TickYouOff

Win Server 2016 STIG Compliance

Medium 21 items · 4 hours
testuser Published 4 weeks ago

This checklist guides administrators through core tasks to implement the Microsoft Windows Server 2016 STIG baseline and maintain ongoing compliance. It’s intended for system administrators, security engineers, and IT teams managing Windows Server 2016 in managed environments.

Source: https://ncp.nist.gov/checklist/753

  1. Install latest Windows Server 2016 patches — Include security and cumulative updates; verify reboot windows are scheduled
  2. Apply DISA STIG Group Policy Objects (GPO) — Baseline settings provided by DISA to enforce STIG controls
  3. Import DISA GPO package — Use the provided GPO archive and verify SHA/hash
  4. Link STIG GPOs to appropriate OUs — Apply GPOs to the correct organizational units for servers/DCs
  5. Run STIG compliance scan using SCAP/SCC tools — Use DISA SCAP, SCC or equivalent content to generate a compliance report
  6. Review and remediate critical scan findings — Triage high-severity findings first and patch/configure as required
  7. Disable SMBv1 — Turn off SMBv1 and verify file services use SMBv2/3
  8. Enable Windows Firewall and configure rules — Allow only necessary inbound services and restrict management ports
  9. Enforce password and account lockout policies — Set complexity, minimum length, maximum age, and lockout threshold
  10. Harden Remote Desktop Protocol (RDP) settings — Enable NLA, restrict who can log on, and limit exposed ports
  11. Configure auditing and logging — Enable audit policies and centralize logs for review
  12. Enable logon success/failure auditing — Capture authentication events for incident detection
  13. Configure log retention and forwarding to SIEM — Set retention, secure logs, and forward to your monitoring system
  14. Remove or disable unnecessary services and roles — Minimize attack surface by removing unused components
  15. Limit local administrator accounts and implement LAPS or centralized admin — Use unique local admin passwords or centralized privileged access
  16. Enable BitLocker for system volumes (if applicable) — Encrypt OS and data volumes to protect data at rest
  17. Ensure secure time synchronization with authenticated NTP — Use authenticated NTP sources for accurate logs and Kerberos
  18. Secure and monitor network shares and permissions — Restrict share access, audit changes, and remove anonymous access
  19. Document deviations and exceptions with approvals — Record justified exceptions, approval authority, and mitigation steps
  20. Schedule regular STIG scans and GPO updates — Automate recurring scans and apply updated DISA resources when released
  21. Keep a copy of applied STIG version and GPO hashes for auditing — Archive STIG files, SHA hashes, and change history for evidence
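
An added verification script (not part of the checklist source or DISA's GPO package) that spot-checks items 7, 8, 10 and 12 above on the local server and returns pass/fail objects. It assumes an English-locale Windows Server 2016 host (auditpol output is parsed as text) and the standard RDP-Tcp registry path; it complements the SCAP/SCC scan in step 5 rather than replacing it.

```powershell
# Spot-check a few STIG items from the checklist (SMBv1, firewall profiles,
# RDP NLA, logon auditing). Run in an elevated PowerShell session on the server.
function Test-StigSpotChecks {
    [CmdletBinding()]
    param()

    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # Item 7: SMBv1 must be disabled on the server side
    $smb = Get-SmbServerConfiguration
    Add-Result 'SMBv1 disabled' (-not $smb.EnableSMB1Protocol) "EnableSMB1Protocol=$($smb.EnableSMB1Protocol)"

    # Item 8: every firewall profile (Domain/Private/Public) must be enabled
    $off = (Get-NetFirewallProfile | Where-Object { -not $_.Enabled }).Name -join ','
    $detail = 'Disabled profiles: ' + $(if ($off) { $off } else { 'none' })
    Add-Result 'Firewall profiles enabled' ([string]::IsNullOrEmpty($off)) $detail

    # Item 10: RDP must require Network Level Authentication (UserAuthentication = 1)
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    Add-Result 'RDP NLA required' ($nla -eq 1) "UserAuthentication=$nla"

    # Item 12: the Logon subcategory must audit both success and failure.
    # auditpol /r emits CSV; blank lines are dropped before parsing.
    # Assumption: English locale, so the setting text is 'Success and Failure'.
    $logon   = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
    $setting = $logon.'Inclusion Setting'
    Add-Result 'Logon success/failure audited' ($setting -eq 'Success and Failure') "Inclusion Setting=$setting"

    return $results
}

# Usage: list failing checks first so they can be remediated before the SCAP/SCC scan
Test-StigSpotChecks | Sort-Object Pass | Format-Table -AutoSize
```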