TickYouOff
Back
🔒

Microsoft Windows Server 2016 STIG — Version 2, Release 10 Implementation Checklist

Medium 19 items · 4 hours
testuser's avatar
testuser Published 4 months ago

This checklist helps administrators implement the Microsoft Windows Server 2016 STIG (v2r10) on domain controllers and member servers. It’s aimed at system administrators, auditors, and IT teams responsible for hardening and maintaining DoD-aligned security baselines.

Source: https://ncp.nist.gov/checklist/753

Progress
0 / 19
  1. Download STIG content and resources — Get SCAP, XCCDF, GPO, SCC files and official resources from DISA.
  2. Verify checksums (SHA) for downloaded files — Confirm file integrity matches DISA-provided SHA values.
  3. Review STIG version and change history — Ensure Version 2, Release 10 applies and note recent updates.
  4. Inventory servers and map roles (DC vs member) — List hostnames, FQDNs, and whether each is DC, member server, or standalone.
  5. Backup system state and critical data — Create full backups and system state snapshots before changes.
  6. Import DISA GPOs into Active Directory — Import provided GPO packages and confirm successful import.
  7. Apply STIG baseline to domain controllers (DC) — Deploy DC-targeted baseline policies and scripts from the STIG.
  8. Enable DC-specific policies — Enable policies whose STIG IDs include 'DC'.
  9. Harden LDAP and Kerberos settings on DCs — Apply secure LDAP, Kerberos token lifetimes, and encryption policies.
  10. Verify DC auditing and logging — Ensure auditing policies, log retention, and forwarding are configured.
  11. Apply STIG baseline to member servers and standalone systems (MS) — Deploy member-server-targeted baseline settings from the STIG.
  12. Configure local security options per STIG — Adjust local policies that cannot be centrally applied via GPO.
  13. Disable unnecessary services and features — Stop and disable services listed as unnecessary in the STIG.
  14. Validate host firewall and network access rules — Confirm Windows Firewall profiles and allowed inbound rules match STIG.
  15. Run automated compliance scans (SCAP/SCC) — Scan targets with SCAP/SCC tools using the downloaded content.
  16. Review scan results and remediate findings — Triage high-severity findings first and apply fixes per STIG guidance.
  17. Re-run scans and confirm remediation — Verify previously identified findings are resolved after fixes.
  18. Document implemented settings and update asset records — Record GPO versions, applied changes, and updated SHA values.
  19. Schedule regular STIG updates and GPO refresh — Subscribe to DISA updates and plan periodic reviews.
Sign in to save
📝 My Notes