TickYouOff
Back
🔒

Windows Server 2019 STIG Implementation Checklist

Hard 21 items · 4 hours
testuser's avatar
testuser Published 4 months ago

This checklist helps IT teams implement the DISA Windows Server 2019 STIG (Ver 3, Rel 7) to improve system security and compliance. It’s designed for system administrators and security engineers managing domain controllers, member servers, and standalone Windows Server 2019 systems.

Source: https://ncp.nist.gov/checklist/914

Progress
0 / 21
  1. Inventory target servers and roles — List domain controllers, member servers, standalone systems, and their OS builds.
  2. Download official STIG resources from DISA — Obtain authoritative files before making changes.
  3. Download SCAP 1.3 content (STIG SCAP Benchmark Ver 3, Rel 7) — Get the SCAP 1.3 package used for automated scanning.
  4. Download Standalone XCCDF files (Chef/XCCDF releases) — Grab XCCDF artifacts for manual or tool-based assessment.
  5. Download GPO package and latest GPO updates — Retrieve Group Policy Objects provided by DISA for deployment.
  6. Verify SHA checksums for downloaded resources — Confirm file integrity before use.
  7. Apply latest Windows updates and security patches — Install OS and security updates before hardening.
  8. Baseline systems using a SCAP-capable scanner — Run SCAP scans with the downloaded content to identify deviations.
  9. Review SCAP/XCCDF scan findings and map to STIG IDs — Triage findings by severity and STIG identifier.
  10. Remediate high-severity vulnerabilities — Prioritize fixes for critical findings first.
  11. Implement STIG Group Policy Objects on domain or local GPOs — Apply DISA-provided GPOs or map STIG settings to existing policies.
  12. Test GPOs in a non-production lab — Validate effects and user impact before wide deployment.
  13. Deploy GPOs to a pilot OU and monitor — Roll out to a small group, verify logs and functionality.
  14. Configure account and authentication policies per STIG — Set password, lockout, and MFA recommendations where applicable.
  15. Enable and configure Windows Firewall and network protections — Enforce inbound/outbound rules and secure RDP/management ports.
  16. Harden audit and logging settings and forward logs to SIEM — Ensure audit policies capture needed events and centralize logs.
  17. Create backups of GPOs and system configurations — Export GPOs and snapshot configurations before changes.
  18. Document changes and record resource versions and SHA — Track applied fixes, GPO versions, SCAP/SHA values, and dates.
  19. Subscribe to DISA STIG updates and review change history monthly — Monitor DISA releases, SHA updates, and GPO revisions.
  20. Schedule regular rescans and compliance checks — Plan periodic scans to detect regressions or drift.
  21. Train administrators on STIG requirements and change procedures — Ensure staff know how to test, deploy, and roll back changes.
Sign in to save
📝 My Notes