test the script before running it.

Ansible:

We now offer a playbook collection for this script. Please see the following:

• Github Repo
• Ansible Galaxy

Introduction:

Windows 10 is insecure operating system out of the box and requires many changes to insure FISMA compliance. Organizations like Microsoft, Cyber.mil, the Department of Defense, and the National Security Agency have recommended and required configuration changes to lockdown, harden, and secure the operating system and ensure government compliance. These changes cover a wide range of mitigations including blocking telemetry, macros, removing bloatware, and preventing many physical attacks on a system.

Standalone systems are some of the most difficult and annoying systems to secure. When not automated, they require manual changes of each STIG/SRG. Totalling over 1000 configuration changes on a typical deployment and an average of 5 minutes per change equaling 3.5 days worth of work. This script aims to speed up that process significantly.

Notes:

• This script is designed for operation in Enterprise environments and assumes you have hardware support for all the requirements.
  • For personal systems please see this GitHub Repository
• This script is not designed to bring a system to 100% compliance, rather it should be used as a stepping stone to complete most, if not all, the configuration changes that can be scripted.
  • Minus system documentation, this collection should bring you up to about 95% compliance on all the STIGS/SRGs applied.

Requirements:

• [X] Windows 10 Enterprise is required per STIG.
• [X] Standards for a highly secure Windows 10 device
• [X] System is fully up to date
  • Run the Windows 10 Upgrade Assistant to update and verify latest major release.
• [X] Bitlocker must be suspended or turned off prior to implementing this script, it can be enabled again after rebooting.
  • Follow-up runs of this script can be run without disabling bitlocker.
• [X] Hardware Requirements
  • Hardware Requirements for Memory Integrity
  • Hardware Requirements for Virtualization-Based Security
  • Hardware Requirements for Windows Defender Application Guard
  • Hardware Requirements for Windows Defender Credential Guard

Recommended reading material:

• System Guard Secure Launch
• System Guard Root of Trust
• Hardware-based Isolation
• Memory integrity
• Windows Defender Application Guard
• Windows Defender Credential Guard

A list of scripts and tools this collection utilizes:

• Cyber.mil - Group Policy Objects
• Microsoft Security Compliance Toolkit 1.0

Additional configurations were considered from:

• Microsoft - Recommended block rules
• Microsoft - Recommended driver block rules
• Microsoft - Windows Defender Application Control
• NSACyber - Application Whitelisting Using Microsoft AppLocker
• NSACyber - Hardware-and-Firmware-Security-Guidance
• NSACyber - Windows Secure Host Baseline

STIGS/SRGs Applied:

• Adobe Acrobat Pro DC Continuous V2R1
• Adobe Acrobat Reader DC Continuous V2R1
• Firefox V5R2
• Google Chrome V2R4
• Internet Explorer 11 V1R19
• Microsoft Edge V1R2
• Microsoft .Net Framework 4 V1R9
• Microsoft Office 2013 V2R1
• Microsoft Office 2016 V2R1
• Microsoft Office 2019/Office 365 Pro Plus V2R3
• Microsoft OneDrive STIG V2R1
• Oracle JRE 8 V1R5
• Windows 10 V2R2
• Windows Firewall V1R7

How to run the script

Manual Install:

If manually downloaded, the script must be launched from the directory containing all the other files from the GitHub Repository

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Get-ChildItem -Recurse *.ps1 | Unblock-File
.\secure-standalone.ps1 

Automated Install:

The script may be launched from the extracted GitHub download like this:

iex ((New-Object System.Net.WebClient).DownloadString('https://simeononsecurity.ch/scripts/standalonewindows.ps1'))

Editing policies in Local Group Policy after the fact:

• Import the ADMX Policy definitions from this repo into C:\windows\PolicyDefinitions on the system you're trying to modify.
• Open gpedit.msc on on the system you're trying to modify.