
Microsoft Windows Defender Firewall STIG Checklist (Ver 2, Rel 2)

Medium 19 items · 2 hours
testuser Published 4 weeks ago

This checklist guides administrators and IT staff through implementing the Microsoft Windows Defender Firewall with Advanced Security STIG. It covers downloading supporting resources, applying GPO/Intune policies, validating compliance, and documenting changes for managed environments.

Source: https://ncp.nist.gov/checklist/686

  1. Download STIG and supporting resources — Collect SCAP, XCCDF, GPO, Intune, and SCC files for the STIG version.
  2. Download SCAP 1.2 content for the STIG — Get the SCAP 1.2 package (verify Ver 2, Rel 2 or newer).
  3. Download standalone XCCDF content — Grab the XCCDF 1.1.4 file to run benchmark scans and reports.
  4. Download DISA GPO package — Download the supplied GPOs for automated Group Policy deployment.
  5. Download Intune policies — Get the Intune policy pack for managed endpoints (verify date/version).
  6. Download SCC/automated content — Obtain SCC or other automation tooling for deployment and scanning.
  7. Review the STIG and map requirements to your environment — Identify applicable controls and the systems they affect.
  8. Verify target systems meet STIG scope and prerequisites — Check OS versions and patch levels, and confirm whether Windows Defender Firewall or a separate host intrusion prevention (HIP) product is the active host firewall on each system, since that determines which systems the STIG applies to.
  9. Backup current firewall configuration and export existing GPOs — Export the existing GPOs (for example with Backup-GPO) and save a firewall policy export (for example with netsh advfirewall export) before making changes, so the previous state can be restored.
  10. Import DISA GPO package into Group Policy Management — Load the downloaded GPOs into your AD environment.
  11. Apply STIG firewall baseline via GPO to target OUs — Link and enforce the imported GPOs on the designated organizational units.
  12. Deploy DISA Intune policies to targeted device groups — Publish Intune configurations to managed device groups as applicable.
  13. Enable firewall logging and auditing per STIG guidance — For each profile (Domain, Private, Public), log dropped packets and successful connections to the profile's log file, size the log per the STIG, and forward the logs to your collectors.
  14. Set default inbound/outbound behavior and configure exceptions — Set each profile to block inbound connections by default and allow outbound connections by default (the STIG baseline); add only the inbound allow rules a documented business need requires and record each exception.
  15. Restrict firewall rule scope to required IPs and interfaces — Limit rules by source/destination addresses and network interfaces.
  16. Run SCAP/XCCDF scans and verify STIG compliance — Use downloaded SCAP/XCCDF to generate compliance reports and findings.
  17. Test critical applications and network connectivity after changes — Validate business apps and services remain functional post-deployment.
  18. Document configuration changes and collect approval artifacts — Record changes, baseline snapshots, and sign-off evidence for audits.
  19. Monitor firewall logs and tune rules over the next 30 days — Review logs, adjust rules, and set alerts to reduce false positives.
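The following PowerShell script is an added example and is not part of the STIG, the NCP checklist page, or DISA's GPO/Intune packages. It works through the local-host side of steps 9 and 13 through 19 on one machine: it exports the live firewall policy, audits the three profiles against the baseline the checklist describes, lists enabled inbound allow rules that are open to any remote address, writes the findings to CSV as an audit artifact, optionally remediates, and summarizes dropped inbound traffic from the firewall log. The backup path, the `$Expected` values and the 16,384 KB minimum log size are this example's assumptions and must be confirmed against the Ver 2, Rel 2 content you downloaded; on GPO-managed hosts, fix findings in the GPO (steps 10 and 11) rather than with the `-Remediate` switch, because local changes are overridden by policy.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the STIG, the NCP checklist or DISA's GPO/Intune packages.
# Audits the local machine's three firewall profiles against the baseline this checklist
# describes (steps 13-14), lists over-broad inbound rules (step 15), exports a backup first
# (step 9) and writes findings to CSV (step 18). The values in $Expected and $MinLogKB are
# this example's reading of the STIG; confirm them against the Ver 2, Rel 2 content.
# On GPO-managed hosts, fix findings in the GPO (steps 10-11); local Set-* calls are overridden.
[CmdletBinding()]
param(
    [switch]$Remediate,                          # apply fixes locally (lab/standalone hosts only)
    [string]$BackupDir = 'C:\FirewallBaseline'   # assumed path; change to suit
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Step 9: export the live firewall policy before changing anything (restorable with 'netsh advfirewall import').
netsh advfirewall export "$BackupDir\firewall-$stamp.wfw" | Out-Null

# Steps 13-14: per-profile settings the baseline requires, as strings so they compare cleanly
# against the enum values Get-NetFirewallProfile returns.
$Expected = [ordered]@{
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'   # default deny inbound
    DefaultOutboundAction = 'Allow'   # outbound allowed unless a rule blocks it
    LogBlocked            = 'True'    # log dropped packets
    LogAllowed            = 'True'    # log successful connections
}
$MinLogKB = 16384                     # assumed minimum log size in KB; verify against the STIG

# ActiveStore shows the effective settings after GPO/Intune policy has been applied.
$findings = foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    foreach ($k in $Expected.Keys) {
        $actual = [string]$p.$k
        if ($actual -ne $Expected[$k]) {
            [pscustomobject]@{ Profile = $p.Name; Setting = $k; Expected = $Expected[$k]; Actual = $actual }
        }
    }
    if ([int]$p.LogMaxSizeKilobytes -lt $MinLogKB) {
        [pscustomobject]@{ Profile = $p.Name; Setting = 'LogMaxSizeKilobytes'; Expected = ">= $MinLogKB"; Actual = $p.LogMaxSizeKilobytes }
    }
}

# Step 15: enabled inbound Allow rules whose remote address scope is unrestricted ("Any").
$openRules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains 'Any') {
            [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; RemoteAddress = ($addr.RemoteAddress -join ',') }
        }
    }

if ($findings) {
    $findings | Format-Table -AutoSize
    $findings | Export-Csv "$BackupDir\profile-findings-$stamp.csv" -NoTypeInformation   # step 18 artifact
    if ($Remediate) {
        foreach ($name in ($findings.Profile | Select-Object -Unique)) {
            Set-NetFirewallProfile -Name $name -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
                -LogBlocked True -LogAllowed True -LogMaxSizeKilobytes $MinLogKB
        }
    }
} else {
    'Profile settings match the baseline.'
}
if ($openRules) {
    "`nEnabled inbound allow rules open to any remote address (scope or justify per step 15):"
    $openRules | Format-Table -AutoSize
}

# Step 19: what the log shows once LogBlocked is on. pfirewall.log is W3C format: '#' header lines,
# then 'date time action protocol src-ip dst-ip src-port dst-port ... path', where path is SEND or RECEIVE.
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
if (Test-Path $log) {
    "`nTop dropped inbound src-ip:dst-port pairs (tune rules and alerts from these):"
    Get-Content $log | Where-Object { $_ -notmatch '^#' -and $_.Trim() } | ForEach-Object {
        $f = $_ -split '\s+'
        if ($f[2] -eq 'DROP' -and $f[-1] -eq 'RECEIVE') { "$($f[4]):$($f[7])" }
    } | Group-Object | Sort-Object Count -Descending | Select-Object -First 10 Count, Name | Format-Table -AutoSize
}
```

Run it first without `-Remediate` and keep the CSV with the SCAP/XCCDF report from step 16; the two should agree on the profile findings, and any rule the step 15 listing flags needs either a tighter RemoteAddress/interface scope or a written exception before sign-off.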