Windows Server 2025 STIG Checklist

Hard 17 items · 3 hours
testuser Published 1 month ago

This checklist helps IT and security teams assess and harden Microsoft Windows Server 2025 using the DISA STIG guidance. It’s designed for administrators managing domain controllers and member/standalone servers in managed environments to scan, remediate, and maintain compliance.

Source: https://ncp.nist.gov/checklist/1324

  1. Download standalone XCCDF 1.1.4 for Microsoft Windows Server 2025 STIG — Get the DISA XCCDF package for automated scanning.
  2. Obtain the official STIG documents from DoD Cyber Exchange or public.cyber.mil — Retrieve STIGs, SRGs, and references for guidance.
  3. Inventory Windows Server 2025 hosts and classify each as domain controller or member/standalone — List hostnames, roles, OS builds, and IPs.
  4. Enroll servers in centralized management (e.g., SCCM, WSUS, or equivalent) — Ensure devices are managed for patching and configuration control.
  5. Scan servers with an XCCDF/SCAP tool using the downloaded STIG checklist — Run automated checks to identify configuration deviations.
  6. Review scan findings and prioritize high-severity issues — Triage by severity and mission impact before remediation.
  7. Remediate high-severity findings and document actions taken — Apply fixes, change configurations, or implement mitigations.
  8. Harden domain controllers — Apply DC-specific controls from the STIG to domain controllers.
  9. Apply DC-specific STIG settings (STIG IDs with 'DC' as second component) — Follow STIG items labeled for domain controllers.
  10. Verify AD replication, privileged account protections, and audit settings on DCs — Confirm replication, auditing, and privileged account controls are enforced.
  11. Harden member and standalone servers — Apply server-specific STIG controls for non-DC hosts.
  12. Apply MS-specific STIG settings to member/standalone servers (STIG IDs with 'MS') — Implement the controls designated for member servers.
  13. Configure centralized logging and forward security events to a SIEM — Ensure retention and centralized analysis of security logs.
  14. Implement patch management and verify systems meet DoDI 8500.01 requirements — Validate patch baselines and reporting across servers.
  15. Restrict administrative access and implement least privilege — Limit admin accounts and use privileged access management tools.
  16. Document exceptions, request waivers for justified deviations, and track approvals — Record rationale, compensating controls, and approval records.
  17. Schedule periodic reassessments and update controls when the STIG/NIST checklist is revised — Set recurring scans and review dates to maintain compliance.
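Steps 5 through 12 amount to one workflow: run the XCCDF/SCAP scan, keep only the failed rules, sort them by severity, and apply the DC-labelled items to domain controllers and the MS-labelled items to member/standalone servers. The script below is an added example written for this page, not code from TickYouOff, DISA or NIST. It parses an XCCDF 1.1 result document the way a triage tool would, reading the STIG ID from each rule's `<version>` element (DISA's convention) and classifying it by the second dash-separated component as described in steps 9 and 12. The embedded benchmark is a constructed sample: the `WN25-` prefix, the rule ids, titles and results are made up for illustration and are not the published STIG content.

```python
"""Triage failed XCCDF rule results by severity and host role (DC vs MS).

Added example for the checklist above; not DISA, NIST or TickYouOff code.
The XCCDF document below is constructed sample data, not a real benchmark.
"""
import xml.etree.ElementTree as ET

# XCCDF 1.1 namespace, matching the 1.1.4 package named in step 1.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# Lower rank sorts first; "info"/"unknown" are valid XCCDF severities too.
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed sample: a tiny benchmark plus a TestResult for one scanned host.
# STIG IDs follow the layout the checklist describes (second component DC or MS
# marks role-specific rules); the WN25- values are placeholders, not real IDs.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed-benchmark">
  <Group id="V-CONSTRUCTED-1">
    <Rule id="SV-CONSTRUCTED-1_rule" severity="high">
      <version>WN25-DC-000010</version>
      <title>(constructed) DC-only rule</title>
    </Rule>
  </Group>
  <Group id="V-CONSTRUCTED-2">
    <Rule id="SV-CONSTRUCTED-2_rule" severity="high">
      <version>WN25-MS-000020</version>
      <title>(constructed) member/standalone-only rule</title>
    </Rule>
  </Group>
  <Group id="V-CONSTRUCTED-3">
    <Rule id="SV-CONSTRUCTED-3_rule" severity="medium">
      <version>WN25-00-000030</version>
      <title>(constructed) rule common to all roles</title>
    </Rule>
  </Group>
  <Group id="V-CONSTRUCTED-4">
    <Rule id="SV-CONSTRUCTED-4_rule" severity="low">
      <version>WN25-AU-000040</version>
      <title>(constructed) audit rule, passes on this host</title>
    </Rule>
  </Group>
  <Group id="V-CONSTRUCTED-5">
    <Rule id="SV-CONSTRUCTED-5_rule" severity="medium">
      <version>WN25-SO-000050</version>
      <title>(constructed) security-option rule common to all roles</title>
    </Rule>
  </Group>
  <TestResult id="xccdf_result_constructed">
    <target>host01.example.test</target>
    <rule-result idref="SV-CONSTRUCTED-1_rule"><result>fail</result></rule-result>
    <rule-result idref="SV-CONSTRUCTED-2_rule"><result>fail</result></rule-result>
    <rule-result idref="SV-CONSTRUCTED-3_rule"><result>fail</result></rule-result>
    <rule-result idref="SV-CONSTRUCTED-4_rule"><result>pass</result></rule-result>
    <rule-result idref="SV-CONSTRUCTED-5_rule"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""


def load_rules(root):
    """Map each Rule's XCCDF id to its STIG ID, severity and title."""
    rules = {}
    for rule in root.iterfind(".//x:Rule", XCCDF_NS):
        version = rule.find("x:version", XCCDF_NS)
        title = rule.find("x:title", XCCDF_NS)
        rules[rule.get("id")] = {
            # DISA benchmarks carry the STIG ID in <version>; fall back to the rule id.
            "stig_id": version.text.strip() if version is not None and version.text else rule.get("id"),
            "severity": rule.get("severity", "unknown"),
            "title": title.text.strip() if title is not None and title.text else "",
        }
    return rules


def rule_scope(stig_id):
    """Second dash-separated component: DC -> domain controllers, MS -> member/standalone, else both."""
    parts = stig_id.split("-")
    component = parts[1].upper() if len(parts) > 1 else ""
    if component == "DC":
        return "dc"
    if component == "MS":
        return "ms"
    return "all"


def triage(xml_text, host_role):
    """Return failed, role-applicable findings sorted high -> low, then by STIG ID.

    host_role is "dc" or "ms" (from the inventory in step 3). Rules scoped to the
    other role are dropped so a wrongly chosen scan profile does not add noise.
    """
    root = ET.fromstring(xml_text)
    rules = load_rules(root)
    findings = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        result_el = rr.find("x:result", XCCDF_NS)
        result = result_el.text.strip() if result_el is not None and result_el.text else "unknown"
        if result != "fail":
            continue
        # Keep results for rules the benchmark does not define rather than dropping them silently.
        info = rules.get(rr.get("idref"), {"stig_id": rr.get("idref"), "severity": "unknown",
                                             "title": "(rule not defined in benchmark)"})
        if rule_scope(info["stig_id"]) not in ("all", host_role):
            continue
        findings.append({
            "stig_id": info["stig_id"],
            "severity": rr.get("severity", info["severity"]),  # rule-result may override
            "title": info["title"],
        })
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["stig_id"]))
    return findings


def summarize(findings):
    """Count findings per severity, for the prioritisation in step 6."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for role in ("dc", "ms"):
        found = triage(SAMPLE_RESULTS, role)
        print(f"role={role} summary={summarize(found)}")
        for f in found:
            print(f"  [{f['severity']}] {f['stig_id']} {f['title']}")
```

Run against a real scan, the `SAMPLE_RESULTS` string would be replaced by the result XML your SCAP tool writes, and `host_role` would come from the inventory built in step 3; the ordering gives the remediation queue for step 7, and the role filter keeps DC-only items off member servers and vice versa.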