Windows Defender Firewall STIG Compliance Checklist
Medium · 23 items · 2 hours
testuser · Published 4 weeks ago
This checklist helps IT staff and system owners implement the DISA STIG for Windows Defender Firewall with Advanced Security. Use it to apply baseline settings, validate compliance with SCAP/XCCDF, and maintain firewall policies in managed environments.
- Download the latest STIG and supporting SCAP/GPO/Intune/SCC resources — Get SCAP 1.2 content, standalone XCCDF, GPO package, Intune policies, and SCC tools.
- Review the STIG baseline settings and change history — Read baseline controls, exceptions, and recent DISA updates before changes.
- Import the STIG GPO package into Group Policy Management — Import and verify GPOs match the STIG package before linking.
- Import the STIG Intune policy into Microsoft Intune (if used) — Import and assign Intune baseline policies where applicable.
- Apply the Windows Defender Firewall baseline to target systems — Deploy the approved baseline via GPO, Intune, or local configuration.
- Configure Firewall profiles per STIG — Ensure Domain, Private, and Public profiles follow STIG settings.
- Set Domain profile to 'On' and apply STIG profile settings — Enable and enforce domain-profile specific rules and logging.
- Set Private profile to 'On' and apply STIG profile settings — Enable and enforce private-network rules per baseline.
- Set Public profile to 'On' and apply STIG profile settings — Enable and enforce public-network restrictions per baseline.
- Set default inbound action to 'Block' and default outbound to 'Allow' — Implement STIG default actions unless exception rules exist.
- Block unsolicited inbound connections for all profiles — Ensure policy prevents inbound traffic that wasn't requested.
- Remove or disable unnecessary inbound rules — Minimize attack surface by eliminating unused exceptions.
- Create explicit allow rules for required services and document justification — Record why each exception exists, owner, and time-limited scope.
- Enable and configure Windows Defender Firewall logging — Set log path, file size and retention per STIG recommendations.
- Restrict ICMP responses (ping) according to the STIG — Disable or limit echo replies as specified by the baseline.
- Enable connection security (IPsec) rules where required — Apply IPsec policies for protected traffic per STIG guidance.
- Enforce rule ordering and confirm GPO precedence — Validate that higher-precedence policies are applied as intended.
- Test firewall behavior with controlled port scans and application tests — Verify allowed services work and blocked ports remain closed.
- Run SCAP/XCCDF benchmark scan to validate compliance — Use the downloaded SCAP/XCCDF content to produce a compliance report.
- Remediate scan findings and re-run scans until compliant — Triage findings, apply fixes, and re-scan to confirm remediation.
- Back up applied GPOs and export the current firewall policy — Store backups securely for rollback and audit purposes.
- Document changes, exceptions, and point of contact — Record rationale, owners, and references to the STIG document.
- Schedule regular checks for STIG resource updates and reapply as needed — Monitor DISA updates and refresh GPO/Intune/SCC resources regularly.
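One way to audit the profile, default-action and logging steps above from PowerShell, as an added example that is not part of this checklist or of the DISA STIG package. It uses the built-in NetSecurity cmdlets; the 16384 KB log-size minimum is an assumed default that you should confirm against the STIG version you downloaded.

```powershell
# Added example (not from the checklist): audit the Domain, Private and Public
# profiles against the baseline values named in the steps above and report
# deviations. Read-only unless -Remediate is given. Run elevated.
function Test-FirewallStigProfile {
    [CmdletBinding()]
    param(
        # Assumed minimum log size; confirm against the STIG you downloaded.
        [int]$MinLogSizeKB = 16384,
        # Apply Set-NetFirewallProfile to any profile with a failing check.
        [switch]$Remediate
    )

    $findings = foreach ($p in Get-NetFirewallProfile -Name Domain, Private, Public) {
        # Expected values from the checklist: profile On, inbound Block,
        # outbound Allow, logging of both dropped and allowed connections.
        $checks = @(
            @{ Setting = 'Enabled';               Expected = 'True';  Actual = "$($p.Enabled)" }
            @{ Setting = 'DefaultInboundAction';  Expected = 'Block'; Actual = "$($p.DefaultInboundAction)" }
            @{ Setting = 'DefaultOutboundAction'; Expected = 'Allow'; Actual = "$($p.DefaultOutboundAction)" }
            @{ Setting = 'LogBlocked';            Expected = 'True';  Actual = "$($p.LogBlocked)" }
            @{ Setting = 'LogAllowed';            Expected = 'True';  Actual = "$($p.LogAllowed)" }
            @{ Setting = 'LogMaxSizeKilobytes';   Expected = ">= $MinLogSizeKB"; Actual = "$($p.LogMaxSizeKilobytes)" }
        )
        foreach ($c in $checks) {
            if ($c.Setting -eq 'LogMaxSizeKilobytes') { $pass = [int]$c.Actual -ge $MinLogSizeKB }
            else { $pass = $c.Actual -eq $c.Expected }
            $status = if ($pass) { 'Pass' } else { 'Fail' }
            [pscustomobject]@{ Profile = $p.Name; Setting = $c.Setting
                               Expected = $c.Expected; Actual = $c.Actual; Status = $status }
        }
    }

    if ($Remediate) {
        $failing = $findings | Where-Object Status -eq 'Fail' |
                   Select-Object -ExpandProperty Profile -Unique
        foreach ($name in $failing) {
            # Enforce the baseline on failing profiles only; log size uses the assumed minimum.
            Set-NetFirewallProfile -Name $name -Enabled True -DefaultInboundAction Block `
                -DefaultOutboundAction Allow -LogBlocked True -LogAllowed True `
                -LogMaxSizeKilobytes $MinLogSizeKB
        }
    }
    return $findings
}

# Report only; pipe to Export-Csv to keep the result with the change documentation.
Test-FirewallStigProfile | Format-Table -AutoSize
```

Run it before the SCAP/XCCDF scan to catch profile-level drift early, and keep the exported report with the rollback backups and exception records from the later steps.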