
Windows 10 STIG Checklist

Hard 19 items · 3 hours
testuser Published 1 month ago

This checklist guides IT staff and administrators through implementing the Microsoft Windows 10 STIG (Version 3, Release 7) to improve endpoint security and compliance. It covers downloading resources, assessing systems, applying GPOs/Intune policies, remediation, and ongoing maintenance.

Source: https://ncp.nist.gov/checklist/629

  1. Download the Microsoft Windows 10 STIG and associated resources — Get SCAP 1.3 content, GPO packages, Intune policies, and SCC automated content.
  2. Review the STIG version, release notes, and change history — Confirm Version 3, Release 7 and recent updates or resource sunsets.
  3. Identify target systems and confirm Windows 10 edition — Document which endpoints are Enterprise vs Professional and domain-joined.
  4. Back up system images and critical data before changes — Create restore points or full image backups to prevent data loss.
  5. Import GPOs into Active Directory — Load the provided GPO package and link to appropriate OUs.
  6. Import and assign Intune policies to enrolled devices — Use the provided Intune policy package for mobile/modern-managed endpoints.
  7. Load and run SCC automated content to baseline systems — Use SCC content to automate baseline checks where available.
  8. Scan endpoints with the SCAP 1.3 benchmark for STIG compliance — Run SCAP benchmark scans to produce detailed compliance findings.
  9. Review scan results and prioritize remediation tasks — Categorize findings by severity and impact before fixing.
  10. Remediate high-severity findings (patches, configs, disable services) — Apply fixes for critical items first, then move to lower severities.
  11. Verify account and password policy settings — Confirm domain/local account settings match STIG requirements.
  12. Enforce password complexity and history — Enable complexity requirements and configure password history.
  13. Set minimum password length and account lockout thresholds — Configure minimum length, lockout count, and duration per STIG.
  14. Disable or secure Guest and local administrator accounts — Remove roaming Guest usage and secure built-in admin accounts.
  15. Disable legacy and insecure services (SMBv1, TELNET, etc.) — Turn off deprecated protocols and services referenced by the STIG.
  16. Enable and configure Windows Firewall and Defender settings — Ensure profiles, rules, and real-time protection are properly set.
  17. Apply OS updates and cumulative security patches — Install required updates and reboot systems as needed.
  18. Document remediation actions, baselines, and approved exceptions — Keep records of changes, justifications, and exception approvals.
  19. Schedule regular reassessments and update STIG resources — Plan periodic scans and refresh GPO, Intune, and SCC packages.
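The account, service, firewall and Defender steps (11 to 16) can be verified on an endpoint before and after remediation with a read-only PowerShell audit. The script below is an added example written for this page; it is not DISA, NIST or SCC content and it does not replace the SCAP benchmark scan in step 8. The threshold values in `$Expected` are illustrative assumptions: take the authoritative numbers from the check text of the STIG release you are implementing. The function name `Add-Finding` and the `$Expected` table are this example's own. It must run in an elevated session because `secedit` exports the effective local security policy.

```powershell
# Added audit example for checklist steps 11-16 (not DISA/NIST/SCC content).
# Read-only: it reports findings and changes nothing. Run elevated on the endpoint.
# Threshold values are ASSUMED placeholders; confirm each against the STIG check text.

$Expected = @{
    MinimumPasswordLength = 14   # assumed
    PasswordHistorySize   = 24   # assumed
    LockoutBadCount       = 3    # assumed; "at most N" failed attempts, and not 0 (0 = no lockout)
    LockoutDuration       = 15   # minutes, assumed; 0 means "until an administrator unlocks"
    PasswordComplexity    = 1    # 1 = complexity requirements enabled
}

$Findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding {
    param([string]$Check, [string]$Actual, [string]$Expected, [bool]$Pass)
    $Findings.Add([pscustomobject]@{
        Check    = $Check
        Actual   = $Actual
        Expected = $Expected
        Status   = if ($Pass) { 'PASS' } else { 'OPEN' }
    })
}

# --- Steps 11-13: account and password policy, read from a secedit export ------
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /quiet | Out-Null
$policy = @{}
Get-Content $inf | ForEach-Object {
    # Lines in the [System Access] section look like: MinimumPasswordLength = 14
    if ($_ -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$matches[1]] = $matches[2] }
}
Remove-Item $inf -ErrorAction SilentlyContinue

foreach ($key in $Expected.Keys) {
    $actual = [int]$policy[$key]      # missing key -> 0, which reads as "not configured"
    $want   = [int]$Expected[$key]
    $ok = switch ($key) {
        'LockoutDuration' { $actual -eq 0 -or $actual -ge $want }
        'LockoutBadCount' { $actual -gt 0 -and $actual -le $want }
        default           { $actual -ge $want }
    }
    Add-Finding "Policy: $key" $actual $want $ok
}

# --- Step 14: built-in Guest (RID 501) and Administrator (RID 500) accounts ----
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
Add-Finding 'Guest account disabled' $guest.Enabled 'False' (-not $guest.Enabled)

$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
# "Secured" here means renamed or disabled; match this to the STIG's own wording.
$adminSecured = ($admin.Name -ne 'Administrator') -or (-not $admin.Enabled)
Add-Finding 'Built-in Administrator renamed or disabled' "$($admin.Name) (Enabled=$($admin.Enabled))" 'renamed or disabled' $adminSecured

# --- Step 15: legacy services and protocols ----------------------------------
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Add-Finding 'SMBv1 feature disabled' $smb1.State 'Disabled' ("$($smb1.State)" -ne 'Enabled')

$smbSrv = Get-SmbServerConfiguration
Add-Finding 'SMB server: SMB1 protocol off' $smbSrv.EnableSMB1Protocol 'False' (-not $smbSrv.EnableSMB1Protocol)

$telnet = Get-WindowsOptionalFeature -Online -FeatureName TelnetClient
Add-Finding 'Telnet client disabled' $telnet.State 'Disabled' ("$($telnet.State)" -ne 'Enabled')

# --- Step 16: Windows Firewall profiles and Defender real-time protection ----
foreach ($p in Get-NetFirewallProfile) {
    Add-Finding "Firewall profile '$($p.Name)' enabled" $p.Enabled 'True' ("$($p.Enabled)" -eq 'True')
}

try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    Add-Finding 'Defender real-time protection' $mp.RealTimeProtectionEnabled 'True' ([bool]$mp.RealTimeProtectionEnabled)
} catch {
    # Get-MpComputerStatus fails when Defender is not the active AV; record it as open for manual review.
    Add-Finding 'Defender real-time protection' 'unavailable' 'True' $false
}

# --- Report: feed the OPEN rows into step 9's prioritisation and step 18's records
$Findings | Format-Table -AutoSize
$open = @($Findings | Where-Object { $_.Status -eq 'OPEN' }).Count
Write-Host "$open open finding(s) out of $($Findings.Count) checks"
```

Each OPEN row names the setting, the value observed and the value expected, so the table can be pasted straight into the remediation record kept under step 18 and re-run after the GPO or Intune policy from steps 5 and 6 has applied. The script reads the effective local policy, so on a domain-joined machine run `gpupdate /force` first if a freshly linked GPO has not yet been processed.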